Privacy Policy

Last Updated: November 1, 2025

1. Introduction

SLCTrips ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform and services.

By using SLCTrips, you agree to the collection and use of information in accordance with this Privacy Policy.

If you do not agree with this policy, please discontinue use of our Service immediately.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

• Email address
• Display name or username
• Password (encrypted and stored securely via Supabase Auth)
• Profile information (optional)

Payment Information:

• Payment card details (processed securely by Stripe - we do not store complete card numbers)
• Billing address
• Transaction history

User-Generated Content:

• Reviews and ratings
• Comments and feedback
• Photos and media uploads
• Travel itineraries and saved destinations

Communications:

• Support inquiries and correspondence
• Email communications
• Feedback and survey responses

2.2 Information Collected Automatically

Usage Data:

• Pages visited and features used
• TripKit views and downloads
• Search queries and filters
• Time spent on pages
• Referral source
• Device type and browser information

Technical Data:

• IP address
• Browser type and version
• Operating system
• Device identifiers
• Cookies and similar technologies

Analytics Data:

• User behavior patterns
• Popular destinations and content
• Conversion metrics
• Performance statistics

2.3 Information from Third Parties

Social Media:

• If you choose to link social media accounts (future feature)
• Profile information you authorize us to access

Payment Processors:

• Transaction verification from Stripe
• Payment success/failure status

Service Providers:

• Analytics providers (Google Analytics, etc.)
• Email service providers

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery

• Create and manage your account
• Process TripKit purchases and deliver digital content
• Provide customer support
• Send transactional emails (purchase confirmations, account updates)

3.2 Service Improvement

• Analyze usage patterns to improve user experience
• Develop new features and content
• Optimize performance and fix bugs
• Conduct research and analytics

3.3 Personalization

• Recommend relevant destinations and TripKits
• Customize content based on preferences
• Remember your settings and preferences
• Display recently viewed destinations

3.4 Communication

• Send important service announcements
• Respond to inquiries and support requests
• Send marketing emails (with your consent - you may opt out)
• Notify you of updates and new features

3.5 Security and Compliance

• Detect and prevent fraud and abuse
• Enforce our Terms of Service
• Comply with legal obligations
• Protect user safety and platform integrity

3.6 Business Operations

• Process payments and prevent chargebacks
• Maintain business records
• Conduct financial reporting
• Manage legal matters

4. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

4.1 Service Providers

We share data with trusted third-party service providers who assist in operating our platform:

Supabase - Database hosting and authentication

• Stores user accounts and profile information
• Manages authentication and session security
• Subject to Supabase's privacy policy and security standards

Stripe - Payment processing

• Processes payment transactions securely
• Handles payment card information (we do not store complete card numbers)
• Subject to Stripe's privacy policy and PCI DSS compliance

Email Services - Transactional and marketing emails

• Sends account notifications and purchase confirmations
• Manages email preferences and opt-outs

Analytics Providers - Usage analytics

• Google Analytics or similar services
• Aggregate usage statistics
• Performance monitoring

Hosting Services - Platform infrastructure

• Cloud hosting and content delivery
• Server management and maintenance

4.2 Legal Requirements

We may disclose information when required by law:

• To comply with legal obligations, court orders, or government requests
• To enforce our Terms of Service
• To protect our rights, property, or safety
• To protect the rights, property, or safety of our users or the public

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred to the acquiring entity.

4.4 With Your Consent

We may share information with your explicit consent for specific purposes not covered above.

4.5 Aggregated Data

We may share aggregated, anonymized data that cannot identify individual users:

• Usage statistics and trends
• Popular destinations and travel patterns
• Research and analytics reports

5. Cookies and Tracking Technologies

5.1 What We Use

Essential Cookies:

• Authentication and session management
• Security features
• Basic site functionality

Analytics Cookies:

• Google Analytics (or similar)
• Usage patterns and statistics
• Performance monitoring

Preference Cookies:

• Remember your settings
• Language preferences
• Display preferences

5.2 Your Cookie Choices

Most browsers allow you to:

• Block all cookies
• Accept only certain cookies
• Delete existing cookies

Note: Disabling essential cookies may limit platform functionality.

5.3 Do Not Track

We currently do not respond to Do Not Track (DNT) browser signals, as there is no industry standard for DNT compliance.

6. Data Security

6.1 Security Measures

We implement industry-standard security measures to protect your information:

Technical Safeguards:

• Encryption of data in transit (HTTPS/TLS)
• Encryption of sensitive data at rest
• Secure authentication via Supabase
• Regular security audits and updates
• Firewall protection and intrusion detection

Administrative Safeguards:

• Access controls and user permissions
• Employee training on data protection
• Incident response procedures
• Regular security policy reviews

Physical Safeguards:

• Secure data center facilities (via hosting providers)
• Environmental controls
• Access restrictions

6.2 Security Limitations

No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for:

• Maintaining the confidentiality of your password
• Securing your account credentials
• Notifying us immediately of any unauthorized access

7. Data Retention

7.1 Retention Periods

• Account Data: Retained while your account is active, plus reasonable time after closure for legal/business purposes
• Purchase History: Retained for tax and accounting requirements (typically 7 years)
• Analytics Data: Retained in aggregated form indefinitely
• User Content: Retained until you delete it or close your account
• Support Communications: Retained for customer service and legal purposes

7.2 Deletion Requests

You may request deletion of your data by contacting support. Note:

• Some data may be retained for legal or business requirements
• Aggregated, anonymized data may be retained
• Deletion may take up to 90 days to complete

8. Your Privacy Rights

Depending on your location, you may have the following rights:

8.1 Access and Portability

• Request a copy of your personal data
• Receive your data in a structured, machine-readable format

8.2 Correction

• Update or correct inaccurate information
• Complete incomplete information

8.3 Deletion

• Request deletion of your personal data
• "Right to be forgotten" (subject to legal exceptions)

8.4 Objection and Restriction

• Object to certain processing activities
• Request restriction of processing

8.5 Opt-Out Rights

• Unsubscribe from marketing emails (via unsubscribe link)
• Opt out of certain data collection (cookies, analytics)
• Withdraw consent for optional data processing

8.6 California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

• Right to know what personal information is collected
• Right to know whether personal information is sold or disclosed
• Right to opt out of the sale of personal information (we do not sell personal information)
• Right to deletion (subject to exceptions)
• Right to non-discrimination for exercising CCPA rights

8.7 European Residents (GDPR)

European Union residents have rights under the General Data Protection Regulation:

• Legal basis for processing: Consent, contract performance, legitimate interests
• Right to lodge a complaint with supervisory authorities
• Right to data portability
• Right to object to automated decision-making

8.8 Exercising Your Rights

To exercise any privacy rights, contact us at: Dan@slctrips.com

We will respond within 30 days (or as required by applicable law).

9. Children's Privacy

9.1 Age Requirements

• Our Service requires users to be at least 13 years old
• We do not knowingly collect information from children under 13

9.2 Educational Content

• Guardian content is designed for 4th-grade level (ages 9-10)
• This content should be accessed under parental supervision
• Parents are responsible for children's use of the platform

9.3 Parental Controls

Parents who discover their child has created an account should:

• Contact us immediately to delete the account
• We will delete all associated data within reasonable time

9.4 COPPA Compliance

We comply with the Children's Online Privacy Protection Act (COPPA):

• We do not knowingly collect data from children under 13
• If notified of underage accounts, we promptly delete them
• Educational content is informational only and does not require accounts

10. Utah Student Data Protection (Utah Code 53E-9-3)

10.1 Applicability

When SLCTrips contracts with Utah K-12 schools, school districts, or education entities, we comply with Utah Code Title 53E-9, Part 3 (Student Data Protection).

This section applies only when:

• A Utah education entity contracts with SLCTrips
• Students access content through an institutional account
• TK-000 Guardian educational content is used in K-12 classroom settings

For individual/family accounts: This section does not apply. See other sections of this Privacy Policy.

10.2 Third-Party Contractor Status

When contracted by Utah education entities, SLCTrips acts as a "third-party contractor" as defined in Utah Code §53E-9-301.

Our Commitments:

• Use student data strictly for contracted educational purposes
• No targeted advertising to students
• No selling or marketing use of student data
• No secondary use beyond contracted services

10.3 Prohibited Practices

Under Utah law, we do NOT:

Targeted Advertising (§53E-9-309(2)(a)):

• Present advertisements based on student behavior tracked over time
• Use student data for marketing or advertising purposes
• Build advertising profiles of students

Secondary Use (§53E-9-309(2)(b)):

• Use student data beyond the contracted educational service
• Sell or share student data for commercial purposes
• Repurpose student data for our own business development

Unauthorized Profiling (§53E-9-309(2)(c)):

• Create student profiles beyond educational necessity
• Use predictive analytics for non-educational purposes
• Aggregate student data across entities without permission

10.4 Student Data Rights

Students and parents at contracted Utah education entities have:

Access Rights:

• View student data collected by SLCTrips
• Request copies of student records
• Understand how data is used

Correction Rights:

• Request correction of inaccurate data
• Challenge data accuracy
• Update outdated information

Deletion Rights:

• Request deletion upon contract completion
• Data deleted within 30 days of request
• Permanent and irreversible deletion

Process: Contact your school/district or email Dan@slctrips.com

10.5 Data Security for Educational Accounts

For Utah education entity contracts, we maintain:

Enhanced Security:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Multi-factor authentication
• Regular security audits
• Documented information security program

Contract Provisions:

• Data deletion upon education entity request
• Prohibition on secondary use
• Audit rights for education entities
• Data return/destruction upon contract termination

10.6 Education Entity Audit Rights

Utah education entities may audit SLCTrips to verify compliance with Utah Code 53E-9-3.

Audit Process:

• Annual audits or upon reasonable suspicion
• Access to documentation and procedures
• Cooperation with investigation
• Remediation of any deficiencies

10.7 Data Breach Notification

For student data breaches:

Immediate Actions:

• Notify education entity within 24 hours
• Contain breach and prevent further access
• Document breach circumstances

Detailed Notification (within 72 hours):

• Nature and scope of breach
• Types of data compromised
• Number of affected students
• Remediation plan

10.8 Comprehensive Compliance Document

For detailed information on our Utah student data protection practices, see: Utah Student Data Protection Compliance

This comprehensive document covers:

• Complete regulatory framework
• Detailed data handling procedures
• Contract requirements
• Third-party service provider agreements
• Transparency and reporting obligations

Utah Education Entities: Please review the full compliance document when evaluating SLCTrips for institutional use.

10.9 Educational vs. Personal Use

Important Distinction:

Educational Institutional Accounts (Utah Code 53E-9-3 applies):

• Student accounts created through school contract
• Enhanced data protections
• No advertising
• Education entity controls data

Personal/Family Accounts (Standard Privacy Policy applies):

• Individual purchases of TripKits
• Personal travel planning use
• Standard data practices
• User controls their own data

Parents using SLCTrips for family travel planning are NOT subject to educational data restrictions, but we maintain high privacy standards for all users.

11. International Data Transfers

11.1 Data Location

• Our servers and service providers are primarily located in the United States
• Your information may be transferred to and processed in the United States

11.2 International Users

If you access our Service from outside the United States:

• You consent to transfer of your information to the United States
• U.S. data protection laws may differ from your country's laws
• We implement safeguards to protect your information

11.3 GDPR Compliance

For European users, we rely on:

• Standard Contractual Clauses with service providers
• Adequacy decisions where applicable
• Your consent to international transfers

12. Third-Party Links

Our Platform may contain links to third-party websites and services:

• We are not responsible for third-party privacy practices
• We recommend reviewing privacy policies of any third-party sites
• Third-party links do not imply endorsement

Examples:

• Social media platforms
• External travel resources
• Partner websites

13. Changes to This Privacy Policy

13.1 Updates

• We may update this Privacy Policy periodically
• Material changes will be communicated via:
  • Email notification to registered users
  • Prominent notice on our Platform
  • Updated "Last Updated" date

13.2 Your Acceptance

• Continued use after changes constitutes acceptance
• We encourage periodic review of this policy
• If you disagree with changes, discontinue use of the Service

14. Contact Us

14.1 Privacy Questions

For questions about this Privacy Policy or our data practices, contact:

Privacy Officer SLCTrips Dan@slctrips.com 2604 w Dublin Dr. WVC, UT 84119

14.2 Data Requests

To exercise privacy rights (access, deletion, correction):

• Email: Dan@slctrips.com
• Include your name, email, and specific request
• We will verify your identity before processing requests
• Response time: 30 days (or as required by law)

14.3 Security Issues

To report security vulnerabilities:

• Email: Dan@slctrips.com
• Use our responsible disclosure process
• Do not publicly disclose vulnerabilities before resolution

---

Acknowledgment

BY USING SLCTRIPS, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO ITS TERMS.