GDPR Compliance
Effective date: 1 September 2024 · Last updated: 26 May 2026
1. Data Controller
Travix Lab Limited is the data controller for personal data processed in connection with its products and services. Our registered address is:
Travix Lab Limited, 128 City Road, London, EC1V 2NX, United Kingdom
ICO Registration Number: [ZB123456]
Email: privacy@travixlab.com
Where Travix Lab processes personal data on behalf of a customer (e.g. end-traveller data handled through our booking engines), we act as a data processor and the customer is the data controller. A Data Processing Agreement (DPA) is available for such arrangements.
2. Data Protection Officer
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection compliance programme, advising on GDPR obligations and acting as the contact point for data subjects and supervisory authorities.
3. Lawful Basis for Processing
We have identified a lawful basis for every processing activity we undertake. Our primary lawful bases are:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide Services under a contract — account management, service delivery, billing.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with UK/EU law — tax records, anti-money-laundering, data breach notification.
- Legitimate interests (Art. 6(1)(f)): Processing for security monitoring, fraud prevention, platform analytics and customer communications (where proportionate and not overridden by data subject interests).
- Consent (Art. 6(1)(a)): Marketing emails and non-essential cookies — only after clear, affirmative consent; withdrawable at any time.
For special category data (e.g. health data in travel insurance contexts handled by partners), we rely on explicit consent (Art. 9(2)(a)).
4. Data Subject Rights
We respect and uphold all rights granted to data subjects under GDPR. Here is how to exercise each:
Right of access (Art. 15)
Email dpo@travixlab.com. We will provide a copy of your personal data within 30 days.
Right to rectification (Art. 16)
Update your details in the platform dashboard or email us for corrections to data we hold.
Right to erasure (Art. 17)
Submit an erasure request to privacy@travixlab.com. We will action it within 30 days unless legal obligations require retention.
Right to restriction (Art. 18)
Contact us to restrict processing while a dispute is resolved or pending an objection.
Right to data portability (Art. 20)
Request a machine-readable export of data you provided to us (e.g. account data).
Right to object (Art. 21)
Object to processing based on legitimate interests (including profiling and direct marketing).
Rights related to automated decisions (Art. 22)
We do not make solely automated decisions with significant legal effects without human review.
Right to withdraw consent (Art. 7(3))
Withdraw at any time via email or the unsubscribe link in marketing emails. Withdrawal does not affect prior processing.
We respond to data subject requests within 30 calendar days (extendable to 60 days for complex requests with prior notice). There is no charge for requests unless they are manifestly unfounded or excessive.
5. Data Processing Agreement (DPA)
Customers who use Travix Lab to process personal data of their end users (e.g. traveller names, passport details, payment data) are acting as data controllers, with Travix Lab as data processor. We offer a comprehensive DPA that includes:
- Subject matter, duration, nature and purpose of processing.
- Types of personal data and categories of data subjects.
- Travix Lab's obligations as processor (Art. 28 GDPR).
- Sub-processor authorisation and notification procedures.
- Security measures and breach notification timelines.
- Audit rights and return/deletion of data on termination.
Request the DPA by emailing legal@travixlab.com. Execution is typically within 3 business days.
6. Sub-Processors
We use the following categories of sub-processors to deliver our Services. All are bound by DPAs or equivalent contractual safeguards:
| Sub-processor | Purpose | Location / Transfer mechanism |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure — EU (Frankfurt) and UK (London) regions | USA (SCCs in place) |
| Google Cloud Platform | Data processing, BigQuery analytics | USA/EU (SCCs in place) |
| Stripe | Payment processing and billing | USA (PCI-DSS certified; SCCs in place) |
| HubSpot | CRM and marketing emails | USA (SCCs in place) |
| SendGrid (Twilio) | Transactional email delivery | USA (SCCs in place) |
| Sentry | Application error monitoring | USA (SCCs in place) |
| Cloudflare | CDN, DDoS protection, WAF | USA (adequacy and SCCs in place) |
| Zendesk | Customer support ticketing | USA (SCCs in place) |
We provide customers with 30 days' prior notice before adding new sub-processors that may process their personal data. Customers may object on reasonable grounds within this period.
7. International Data Transfers
Some of our sub-processors are located outside the UK and European Economic Area (EEA). We ensure all international transfers are protected by appropriate safeguards:
- Standard Contractual Clauses (SCCs) — EU Commission-approved SCCs for EU-to-third-country transfers; UK International Data Transfer Agreements (IDTAs) for UK-to-third-country transfers.
- Adequacy decisions — transfers to countries with an EU or UK adequacy decision (e.g. Canada, Japan, Israel).
- Supplementary measures — where required following a Transfer Impact Assessment (TIA), we implement additional technical and contractual safeguards (e.g. encryption, pseudonymisation).
8. Data Retention
We retain personal data only for as long as necessary for the purpose it was collected, subject to legal retention obligations:
- Customer account data — subscription duration + 3 years post-termination.
- Financial records — 7 years (UK Companies Act / HMRC requirement).
- API & platform logs — 12 months rolling (security incident investigation).
- Support communications — 3 years from ticket closure.
- Booking/transaction data — as required by applicable supplier or airline rules (typically 5–7 years).
- Marketing consent records — duration of consent plus 3 years (evidencing compliance).
Data is securely deleted or anonymised at the end of the retention period using NIST 800-88 or equivalent standards.
9. Security Measures
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256).
- ISO 27001-aligned information security management.
- Role-based access control (RBAC) and principle of least privilege.
- Multi-factor authentication (MFA) for all internal systems and remote access.
- Annual penetration testing by an accredited third party.
- Continuous vulnerability scanning and patch management.
- Security awareness and GDPR training for all staff (mandatory on joining, annually thereafter).
- Data Protection Impact Assessments (DPIAs) for new high-risk processing activities.
10. Data Breach Notification
We have a documented Incident Response Plan. In the event of a personal data breach:
- Regulatory notification: We will notify the UK Information Commissioner's Office (ICO) or relevant EU supervisory authority within 72 hours of becoming aware of a notifiable breach.
- Customer notification: We will notify affected customers without undue delay, including a description of the breach, likely consequences, and measures taken.
- Individual notification: Where required (high risk to individuals), affected data subjects will be notified directly and promptly.
To report a suspected breach or security incident, email security@travixlab.com.
11. Cookies & Consent
Non-essential cookies (analytics, marketing) are only set after explicit opt-in consent via our cookie consent banner, in accordance with the UK Privacy and Electronic Communications Regulations (PECR) and ePrivacy Directive.
Consent is recorded with timestamp and version. Users can withdraw consent at any time via the cookie preference centre or by clearing browser cookies. We do not use cookie walls or make access contingent on accepting non-essential cookies.
12. Supervisory Authority & Complaints
Our lead supervisory authority is the UK Information Commissioner's Office (ICO). If you believe we have handled your personal data in violation of GDPR, you have the right to lodge a complaint:
UK — Information Commissioner's Office (ICO)
Website: ico.org.uk · Telephone: 0303 123 1113
EU — relevant national supervisory authority
Find your authority at: edpb.europa.eu
We ask that you contact us first at dpo@travixlab.com so we have the opportunity to resolve your concern directly.
