Inspiration

This started with my own suitcase. Every time I travel, my agency sends me the trip as fifteen separate PDFs — one per flight leg, the hotel voucher, an insurance policy per passenger, the transfers. By the time I'm at the check-in counter and someone asks for my confirmation number, I'm scrolling through a dozen attachments trying to find it. And the one time I really needed tomorrow's pickup time — somewhere with no signal — the PDF simply wouldn't open.

The information already existed. It was just trapped in the wrong format, in the wrong place, at the wrong moment. So I set out to build the thing I wished my agency could hand me: the whole trip in one link, that works even offline.

One more thing about how this was built: I'm not a programmer. I designed HolaTrip and built it with Claude Code as my pair — I make the product, architecture and security decisions, and the AI writes the code under that direction. This project is, in itself, a small proof of what that collaboration can ship: a production, security-hardened, multi-tenant SaaS.

## What it does

HolaTrip turns a pile of booking PDFs into one clean trip.

  • An agent drops in every PDF — flights, hotels, insurance, transfers — and AI reads all of them in about 30 seconds, assembling the trip automatically.
  • The traveler opens a signed link (no account, no install) and sees the whole trip in one branded view. The confirmation number is one tap away.
  • It's white-label: the link carries the agency's own name and colors — the traveler sees their agency, never "HolaTrip".
  • The entire trip lives on the device, so it works fully offline — at the counter, on the plane, or with no signal at all.
  • Behind the scenes, every AI extraction is logged to Amazon DynamoDB(fire-and-forget, zero personal data), powering a live dashboard that shows the real cost per agency in real time. One tap when it matters most. Need to activate the insurance abroad? The traveler taps WhatsApp or SMS and their phone's native app opens with everything already filled in — the recipient number, plus their name, document and policy number — ready to send. No digging through a dozen PDFs for a policy number and an emergency contact while you're stressed and far from home.

## What it means for the agency

The customer here is the travel agency — so the product is built around their day:

  • White-label, their brand front and center. Every trip looks like the agency's own premium product: their name, their colors. HolaTrip stays invisible.
  • No re-typing. The agent drops in the PDFs they already have and the AI does the rest — no manual data entry, ~30 seconds per trip.
  • Fewer "where's my booking?" messages. Travelers self-serve the whole trip, even offline, which cuts down the back-and-forth that eats an agent's day.
  • An organizer, not a replacement. HolaTrip references the providers' bookings and links — it never competes with them, it just puts everything in one place.
  • Cost and margin visibility per agency, in real time, from the AI-usage ledger.

## How I built it

  • Frontend + functions on Vercel (Next.js 16, App Router), running in production across two apps: the agency operator and the traveler view.
  • AI via the Vercel AI Gateway routing to Google Gemini 2.5 Flash for multimodal PDF → structured-data extraction, behind a provider-agnostic adapter (no lock-in).
  • Supabase (Postgres + RLS + Auth + Storage) for multi-tenant data and encrypted PDF storage.
  • White-label by design: each agency picks from a curated color palette and gets its own URL slug, so the traveler view is branded per agency with no custom work.
  • AWS DynamoDB as the AI-usage ledger: one record per extraction, with the real cost read straight from the Gateway response — never a hardcoded price.
  • The traveler app is a PWA that caches the whole trip on first open, so it survives going offline.

## Security (built in from day one)

Travelers' documents are sensitive, so security wasn't an afterthought:

  • Multi-tenant isolation enforced by Postgres RLS — one agency can never see another's data. I ran a pentest against the live production app: zero cross-tenant leaks, brute-force login throttled, internal functions not exposed.
  • PII encrypted at rest (pgcrypto + Vault); PDFs stored encrypted and auto-deleted on a schedule.
  • The traveler link is a signed, opaque JWT token — non-enumerable, expirable, and revocable, and it expires automatically after the trip ends.
  • Document numbers are masked on screen to defend against shoulder-surfing.
  • Zero PII ever leaves for AWS — the cost ledger carries only IDs and numbers.

## Challenges I ran into

  • Speed is existential. If extraction takes minutes, the product has no reason to exist. The fix was parallelism — reading PDFs concurrently through Route Handlers instead of serialized server actions.
  • A real batch broke everything. A 16-PDF trip read zero documents: a hidden all-or-nothing file limit rejected the whole batch and swallowed the error silently. I reworked it to read in batches and never fail quietly.
  • Bugs that only show up in production. Dates arriving as JSON strings (not Date objects) made duplicate-detection go blind; offline cold-start behaves differently on iOS Safari than on Chromium.
  • Directing a build without writing the code. Working through Claude Code meant I had to get sharp at describing what and why — the architecture and the edge cases — instead of the how.

## Accomplishments I'm proud of

  • It's live in production on real domains, and validated end-to-end with real, multi-PDF trips (16-PDF itineraries read correctly).
  • Security that holds up: RLS-enforced multi-tenancy that survived a production pentest with zero cross-tenant leaks.
  • Honest economics: I can tell you the exact AI cost of any trip.
  • A non-programmer shipped a production, multi-cloud, white-label SaaS.

## What I learned

  • The hard parts (AI extraction) tend to go fine; the basic criteria (a file limit, a date type) are what bite you. Design review beats more tests.
  • Multi-cloud doesn't have to mean complexity: Vercel + AWS + Google + Supabase, each doing the one thing it's best at, glued by thin agnostic adapters.
  • With clear product thinking, the gap between "non-programmer" and "shipped a secure SaaS" is mostly direction, not syntax.

## What's next

  • Onboarding my first agencies and turning the AI-cost ledger into a real margin and pricing tool.
  • An installable PWA with push notifications (one-tap home-screen access).
  • Wiring real payments and subscriptions to close the loop on the business.

Built With

Share this project:

Updates