Data in transit
All communication between your device and our servers is encrypted with TLS 1.3. We do not accept unencrypted traffic.
Who can see what
Organizers
Teachers and trip leaders see only the student fields their organization is authorized to view. Sharing toggles per organization let guardians limit what's visible to a given school. Organizers see only the trips they create or co-own.
Chaperones
Chaperones see only the students in their assigned group, and only the fields needed to chaperone safely (basic identity, allergies, medical alerts, group, bus).
Guardians
Guardians see only the children they've claimed, plus the trips those children are enrolled in. Guardians control which fields each organization can read.
Us (Wondernook Studios)
Our team accesses customer data only when responding to an explicit support request or investigating a security or abuse incident. Production access is audited.
Sensitive student records
Expiring file links
Files in storage are accessed through time-limited signed URLs. Medical documents expire in 1 hour, permission slips in 7 days, and trip photos in 30 days.
Immutable audit log
Meaningful changes to a student record write an entry to a tamper-evident audit log. Sensitive field values are redacted in the log itself.
Verified guardian claims
Guardian claim tokens are emailed to the parent and require a date-of-birth match to redeem. The token is stored only as a SHA-256 hash.
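The redemption flow this describes, written out as an added example that is not the Trip Binder's own code. It assumes an in-memory store and ISO-formatted dates of birth: the raw token leaves the server once (by email), only its SHA-256 digest is kept, and redeeming requires a date-of-birth match on an unexpired, unused token.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store of issued claims, keyed by SHA-256 of the token.
# Assumption: a real deployment persists this table in the database; the raw
# token itself is never written anywhere server-side.
CLAIMS = {}

def issue_claim(child_id, child_dob_iso, now, ttl_seconds=7 * 24 * 3600):
    """Mint a claim token for a guardian. Returns the raw token exactly once
    (to be emailed); only its SHA-256 digest is stored."""
    token = secrets.token_urlsafe(32)          # 256 bits of entropy
    digest = hashlib.sha256(token.encode()).hexdigest()
    CLAIMS[digest] = {
        "child_id": child_id,
        "dob": child_dob_iso,                  # e.g. "2015-03-09"
        "expires": now + ttl_seconds,          # epoch seconds
        "redeemed": False,
    }
    return token

def redeem_claim(token, dob_entered_iso, now):
    """Redeem a token. Returns the child id on success, otherwise None.
    Every failure path returns the same value, so a caller cannot tell a
    bad token from a bad date of birth or an expired claim."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    # Lookup by digest is fine here: the token is high-entropy, so the timing
    # of a hash-table miss reveals nothing useful.
    record = CLAIMS.get(digest)
    if record is None:
        return None
    if record["redeemed"] or now >= record["expires"]:
        return None
    # The date of birth is the second factor; compare it in constant time.
    if not hmac.compare_digest(record["dob"].encode(), dob_entered_iso.encode()):
        return None
    record["redeemed"] = True                  # single use
    return record["child_id"]
```

A database breach exposes only digests, which cannot be turned back into a redeemable token, and the DOB check means a leaked email alone is not enough to claim a child.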
File type validation
File uploads are inspected by content rather than by extension. Mismatches are rejected before they're written.
Passwords & account security
Passwords are never stored in readable form
We store only a one-way cryptographic hash of your password. Even in the event of a database breach, your actual password cannot be recovered from what we store.
Sign in with Google or Apple
If you use social sign-in, your password never passes through our systems. We receive only your name and email from the authentication provider.
CAPTCHA on every sign-in
Sign-in, sign-up, and password reset are protected by Cloudflare Turnstile to slow automated abuse.
Two-factor authentication
Time-based one-time codes (TOTP) can be added to your account from the Account screen.
Infrastructure
The Trip Binder is built on industry-standard, audited cloud infrastructure. Data is handled by Amazon Web Services, Supabase, Google Firebase, and Stripe.
What we will never do
- Sell or rent student data to anyone, for any reason
- Use student data for advertising, profiling, or any purpose unrelated to trip management
- Run advertising trackers on any page of the app or website
- Store your password in readable form
- Store your payment card details (payments go through Stripe and Apple)
- Allow chaperones to see students outside their assigned group
- Share data with third parties outside our listed infrastructure providers
Regulatory compliance
FERPA
We act as a service provider processing student education records on behalf of schools and process those records only as directed by the school.
COPPA
Students do not create accounts or directly interact with the service as registered users. Student data is provided by organizers and managed by linked guardians.