Privacy Policy

1. Introduction & Who We Are

This Privacy Policy describes how [Company Name, LLC](“TravelSync,” “we,” “our,” or “us”) collects, uses, discloses, and protects personal information when you use our collaborative travel planning platform, including our website, web application, and any related services (collectively, the “Service”).

This policy applies to all users of the Service, including trip organizers, collaborators, and visitors. Our Terms of Service govern your overall use of the Service and are incorporated here by reference.

If you have questions or concerns about this policy or our data practices, please contact us at the address in Section 14.

2. Information We Collect

We collect information in three ways: information you provide directly, information collected automatically, and information received from third parties.

2.1 Information You Provide Directly

• Account Information: Name, email address, and profile details when you register through Clerk authentication.
• Trip & Itinerary Data: Destination names, travel dates, trip notes, and any other content you enter to describe your trips.
• Booking Records: Details about flights, hotels, rental cars, tours, activities, and restaurants — including confirmation numbers, passenger names, dates, prices, and other booking details you input or upload.
• Uploaded Documents: Booking confirmation PDFs, email screenshots, or other travel documents you upload for AI-powered extraction.
• Collaboration Content: Suggestions, comments, votes, reactions, and checklist items you create within shared trip workspaces.
• Billing Information: Payment method details submitted for subscription billing. We do not store full card numbers; this data is processed and held by our payment processor, Stripe.
• Communications: Feedback, support requests, and other messages you send us.

2.2 Information Collected Automatically

• Usage Data: Actions taken within the Service (pages viewed, features used, timestamps), session identifiers, and interaction logs.
• Device & Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and referring URLs.
• Cookies & Similar Technologies: Session cookies, preference tokens, and authentication tokens are used to keep you logged in and remember settings. We do not currently use third-party advertising or tracking cookies. See Section 5 for details.
• AI Usage Logs: Metadata about AI processing requests (document type, model used, token counts, cost), used for billing, abuse prevention, and service improvement. The content of processed documents is not logged beyond what is necessary to populate your booking records.

2.3 Information from Third Parties

• Authentication Providers: If you sign in with a social login (e.g., Google), Clerk may share basic profile information (name, email, profile photo) with us to create your account.
• Payment Processors: Stripe provides us with subscription status, billing cycle, and payment outcome information, but does not share full card details.
• Affiliate & Referral Partners: If you access the Service via a referral link, the referring partner may share attribution data (such as a referral code or partner ID) with us.

3. AI Processing & Document Intake

3.1 How It Works

When you upload a travel document for AI-powered extraction, the content of that document is transmitted over encrypted connections to one or more of our AI model providers — currently OpenAI, Inc. and Anthropic, PBC— for processing. The AI model reads the document and returns structured booking data (e.g., flight details, confirmation numbers), which we then store in your trip workspace.

3.2 Data Shared with AI Providers

The following data is transmitted to AI providers when you use Document Intake:

• The full text or image content of your uploaded document;
• A system-level prompt describing the extraction task (no personal account data); and
• A session identifier used to associate the response with your request.

We have contractual agreements with our AI providers that restrict the use of your data. Under those agreements, your document content is used only to fulfill the extraction request and is not used to train AI models. However, you should be aware that third-party AI providers operate under their own data retention and security practices.

3.3 What We Recommend You Do Not Upload

While we take reasonable steps to secure your data, we recommend you avoid uploading documents containing:

• Government-issued ID numbers (passport, driver’s license, Social Security numbers);
• Full financial account or credit card numbers;
• Medical or health information; or
• Sensitive personal information about third parties who have not consented to this processing.

3.4 No AI Training on Your Data

TravelSync does not use your User Content or uploaded documents to train our own AI models or any third-party AI models. Our AI provider contracts include data processing restrictions consistent with this commitment.

4. How We Use Your Information

We use your information to:

• Provide and operate the Service — authenticate your identity, store and display your trips and bookings, and enable collaboration with trip members;
• Process AI document extraction — transmit uploaded documents to AI providers and return structured booking data to your workspace;
• Manage billing and subscriptions — process payments through Stripe, send billing notices, and manage your subscription plan;
• Send transactional communications — account confirmations, security alerts, payment receipts, and service notifications;
• Send marketing communications — product updates and promotional offers, subject to your opt-out rights;
• Improve the Service — analyze usage patterns, diagnose issues, and develop new features (using aggregated or de-identified data where possible);
• Enforce our Terms — detect and prevent fraud, abuse, and violations of our Terms of Service;
• Comply with legal obligations — respond to lawful requests from authorities, comply with applicable laws, and protect our legal rights;
• Support affiliate relationships — track referrals and calculate commissions owed to or from referral partners; and
• Facilitate travel booking connections — if you click a referral link to a third-party travel provider, share attribution data with that provider as described in Section 7.

5. Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

• Strictly Necessary: Session and authentication tokens required to log you in and maintain your session. These cannot be disabled without disrupting the Service.
• Functional: Preference cookies that remember settings such as theme, language, and last-viewed trip.
• Analytics: We may use privacy-respecting analytics tools to understand aggregate usage patterns. Where used, we configure these tools to anonymize IP addresses.

We do not currently use cross-site advertising cookies or sell data to advertising networks. You can manage cookie preferences through your browser settings, but disabling strictly necessary cookies will prevent you from logging in.

6. Legal Basis for Processing (EEA & UK Users)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

• Contract Performance: Processing necessary to provide the Service you have signed up for, including storing your trips, processing bookings, and managing your subscription.
• Legitimate Interests: Improving the Service, preventing fraud, enforcing our Terms, and maintaining Service security, where these interests are not overridden by your rights.
• Consent: AI document processing and marketing communications, where we rely on your explicit consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Legal Obligation: Processing required to comply with applicable laws.

7. Sharing of Information

We do not sell your personal information to third parties.

We share information only in the following circumstances:

7.1 Within Your Trip Workspaces

Trip members and collaborators you invite can see trip data, booking records, and collaboration content within the shared workspace, according to their assigned role and permissions. You control who has access to your trips.

7.2 Sub-Processors (Service Providers)

We engage the following categories of third-party service providers who process personal data on our behalf, subject to data processing agreements:

We may update this list as our sub-processors change. Material changes will be reflected in the revised policy.

7.3 Affiliate & Referral Partners

When you click a referral link to a third-party travel provider (such as an airline, hotel, or booking aggregator) from within the Service, we may share a referral identifier or attribution token with that provider so that TravelSync can receive a referral commission. We do not share your name, email address, or booking details with travel providers solely for commission attribution purposes. See our Terms of Service § 8 for full affiliate disclosure.

7.4 Legal Requirements & Protection

We may disclose your information if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation, court order, or government request; (b) enforce our Terms of Service; (c) protect the rights, property, or safety of TravelSync, our users, or the public; or (d) detect, prevent, or address fraud or security issues.

7.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice within the Service before your information becomes subject to a different privacy policy.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention practices:

• Account Data: Retained for the lifetime of your account, plus up to 90 days after account deletion to allow for recovery requests and fulfill legal obligations.
• Trip & Booking Data: Retained until deleted by a trip administrator or until your account is deleted.
• Uploaded Documents:Documents uploaded for AI processing are stored in our file storage system until you delete them or delete your account. Document content transmitted to AI providers is subject to those providers’ own retention policies (typically not retained beyond the immediate request).
• Billing Records: Transaction records retained for seven (7) years as required by tax and financial regulations.
• Audit Logs: System security and access logs retained for up to twelve (12) months.
• AI Usage Logs: Metadata (token counts, model, cost) retained for up to twelve (12) months for billing reconciliation and abuse prevention.

When retention periods expire, we delete or anonymize your information in accordance with our internal data lifecycle policies.

9. Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your personal information and account. Certain information may be retained for legal or safety reasons.
• Data Portability: Request an export of your trip and booking data in a structured, machine-readable format (where technically feasible).
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Objection: Object to processing based on legitimate interests, including direct marketing.
• Withdraw Consent: Where processing is based on consent (e.g., AI document processing, marketing emails), withdraw that consent at any time without affecting prior lawful processing.
• Opt Out of Sale / Sharing (CCPA):California residents have the right to opt out of the “sale” or “sharing” of personal information. We do not sell personal information. We do share limited attribution data with referral partners as described in Section 7.3; contact us to opt out.
• Non-Discrimination: We will not discriminate against you for exercising any privacy rights.

To exercise any of these rights, contact us at the address in Section 14. We will respond to verifiable requests within thirty (30) days (or forty-five (45) days where permitted by law). We may need to verify your identity before processing your request. EEA and UK residents have the right to lodge a complaint with their local data protection authority.

10. Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect your personal information, including:

• Encrypted data transmission (TLS/HTTPS) for all Service communications;
• Authentication and session management via Clerk, including support for multi-factor authentication;
• Role-based access controls restricting data access to authorized personnel and systems;
• Encrypted database storage through Neon’s managed infrastructure;
• Comprehensive audit logging of sensitive data access events; and
• Regular security assessments of our infrastructure and code.

No method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, and you use the Service at your own risk. If you believe your account has been compromised, please contact us immediately.

11. International Data Transfers

TravelSync is operated from the United States. If you are located outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

Where required by applicable law (such as the GDPR), we implement appropriate transfer mechanisms, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to govern the transfer of personal data from the EEA or UK to the United States. By using the Service, you consent to the transfer of your information to the United States on the terms described in this policy.

12. Children’s Privacy

The Service is intended for use by individuals aged 18 and older. We do not knowingly collect personal information from children under the age of 13. If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately and we will take steps to delete such information.

Minor travelers (under 18) may be included in trip itineraries as subjects of booking records. Parents and guardians are responsible for ensuring that including minors’ travel information is appropriate and complies with applicable laws. We treat such information with the same protections as all user data.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top of this page and notify you by email (to your registered address) or by displaying a prominent notice within the Service at least thirty (30) days before material changes take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the changes, you should stop using the Service and may request deletion of your account.

14. Contact Us

For privacy questions, requests to exercise your rights, or complaints about our data practices, please contact us:

Note to TravelSync team: Replace all bracketed placeholders with your finalized entity name, address, and contact email before publishing. EEA users may require a designated EU representative or Data Protection Officer; consult legal counsel to determine whether this applies to your business.