To view the previous version of this Privacy Statement, click here.

TripIt Privacy Statement

Effective: December 1, 2023


Protecting the individual’s privacy is crucial to the future of business. We have created this privacy statement to demonstrate our firm commitment to the individual’s right to data protection and privacy. It outlines how we handle information that can be used to directly or indirectly identify an individual (“Personal Data”).

1. Who do we mean when we say TripIt in this Privacy Statement?

This Privacy Statement applies to the collection and processing of Personal Data that you provide to us or we gather from you while you access or use www.tripit.com (the "Site"), the TripIt mobile application (the "App"), and related services that link to this Privacy Statement (together, the “TripIt Services”).

The controller for purposes of the collection and processing of Personal Data described in this Privacy Statement is Concur Technologies, Inc., 601 108th Avenue NE, Suite 1000, Bellevue, WA 98004, USA through its TripIt business unit (referred to as “TripIt” or “us” or “we” or “SAP Concur”).

Any references to “SAP” mean SAP SE, SAP America, Inc. or the applicable SAP group entity. A current list of SAP group entities can be found here SAP Concur is a wholly owned subsidiary of SAP.

We may also supplement this Privacy Statement with other privacy notices in the TripIt Services. This Privacy Statement applies only to information collected by us through the TripIt Services and does not apply to services that link to other privacy policies, including any third-party websites or services you connect to from our TripIt Services, such as social-networking platforms or connected third-party applications. TripIt is not responsible for the privacy practices or content of such third parties. We encourage you to read the privacy statements of those third parties.

2. For what purposes does TripIt process your Personal Data?

TripIt may process Personal Data for one or more of the following business purposes:

A. To operate the TripIt Services

TripIt processes Personal Data for the purpose of operating, providing to you and administering your use of the TripIt Services. This processing includes: (i) creating and maintaining your travel itineraries and your profile and otherwise providing, operating, hosting, maintaining, connecting, and improving the TripIt Services, (ii) responding to your comments and questions and providing customer service, (iii) training and operating automated systems that recognize and extract travel and reward-program information from emails, (iv) updating you on new features and functionality of the TripIt Services, as well as other news and information about products and services offered by TripIt, SAP group entities, and our selected partners, (v)providing you information via email or another form of electronic notification related to your use, requests, and purchases, such as transaction confirmations, invoices, technical notices, and other notices about security, privacy, and administrative issues relating to your use of the TripIt Services, and (iv) personalizing your TripIt Services experience, content, marketing, and recommendations, including to target content and services to more closely match your interests or location.

Push and Text Message Alerts

TripIt uses Personal Data to communicate with you via push notifications or by text based on your selections. You may manage the push message alerts regarding flight delays, gate changes, and other alert information specific to your itinerary sent by the TripIt Services to your mobile device through the settings page in the Site or within the App. Similarly, you may manage text message alerts through the settings page in the Site or within the App, and you may always opt out of text message alerts by replying STOP to any text message sent by TripIt.

Sharing Your Travel Information

In your settings menu, you may configure certain privacy controls that enable the sharing of profile information, traveler information, and itinerary information and statistics with other users or with the general public (including external search engines). You can share specific itineraries with both TripIt Services users and non-users. If we send an email itinerary on your behalf to a non-user, you represent that you have permission to direct us to email such person.

User Experience

TripIt also processes information that relates to your visit to our Site to improve your user experience, identify your individual demand and to personalize the way we provide you with the information you are looking for. For this purpose, we collect information regardless of whether you register with a user profile or not.

Cookies

TripIt processes Personal Data about the users of the TripIt Services using cookies or similar technologies for the purposes described in this Privacy Statement. By visiting the “Cookie Preferences” link in the footer of the Site, you will find further information and have the option to exercise your cookie preferences.

B. To develop products and services and industry metrics

To the extent permitted by applicable law, TripIt may process your Personal Data for internal research, technological demonstration and development, and to help TripIt create, develop, operate, deliver, improve, upgrade or enhance TripIt products and services. TripIt may create anonymized or de-identified and aggregated data sets, statistics or other metrics from Personal Data to improve our products and services or provide information about travel generally.

C. To ensure compliance with laws and regulations

TripIt processes your Personal Data for the purpose of ensuring an adequate level of technical and organizational security of TripIt’s products, services, online events, facilities, and premises. For this, TripIt will take the measures necessary to verify or maintain the quality and safety of a product or service which is owned, manufactured by or for, or controlled by TripIt. This may comprise the use of Personal Data for sufficient identification and authorization of designated users, internal quality control through auditing, analysis, and research, debugging to identify and repair errors that impair existing or intended functionality, account and network security, replication for loss prevention, detecting security incidents, protection against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for such kind of activity. We may further process your name, likeness, and other contact or compliance related data when you visit a local TripIt affiliate or lab in the context of access management and video surveillance to protect the security and safety of our locations and assets.

TripIt and its products, technologies, and services are subject to the export laws of various countries including, without limitation, those of the European Union and its member states, and of the United States of America. Applicable export laws, trade sanctions, and embargoes issued by these countries oblige TripIt to prevent organizations, legal entities and other parties listed on government-issued sanctioned-party lists from accessing certain products, technologies, and services through TripIt’s websites or other delivery channels (e.g. the European Union Sanctions List, the US sanctions lists including the Bureau of Industry and Security’s (BIS) Denied Persons Lists (DPL), the Office of Foreign Assets Control’s (OFAC) Specially Designated Nationals and Blocked Persons List (SDN-List) and the US DOCs Bureau of Industry and Security’s Entity Lists and the United Nations Security Council Sanctions). TripIt processes Personal Data to the extent necessary to comply with these legal requirements. Specifically, TripIt processes Personal Data to conduct automated checks against applicable sanctioned-party lists, to regularly repeat such checks whenever a sanctioned-party list is updated or when a user updates his or her information. In case of a potential match, TripIt will block the access to TripIt’s services and systems and contact the user to confirm his or her identity.

If necessary, TripIt uses Personal Data to prevent or prosecute criminal activities such as any form of cybercrime, the illegal use of our products and services or fraud, to assert our rights or defend TripIt against legal claims.

To comply with data protection and unfair competition law related requirements. Depending on the country in which the relevant SAP group entity operates, and whether you have expressly consented to or opted out of receiving commercial information, TripIt may process Personal Data necessary to accommodate your data protection and privacy choices for the receipt of such information and, when necessary to ensure compliance, exchange such information with the other entities of the SAP group.

D. To search for talent

TripIt may collect and process Personal Data of qualified individuals and people interested in our career opportunities from various sources. Job applicants and candidates are asked to apply via the SAP Career Portal, regardless of whether this is done initiatively or in response to an advertised posting. If you apply, TripIt collects Personal Data by means of the SAP Career Portal for the purposes of carrying out the application procedures and selecting applicants. You may find further information about how SAP collects and processes applicant’s data in the Privacy Statement specific to the SAP Careers Portal.

E. To offer TripIt products and services

TripIt collects and processes Personal Data for sales and marketing purposes. We aim to keep you updated on upcoming events and TripIt’s latest products and services. You can manage your email preferences through the selections within the Site or the App by updating your email subscription settings. You can also unsubscribe from promotional emails. You may update your email preferences from time to time. Please note that even if you unsubscribe from promotional email messages, we may still need to contact you with important transactional information related to your account and your use of the Service. For example, even if you have unsubscribed from our email messages, we will still send you emails relating to security, billing, or account services such as password reset.

Request feedback, questionnaires and surveys

To the extent allowed by applicable law, TripIt may contact you for feedback regarding the improvement of the relevant material, product, or service. TripIt may also invite you to participate in questionnaires and surveys. These will generally be designed so you can participate without having to provide information that identifies you as a participant. If you nonetheless provide your Personal Data, TripIt will use it for the purpose stated in the questionnaire or survey or to improve its products and services.

Personalized Content

TripIt processes information about your interactions with the TripIt Services to provide you with the requested products and services and to improve our personal communications with you. This data may also be used to efficiently operate TripIt’s business, which also includes: the automation and aggregation of data to support various analytic and statistical efforts, performance and predictive analytics and exploratory data science to support your user journey and to fulfill such requests. To the extent permitted by law, TripIt may combine and use such information in an aggregated manner to help us understand your interests and demands, develop our business insight and marketing strategies, and to create, develop, deliver, and improve our personalized communications with you. It may also be used by TripIt to display relevant content on TripIt owned or third-party websites.

Advertising ID’s

Provided your consent or to the extent permitted by applicable law, TripIt may create a hashed user ID to provide to third party operated social networks or other web offerings (such as Twitter, LinkedIn, Facebook, Instagram or Google). This information is then matched against the third party’s own user database to display to you more relevant TripIt content.

3. What Personal Data does TripIt process?

TripIt processes various types of Personal Data about the people we interact with when conducting our business or operating the TripIt Services and other communication channels.

Depending on the individual case, this may comprise the following types of Personal Data:

A. Data generated through your use of the TripIt Services

Profile and transactional information

You provide Personal Data directly into the TripIt Services. For example, as part of activating an account with TripIt, we collect your name, email address and password, and home airport or country/region. If you create the account using one of the available social networking or third-party platform connection options (a “social sign-in” like Google, Facebook, or Yahoo), we will collect your associated email address and related profile information from the social sign-in provider. You may also identify your company or employer, as well as provide a photo of yourself. You may also provide us with additional email addresses for purposes of collecting itinerary information and to ensure that you retain access to your account even if you no longer have access to your primary email address.

To take full advantage of features and functionality of the TripIt Services, you may also provide us with additional information for your profile, such as your travel preferences, like seat and meal preference. And you may input emergency contact details and government-issued identification numbers needed for travel, such as your passport or driver license number. This information helps you to keep your itinerary and travel information in one place. If you wish to receive alerts via text messages, you must provide your mobile phone number. If you purchase additional TripIt Services, such as upgrading your account to TripIt Pro, we will collect certain billing and payment information. We process any payments using third parties, and we would retain only the last four digits of your credit card number and expiration date.

If required by applicable law, we will collect your date of birth for the limited purpose of validating your identity if necessary to meet our compliance obligations.

Through the profile and settings pages within the Site and the App, you can update profile information associated with your account at any time, such as contact and payment information, travel preferences, privacy and sharing settings, and alerts and connected applications. If you have granted access to your account to team members to manage your itineraries, they may also be permitted to edit the information you have provided to us and to designate others to access and edit such information. You may change who has access to your information by changing your publishing options in your account settings. You may choose to display certain information you give us in your public profile. Our Site may offer publicly accessible blogs or community forums. You should be aware that any information you choose to share in these areas may be read, collected, and used by others.

Company SAP Concur Account

If your company has enabled you to connect the SAP Concur account you use through your company (“SAP Concur Account”) with your TripIt Services account, by allowing the TripIt Services to access your SAP Concur Account, the TripIt Services will have access to account profile, itineraries, and traveler preferences contained within your SAP Concur Account. The TripIt Services may use and store this Personal Data and combine it with other Personal Data maintained by the TripIt Services. Travel itineraries available to your SAP Concur Account will also be collected into your TripIt Services account so that you may manage these itineraries with the TripIt Services. Once connected, any itineraries or travel information within the TripIt Services may be available to your company. This may include your personal itineraries within the TripIt Services unless you exclude them using the “Link to Concur” setting or delete them from your SAP Concur Account. If you choose to disconnect your TripIt Services account from your SAP Concur account, or you no longer have access to your SAP Concur Account, any Personal Data shared with your company prior to such time is governed by the terms between your company and SAP Concur or an SAP group entity, and you will need to contact your company regarding use and retention of that data. If you intend to continue to use your TripIt Services account after you no longer have access to your SAP Concur Account, you will need to update your TripIt Services account email to a personal email account.

Third-Party Connected Services

The TripIt Services also enable you to connect your TripIt Services account with third-party applications and service providers. Third-party applications that connect to the TripIt Services will usually indicate that they connect to the TripIt Services. These connected third-party applications may enable Personal Data about you to be transferred into the TripIt Services. For example, if you book airline travel using a connected third-party application from the airline, the corresponding booking information may be transferred into the TripIt Services. In other cases, Personal Data may be transferred to and from a third-party service so you can use the TripIt Services with a third-party application you have chosen. Your use of any third-party applications or third-party services is subject to the terms and conditions you have agreed to with such third parties, including third-party privacy notices, and TripIt is not responsible for the quality or accuracy of third-party data available to the TripIt Services from third parties or how such third parties may use Personal Data. Other third-party services you have chosen to connect with the TripIt Services may be enabled or disabled through selections in the Site or the App. You usually can also enable or disable connections through the third-party services themselves. Certain third-party services we may feature through our TripIt Services give you social-media options to interact with buttons or widgets that let you “like” information or post information about your activities publicly from the TripIt Services to third-party sites and platforms or privately within your network. By connecting your TripIt Services account with third-party services, you enable third-party services to access the TripIt Services API and gain access to your itinerary information, as well as your profile information. Their use of this information is governed by their user terms with you and their privacy policies.

Connecting Your Email and Reward Accounts

You can choose to enable us to access one or more of your email accounts by connecting such account(s) with your TripIt account. If you connect your email account, the TripIt Services will automatically access and analyze the contents of emails in your email account(s) on an ongoing basis for the purpose of identifying travel and travel-reward related emails that may contain recent travel bookings, boarding passes, or reward-program statements. Once identified, travel itinerary and reward-program information is then extracted from your emails into your TripIt Services account so that you may access this information in the TripIt Services. Notwithstanding anything else in this Privacy Statement, TripIt only uses such information to provide or improve user-facing features and will not use or transfer such information (even if aggregated or anonymized) for serving ads, including retargeting, personalized, or interest-based advertising. TripIt’s access to the email account is authorized through the email provider’s access mechanism. If you choose to have the TripIt Services track your travel-reward points, the TripIt Services will store account details for each of your travel-reward accounts, including your sign-in user name and password for tracked accounts. This information will be used to enable the TripIt Services, directly or indirectly through third-party service providers, to automatically access your applicable reward accounts and analyze and extract information from such accounts for use in the TripIt Services. You will be asked in each case whether you want to connect a third-party email or reward account. You may manage your connections to email and reward accounts and disconnect at any time in the settings menu and Point Tracker menu, respectively.

Third-Party Social Sign-Ins

You can sign in to our TripIt Services using third-party social sign-ins (e.g., Google, Facebook, and Yahoo). These social sign-in providers will share certain Personal Data with us as described in their sign-in notices or in their privacy policies, which might include information such as your name, profile picture, age range, gender, and other public information. We encourage you to review prior to signing in through the applicable service.

Contacts

From the Site, you can access and import contacts from your other online address books, like Google, Yahoo, and Outlook. If you would like us to invite another individual to join the TripIt Services, you may provide us their email address so that we may send them an invitation on your behalf to visit the TripIt Services. When using the App, the App may also access your device contacts if you enable those permissions.

Location Data

Certain features of the TripIt Services may collect precise geolocation data, including through GPS (global positioning systems), IP address, and other location-based technologies to provide features that require your precise location and the use of location services on your mobile device through the App. Some of these features may be available only to users of the premium “Pro” version of the TripIt Services. You may enable or disable these TripIt Services within the App and the privacy settings in your mobile device. Features such as Go Now (alerts you about important events, such as when you should leave for your drive to the airport based on your current location, flight status, and real-time traffic conditions) and Terminal and Gate Reminders (alerts you to your terminal and gate number when you’re close to the airport) require that location services on your mobile device be set to always provide location information, but these features only begin to detect your location a few hours prior to your scheduled departure and do not continuously collect your location. The TripIt Services may also provide you with navigation services within certain airports or between destinations based on your itinerary or destinations that you have specified. These services require that location services on your mobile device be enabled only when you are using the App.

Usage data

TripIt processes certain user related information, e.g., info regarding your browser, operating system, your IP address, or device information when you visit the Site or use the App. We also process information regarding your use of the Site and the App, like the pages you visit, the amount of time you spend on a page, the page which has referred you to our page and the links on our sites you select.

B. Compliance related Personal Data

If required by statutory law or regulation, TripIt may process data categories like date of birth, academic credentials, identity cards or other ID numbers, geolocation, business partner relevant information about e.g., significant litigation or other legal proceedings, and other export control or custom compliance relevant information.

C. Personal data received by third parties, including publicly available sources

TripIt generally aims to collect Personal Data directly from the data subjects. If you or applicable law allows TripIt to do so, TripIt may obtain Personal Data also from third party sources. These third-party sources may include: your company through a connected SAP Concur Account (as described above), third parties you directed to share your Personal Data with TripIt, third party sources and publicly available sources like business oriented social networks or information broker.

When we collect Personal Data from third party sources, established internal controls aim to ensure that the third-party source was permitted to provide this information to TripIt and that we may use it for this purpose. TripIt will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided the Personal Data to TripIt or by applicable national law.

D. Personal data necessary for customer satisfaction

To the extent permitted by law or based on your consent, TripIt may combine the information we collect either directly or indirectly about specific users to ensure the completeness and correctness of the data and to help us better tailor our interactions with you and determine the information which best serves your respective interest or demand.

4. How long does TripIt process my Personal Data?

TripIt processes your Personal Data only for as long as it is required: (i) to make the TripIt Services available to you; (ii) for TripIt to comply with statutory obligations to retain Personal Data, resulting, for example, from applicable export, finance, tax or commercial laws; (iii) to fulfill TripIt’s legitimate business purposes as further described in this Privacy Statement, unless you object to TripIt’s use of your Personal Data for these purposes; (iv) until you revoke a consent you previously granted to TripIt to process your Personal Data. To learn more about how you may revoke consent, please see guidance below in section titled, “What are your data protection rights".

TripIt may process your Personal Data for product or service development until this no longer necessary.

TripIt may retain your Personal Data for additional periods if necessary for compliance with legal obligations to process your Personal Data or if the Personal Data is needed by TripIt to assert or defend itself against legal claims. TripIt will retain your Personal Data until the end of the relevant retention period or until the claims in question have been settled.

5. Who are the recipients of your Personal Data?

Your Personal Data may be passed on to the following categories of third parties:

A. SAP Concur and Entities of the SAP Group

If you connect your TripIt Services account with your SAP Concur Account, as described above, TripIt may transfer your Personal Data to SAP Concur as described above. Other entities of the SAP Group may also receive or gain access to Personal Data either when rendering group internal services centrally and on behalf of SAP Concur and the other SAP group entities or when Personal Data is transferred to them on a respective legal basis. In these cases, these entities may process the Personal Data for the same purposes and under the same conditions as outlined in this Privacy Statement.

B. Third party service providers

TripIt may engage third party service providers to process Personal Data on TripIt’s behalf, e.g., for consulting or other services, the provision of the TripIt Services, the fulfillment and provisioning of offers from TripIt or other communications. These service providers may receive or are granted with access to Personal Data when rendering their services and will constitute recipients within the meaning of the relevant data protection law.

C. Third Party Connected Services

TripIt may share your Personal Data with those third-party applications and service providers you have chosen to connect to your TripIt account, as described above. TripIt may access Google address or mapping information through a Google Maps or similar Google API as part of your use of the service, such as autocompleting a hotel address when adding a hotel to an itinerary, generating directions to a location in your itinerary or within an airport, or responding to your request for a time to leave for the airport. When you click on a location icon in an itinerary plan, TripIt may also launch a Google mapping application or browser page using such address. Depending on the use, data such as search terms, address, or location information may be transferred to and used by Google and its affiliates to provide the mapping and address services and to improve Google products and services. Your use of such mapping or address information is subject to Google Maps/Google Earth Additional Terms of Service and location or address information provided to Google is subject to Google’s Privacy Policy.

D. Other third parties

TripIt may share Personal Data other TripIt users or the public through your public profile in accordance with your privacy settings, if you share itineraries, and if you grant another TripIt user access to manage or view your travel plans.

6. What are your data protection rights?

A. Right to access, correct and delete

You can request from TripIt at any time access to information about which Personal Data TripIt processes about you and, if necessary, the correction or deletion of such Personal Data. Please note, however, that TripIt can or will delete your Personal Data only if there is no statutory obligation or prevailing right of TripIt to retain it. If you request from TripIt to delete your Personal Data, you may not be able to continue to use any TripIt service that requires TripIt’s use of your Personal Data.

B. Right to receive Personal Data back from TripIt

If TripIt uses your Personal Data based on your consent or to perform a contract with you, you can further request from TripIt a copy of the Personal Data you provided to TripIt. In this case, please contact privacy-request@concur.com and specify the information or processing activities to which your request relates, the format in which you would like to receive the Personal Data, and whether it should be sent to you or another recipient. TripIt will carefully consider your request and discuss with you how it can best be fulfilled.

C. Right to restrict

You can request TripIt to restrict your Personal Data from further processing in any of the following events: (i) you state the Personal Data about you is incorrect, subject to the time TripIt requires to check the accuracy of the relevant Personal Data; (ii) there is no legal basis for TripIt to process your Personal Data and you demand TripIt to restrict your Personal Data from further processing; (iii) TripIt no longer requires your Personal Data, but you state you require TripIt to retain such data to claim or exercise legal rights or to defend against third party claims; (iv) or in case you object to the processing of your Personal Data by TripIt based on TripIt’s legitimate interest (as further set out below), subject to the time required for TripIt to determine whether it has a prevailing interest or legal obligation in processing your Personal Data.

D. Right to object

If and to the extent TripIt is processing your Personal Data based on TripIt’s Legitimate Interest, specifically where TripIt pursues its legitimate interest to engage in direct marketing or to apply profiling in relation to direct marketing, you have the right to object to such a use of your Personal Data at any time. When you object to TripIt’s processing of your Personal Data for direct marketing purposes, TripIt will immediately cease to process your Personal Data for such purposes. In all other cases, TripIt will carefully review your objection and cease further use of the relevant information, subject to TripIt’s compelling legitimate grounds for continued use of the information, which may override your interest in objecting, or if TripIt requires the information for the establishment, exercise, or defense of legal claims.

E. Right to revoke consent

Wherever TripIt is processing your Personal Data based on your consent, you may at any time withdraw your consent by unsubscribing or giving us respective notice of withdrawal. In case of withdrawal, TripIt will not process Personal Data subject to this consent any longer unless legally required to do so. In case TripIt is required to retain your Personal Data for legal reasons your Personal Data will be restricted from further processing and only retained for the term required by law. However, any withdrawal has no effect on past processing of Personal Data by TripIt up to the point in time of your withdrawal. Furthermore, if your use of an TripIt offering requires your prior consent, TripIt will no longer be able to provide the relevant service, offer or event to you after your revocation.

F. Right to lodge a complaint

If you take the view that TripIt is not processing your Personal Data in accordance with the requirements in this Privacy Statement or under applicable data protection laws, you can at any time, to the extent required by applicable law, lodge a complaint with your locally relevant data protection authority, specifically when you are located in an EEA country, or with the data protection authority of the country or state where TripIt has its registered seat.

7. How can you exercise your data protection rights?

Please direct any requests to exercise your rights to privacy-request@concur.com.

8. How will TripIt verify requests to exercise data protection rights?

TripIt will take steps to ensure it verifies your identity to a reasonable degree of certainty before it will process the data protection right you want to exercise. When feasible, TripIt will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by TripIt. This could include matching two or more data points you provide when you submit a request with two or more data points that are already maintained by TripIt.

TripIt will decline to process requests that are manifestly unfounded, excessive, fraudulent, represented by third parties without duly representing respective authority or are otherwise not required by local law.

9. Can I use TripIt’s products and services if I am a minor or child?

In general, the TripIt Services are not directed to users below the age of 16 years, or equivalent minimum age in the relevant jurisdiction. If you are younger than 16, you cannot register with and use the TripIt Services.

10. Additional Country and Regional Specific Provisions

A. Where TripIt is subject to privacy requirements in the EU, EEA, or other GDPR relevant countries

Who is the Data Protection Officer of the Controller?

You can reach SAP Group’s data protection officer any time at privacy@sap.com.

Who is the relevant Data Protection authority of the Controller?

SAP’s lead data protection supervisory authority is in Germany, the Landesbeauftragter für den Datenschutz und die Informationsfreiheit Baden-Württemberg and can be reached at Lautenschlagerstraße 20, 70173 Stuttgart. If you are in any other EU or EWR country, you may find the contact details of your competent data protection supervisory authority here.

What are the legal permissions for TripIt to process Personal Data?

TripIt is processing your Personal Data for the business purposes set out above based on the following legal permissions:

General remark regarding TripIt’s processing of Personal Data based on your prior consent

TripIt may process your Personal Data for the specific processing purposes based on your prior consent.

General remark regarding TripIt’s processing of Personal Data based on legitimate business interest

Where we refer to GDPR Article 6.1 (f) and consequently TripIt’s legitimate business interest as our legal permission to process your Personal Data, TripIt is pursuing its legitimate business interests, to efficiently manage and perform its business operations, to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of our employees, customers, partners, and shareholders, to operate sustainable business relationships with TripIt users (each of which as further set out below), serve you with the best possible user experience when using TripIt’s web services, comply with extraterritorial laws and regulations, or assert or defend itself against legal claims.

We believe that our interest in pursuing these business purposes is legitimate and thereby not outweighed by your personal rights and interest to refrain from processing. In any of these cases, we duly factor into our balancing test: the business purpose reasonably pursued by TripIt in the given case, the categories, amount and sensitivity of Personal Data that is necessarily being processed, the level of protection of your Personal Data which is ensured by means of our general data protection policies, guidelines, and processes, and the rights you have in relation to the processing activity.

If you wish to obtain further information on this approach, please contact privacy-request@concur.com.

Ensure compliance with laws and regulation

When ensuring compliance with applicable laws and regulations, TripIt and SAP group entities may process your Personal data based on GDPR Article 6.1 (c) if necessary, to fulfill legal requirements under European Union or EU Member State law to which TripIt is subject, GDPR Article 6.1 (f) if necessary, to fulfill laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations), or the equivalent articles under other national laws, when applicable.

Operate the TripIt Services

When operating the TripIt Services and depending on the respective operating purpose, TripIt or the SAP group entity is processing your Personal Data on the basis of the following legal permissions: GDPR Article 6.1 (b) and (f) to provide the services and functions, create and administer your online account, updating, securing, troubleshooting the service, providing support, improving, and developing the web service, answering and fulfilling your requests or instructions, (legitimate interest to efficiently perform or manage TripIt’s business operation); GDPR Article 6.1 (c) and (f) to manage and ensure the security of our services and prevent and detect security threats, fraud or other criminal or malicious activities and as reasonably necessary to enforce the services terms, to establish or preserve a legal claim or defense, to prevent fraud or other illegal activities, including attacks on our information technology systems (legitimate interest to efficiently perform or manage TripIt’s business operation and assert or defend itself against legal claims); GDPR Article 6.1 (a) if it is necessary that we ask you for your consent to process your Personal Data; or equivalent legal permissions under other relevant national laws, when applicable.

Cookies and similar tools

When tracking and evaluating the usage behavior of users of our services by means of cookies or similar technologies, TripIt is processing your Personal Data on the basis of the following legal permissions: GDPR Article 6.1 (a) if it is necessary that we ask you for your consent to process your Personal Data; GDPR Article 6.1 (b) if necessary to fulfill (pre-)contractual obligations with you; or equivalent legal permissions under other relevant national laws, when applicable.

Collection of data from third parties, including publicly available sources

When collecting Personal Data about you from third parties, the legal basis for the collection by TripIt or the local TripIt group entity may be based on: GDPR Article 6.1 (a) if it is necessary that we or the third party transferring your Personal Data to TripIt has asked you for your consent to process your Personal Data, GDPR Article 6.1 (c) if necessary to fulfill legal requirements under European Union or EU Member State law to which TripIt is subject; GDPR Article 6.1 (f) if necessary to fulfill laws and regulations extraterritorial to the EU (legitimate interest to comply with extraterritorial laws and regulations) or to maintain our business relationships with you, ensure your satisfaction as a user, and provide you with information about other TripIt products and services as indicated by your interest or demand (legitimate interest to operate sustainable business relationship with TripIt users); or equivalent legal permissions under other relevant national laws, when applicable.

Offering TripIt products and services

When engaging in marketing activities, TripIt is processing your Personal Data on the basis of the following legal permissions: GDPR Article 6.1 (a) if your consent is required by law for TripIt to process your data for this purpose; GDPR Article 6.1 (f) to maintain our business relationships with you, to ensure your satisfaction as a user, to map the relevant group internal structures and bundle relevant business activities at central sources within the SAP Group to operate them uniformly and to provide you with information about other TripIt products and services as indicated by your interest or demand, which may also comprise the combination about you from different sources (profiling) (legitimate interest to maintain and operate intelligent and sustainable business processes in a group structure optimized for the division of labor and in the best interest of our employees, customers, partners, and shareholders and to operate sustainable business relationship with TripIt users). TripIt may provide you with this information to your postal address to pursue our legitimate interest to address users for the purpose of advertising our products and services, to your email address for the purpose of direct marketing of similar products or services provided that we (i) received your email address in connection with the purchase of our products or services, (ii) you did not object to the use of your email address for direct advertising and (iii) and we inform you in every approach that you may object to our use of your email address for marketing purposes at any time, and by other electronic means (e.g., telephone, MMS) to the extent permitted under applicable law, generally either explicit or presumed consent; or equivalent legal permissions under other relevant national laws, when applicable.

How does TripIt justify international data transfers?

As a global group of companies, SAP has group entities and uses third party service providers also in countries outside the European Economic Area (the “EEA”). TripIt, as part of the SAP group, may transfer your Personal Data to countries outside the EEA as part of TripIt’s international business operations. If we transfer Personal Data from a country in the EU or the EEA to a country outside the EEA and for which the EU Commission has not issued an adequacy decision, TripIt uses the EU standard contractual clauses to contractually require the data importer to ensure a level of data protection consistent with the one in the EEA to protect your Personal Data. You may obtain a copy (redacted to remove commercial or irrelevant information) of such standard contractual clauses by sending a request to privacy-request@concur.com. You may also obtain more information from the European Commission on the international dimension of data protection here.

B. Where TripIt is subject to certain privacy requirements in the United States, the following also applies:

U.S. Children’s Privacy

TripIt does not knowingly collect the Personal Data of children under the age of 13. If you are a parent or guardian and believe TripIt collected information about a child, please contact TripIt as described in this Privacy Statement. TripIt will take steps to delete the information as soon as possible. Given that TripIt websites and online services are not directed to users under 16 years of age and in accordance with the disclosure requirements of the CCPA, TripIt does not sell the Personal Data of any minors under 16 years of age.

C. Where TripIt is subject to certain privacy requirements in the United States in the State of California, the following also applies:

You have the right: to request from TripIt access to your Personal Data that TripIt collects, uses, or discloses about you; to request that TripIt delete Personal Data about you; to opt-out of the use or disclosure of your sensitive personal information; to non-discriminatory treatment for exercise of any of your data protection rights; and if you request access to your Personal Data, for such information to be portable, if possible, in a readily usable format that allows you to transmit this information to another recipient without hindrance.

In accordance with the disclosure requirements under the California Consumer Privacy Act (“CCPA”), TripIt does not sell or share your Personal Data. In the course of our business activities, we may share Personal Data with third parties, or permit third parties to collect data across various TripIt websites.

Data Subject Access Requests:

TripIt receives Data Subject Access Requests from across the globe and works to ensure all valid requests where TripIt is the Controller are responded to within the appropriate timeframe. In accordance with the verification process set forth in the CCPA, TripIt will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data. If TripIt must request additional information from you outside of information that is already maintained by TripIt, TripIt will only use it to verify your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.

In addition to contacting TripIt at privacy-request@concur.com, you may also exercise your rights by contacting Concur Technologies, Inc., 601 108th Avenue NE, Suite 1000, Bellevue, WA 98004, USA, Attention: Privacy Manager/TripIt.

You can also designate an authorized agent to submit requests to exercise your data protection rights to TripIt. Such authorized agent must be registered with the California Secretary of State and submit proof that you have given authorization for the agent to act on your behalf.”

D. Where TripIt is subject to the requirements of the Brazilian General Data Protection Law (“LGPD”), the following also applies:

SAP has appointed a Data Protection Officer for Brazil. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to: Paulo Nittolo Costa, Email: webmaster@sap.com, Address: Avenida das Nações Unidas 14171 - Marble Tower - 7th Floor - São Paulo-SP, Brazil 04794-000

E. When TripIt is subject to the requirements of the Malaysian Personal Data Protection Act ("PDPA"), a Malaysian Bahasa version of this privacy statement may be made available.

F. Where TripIt is subject to certain privacy requirements in the Philippines, the following also applies:

For individuals within the Philippines, to exercise your rights you can call or write to TripIt to submit a request at: webmaster@sap.com, Phone: +632-8705-2500, Address: SAP Philippines, Inc., Attn: Data Protection Officer, 27F Nac Tower, Taguig City 1632, Philippines. The following provisions apply to residents and citizens of the Philippines: You may claim compensation as finally awarded by the National Privacy Commission or the courts if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data, considering any violation of your rights and freedoms as a data subject; If you are the subject of a privacy violation or Personal Data breach or are otherwise personally affected by a violation of the Data Privacy Act, you may file a complaint with the National Privacy Commission. Your Transmissibility Rights. Your lawful heirs and assigns may invoke your rights at any time after your death or when you are incapacitated or incapable of exercising your rights.

G. Where TripIt is subject to the requirements of the Singapore’s Personal data Protection Act (“PDPA”), the following also applies:

TripIt has appointed a Data Protection Officer for Singapore. Written inquiries, requests or complaints to our Data Protection Officer may be addressed to Subject: [Attn.] Tina Bhatia, DPO (Singapore), Email: webmaster@sap.com, Address: Mapletree Business City, 30 Pasir Panjang Rd, Singapore 117440, Contact: +65 6664 6868.

H. Where TripIt is subject to the requirements of the Protection of Personal Information Act, 2013 (“POPIA”) in South Africa, the following also applies:

“Personal data” as used in this Privacy Statement means Personal Information as such term is defined under POPIA. “You” and “Your” as used in this Privacy Statement means a natural person or a juristic person as such term is used under POPIA. Systems Applications Products (Africa Region) Proprietary Limited & Systems Applications Products (South Africa) Proprietary Limited with registered address at 1 Woodmead Drive, Woodmead (SAP South Africa) is subject to South Africa’s Protection of Personal Information Act, 2013 (Act 4 of 2013) and responsible party under the POPIA. Should you as an individual or a juristic person believe that SAP South Africa as responsible party has utilized your personal information contrary to POPIA, you undertake to first attempt to resolve any concerns with SAP South Africa. webmaster[@]sap.com. phone: 011 325 6000, Address: 1 Woodmead Drive, Woodmead, Johannesburg South Africa 2148. If you are not satisfied with such process, you have the right to lodge a complaint with the Information Regulator, using the contact details listed below: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, P.O. Box 31533, Braamfontein, Johannesburg, 2017, Email: complaints.IR[@]justice.gov.za, Enquires: inforeg[@]justice.gov.za. You may request details of personal information which we hold about you under the Promotion of Access to Information Act 2 of 2000 (“PAIA”). For further information please review the SAP PAIA manual.

I. Where TripIt is subject to certain privacy requirements in Turkey, the following also applies:

When TripIt is collecting Personal Data during the central operation of this website and other globally operated TripIt business activity for residents and citizens of Turkey and in a manner subject to the requirements of the Law on the Protection of Personal Data #6698 (“LPDP”) in Turkey, your data controller is: SAP Türkiye Yazilim Üretim ve Ticaret A.Ş, located in Emaar Square Ofis Kulesi, Libadiye Cd No:82-F D:Kat: 17-18, 34700 Ünalan/Üsküdar/İstanbul with MERSİS No: 744017604300017 and phone number: +90 216 330 03 00.

J. Other

China-Specific Provisions apply to citizens of the People’s Republic of China.

Colombia-Specific Provisions apply to citizens of the Republic of Colombia.

K. Language

This Privacy Statement is written in the English language. If any translated versions of this Privacy Statement conflict with the English language version, the English language version of this Privacy Statement shall control.