1. Who we are
This app, "Tripenzo — Travel Expenses" (the "App"), is published by Stopra systems s.r.o. ("we", "us", "our"). The contact for any privacy question, request, or complaint is:
- Email: tripenzo@stopra.cz
- Website: www.stopra.cz
For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, where applicable, we act as the data controller for any limited information we may receive (e.g. a support email you choose to send us). For everything that happens inside the App, we act only as the publisher of locally running software — the data resides on your device and/or your iCloud account, to which we have no access.
2. Scope of this policy
This policy describes how the Tripenzo iOS app (and its companion website at the same domain as this page) handles information. It does not cover:
- Apple's iOS, App Store, iCloud, StoreKit, or other Apple services — see Apple's Privacy Policy.
- The third-party public exchange-rate APIs you may optionally invoke (listed in section 6).
- Any links from this site to external services.
3. What data we collect
None. The App does not contain any analytics SDK, advertising SDK, crash reporter, or telemetry mechanism. It does not transmit any personal data to us at any time. We do not require an account, an email address, or any sign-up.
The Apple App Store may share with us anonymized, aggregated information about downloads and crashes (only if you have opted in to share crash data with developers in iOS Settings). This information is provided by Apple, never identifies you, and we use it only to improve the App.
4. Data the App stores on your device
To do its job, the App stores the following information locally on your iPhone or iPad in Apple's SwiftData / SQLite store and the App's sandboxed file area:
| Category | What it contains | Where it lives |
|---|---|---|
| Companies | Name, default currency, conversion rate to your home currency, optional XLSX/CSV report template and column mapping. | On-device database; optional private iCloud sync. |
| Trips | Trip name, country, currency, exchange rate to company currency, dates. | On-device database; optional private iCloud sync. |
| Expenses | Amount, currency, conversion rates, category, notes, date. | On-device database; optional private iCloud sync. |
| Receipt scans | Photos and PDFs you choose to attach to expenses. | App's local file area; optional private iCloud sync. |
| Categories | The 14 predefined categories plus any custom ones you create. | On-device database; optional private iCloud sync. |
| Settings | Home currency, language, App Lock preferences, onboarding flag, cached premium status. | On-device database. |
You can delete any of this data at any time from inside the App, or remove all of it by deleting the App from your device.
5. iCloud sync (CloudKit)
If you are signed in to iCloud on your device and have iCloud Drive enabled, the App can sync the data listed above between your own Apple devices through Apple's CloudKit service. Specifically:
- Sync uses your private CloudKit container. Data is stored in your personal iCloud account, encrypted in transit and at rest by Apple.
- We — the publisher of the App — have no access to your private CloudKit container at any time. We cannot read, copy, or recover your data.
- We do not operate any backend servers and do not host any of your data on infrastructure we control.
- If you sign out of iCloud, disable iCloud Drive, or sign in with a different Apple ID, sync stops accordingly. See Apple's documentation for full details on CloudKit and iCloud security.
6. Network connections the App may make
By default the App functions fully offline. The only outbound network requests it can make — and only when you trigger them — are:
| When | Endpoint | What is sent |
|---|---|---|
| You tap "Fetch rate" on a trip or expense to refresh exchange rates. | Public, free APIs: api.frankfurter.app, open.er-api.com, cdn.jsdelivr.net (currency-api). | Only the currency code pair (e.g. "EUR → USD"). No personal data, no device identifiers, no expense amounts. |
| You make or restore an in-app purchase ("Tripenzo Premium"). | Apple StoreKit / App Store servers. | Handled entirely by iOS and Apple. We receive only an entitlement flag indicating whether you own the premium upgrade. |
| iCloud sync (when enabled by you on your device). | Apple iCloud / CloudKit. | Encrypted by Apple. We have no access (see section 5). |
None of these requests are routed through us. We do not see them, log them, or aggregate them. Each provider operates under its own privacy policy.
7. Camera, Photos, and Files
The App uses the following iOS capabilities, each strictly opt-in via standard iOS permission prompts:
- Camera — only when you tap the camera button to capture a receipt. The image is stored in the App's sandboxed file area and used only to attach to that expense and to run on-device OCR.
- Photo Library — only when you choose "Pick from Photos" to attach an existing image. We use the limited-photos picker where available so we never see photos you did not select.
- Files — only when you choose to import a PDF receipt or an XLSX/CSV report template, or to export a report as XLSX/CSV/ZIP. These flows use the iOS document picker; we never browse your files.
8. Optical Character Recognition (OCR)
OCR is a Premium feature that, when enabled, runs entirely on your device using Apple's Vision framework (VNRecognizeTextRequest). Your receipt images are never uploaded for processing — not to us, not to Apple's cloud, not to any third party.
9. App Lock and biometrics
The optional App Lock feature uses Apple's LocalAuthentication framework so you can require Face ID, Touch ID, or your device passcode to open the App. Biometric data never leaves your device and is handled exclusively by iOS — we never see it. App Lock state and the (optional) numeric PIN you may set are stored locally on your device.
10. In-app purchases
The Premium upgrade is a one-time, non-consumable in-app purchase processed through Apple StoreKit. Apple handles all payment information — we never see your name, billing address, or payment method. We receive only a yes/no entitlement indicating whether the purchase is active for your Apple ID. Family Sharing is supported through StoreKit.
11. Data sharing
We do not sell, rent, lease, or share your data with anyone. We have no advertising partners and no third-party SDKs of any kind. The only entities that touch any data related to your use of the App are:
- Apple (App Store, iOS, StoreKit, CloudKit, iCloud Drive, Vision, LocalAuthentication, MapKit) under their own privacy terms.
- The free currency APIs in section 6, only when you choose to fetch rates.
12. Data retention and deletion
All App data lives on your device (and optionally in your private iCloud). You control its lifecycle:
- Delete an expense, trip, company, category, or template from inside the App at any time.
- Use Settings → Backup & Restore to manage iCloud Drive backups (Premium).
- Sign out of iCloud, disable sync, or change Apple ID to stop CloudKit sync.
- Delete the App from your device to remove all local data.
- Use iOS Settings → iCloud → Manage Storage to remove iCloud-stored copies.
Because we never receive your data, we have nothing to delete on our side.
13. Your rights (GDPR, UK GDPR, CCPA and similar laws)
Where applicable laws give you rights such as access, rectification, deletion, restriction, portability, or objection regarding personal data, those rights apply to data a controller actually holds. Since we do not collect or hold any personal data about you, there is nothing in our possession to access, rectify, delete, restrict, port, or object to.
For data stored locally on your device or in your iCloud, you exercise these rights directly — through the App's UI and through Apple's iCloud controls.
If you contact us by email, we will receive only the information you choose to share (typically your email address and the contents of your message). We use that information solely to answer your question and delete it once the matter is closed. The legal basis is our legitimate interest (Article 6(1)(f) GDPR) in providing customer support.
You also have the right to lodge a complaint with your local supervisory authority.
14. Children's privacy
Tripenzo is intended for adult business travelers and is not directed at children under 13 (or under 16 in the EEA/UK). The App is rated 4+ in the App Store but is not designed for use by children. We do not knowingly collect any data from anyone — child or adult.
15. International data transfers
Because all App data stays on your device or within your own iCloud account, no international transfer of your personal data takes place between us and you. Apple's iCloud may store and process your data in regions chosen by Apple under its own safeguards.
16. Security
The App data on your device is protected by iOS's built-in sandboxing, file system encryption, and device passcode. iCloud sync is secured by Apple's transport and storage encryption. The optional App Lock adds a per-launch authentication barrier. Because we don't operate servers or hold copies of your data, there is no central database to breach on our side.
17. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect new App features or legal requirements. The "Effective date" and "Last updated" fields at the top of this page show the latest revision. Material changes will be highlighted in the App's release notes. Continued use of the App after a change becomes effective constitutes acceptance of the revised policy.
18. Contact
For privacy questions, requests, or complaints:
Stopra systems s.r.o.
Email: tripenzo@stopra.cz