When you sign up for PassportTrail and get started logging your travel history, you're trusting us with information that matters. Your travel history. Your passport number. Your family members' details. Your date of birth and nationality.
We don't take that lightly. Here's exactly what we do to protect it — not in legal language, but in plain English.
Your passport number is encrypted
This is the most sensitive piece of data PassportTrail holds. We encrypt every passport number using AES-256-CBC — the same encryption standard used by banks and governments worldwide.
What that means in practice: your passport number is never stored as readable text in our database. It's encrypted the moment you save it, and only decrypted when you need to see it — on your screen, in your session, never anywhere else. Even if someone somehow accessed our database directly, they would see meaningless encrypted text, not your passport number.
The encryption key is stored separately from the data, server-side only. It never touches your browser.
Your data is stored in enterprise-grade infrastructure
PassportTrail runs on Supabase, hosted in Seoul, South Korea. Supabase is built on PostgreSQL and used by thousands of companies worldwide — it meets enterprise security standards including SOC 2 compliance.
All data is encrypted at rest and in transit. Every connection to PassportTrail uses HTTPS — your data is encrypted between your device and our servers at all times.
Cloudflare sits in front of everything
Before any request reaches PassportTrail, it passes through Cloudflare — one of the world's largest network security companies. Cloudflare handles DDoS protection, bot detection, IP reputation filtering, and SSL at the network level.
This means automated attacks, credential stuffing attempts, and malicious traffic are blocked before they ever reach our application.
We use cookie-free analytics
Most websites track you across the internet using advertising cookies. We don't. PassportTrail uses Plausible Analytics — a privacy-first, cookie-free analytics tool that tells us how many people visit which pages, nothing more.
We don't know who you are from analytics. We don't track your behaviour across other websites. We don't build advertising profiles. We don't sell analytics data.
Rate limiting and bot protection on every form
Every form on PassportTrail — login, signup, waitlist, contact — has rate limiting built in. If someone tries to brute-force a password or flood our system with fake signups, they hit a hard limit and get blocked.
We also use honeypot fields on public forms — invisible fields that humans never fill in but bots always do. Any submission that triggers the honeypot is silently discarded.
We will never sell your data
PassportTrail's business model is subscriptions. You pay us directly for a useful product. That's it.
We have no advertising partnerships. We have no data broker relationships. We don't sell anonymised travel data, aggregated location data, or any other derivative of your information to any third party.
Our incentive is to make PassportTrail genuinely useful so you keep subscribing. Not to extract value from your data behind your back.
Your GDPR rights — and how to use them
Regardless of where you live, PassportTrail gives you full GDPR-standard rights over your data:
Right to access — download a complete copy of everything we hold about you, in JSON format, from your account settings.
Right to deletion — delete your account and all associated data permanently from your account settings. Type DELETE to confirm. This cannot be undone and we don't retain your data after deletion.
Right to correction — edit your profile, trips, passports, and visa information directly from the app at any time.
Right to portability — your data export is in JSON format, machine-readable, usable anywhere.
These aren't things you need to email us to request. They're built into the product, available to you directly, any time.
What we don't do
We don't share your data with third parties except where strictly necessary to operate the service — for example, sending you a transactional email requires passing your email address to our email provider (Resend), under a data processing agreement.
We don't use your travel data to train AI models. We don't sell your email address to marketers. We don't monetise your behaviour.
If that ever changes — if we are acquired, if our business model changes, if we need to update this — we will tell you clearly and give you the option to delete your account before any change takes effect.
Your travel history is yours. PassportTrail is the travel history tracker where you keep it — and these are the protections we put in place to earn that trust.
