Tripzy Privacy Policy

Version 2.0 — Last updated: 28 February 2026

Controller: TRIPZY LTD (Company No. 16648665), 23 De Walden St, London, W1G 8RW, United Kingdom.

ATOL Licence: #12855

General enquiries: [email protected]

Privacy enquiries: [email protected]

1. What we collect

We collect the following categories of personal data when you use Tripzy:

  • Identity and contact data: your name, email address, and phone number.
  • Traveller details: date of birth, nationality, and passport information where required for air travel; loyalty programme numbers (optional).
  • Co-traveller data: names, dates of birth, and passport numbers of other travellers in a group booking, as provided by the person making the booking.
  • Booking data: itineraries, flight PNRs (Passenger Name Records), hotel reservation details, prices, and currencies.
  • Payment data: payment information tokenised via Stripe (PCI DSS Level 1 certified). We do not store full card numbers, expiry dates, or CVV codes at any time.
  • Technical data: device type, browser, IP address, and approximate geographic location derived from your IP.
  • AI interaction data: travel preferences, descriptions, and responses you provide when using our AI-powered recommendation engine to generate personalised destination suggestions.
  • Support communications: messages, attachments, and issue history from your interactions with our customer support team.

2. Why we use your data (legal bases)

Under UK GDPR, we must have a lawful basis for each type of processing. The list below sets out how and why we use your data:

  • Fulfil bookings and provide our services (lawful basis: contract). We process your identity, traveller, booking, and payment data to search for, book, and manage flights and hotels on your behalf.
  • AI-powered travel recommendations (lawful basis: contract). When you use our recommendation engine, processing your travel preferences through AI is an integral part of the service you have requested.
  • Customer support and safety notices (lawful basis: contract and legitimate interests). We use your contact details and booking data to respond to your enquiries and to notify you of disruptions, cancellations, or safety issues affecting your travel.
  • Fraud prevention and security monitoring (lawful basis: legitimate interests). We have a legitimate interest in protecting our platform and our customers from fraud, unauthorised access, and other security threats. We monitor transactions and technical data for suspicious activity.
  • Analytics and product improvement (lawful basis: legitimate interests). We have a legitimate interest in understanding how our service is used so that we can improve it. Analytics data is aggregated where possible and is only collected with your consent via cookies.
  • Marketing communications (lawful basis: consent for new users; soft opt-in for existing customers under PECR Regulation 22, limited to similar products and services). Every marketing email includes an easy unsubscribe link, and you can withdraw consent at any time.
  • Legal compliance and dispute resolution (lawful basis: legal obligation). We retain and process certain data to comply with tax, accounting, and aviation regulations, and to establish, exercise, or defend legal claims.

3. Right to object

You have the right to object to processing of your personal data that is based on our legitimate interests at any time. This includes processing for fraud prevention, analytics, and product improvement as described in section 2 above.

To exercise this right, contact us at [email protected]. Upon receiving your objection, we will stop the relevant processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims.

4. Co-traveller data

When you make a booking for other travellers, you provide their personal data on their behalf. This includes their names, dates of birth, and passport details as required by airlines and hotels to fulfil the booking.

By providing this data, you confirm that you have the authority of each co-traveller to share their personal information with us and that you have informed them about this privacy policy and how their data will be used.

Lawful basis: for the person making the booking, we process co-traveller data on the basis of contract (it is necessary to fulfil the booking you have requested). For the co-travellers themselves, we rely on legitimate interests — their data is necessary to fulfil the booking they are part of, and they have a reasonable expectation that their details will be shared for this purpose.

5. Children's data

Our service is intended for users aged 18 and over. You must be at least 18 years old to create an account or make a booking on Tripzy.

Children's personal data (names, dates of birth, and passport numbers) is processed only as part of group bookings made by an adult, as described in section 4 above. We do not knowingly collect personal data directly from children. If we become aware that we have collected personal data directly from a child without appropriate parental consent, we will take steps to delete that data promptly.

6. How we use AI

We use artificial intelligence from Anthropic (Claude) and Google (Gemini) to power our travel recommendation engine. This is a core part of the Tripzy service.

When you describe your travel preferences — such as your ideal vibe, budget, dates, and interests — this information is sent to our AI providers to generate personalised destination suggestions, activity recommendations, and travel descriptions. All booking decisions remain yours. You can also bypass AI recommendations entirely by using our "I Know Where" mode to select a destination directly.

Anthropic and Google process this data as sub-processors under data processing agreements with Tripzy. Your data is not used by these providers to train their AI models.

AI recommendations do not constitute automated decision-making with legal or similarly significant effects under Article 22 of UK GDPR. No profiling is used for pricing, eligibility, or access decisions. Prices come directly from airlines and hotels, not from AI.

International transfers of data to Anthropic and Google in the United States are covered by the UK International Data Transfer Agreement (UK IDTA) incorporating Standard Contractual Clauses (SCCs). See section 8 for further details.

7. Sharing your data

We share your personal data with the following categories of recipients, only to the extent necessary for the purposes described in this policy:

  • Airlines: flight booking data including passenger names, dates of birth, passport details, and contact information as required by airlines to issue tickets and manage reservations.
  • Hotel accommodation providers: guest names, contact details, and booking information necessary to confirm and manage hotel reservations.
  • Stripe: payment processing. Stripe is PCI DSS Level 1 certified and processes your payment data securely. We do not handle or store full card details.
  • Auth0: authentication and identity management. Auth0 processes your email address and login credentials to manage your account securely.
  • PostHog: product analytics (with your consent via cookie settings). Used to understand how visitors interact with Tripzy so we can improve the service.
  • Amplitude: product analytics (with your consent via cookie settings). Used alongside PostHog to analyse feature usage and user journeys.
  • Resend: transactional email delivery. Used to send booking confirmations, travel documents, and service communications.
  • Anthropic: AI-powered travel recommendations. Processes travel preference data you provide to generate destination suggestions (see section 6).
  • Google: AI-powered travel recommendations. Processes travel preference data you provide to generate supporting content and suggestions (see section 6).
  • Law enforcement and regulatory authorities: where we are required to do so by law, regulation, or legal process, or to protect the rights, property, or safety of Tripzy, our customers, or others.

8. International transfers

Some of our service providers are based outside the United Kingdom, primarily in the United States. This means your personal data may be transferred to, stored in, and processed in countries that may not provide the same level of data protection as the UK.

The following providers are based in the United States: Stripe (payments), Auth0 (authentication), Anthropic (AI recommendations), Google (AI recommendations), PostHog (analytics), Amplitude (analytics), and Resend (transactional email delivery).

For each transfer of personal data outside the UK, we rely on the UK International Data Transfer Agreement (UK IDTA) incorporating Standard Contractual Clauses (SCCs) as our transfer mechanism, in accordance with UK GDPR Article 46. We assess each provider's data protection practices and the legal framework of the recipient country to ensure your data receives an adequate level of protection.

9. Consequences of not providing data

You are not obliged to provide personal data to us. However, certain data is necessary for us to provide our services:

  • Passport and traveller data: airlines require passenger names, dates of birth, nationality, and passport details to issue flight tickets. We cannot complete a flight booking without this information.
  • Payment data: we cannot process a booking without valid payment information. This is a contractual requirement.
  • Contact details (email, phone): required for booking management, sending confirmation emails and travel documents, and communicating important service information such as schedule changes or cancellations.
  • AI travel preferences (optional): if you choose not to share your travel preferences with our AI recommendation engine, we cannot provide personalised destination suggestions. However, you can still use Tripzy by selecting a destination directly through our "I Know Where" mode.

10. Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are set out below:

Data type and retention period:

  • Booking and invoicing records: 6-7 years after the booking date (to meet tax and accounting obligations under UK law).
  • Passport data: deleted within 6 months after travel completion.
  • Support tickets: up to 24 months after ticket closure.
  • Marketing data: until you unsubscribe or withdraw consent.
  • Analytics data: per provider retention settings (PostHog: configurable per project; Amplitude: per plan tier).
  • AI interaction logs: not retained beyond the session in which they are generated.
  • Cookie consent records: 12 months (you will be re-prompted after expiry).

Where we have a legal obligation to retain data for longer (for example, in response to a regulatory investigation or ongoing legal proceedings), we will do so for the minimum period required.

11. Security measures

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it, including:

  • Encryption in transit and at rest: all data transmitted between your browser and our servers is protected by HTTPS/TLS encryption. Data stored on our servers is encrypted at rest.
  • PCI DSS Level 1 payment security: all payment data is handled by Stripe, which is certified to PCI DSS Level 1, the highest level of payment security certification. We never store, process, or transmit full card details on our own servers.
  • Managed authentication: user authentication is managed by Auth0, a specialist identity platform, reducing the risk associated with credential storage and management.
  • Role-based access controls: access to personal data within our organisation is restricted to authorised personnel on a need-to-know basis.
  • Regular security reviews: we conduct periodic reviews of our security practices and the security posture of our third-party providers.

12. Your rights (UK GDPR)

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: you can request a copy of the personal data we hold about you.
  • Right to rectification: you can ask us to correct any personal data that is inaccurate or incomplete.
  • Right to erasure: you can ask us to delete your personal data in certain circumstances (for example, where it is no longer necessary for the purpose for which it was collected).
  • Right to restriction: you can ask us to restrict the processing of your personal data in certain circumstances (for example, where you contest the accuracy of the data).
  • Right to data portability: you can request that we provide your personal data in a structured, commonly used, machine-readable format, or transmit it directly to another controller where technically feasible.
  • Right to object: you can object to processing based on legitimate interests at any time (see section 3 above).
  • Right to withdraw consent: where processing is based on consent (such as marketing communications or analytics cookies), you can withdraw your consent at any time. For marketing, use the unsubscribe link in any email. For analytics cookies, adjust your preferences via the Cookie Settings link in our website footer.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, as required by law.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

An internal data protection complaints procedure will be available by June 2026 in accordance with the Data Use and Access Act 2025.

13. Data breach

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify affected individuals without undue delay in accordance with UK GDPR Article 34. We will also report qualifying breaches to the Information Commissioner's Office within 72 hours of becoming aware of them, as required by UK GDPR Article 33.

14. Cookies

We use cookies and similar technologies to operate our website, remember your preferences, and (with your consent) to analyse how our service is used. For full details on the cookies we use, their purposes, and how to manage your preferences, see our Cookie Policy.

You can manage your cookie preferences at any time using the Cookie Settings link in our website footer.

15. Updates to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the version number and date at the top of this page and post the revised version here. Where changes are significant, we will take reasonable steps to notify you, such as by email or by placing a prominent notice on our website. We encourage you to review this policy periodically.