← Back to home

Privacy Policy

Last Updated: 12 June 2026

1. Introduction

TravelCS ("TravelCS", "we", "our", or "us") respects your privacy and is committed to protecting your personal information.

This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website, platform, applications, and services.

2. Information We Collect

We may collect the following categories of information:

Account Information

• Name
• Email address
• Phone number
• Company information
• User account credentials

Business Information

• Booking information
• Customer communications
• Operational and business data uploaded to the platform

Technical Information

• IP address
• Browser type
• Device information
• Log data
• Usage analytics

Connected Third-Party Services

When authorized by you, we may access information from connected services such as Google Workspace and Gmail.

3. How We Use Information

We use information to:

• Provide and maintain our services
• Deliver AI-powered customer service solutions
• Process customer enquiries
• Improve operational workflows
• Communicate with users
• Improve platform performance
• Maintain security and prevent abuse
• Comply with legal obligations

4. Google API Services

TravelCS may access Google user data when users explicitly authorize integration with Google services.

Data obtained through Google APIs is used solely for providing and improving the functionality requested by the user.

TravelCS does not sell, rent, or share Google user data with third parties for advertising purposes.

TravelCS's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Sharing

We may share information with:

• Infrastructure and hosting providers
• AI service providers necessary for platform functionality
• Payment processors
• Legal authorities when required by law

The complete, up-to-date register of sub-processors (Supabase, Lovable, Google, Microsoft, Resend) — including hosting region, data categories and the DPA they sign with us — is published at /sub-processors. Operators can sign our standard Art. 28 GDPR Data Processing Agreement at /dpa. The full Art. 30 Record of Processing Activities is at /ropa.

We do not sell personal information.

6. Data Retention

We retain information only as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce agreements. The full per-category retention schedule (operator accounts, landing leads, booking leads, channel messages, AI drafts, DSAR records, breach register, security logs and backups) is published at /retention. Our cookie and online-identifier inventory is at /cookies.

Key documented periods enforced by automated jobs (see /retention for the full schedule):

• Landing / marketing leads: retained for a maximum of 30 days from capture, then automatically deleted by our daily retention job (rule R2/R3).
• Online identifiers attached to landing leads (IP address, User-Agent, Referrer): masked or nullified after 48 hours by an hourly minimisation job (rule R2-minimisation). IPs are reduced to a coarse network prefix, User-Agent is nullified, and Referrer is truncated to scheme + host only.
• Unconfirmed or unassigned admin / auth accounts: automatically purged after 24 hours (rule R12).
• Operator deletion backups: kept for the documented restore window, then automatically purged (rule R11).

7. Security

We implement reasonable administrative, technical, and organizational safeguards designed to protect personal information.

No internet-based service can guarantee absolute security.

8. Your Rights

Depending on your location, you may have rights to:

• Access your information
• Correct inaccurate information
• Request deletion of information
• Restrict processing
• Object to processing
• Request data portability

To exercise these rights, use our Data Subject Access Request form or contact us using the details below. We respond within 30 days (Art. 12(3) GDPR).

8a. Security Incident Response

If you believe your personal data has been affected by a security incident, see our Security Incident Response Plan for how we triage, contain and notify supervisory authorities within 72 hours (Art. 33 GDPR) and affected subjects when required (Art. 34 GDPR).

9. International Data Transfers

Personal data is hosted in the EEA by default. Where a sub-processor unavoidably processes data outside the EEA, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Module 2 / Module 3) as the transfer mechanism, supplemented by the EU–US Data Privacy Framework where applicable and encryption in transit and at rest. The SCC basis and per-sub-processor transfer details are listed at /sub-processors and §7 of our DPA.

10. Changes to this Policy

We may update this Privacy Policy from time to time. Updates will be published on this page.

11. Contact

TravelCS
Email: info@travelcs.ai
Website: https://www.travelcs.ai