
Privacy Policy

Effective date: 1 September 2024  ·  Last updated: 26 May 2026

Travix Lab Limited ("Travix Lab", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have under applicable data protection law — including the UK GDPR, EU GDPR and the UK Data Protection Act 2018.

1. Who We Are

Travix Lab Limited is the data controller responsible for your personal data. We are registered in England and Wales and headquartered at:

Travix Lab Limited
128, City Road
London, EC1V 2NX
United Kingdom
Email: privacy@travixlab.com

Our Data Protection Officer (DPO) can be reached at dpo@travixlab.com.

2. Data We Collect

We collect personal data in the following categories depending on how you interact with us:

  • Identity data: Full name, job title, company name, username or similar identifier.
  • Contact data: Email address, telephone number, billing and delivery address.
  • Account & profile data: Login credentials (hashed passwords), platform preferences, API key associations and subscription tier.
  • Financial data: Payment card details (processed and stored by PCI-DSS certified processors — we do not store raw card numbers), billing history, invoice records.
  • Technical & usage data: IP address, browser type and version, time zone, operating system, device identifiers, API call logs (endpoint, timestamp, response code, latency), error logs.
  • Communication data: Emails, support tickets, live-chat transcripts and any other communications you send us.
  • Marketing preferences: Your opt-in/opt-out status for marketing communications and cookie consent choices.
  • Aggregated analytics data: Anonymised, aggregated usage statistics that cannot identify you individually.

3. How We Collect Data

We collect data through:

  • Direct interactions — account registration, contact forms, demo requests, support tickets, contract signing.
  • Automated technologies — our platform, APIs and server logs automatically record technical and usage data.
  • Third parties — identity verification providers, payment processors, publicly available business directories, and referral partners.
  • Cookies and tracking technologies — see Section 9 below.

4. Lawful Basis for Processing

We process your personal data only where we have a lawful basis to do so:

Purpose | Lawful basis
Providing and managing your account and services | Performance of a contract
Processing payments and invoicing | Performance of a contract; legal obligation
Responding to support and sales enquiries | Legitimate interests
Security monitoring and fraud prevention | Legitimate interests; legal obligation
Product improvement and analytics | Legitimate interests (where data is anonymised)
Sending marketing communications | Consent (you may withdraw at any time)
Compliance with legal and regulatory obligations | Legal obligation
Enforcing our contracts and terms | Legitimate interests; legal obligation

5. How We Use Your Data

  • Register and manage your account, authenticate API access and issue credentials.
  • Deliver purchased services and send service-related notifications (e.g. downtime alerts, version deprecation notices).
  • Process payments, generate invoices and manage subscriptions.
  • Monitor platform security, detect fraud and abuse, and investigate incidents.
  • Provide customer support and respond to enquiries.
  • Improve our products and services through aggregated analytics.
  • Send marketing emails about new features, case studies or events — only where you have opted in.
  • Comply with legal obligations such as tax, accounting and law-enforcement requests.

6. Data Sharing & Sub-processors

We do not sell, rent or trade your personal data. We share data only in the following circumstances:

  • Service providers (sub-processors) — cloud infrastructure (AWS, Google Cloud), payment processing (Stripe), CRM (HubSpot), email delivery (SendGrid), error monitoring (Sentry), analytics and support tools. All sub-processors are bound by Data Processing Agreements.
  • Travel suppliers — when you use our platform to make bookings, necessary booking data is transmitted to the relevant supplier (airline, hotel, GDS, etc.) as required to fulfil the transaction.
  • Professional advisers — lawyers, auditors and insurers under strict confidentiality obligations.
  • Law enforcement and regulators — where required by applicable law, court order or regulatory authority.
  • Business transfers — in the event of a merger, acquisition or asset sale, your data may be transferred to the acquiring entity, subject to equivalent privacy protections.

You may request a current list of our sub-processors by contacting privacy@travixlab.com.

7. International Data Transfers

We are headquartered in the United Kingdom and operate globally. Some of our sub-processors process data outside the UK and EEA (e.g. in the United States).

Whenever we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs).
  • Adequacy decisions issued by the UK Secretary of State or European Commission.
  • Binding Corporate Rules where applicable.

8. Data Retention

We retain personal data only for as long as necessary for the purpose it was collected, or as required by law:

  • Account data — retained for the duration of your contract plus 3 years after closure.
  • Financial/billing records — 7 years from the relevant transaction date (UK legal requirement).
  • API access logs — 12 months rolling (security and debugging purposes).
  • Support communications — 3 years from ticket closure.
  • Marketing preferences — until you withdraw consent or unsubscribe.
  • Anonymised analytics — indefinitely (no personal data retained).

After the applicable retention period, data is securely deleted or anonymised.

9. Cookies & Tracking

We use cookies and similar technologies on our website. You can manage your preferences via the cookie consent banner displayed on first visit. Our cookies fall into the following categories:

  • Essential cookies — required for the site to function (session tokens, CSRF protection, load balancing). Cannot be disabled.
  • Analytics cookies — help us understand aggregate usage patterns (e.g. page views, bounce rate). Enabled only with your consent.
  • Marketing cookies — used to show relevant advertising and measure campaign effectiveness. Enabled only with your consent.

Most browsers allow you to refuse cookies. Disabling essential cookies may affect site functionality.

10. Your Rights

Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data where there is no lawful reason to retain it.
  • Right to restriction: Request that we limit processing of your data in certain circumstances.
  • Right to data portability: Receive your data in a machine-readable format or have it transferred to another controller.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Rights related to automated decision-making: Not be subject to solely automated decisions that significantly affect you.
  • Right to withdraw consent: Withdraw consent at any time where processing is consent-based (this does not affect past processing).

To exercise any right, email privacy@travixlab.com. We will respond within 30 days. We may need to verify your identity before processing a request.

If you are unhappy with how we handle your request, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or your local EU supervisory authority.

11. Security

We implement technical and organisational security measures proportionate to the risk, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls and principle of least privilege.
  • Multi-factor authentication for all internal systems.
  • Regular penetration testing and vulnerability scanning.
  • Security awareness training for all staff.
  • Incident response and breach notification procedures (we will notify you and regulators of any notifiable breach within 72 hours of discovery).

12. Children's Privacy

Our services are directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@travixlab.com and we will delete it promptly.

13. Third-Party Links

Our website and platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies independently.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or services. We will notify you of material changes by email (where you have provided one) and by updating the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

15. Contact Us

For any questions, requests or concerns about this Privacy Policy or our data practices: