Privacy Policy and Personal Data Processing
Last updated: 21 June 2026
1. General
This Privacy Policy describes how LetsTripTo LLC (“we”, “us”) processes personal data when you use LetsTripTo at https://letstrip.to and related services (the “Service”).
The Service is available internationally. This Policy is designed to meet common requirements under the EU General Data Protection Regulation (GDPR) and, where applicable, Russian Federal Law No. 152-FZ on personal data.
Effective date: 21 June 2026.
2. Data controller
Data controller: LetsTripTo LLC, Minsk, BY.
For privacy requests contact privacy@letstrip.to.
3. Data we collect
Depending on how you use the Service, we may process:
- Account data: email address and password (stored by our backend in hashed form).
- OAuth sign-in: when you use Google, we receive an ID token from Google to authenticate you. See Google Privacy Policy.
- Profile data: first name, last name, Instagram and Telegram handles, interface language, and map layer preferences.
- Routes and trips: track names, descriptions, coordinates, imported GPX/KML files, trip dates, and visibility settings (private, link-only, or public).
- Trip participants: name and optional phone, Telegram, or Viber contact details you or organizers provide; registered participants’ email may be visible to trip organizers.
- Guest identification: for unauthenticated trip participation we use a browser-generated visitor identifier (FingerprintJS). See FingerprintJS privacy policy.
- Technical data: IP address, browser type, session cookies, language cookie (NEXT_LOCALE), and an approximate map-center cookie derived from IP or browser locale (letstripto.coarseGeo.v1).
- Local browser storage: saved map view and basemap shortcuts (stored only on your device until cleared).
- Precise location: only when you explicitly request “My location” in the map; used locally to center the map and not sent to our servers automatically.
4. Purposes of processing
We process personal data to:
- Create and manage your account and authenticate you.
- Store, display, share, and export your routes and trips.
- Enable trip organization and participant management.
- Provide map, routing, and geocoding features.
- Remember your language and approximate map default location.
- Maintain security, prevent abuse, and comply with legal obligations.
5. Legal basis
Where GDPR applies, we rely on: (a) performance of a contract — providing the Service you request; (b) consent — Google sign-in, precise geolocation, and optional trip participation data you submit; (c) legitimate interests — securing the Service and setting an approximate map center without collecting precise GPS without your action.
Where Russian law applies, processing is based on your consent, contract performance, and other grounds permitted by applicable law.
7. Third-party services
We use service providers that may process data on our behalf or receive data from your browser:
- Our backend API — primary storage and processing of account, route, and trip data.
- Google — OAuth sign-in (Google Privacy Policy).
- FingerprintJS — guest visitor identifier for public trip flows (FingerprintJS privacy policy).
- OpenStreetMap and other map tile providers — your browser requests map tiles; see OpenStreetMap privacy policy where applicable.
- BRouter — routing requests include route coordinates.
- Nominatim (OpenStreetMap) — geocoding search queries are forwarded through our server (Nominatim usage policy).
9. International transfers
Your data may be processed in countries other than your own, including where our servers or providers are located. Where required, we use appropriate safeguards such as standard contractual clauses or equivalent mechanisms.
10. Retention
We keep personal data while your account is active and for a reasonable period afterward, unless a longer retention is required by law. You may delete routes and trips in the dashboard; account deletion requests should be sent to privacy@letstrip.to.
11. Your rights
Depending on your location, you may have the right to access, rectify, erase, restrict, or port your data, object to certain processing, and withdraw consent where processing is consent-based.
EU/UK users may lodge a complaint with their local supervisory authority.
Users in Russia may request clarification, blocking, or destruction of data, and may appeal to Roskomnadzor.
To exercise your rights, email privacy@letstrip.to. You can update profile fields in Account settings.
12. Security
We use HTTPS, session-based authentication, and CSRF protection for mutating requests. No method of transmission or storage is completely secure; we apply measures appropriate to the risk.
13. Children
The Service is not directed at persons under 16. We do not knowingly collect their personal data.
14. Changes
We may update this Policy by publishing a new version on this page with an updated effective date. Continued use after changes means you accept the updated Policy.
15. Contact
LetsTripTo LLC, Minsk, BY.
Privacy inquiries: privacy@letstrip.to. Learn more about the project on the About page.