Travyxo — Privacy Policy
Effective date: {{EFFECTIVE_DATE}}
Last updated: {{LAST_UPDATED_DATE}}
Version: 1.0-draft
Plain-English summary. Travyxo is a tool that tour operators use to build and share travel itineraries. This policy explains what personal data we collect (about tour-company staff, about end travelers, and about people who open shared itinerary links), why we collect it, who we share it with, how long we keep it, and what rights you have. If you only have a moment: we are a processor for tour companies' end-traveler data and a controller for our customers' own account data; we do not sell personal information; you can contact us at {{PRIVACY_EMAIL}}.
Status. This is a draft pending legal review.
1. Who we are and how to contact us
{{COMPANY_LEGAL_NAME}} ({{COMPANY_TRADING_NAME}}) of {{COMPANY_ADDRESS}} operates the Travyxo service at {{WEBSITE_URL}} and {{APP_URL}}.
- Privacy contact: {{PRIVACY_EMAIL}}
- Data Protection Officer: {{DPO_EMAIL}} (omit this line if no DPO appointed)
- EU Article 27 representative: {{EU_REP_NAME}}, {{EU_REP_ADDRESS}} (omit if not appointed)
- UK Article 27 representative: {{UK_REP_NAME}}, {{UK_REP_ADDRESS}} (omit if not appointed)
2. Which part of this policy applies to you
Travyxo serves three audiences. The collection and use sections below are labelled accordingly.
- You are a Travyxo customer or staff member if you signed up for a Travyxo account to manage tour packages for a tour company. See §§3a, 4a.
- You are an end traveler if a tour company has entered your information into Travyxo, you have submitted an intake form on a tour company's behalf, or you use the Client Portal. See §§3b, 4b.
- You are a shared-itinerary viewer if you opened a link of the form {{APP_URL}}/i/<token> to view an itinerary. See §§3c, 4c.
For each audience, Travyxo's role under data-protection law differs:
| Audience | Travyxo's role |
|---|---|
| Customers and their staff | Controller |
| End travelers | Processor on behalf of the relevant tour company (which is the Controller) |
| Shared-itinerary viewers | Controller for technical request data |
3. Personal data we collect
3a. Customers and staff
| Category | Examples | Source |
|---|---|---|
| Identity | Name, email address | You / Clerk during signup |
| Authentication metadata | Account creation date, last sign-in, IP at sign-in, session identifiers | Clerk |
| Billing identifiers | Stripe customer ID, billing email, last-4 of card, billing country | Stripe |
| Usage information | Features used, pages viewed, packages created, error events | Automatic |
| Device and request metadata | IP address, browser type, operating system, time zone | Automatic |
| Communications | Support emails, in-app messages | You |
3b. End travelers
| Category | Examples | Source |
|---|---|---|
| Identity and contact | Name, email, phone, nationality | The tour company, or you (via intake form / Client Portal) |
| Travel details | Arrival and departure dates, tour interest description, notes | The tour company, or you |
| Account credentials | Client Portal login credentials (password stored in hashed form; email stored in plaintext) | You (when you create a Client Portal account) |
| Chat and message history | Messages exchanged with tour-company staff via the Client Portal | You and the tour company |
| Profile information | Any profile fields you complete in the Client Portal | You |
3c. Shared-itinerary viewers
| Category | Examples | Source |
|---|---|---|
| Request metadata | IP address, browser, time of access, share token | Automatic |
No account data is collected from viewers, and no marketing or analytics cookies are set without consent.
4. How we use your data and our legal bases
4a. Customers and staff
- Provide and operate the Service — Lawful basis: performance of a contract with you / your employer.
- Billing and tax — Lawful basis: performance of a contract; legal obligation (tax records).
- Security, fraud prevention, and abuse handling — Lawful basis: legitimate interest in protecting the Service and other Customers.
- Product improvement — Lawful basis: legitimate interest in understanding and improving the Service. We use only the minimum data needed and prefer aggregated views.
- Service communications (transactional emails, security notices) — Lawful basis: performance of a contract.
- Optional marketing communications — Lawful basis: consent (opt-in). You can withdraw at any time via the unsubscribe link in any marketing email.
4b. End travelers
For end-traveler personal data, the tour company is the Controller and decides why and how the data is used. Travyxo is a Processor and acts only on the tour company's instructions, as set out in the Data Processing Agreement at ./dpa.md.
Travyxo's processing on the tour company's behalf typically covers: storing and retrieving traveler details to build itineraries, generating PDF and shareable-link itineraries, supporting Client Portal accounts (sign-in, password reset, profile management), and delivering transactional emails (where the tour company has configured them).
To exercise data-protection rights in respect of your end-traveler data, contact the tour company directly. We will forward any request received directly from you to the tour company without further action, except to acknowledge receipt.
4c. Shared-itinerary viewers
Request metadata is processed to deliver the itinerary content and to detect abuse. Lawful basis: legitimate interest in operating the Service securely. The data is not used to build a profile of you and is not sold or shared for advertising.
5. How we share your data
We share personal data only as follows:
- Within Travyxo — on a need-to-know basis among authorized personnel.
- With sub-processors — service providers acting on our instructions under appropriate data-protection terms. The full list, with categories of data and locations, is in DPA Annex III.
- With the relevant tour company — for end-traveler data, the tour company that entered your data (or whose intake form you submitted) receives it; that is the purpose of the Service.
- With law-enforcement or regulatory authorities — when we are legally required to do so or to protect rights, safety, or property.
- In corporate transactions — if Travyxo is involved in a merger, acquisition, financing, or asset sale, personal data may be transferred subject to the protections in this policy.
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising under CCPA/CPRA.
6. International data transfers
Travyxo operates infrastructure in regions determined by deployment configuration; some processing happens outside the EEA and the UK, including in the United States. Where personal data is transferred to a country without an EEA / UK adequacy decision, we rely on:
- the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and
- the UK International Data Transfer Addendum to those clauses,
as incorporated into the Data Processing Agreement at ./dpa.md.
Sub-processors that receive personal data and their locations and transfer mechanisms are listed in DPA Annex III. Those sub-processors include: Clerk, Inc. (authentication); Stripe, Inc. (payments); Neon, Inc. (database); Cloudflare, Inc. (R2); Vercel, Inc. (hosting); Resend, Inc. (email); Upstash, Inc. (caching); Google LLC (Maps Platform); and Svix, Inc. (webhook delivery).
You can request a copy of the safeguards by writing to {{PRIVACY_EMAIL}}.
7. Data retention
| Category | Retention period |
|---|---|
| Customer account data | While the account is active, plus up to 60 days after termination (a 30-day export window followed by deletion from active production systems within 30 days) |
| End-traveler data | Per the tour company's instructions; by default, retained until the tour company deletes it or until the tour company's account is terminated plus up to 60 days (consistent with the 30-day export window and subsequent 30-day deletion period in DPA §13) |
| Billing records (invoices, tax records) | 7 years, to meet legal accounting obligations |
| Support correspondence | 24 months from last interaction |
| Security and audit logs | 12 months |
| Shared-itinerary access logs | 90 days |
After the retention period expires, data is deleted from production systems and removed from backups in line with the standard backup rotation (7-day point-in-time recovery window; see DPA Annex II).
8. Your rights
8a. EEA and UK
If you are in the EEA or the UK, you have the following rights under the GDPR or UK GDPR:
- Access to your personal data.
- Rectification of inaccurate or incomplete data.
- Erasure (the "right to be forgotten"), subject to legal-retention exceptions.
- Restriction of processing.
- Data portability (where processing is based on consent or contract and carried out by automated means).
- Objection to processing based on legitimate interests.
- Withdrawal of consent (where processing is based on consent), without affecting prior lawful processing.
- The right to lodge a complaint with your local supervisory authority.
To exercise these rights for data we control, email {{PRIVACY_EMAIL}}. We may need to verify your identity before responding. We respond within one month and may extend by up to two further months for complex requests, with notice. For end-traveler data, contact the relevant tour company.
8b. California (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we have collected, used, disclosed, and (if any) sold or shared.
- Delete personal information, subject to exceptions.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information. Travyxo does not sell or share personal information for cross-context behavioral advertising.
- Limit the use of sensitive personal information. Travyxo does not knowingly collect sensitive personal information for inferring characteristics about you.
- Non-discrimination for exercising your rights.
You may use an authorized agent. To make a request, email {{PRIVACY_EMAIL}}. We respond within 45 days and may extend once by 45 days, with notice.
Categories collected in the past 12 months (CCPA Notice at Collection):
- As a business / controller (for Travyxo customer accounts): identifiers (name, email, IP address), commercial information (billing data), internet activity (usage logs), professional information (job role within your tour company).
- As a service provider (for end-traveler personal data on the tour company's instructions): identifiers (name, email, phone, nationality), customer records (travel dates, tour interest, free-form notes), internet/electronic activity (Client Portal session metadata, chat content).
We do not collect biometric, precise-geolocation (beyond approximate IP-based), or sensitive identifiers. Categories are disclosed to the sub-processors listed in DPA Annex III for the purposes described in §4. For end-traveler categories, the tour company is the "business" under CCPA/CPRA and Travyxo acts as a "service provider"; California residents seeking to exercise rights over end-traveler data should contact the relevant tour company.
If Travyxo denies a rights request, you may appeal by replying to the denial notice or by writing to {{PRIVACY_EMAIL}} within 60 days. We will respond to appeals within 60 days. If we deny your appeal, you may lodge a complaint with the California Privacy Protection Agency or the California Attorney General.
8c. Other regions
Where local law grants similar rights, we will honour them on a best-effort basis. Contact {{PRIVACY_EMAIL}}.
9. Cookies
Travyxo uses a small set of cookies and similar local-storage technologies — strictly necessary (sign-in, security, routing), one functional cookie for your theme preference, and one localStorage key for builder UI state. We do not currently use analytics or advertising cookies. Full details are in our Cookie Policy.
10. Children's privacy
The Service is not directed at children under 16, and we do not knowingly collect personal data from children. If you believe we hold data about a child, contact {{PRIVACY_EMAIL}} and we will delete it.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls enforced through Clerk, multi-factor authentication for production access, application-level tenant isolation backed by PostgreSQL Row-Level Security, audit logging, and documented incident response procedures. The full set of measures is in DPA Annex II. No security is perfect; if we become aware of a breach affecting your data, we will notify you in accordance with applicable law and within the timeframes committed to in our DPA.
12. Changes to this policy
We may update this policy from time to time. For material changes, we will give at least 30 days' notice to Customers via in-app banner and email to the address on file. The "Last updated" date at the top reflects the most recent revision.
13. Region-specific notices
EEA
If you are in the EEA, our Article 27 representative is {{EU_REP_NAME}} at {{EU_REP_ADDRESS}}. (Omit this section if no representative is appointed.)
United Kingdom
If you are in the UK, our Article 27 representative is {{UK_REP_NAME}} at {{UK_REP_ADDRESS}}. (Omit this section if no representative is appointed.)
California
The California-specific rights summary is in §8b above. To request information under California Civil Code §1798.83 ("Shine the Light"), email {{PRIVACY_EMAIL}}; we do not currently share personal information with third parties for their direct-marketing purposes.
