Trip Memories is a per-trip photo shelf inside the client portal. Travelers upload pictures from their phone while they're away (or after they're home), captioned and timestamped, and see them alongside the rest of the trip. Memories are private to the travelers on the trip — your agency team cannot view them.
Where it lives
When a client signs in to the portal and opens their trip, the Memories tab sits alongside the trip's overview, itinerary, files, and messages. Empty state shows an Upload photos button; once there are memories the shelf renders as a chronological grid, newest first.
Each memory shows a thumbnail, the caption (if any), the uploader's name, and the date the photo was taken — pulled from the EXIF data if the phone embedded it, otherwise the upload date. Tapping a thumbnail opens the medium-size view in a lightbox; tapping again downloads the original.
Uploading
From the empty state or the toolbar at the top of the shelf:
The traveler taps Upload photos.
They pick photos from their phone or computer (up to 30 at a time; 50 MB per file).
They optionally add a caption that applies to the whole batch.
Each photo is uploaded, scanned for malware, thumbnailed, and encrypted at rest before it appears in the grid.
Captions can be edited or photos deleted later — but only by the traveler who uploaded them. Other travelers on the trip can see the photos but can't edit or remove them. That's a courtesy guard, not a security boundary — it stops one family member accidentally clobbering another's captions.
Agent-blind by design
Memories are deliberately invisible to the agency. There is no agent-side route, no list in the trip detail page, no preview in the dashboard. The portal layer is the sole authorization point — the photos never appear in any agent surface.
The portal UI surfaces this guarantee to clients on every page load via a small privacy callout, so they know what to expect. Don't promise clients anything that breaks the contract — this is a load-bearing trust feature.
Storage and security
Encrypted at rest. Every variant (thumbnail, medium, original) is AES-256-GCM encrypted before it hits object storage. Photos can only be served by streaming the decrypted bytes back through the portal after the auth guard passes.
Virus-scanned on upload. Each file is scanned before it lands in the shelf. Anything flagged is rejected on the spot.
Private bucket. Photos are stored in a private R2 bucket; there is no public URL to share or guess. URLs that point at memory images only work for a signed-in traveler on the trip.
Turning Memories off
If you don't want any of your trips offering a Memories tab — for example you run a luxury host program where clients prefer a no-tech experience — you can disable it agency-wide.
Open Settings → Client portal.
Toggle Trip Memories off and save.
The Memories tab disappears from every trip in your org. Existing photos are NOT deleted — they're just inaccessible until you flip the toggle back on.
Troubleshooting
A client says they uploaded but the photo isn't showing up.
Most often: it failed virus scanning or exceeded the 50 MB per-file cap. The upload UI shows per-file errors at the time of upload — ask the client to look for a red row, or retry the upload smaller.
Can I see how many photos a client has uploaded?
No. Counts and bytes are agent-blind alongside the photos themselves. If you need to confirm uploads happened (e.g. for a marketing case study), ask the client.
A traveler deleted a photo by mistake — can we recover it?
We keep soft-deleted memories for a short window before they're purged; open a support ticket fast with the trip ID and a description of the photo. After the purge window there's no recovery.