API License Agreement

• 'API Credentials':The client ID, client secret, API key, bearer token or other authentication material issued to you to access the APIs.
• 'Application':Any software product, service, website or integration that you build using the APIs.
• 'API Call':A single programmatic request made to a Travix Lab API endpoint.
• 'Sandbox':The non-production test environment provided by Travix Lab for development and integration testing.
• 'Production Environment':The live Travix Lab API infrastructure that interacts with real travel supplier systems and live customer data.
• 'Supplier Rules':The content, distribution and technology policies imposed by GDS providers, airlines, hotels, car rental companies and other third-party travel content suppliers.
• 'SLA':The Service Level Agreement specifying availability targets and support response times applicable to your subscription tier.

Subject to your compliance with this API Agreement and payment of applicable fees, Travix Lab grants you a limited, non-exclusive, non-transferable, revocable licence to:

• Access and call the APIs solely to build and operate your Application for your internal business purposes or to provide services to your end users.
• Use Travix Lab's sandbox environment for development, testing and quality assurance prior to production launch.
• Reproduce and display API documentation and code samples solely to facilitate your internal development efforts.

This licence does not grant you any right to: sublicense, resell or white-label the APIs themselves (as distinct from your Application built on top of them) without a separate written agreement; access API endpoints not explicitly enabled on your account; or use the APIs in a manner inconsistent with our documentation.

You are solely responsible for safeguarding your API Credentials. Specifically, you must:

• Store all API keys, secrets and tokens in a secure secrets management system (e.g., AWS Secrets Manager, HashiCorp Vault) and never hard-code them in source code or commit them to version control.
• Restrict access to API Credentials to team members with a legitimate need and enforce least-privilege principles.
• Rotate API keys at least every 90 days, or immediately upon any suspected compromise.
• Use HTTPS/TLS 1.2 or higher for all API requests; never transmit credentials over unencrypted connections.
• Implement appropriate controls to prevent credential leakage through client-side JavaScript, mobile app binaries or public repositories.

You must notify Travix Lab immediately at security@travixlab.com if you suspect your credentials have been compromised. Travix Lab will revoke compromised credentials and issue new ones upon verified request. Travix Lab is not liable for any damage resulting from unauthorised use of your credentials prior to notification.

You may use the APIs to:

• Search, price, book, modify and cancel travel inventory (flights, hotels, car hire, rail, ancillaries) in accordance with supplier rules applicable to your channel type.
• Retrieve booking records, PNR data, itinerary details and pricing information associated with transactions you have originated.
• Access real-time availability, fares and rates for display within your Application in compliance with supplier display rules.
• Trigger automated workflows such as fare monitoring, schedule change notifications and post-booking fulfilment steps.
• Integrate payment processing, ancillary upsell and customer notification services as documented.
• Build reporting dashboards and analytics tools using aggregated data returned by the APIs.

You must not use the APIs to:

• Conduct screen scraping, crawling or bulk data extraction beyond normal transactional API use.
• Train, fine-tune or enrich machine-learning models using API response data without Travix Lab's prior written consent.
• Simulate bookings ("ghost bookings") or generate requests without genuine commercial intent in violation of GDS or airline fair-use policies.
• Circumvent, spoof or tamper with rate limiting, authentication, logging or monitoring mechanisms.
• Resell raw API access or API response data to third parties without a distribution licence agreement.
• Build applications that facilitate ticket touting, price manipulation or fraudulent booking practices.
• Access passenger name records, itineraries or personal data of customers who are not your own end users.
• Transmit malware, denial-of-service payloads or any content designed to degrade API availability.
• Use the APIs for any purpose that violates applicable law, including sanctions, export control, anti-money-laundering or consumer protection regulations.
• Exceed your contracted transaction volumes or quotas without prior written approval.

Violations of this section may result in immediate revocation of API Credentials, account suspension and potential legal action.

All API access is subject to rate limits and usage quotas defined by your subscription tier. Current limits are published in the developer documentation and may be adjusted with reasonable notice.

* Fair-use policy applies. Sustained load patterns that degrade service for other customers may be throttled.

When you approach or exceed rate limits, the API will return HTTP 429 responses with a Retry-After header. You are required to implement exponential back-off with jitter in your integration. Persistent overuse may result in temporary suspension of your API credentials.

Usage-based overage fees apply where your transaction volume exceeds the quota included in your subscription. Overage rates are specified in your Order Form. We will provide reasonable prior notice before charging overages where technically feasible.

Travix Lab provides a sandbox environment to allow you to develop and test integrations without affecting live supplier systems or incurring real transaction charges. Sandbox usage is subject to the following conditions:

• Sandbox data is synthetic; availability, fares and PNRs generated in sandbox do not reflect real inventory and should never be presented to end users as live offers.
• Sandbox credentials are distinct from production credentials and must not be used interchangeably.
• Sandbox SLAs are best-effort only; no uptime guarantees apply.
• Sandbox data may be reset periodically without notice.
• Automated load or stress testing against the sandbox requires prior written approval from Travix Lab.

The APIs provide access to content and services from third-party travel suppliers, including global distribution systems (GDS), airlines, hotels, car rental companies and ancillary providers. Your use of this content is subject to the applicable Supplier Rules, which may include:

• GDS content policies — Amadeus, Sabre, Travelport and other GDS providers impose specific restrictions on how their content may be displayed, cached, stored and processed. You must comply with the GDS policies applicable to your channel type (B2B, B2C, self-service, etc.).
• Airline NDC and fare rules — Airline NDC content is subject to carrier-specific distribution policies. You must not manipulate displayed fares, suppress mandatory taxes or present combined fares in ways that violate carrier rules.
• Hotel rate parity — Where applicable, hotel rate parity clauses may restrict your ability to display or market rates below certain thresholds. You are responsible for compliance.
• IATA regulations — If you are an IATA-accredited agent or BSP participant, your use of air content must comply with IATA resolutions and your accreditation conditions.

Travix Lab accepts no liability for your failure to comply with Supplier Rules. Supplier violations may result in suspension of your access to affected content streams.

When you use the APIs, you will receive and process personal data relating to travellers and end users. You are an independent data controller in respect of your end-user data. Your obligations include:

• Processing traveller personal data (names, passport numbers, contact details, payment information) only to the extent necessary to fulfil the relevant travel transaction or service.
• Maintaining a lawful basis for all personal data processing under applicable data protection law (UK GDPR, EU GDPR or equivalent).
• Implementing appropriate technical and organisational security measures to protect traveller data, including encryption in transit (TLS 1.2+) and at rest.
• Not storing full payment card numbers (PANs), CVVs or magnetic stripe data; relying solely on tokenised payment references provided through PCI-DSS-certified processors.
• Complying with PCI-DSS requirements applicable to your integration profile and handling of cardholder data.
• Providing travellers with transparent notice of how their data is used and honouring data subject rights requests in accordance with applicable law.
• Reporting any personal data breach affecting traveller data to us at privacy@travixlab.com within 24 hours of discovery.

Where Travix Lab processes personal data on your behalf as a data processor (e.g. logging API requests containing traveller data), a Data Processing Agreement (DPA) governs such processing and is available on request.

Travix Lab IP: All intellectual property rights in the APIs, documentation, SDKs, underlying technology and Travix Lab trademarks remain the exclusive property of Travix Lab Limited. This API Agreement grants you no ownership rights whatsoever in any Travix Lab IP.

Your Application: You retain all intellectual property rights in your Application, excluding any Travix Lab components (API client libraries, SDKs) embedded within it.

Data: Supplier content (fares, schedules, availability, descriptions, images) returned through the APIs is owned by or licensed to the respective suppliers and Travix Lab. You may use such content solely as necessary to operate your Application within the scope of this API Agreement. You may not archive, redistribute or commercialise raw supplier data independently of your end-user-facing Application.

Feedback: If you provide Travix Lab with bug reports, feature requests or API improvement suggestions, Travix Lab may incorporate such feedback into its products without obligation of attribution or compensation.

Travix Lab commits to the following API service levels for Production environments, subject to your subscription tier:

• Availability target: 99.9% monthly uptime for Starter and Professional tiers; negotiated targets for Enterprise.
• Planned maintenance: Travix Lab will provide at least 48 hours' advance notice via the developer status page and email for planned maintenance windows. Emergency maintenance may be performed with shorter notice when required for security or stability.
• Latency: Median API response time targets are published in the developer documentation and vary by endpoint and supplier connectivity.
• Status page: Real-time API status and incident history are available at the Travix Lab status page. You are encouraged to subscribe to status notifications.

Support is provided through the developer portal ticketing system. Response time SLAs vary by tier: Starter (best effort), Professional (next business day), Enterprise (defined in Order Form). Production-impacting incidents are escalated to our on-call engineering team regardless of tier.

Scheduled downtime does not count against uptime calculations. Credits for unplanned downtime are available under your SLA and must be requested within 30 days of the incident.

Travix Lab maintains a versioned API to enable stable integrations. Our versioning and deprecation policy is as follows:

• API versions are designated by a date or version number in the URL path or request headers (e.g. v2, v3).
• Breaking changes (changes to request/response schemas, removal of fields, authentication changes) will only be introduced in new major API versions.
• Deprecated versions will remain available for a minimum of 12 months from the deprecation announcement, during which we will assist you in migrating to the current version.
• Security-related deprecations (e.g. retirement of insecure TLS versions or authentication methods) may be accelerated with shorter notice to protect platform integrity.
• Deprecation notices will be communicated via the developer portal, changelog, email to registered developers, and response headers (Deprecation / Sunset).

You are responsible for monitoring deprecation notices and migrating your integration in a timely manner. Travix Lab is not liable for disruption caused by your failure to migrate away from deprecated endpoints before their end-of-life date.

Certain information shared through or in connection with the APIs — including API Credentials, sandbox configuration details, unpublished API schemas, supplier pricing logic and Travix Lab's technical architecture — constitutes Confidential Information of Travix Lab.

You agree to:

• Keep all Travix Lab Confidential Information strictly confidential and use it only to exercise your rights under this API Agreement.
• Not disclose Confidential Information to third parties without Travix Lab's prior written consent, except to your employees or contractors with a genuine need-to-know who are bound by equivalent obligations.
• Take reasonable steps to prevent unauthorised disclosure, no less rigorous than those you apply to your own confidential information (and in any event no less than reasonable care).

These confidentiality obligations survive termination of this API Agreement for a period of 3 years.

Travix Lab reserves the right to monitor API usage to ensure compliance with this API Agreement, detect security threats, enforce rate limits and protect supplier systems. Monitoring may include logging of request metadata (endpoint, timestamp, response code, latency, IP address, API key identifier) and statistical analysis of usage patterns.

Travix Lab may audit your Application and integration practices upon 14 days' written notice to verify compliance with this API Agreement and applicable Supplier Rules. You agree to provide reasonable cooperation and access to relevant documentation. Audit costs are borne by Travix Lab unless a material breach is discovered, in which case costs may be passed to you.

THE APIS ARE PROVIDED "AS IS" AND "AS AVAILABLE". TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, TRAVIX LAB DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

Travix Lab does not warrant that: (a) the APIs will be uninterrupted, error-free or completely secure; (b) supplier content (fares, availability, schedules) will be accurate, complete or current; (c) defects will be corrected within any specific timeframe; or (d) the APIs will meet your specific business requirements.

Travix Lab's liability for SLA breaches is limited to the service credits described in your SLA, which constitute your sole remedy for availability failures.

TO THE EXTENT PERMITTED BY LAW:

• Travix Lab will not be liable for any indirect, incidental, special, consequential or punitive damages arising from your use of or inability to use the APIs, including loss of bookings, lost revenue, data loss or reputational damage.
• Travix Lab's total aggregate liability under this API Agreement — whether in contract, tort, breach of statutory duty or otherwise — is limited to the fees paid by you in the 3 months immediately preceding the claim.
• Travix Lab is not liable for any failure or delay caused by: supplier system outages or GDS downtime; internet infrastructure failures; events of force majeure; or your failure to implement recommended back-off and retry logic.

Nothing in this API Agreement excludes or limits liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any liability that cannot be limited by law.

Term: This API Agreement commences on the date you first obtain API Credentials and continues for the duration of your active subscription to Travix Lab's Services, unless earlier terminated.

Termination by Travix Lab: Travix Lab may terminate or suspend your API access:

• Immediately, without notice, for a material breach of Sections 5 (Prohibited Use), 3 (API Credentials & Security), 9 (Data Handling) or 13 (Confidentiality).
• With 14 days' written notice for any other breach that you fail to cure within that period.
• With 30 days' notice for any reason, including discontinuation of specific API products.
• Immediately, if required by a supplier to protect their systems or content from harm.

Termination by you: You may terminate this API Agreement at any time by ceasing all use of the APIs, destroying your API Credentials and notifying Travix Lab in writing.

Effect of termination: On termination, your API Credentials are revoked and you must immediately cease all API calls and delete any cached API responses. Sections 9, 10, 13, 15, 16 and 18 survive termination.

This API Agreement is governed by and construed in accordance with the laws of England and Wales. Any dispute arising out of or in connection with this API Agreement will be subject to the exclusive jurisdiction of the courts of England and Wales.

Before commencing legal proceedings, the parties agree to attempt to resolve any dispute through good-faith negotiations for a period of 30 days following written notice of the dispute.

• Entire agreement: This API Agreement, together with the Travix Lab Terms of Service and any applicable Order Form, constitutes the entire agreement between the parties relating to API access and supersedes all prior agreements on this subject.
• Amendments: Travix Lab may update this API Agreement by posting the revised version at travixlab.com/api-agreement with 30 days' notice. Continued use of the APIs after the effective date constitutes acceptance of the updated terms.
• Severability: If any provision is held invalid or unenforceable, it will be modified to the minimum extent necessary and the remaining provisions will remain in full force.
• Assignment: You may not assign this API Agreement without Travix Lab's prior written consent. Travix Lab may assign this API Agreement in connection with a merger, acquisition or sale of assets.
• No waiver: Failure by Travix Lab to enforce any provision does not constitute a waiver of the right to enforce it in the future.

For questions, API access requests, DPA enquiries or to report security issues: