Legal
Privacy Policy
How we collect, use and protect your data
Last updated: January 1, 2026
1. Data controller
Tripool Inc., 1000 rue de la Gauchetière Ouest, Montreal, QC, H3B 0A2, Canada. Email: privacy@tripool.club
Tripool complies with Quebec's Act respecting the protection of personal information in the private sector (Law 25), Canada's PIPEDA, and the European Union's GDPR.
2. Data collected
- Identity: first name, last name, email address, country of residence.
- KYC: official identity document (processed by our certified provider — not stored at Tripool).
- Payment: delegated to Stripe (PCI-DSS level 1) — no banking data transits or is stored at Tripool.
- Usage: SM Score, request history, ATIE travel preferences, referral codes.
- Technical: connection logs, IP address, browser type (retention: 90 days).
3. Purposes and legal bases
- Contract performance: subscription management, booking processing, invoicing.
- Legitimate interest: fraud prevention, Pool security, anonymized aggregate analytics.
- Consent: marketing communications (revocable at any time).
- Legal obligation: retention of financial transactions (7 years, Quebec Civil Code).
4. Data recipients
Your data may be shared with:
- Stripe (payments, PCI-DSS L1) — United States, Privacy Shield framework.
- Supabase (database, hosting) — AWS us-east-1.
- Resend (transactional emails) — minimal data.
- KYC providers — one-time processing, data not retained.
No sale, rental, or commercial sharing of your data with third parties.
5. Your rights
Under Law 25 (QC), PIPEDA, and GDPR, you have the following rights:
- Access — obtain a copy of your data.
- Rectification — correct inaccurate data.
- Erasure — request deletion (subject to legal obligations).
- Portability — receive your data in a structured format.
- Objection — object to processing for marketing purposes.
Exercise your rights at: privacy@tripool.club
6. Security
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). The Supabase database uses Row Level Security (RLS) — each member accesses only their own data. Administrator access is logged and audited quarterly.
7. Retention
Account data: subscription duration + 3 years. Financial data: 7 years (legal obligation). Technical logs: 90 days. KYC data: deleted after verification (not retained).