← Back to Home

PRIVACY POLICY

Last Updated: October 20, 2025

Effective Date: October 20, 2025

INTRODUCTION

Cloudvante Pty Ltd (ABN 28 681 142 683, ACN 681 142 683, "we," "us," "our," or "TravlAgent") is committed to protecting your privacy and handling your personal information transparently and securely. This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the TravlAgent platform, including our website at https://travlagent.com and https://app.travlagent.com, and our mobile applications for iOS and Android (collectively, the "Service").

This Privacy Policy applies to all users globally and complies with:

  • Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • European Union General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Other applicable international privacy laws

By using the Service, you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

If you do not agree with this Privacy Policy, please do not use the Service.

TABLE OF CONTENTS

1. Information We Collect

2. How We Collect Information

3. How We Use Your Information

4. Artificial Intelligence and Automated Decision-Making

5. How We Share Your Information

6. International Data Transfers

7. Data Retention

8. Your Privacy Rights

9. Cookies and Tracking Technologies

10. Security of Your Information

11. Children's Privacy

12. Third-Party Services and Links

13. Changes to This Privacy Policy

14. Contact Us

15. Jurisdiction-Specific Information

1. INFORMATION WE COLLECT

We collect several categories of personal information to provide and improve the Service.

1.1 Information You Provide Directly

Account Registration Information:

  • Email address (required)
  • Name (required)
  • Profile image (optional)
  • Password (if not using social login)

Travel Preference Information:

  • Tourist spot preferences (iconic attractions, balanced, authentic experiences)
  • Trip vibe intensity (very chill to packed schedule)
  • Accommodation style preferences (hostels, budget, mid-range, upscale, luxury)
  • Party type (solo, couple, friends, family)
  • Budget tier ($, $$, $$$, $$$$, $$$$$)
  • Mobility level (low, moderate, high)
  • Temperature unit preference (Celsius/Fahrenheit)
  • Climate range preferences (warm, mild, cool, cold, dry/exotic)
  • Home airport code
  • Travel interests (up to 15 categories including: historical sites, museums, architecture, food & dining, nightlife, family-friendly activities, beaches, nature & parks, adventure sports, shopping, cultural experiences, photography, wellness & spa, art galleries, local experiences)

Trip Planning Information:

  • Trip titles and descriptions
  • Destination selections (countries, cities, continents)
  • Trip dates and schedules (exact dates, month ranges, or flexible timing)
  • Trip status (draft, planning, finalized, archived)
  • Custom notes and preferences for specific trips
  • Activity selections and modifications
  • Points of interest (POI) selections
  • Transportation preferences between locations
  • Lodging preferences and selections

Visited Places History:

  • Places you've visited previously
  • First and last visited timestamps for each location

User-Generated Content:

  • Custom trip notes and descriptions
  • Modifications to AI-generated itineraries
  • Personal annotations and comments

1.2 Information Collected Automatically

Device and Usage Information:

  • IP address
  • User agent (browser type and version, operating system)
  • Device type and model (for mobile apps)
  • Device identifiers (iOS IDFA, Android Advertising ID where permitted)
  • Mobile operating system version
  • App version number
  • Session duration and timestamps
  • Pages or screens viewed within the Service
  • Features used and interactions with the Service
  • Time zone and language preferences

Location Information:

  • Geographic coordinates (latitude/longitude) of destinations you select for trip planning
  • Timezone information for selected destinations
  • Country, region, and city data for trip stops
  • We do NOT collect real-time device location tracking unless you explicitly enable location services for specific features

Log and Analytics Data:

  • API request IDs for tracing
  • Error logs and crash reports
  • Performance metrics and response times
  • Query performance data
  • Diagnostic information for troubleshooting

Cookie and Tracking Data:

  • Session cookies for authentication
  • Functional cookies for Service operation
  • Analytics cookies (with consent where required)
  • See Section 9 for detailed cookie information

1.3 Information from Third-Party Sources

Social Authentication Providers:

When you sign in using Google or Apple:

  • Email address
  • Name
  • Profile picture (where available)
  • User ID from the authentication provider
  • OAuth access and refresh tokens (stored securely)

Third-Party API Data (Embedded in Your Itineraries):

We retrieve and display data from external services based on your travel preferences:

Google Places API:

  • Venue names, addresses, and descriptions
  • Business ratings and review counts
  • Price level indicators
  • Geographic coordinates
  • Phone numbers and website URLs
  • Operating hours
  • Photo references

Azure Maps (Microsoft Bing):

  • Geocoding data (addresses to coordinates conversion)
  • Reverse geocoding (coordinates to addresses)
  • Place search results and suggestions
  • Timezone information for locations
  • Route planning data

OpenAI:

  • AI-generated trip recommendations and itineraries
  • Activity suggestions and scheduling
  • Preference-based destination analysis
  • (Note: Your preference data is sent to OpenAI for processing; see Section 4)

This third-party data is incorporated into your trip plans but is not collected as your personal information. However, your selections and interactions with this data become part of your User Content.

1.4 Categories of Sensitive Personal Information

Under certain privacy laws (CCPA/CPRA, GDPR), some information may be considered "sensitive":

  • Precise geolocation data (coordinates of trip destinations you select)
  • Account login credentials (passwords, OAuth tokens)

We do NOT collect:

  • Government-issued identification numbers (SSN, passport numbers, driver's license)
  • Financial account information (credit card numbers, bank accounts)
  • Health or medical information
  • Racial or ethnic origin, religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data for identification purposes
  • Sexual orientation or sex life information

2. HOW WE COLLECT INFORMATION

We collect information through the following methods:

2.1 Direct Submission

  • Account registration and profile setup
  • Form submissions and preference selections
  • Trip creation and editing activities
  • Email communications with support

2.2 Automatic Collection

  • Cookies and similar tracking technologies
  • Server logs and analytics tools
  • Session management systems
  • Error tracking and monitoring tools

2.3 Third-Party Authentication

  • OAuth flows with Google and Apple
  • Social login integrations

2.4 API Integrations

  • Requests to Google Places API (based on your search queries)
  • Requests to Azure Maps (based on your destination inputs)
  • Requests to OpenAI (based on your preferences and trip parameters)

3. HOW WE USE YOUR INFORMATION

We use your personal information for the following purposes:

3.1 Service Provision and Core Functionality

Lawful Basis:

  • Contract performance (providing the Service you've signed up for)
  • Legitimate interests (improving and operating our business)

Specific Uses:

  • Creating and managing your account
  • Authenticating your identity and managing sessions
  • Generating AI-powered trip itineraries based on your preferences
  • Providing personalized destination and activity recommendations
  • Enabling trip sharing and collaborative planning features
  • Storing and retrieving your saved trips and preferences
  • Processing and responding to your requests and inquiries
  • Delivering transactional emails (account verification, trip invitations, password resets)

3.2 Service Improvement and Development

Lawful Basis:

  • Legitimate interests (improving our Service and user experience)
  • Consent (where required for analytics)

Specific Uses:

  • Analyzing usage patterns and feature adoption
  • Identifying and fixing bugs and technical issues
  • Conducting internal research and development
  • Testing new features and functionality
  • Optimizing AI recommendation algorithms
  • Improving search and discovery features
  • Enhancing user interface and user experience

3.3 Security and Fraud Prevention

Lawful Basis:

  • Legitimate interests (protecting our users and systems)
  • Legal obligations (compliance with security laws)

Specific Uses:

  • Detecting and preventing fraud, abuse, and unauthorized access
  • Monitoring for security threats and vulnerabilities
  • Investigating suspicious activity
  • Enforcing our Terms of Service
  • Protecting against legal liability

3.4 Legal Compliance

Lawful Basis:

  • Legal obligations (compliance with applicable laws)

Specific Uses:

  • Responding to legal requests, court orders, and government inquiries
  • Complying with tax and financial reporting requirements (if applicable)
  • Meeting data breach notification obligations
  • Responding to intellectual property claims
  • Complying with export control and sanctions laws

3.5 Communication

Lawful Basis:

  • Consent (for marketing communications)
  • Contract performance (for transactional communications)
  • Legitimate interests (for important Service updates)

Specific Uses:

  • Sending trip invitation emails (via Postmark)
  • Delivering account verification codes (OTP via email)
  • Notifying you of Service changes or updates
  • Responding to support inquiries
  • Sending important security or policy updates

Marketing Communications: We do NOT currently send marketing emails. If we introduce marketing communications in the future, we will obtain your explicit consent and provide clear opt-out mechanisms.

3.6 Analytics and Aggregated Insights

Lawful Basis:

  • Legitimate interests (understanding Service usage)
  • Consent (where required)

Specific Uses:

  • Creating aggregated, anonymized statistics about Service usage
  • Understanding travel preference trends (anonymized)
  • Measuring feature performance and user engagement
  • Generating reports for business planning

Note: Aggregated data does not identify individual users and is not considered personal information.

4. ARTIFICIAL INTELLIGENCE AND AUTOMATED DECISION-MAKING

4.1 Use of AI Systems

TravlAgent uses OpenAI's language models (including GPT-series models) to generate personalized trip itineraries and recommendations. This involves automated decision-making based on your travel preferences.

4.2 Data Sent to OpenAI

When you request an AI-generated itinerary, the following information is transmitted to OpenAI's servers:

  • Your travel preferences (tourist spot preference, trip vibe, accommodation style, party type, budget tier, mobility level, climate preferences, travel interests)
  • Trip parameters (destinations, date ranges, number of travelers, trip duration)
  • Selected stops and cities for your trip
  • Context about places you're planning to visit

4.3 How AI Makes Decisions

The AI uses your preferences and trip parameters to:

  • Select appropriate cities and destinations
  • Determine optimal trip duration and pacing
  • Suggest daily activities and schedules
  • Recommend points of interest aligned with your interests
  • Propose accommodation types and locations
  • Calculate appropriate time allocations for activities

Guidance Mappings: We provide OpenAI with specific guidance based on your preferences:

  • Tourist spots: Iconic landmarks vs. authentic local experiences vs. balanced mix
  • Trip vibe: Slow-paced relaxation vs. moderate activity vs. fast-paced packed schedules
  • Mobility: Preferences for travel frequency and distance between stops
  • Climate: Temperature and weather preferences
  • Interests: Prioritization of activities matching your 15 interest categories
  • Budget: Appropriate venue and activity price ranges
  • Party type: Solo flexibility vs. couple romance vs. family logistics vs. group coordination

4.4 Limitations and Human Oversight

Important Limitations:

  • AI recommendations are NOT reviewed by human travel experts before being presented to you
  • The AI does not have real-time information about closures, safety conditions, or current events
  • Generated itineraries may contain errors or inappropriate suggestions
  • Recommendations are based solely on the preferences you provide and may not account for personal circumstances

4.5 Your Rights Regarding Automated Decisions

Under GDPR Article 22 and certain state privacy laws, you have the right to:

  • Opt out of automated decision-making for trip generation (you may create trips manually)
  • Request human review of AI-generated recommendations
  • Obtain an explanation of how specific recommendations were generated
  • Challenge decisions and provide additional context to refine results

To exercise these rights, contact us at support@travlagent.com.

4.6 OpenAI Data Processing

OpenAI's Role: OpenAI acts as a data processor (sub-processor under GDPR) on our behalf.

Data Protection:

  • OpenAI has committed to GDPR-compliant data processing through their Data Processing Addendum
  • As of March 1, 2023, OpenAI does NOT use customer data submitted via API to train their models (unless you explicitly opt in)
  • API data may be retained by OpenAI for up to 30 days for abuse monitoring, then deleted

For more information: See OpenAI's Privacy Policy at https://openai.com/privacy and their API Data Usage Policies at https://openai.com/policies/api-data-usage-policies

4.7 Transparency Obligations (Connecticut AI Disclosure)

We use personal data to train and improve AI systems for trip recommendation purposes. This includes using aggregated, anonymized trip preference data and user interactions to refine our recommendation algorithms. Individual trip content is not used for AI training without anonymization.

5. HOW WE SHARE YOUR INFORMATION

We do NOT sell your personal information to third parties. We share information only in the following circumstances:

5.1 Service Providers and Sub-Processors

We share personal information with trusted third-party service providers who process data on our behalf:

| Service Provider | Purpose | Data Shared | Location |

|-----------------|---------|-------------|----------|

| OpenAI | AI-powered trip generation and itinerary recommendations | Travel preferences, trip parameters, destination data | United States |

| Google (Google Places API) | Venue information, ratings, location data for points of interest | Search queries, location coordinates, venue selections | United States (Google Cloud) |

| Microsoft (Azure Maps) | Geocoding, place search, mapping, timezone data | Location queries, coordinates, place names | United States / Australia (Azure regions) |

| Postmark | Transactional email delivery (verification codes, trip invitations) | Email addresses, recipient names, invitation details | United States |

| Cloudflare | Infrastructure, DDoS protection, Workers platform, Durable Objects, KV storage, Analytics Engine | All data processed through our Service (as hosting provider) | Global network (Australia, US, EU) |

| Microsoft Azure | PostgreSQL database hosting (via Azure Managed PostgreSQL and Hyperdrive) | All stored user data and trip information | Australia (primary region) |

Contractual Safeguards: All service providers are bound by data processing agreements requiring them to:

  • Process data only on our instructions
  • Implement appropriate security measures
  • Comply with applicable privacy laws (GDPR, CCPA, Australian Privacy Act)
  • Maintain confidentiality
  • Delete or return data upon request

5.2 Collaborative Features (User-Initiated Sharing)

With Your Explicit Action:

  • When you invite other users to collaborate on a trip, their email addresses are shared with Postmark for invitation delivery
  • Trip details you choose to share become accessible to invited users based on their assigned role (Owner, Editor, Viewer)
  • Other users who have access to a shared trip can view all trip information you've included

You control: Who receives invitations and what access level they have.

5.3 Business Transfers

If TravlAgent is involved in a merger, acquisition, asset sale, bankruptcy, or reorganization, your personal information may be transferred to the successor entity. We will:

  • Provide notice via email and/or prominent notice on our website
  • Inform you of any choices you may have regarding your information

5.4 Legal Requirements and Protection

We may disclose your information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable law, regulation, legal process, or government request
  • Enforce our Terms of Service and investigate potential violations
  • Detect, prevent, or address fraud, security, or technical issues
  • Protect the rights, property, or safety of TravlAgent, our users, or the public as required or permitted by law

5.5 Aggregated and Anonymized Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you, including:

  • Usage statistics and trends
  • Anonymized travel preference insights
  • Performance metrics

This data is not considered personal information and is not subject to this Privacy Policy.

5.6 With Your Consent

We may share your information for purposes not described in this Privacy Policy with your explicit consent.

6. INTERNATIONAL DATA TRANSFERS

6.1 Cross-Border Transfers

TravlAgent is based in Australia, but your personal information may be transferred to, stored in, and processed in countries outside Australia, including:

  • United States (OpenAI, Google, Postmark, Cloudflare, Microsoft Azure)
  • European Union (Cloudflare edge network)
  • Other countries where our service providers operate infrastructure

Data protection laws in these countries may differ from those in your country of residence, including Australia.

6.2 Safeguards for International Transfers

We implement the following safeguards to protect your data during international transfers:

For EU/EEA/UK Users:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to countries without adequacy decisions
  • Service providers with US operations may rely on the EU-U.S. Data Privacy Framework (where applicable and certified)
  • We conduct Transfer Impact Assessments (TIAs) for high-risk transfers

For Australian Users:

  • By using the Service, you consent to the transfer of your personal information to overseas recipients as described in this Privacy Policy, in accordance with Australian Privacy Principle 8.1
  • We take reasonable steps to ensure overseas recipients comply with the APPs or are subject to substantially similar privacy protections

For California Users:

  • We implement appropriate safeguards including contractual commitments from service providers
  • You have the right to opt out of certain data sharing (see Section 8)

6.3 Data Storage Locations

Primary Data Storage:

  • Azure Managed PostgreSQL (Australia region) - primary database for user accounts, trips, and preferences
  • Cloudflare Workers/Durable Objects - distributed globally with data residency controls

Backup and Redundancy:

  • Database backups may be stored in multiple Azure regions for disaster recovery
  • Session and cache data stored in Cloudflare KV (global distribution)

7. DATA RETENTION

7.1 How Long We Keep Your Data

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data:

  • Active accounts: Retained for the duration of your account plus 7 years after last activity (Australian business record-keeping requirements)
  • Email, name, authentication data: Retained while your account exists

Trip and Preference Data:

  • Active trips: Retained indefinitely while your account exists
  • Archived trips: Retained for 7 years from archival date
  • Deleted trips: Soft-deleted (marked as deleted but retained in backups for 90 days), then permanently deleted

Usage and Log Data:

  • Access logs and session data: 12 months
  • Error logs and diagnostics: 24 months
  • Analytics data: 36 months (aggregated and anonymized after 12 months)

Email Communications:

  • Transactional emails (sent via Postmark): Logs retained for 45 days by Postmark, metadata retained by us for 12 months
  • Support correspondence: 7 years from last interaction

Legal and Financial Records:

  • Minimum 7 years where required by Australian taxation law and corporate record-keeping requirements

7.2 Deletion Timeframes After Account Closure

When you delete your account or request data deletion:

| Data Type | Deletion Timeline |

|-----------|------------------|

| Active systems | Within 30 days |

| Backup systems | Within 90 days |

| Log files | Next scheduled purge (within 12 months) |

| Third-party systems (OpenAI, Postmark) | 30-45 days (per their retention policies) |

| Anonymized analytics | Retained permanently (cannot identify you) |

| Legal hold data | Retained until legal matter resolved |

7.3 Exceptions to Deletion

We may retain certain information longer when:

  • Required by law (e.g., tax records, legal holds, subpoenas)
  • Necessary to resolve disputes or enforce agreements
  • Required for legitimate business purposes (fraud prevention, security)
  • Retained in backup systems that are not actively accessible (deleted in next backup cycle)

Note: After anonymization, data no longer identifies you and is not subject to deletion rights.

8. YOUR PRIVACY RIGHTS

Your privacy rights vary depending on your location. Below are the rights available to users in different jurisdictions.

8.1 Rights for All Users (Universal)

Right to Access: Request confirmation of what personal information we hold about you and receive a copy.

Right to Correction: Request correction of inaccurate or incomplete personal information.

Right to Deletion: Request deletion of your personal information (subject to legal exceptions).

Right to Withdraw Consent: Withdraw previously granted consent for data processing (where consent is the lawful basis).

Right to Complain: Lodge a complaint with a data protection authority (see Section 14).

8.2 Additional Rights for Australian Users (Privacy Act 1988)

Under the Australian Privacy Principles (APPs), you have the right to:

  • Access your personal information we hold (APP 12)
  • Request correction of inaccurate, out-of-date, incomplete, or misleading information (APP 13)
  • Make a complaint about our handling of your personal information (see Section 14.3)

Note: We may charge a reasonable fee for processing access requests where permitted by law, but we will advise you of any fees before processing your request.

8.3 Additional Rights for EU/EEA/UK Users (GDPR)

Under the GDPR, you have the right to:

Right to Rectification (Article 16): Correct inaccurate personal data.

Right to Erasure / "Right to be Forgotten" (Article 17): Request deletion of your personal data when:

  • No longer necessary for the purposes collected
  • You withdraw consent (where consent was the lawful basis)
  • You object to processing and no overriding legitimate grounds exist
  • Data was unlawfully processed
  • Required for legal compliance

Right to Restriction of Processing (Article 18): Request that we limit processing of your data in certain circumstances.

Right to Data Portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.

Right to Object (Article 21):

  • Object to processing based on legitimate interests
  • Object to direct marketing (absolute right)
  • Object to automated decision-making (see Section 4.5)

Right Not to be Subject to Automated Decision-Making (Article 22): Right to human intervention for decisions based solely on automated processing with legal or significant effects.

Response Timeline: We will respond to requests within 30 days (may be extended by 2 months for complex requests).

8.4 Additional Rights for California Users (CCPA/CPRA)

Under the California Consumer Privacy Act and California Privacy Rights Act, you have the right to:

Right to Know (Categories and Specific Pieces):

  • Request disclosure of categories of personal information collected, sources, purposes, and third parties with whom shared (in the preceding 12 months)
  • Request specific pieces of personal information we hold about you

Right to Delete: Request deletion of personal information we've collected from you (subject to exceptions).

Right to Correct: Request correction of inaccurate personal information.

Right to Opt Out of Sale/Sharing: Opt out of the "sale" or "sharing" of personal information (as defined by CCPA/CPRA).

  • Note: We do NOT sell your personal information in the traditional sense. However, use of analytics or advertising cookies may constitute "sharing" under CCPA definitions.
  • To opt out, email support@travlagent.com with "Opt Out of Data Sharing" in the subject line, or enable Global Privacy Control (GPC) in your browser

Right to Limit Use of Sensitive Personal Information: Restrict use of sensitive personal information to purposes necessary for providing the Service.

Right to Non-Discrimination: Exercise privacy rights without discriminatory treatment (pricing, service quality, etc.).

Global Privacy Control (GPC): We honor Global Privacy Control signals where technically feasible. You may also opt out by contacting us directly via email.

Response Timeline: We will respond to verifiable requests within 45 days (may be extended by an additional 45 days if necessary).

Verification: We may require verification of your identity before processing requests (e.g., matching email address, authentication).

8.5 Additional Rights for Other Jurisdictions

If you are located in other jurisdictions with comprehensive privacy laws (e.g., Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Brazil LGPD), you may have similar rights to access, correct, delete, and portability. Contact us at support@travlagent.com to exercise these rights.

8.6 How to Exercise Your Rights

To exercise any of the above rights:

Email: support@travlagent.com with "Privacy Rights Request" in the subject line

What to Include in Your Email:

  • Your name and registered email address
  • Specific right you wish to exercise (e.g., "I would like to access my data" or "Please delete my account")
  • Any additional details to help us locate your information
  • For correction requests, specify what information is inaccurate and what it should be

Our Process:

1. We will verify your identity (typically by confirming your email address or asking security questions)

2. We will acknowledge receipt of your request within 3 business days

3. We will process your request and respond within the legally required timeframe:

- 30 days for Australian and EU/EEA/UK users

- 45 days for California users (may extend an additional 45 days if needed)

4. You will receive a confirmation email when your request is completed

For Data Export Requests:

We will compile your personal data and provide it in a structured, commonly used format (typically JSON or PDF in a ZIP file). You will receive a secure download link via email that expires after 7 days.

For Account Deletion Requests:

We will send a confirmation email requiring you to verify your deletion request. Once confirmed, your account and data will be permanently deleted within 30 days (some data may remain in backup systems for up to 90 days before final deletion).

Current Process:

As a growing startup, we currently process privacy rights requests manually via email. This ensures personalized attention to your request. We will implement automated self-service tools as we scale.

In-App Tools:

You can also manage certain privacy settings directly in your account:

  • Update or correct your profile information (name, email, preferences)
  • Delete individual trips
  • Adjust privacy preferences
  • Delete your account (Settings > Account > Delete Account)

Authorized Agents (California):

California residents may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization (power of attorney or written permission signed by you).

9. COOKIES AND TRACKING TECHNOLOGIES

9.1 What Are Cookies?

Cookies are small text files stored on your device by your web browser when you visit websites or use apps. We use cookies and similar technologies (session tokens, local storage, device identifiers) to provide and improve the Service.

9.2 Types of Cookies We Use

Strictly Necessary Cookies (Always Active):

  • Session authentication cookies: Keep you logged in and maintain your session
  • Security cookies: Prevent fraud and enhance security
  • Load balancing cookies: Distribute traffic across servers

Functional Cookies (Enabled by Default):

  • Preference cookies: Remember your settings (language, temperature unit, etc.)
  • Feature enablement: Enable collaborative features and trip sharing

Analytics and Performance Cookies (Require Consent in EU/EEA/UK):

  • Usage analytics: Understand how users interact with the Service
  • Error tracking: Identify and fix technical issues
  • Performance monitoring: Measure load times and optimize performance

Advertising/Targeting Cookies:

  • We do NOT currently use advertising or targeting cookies
  • If introduced in the future, we will obtain consent where required

9.3 Third-Party Cookies and Tracking

Cloudflare:

  • DDoS protection and content delivery
  • May set cookies for security and performance purposes
  • Privacy Policy: https://www.cloudflare.com/privacypolicy/

Mobile App Analytics (if implemented):

  • iOS: May use Apple's App Analytics (anonymized)
  • Android: May use Google Play Console analytics (anonymized)

9.4 How to Control Cookies

Web Browser Settings:

  • Most browsers allow you to refuse or delete cookies through settings
  • Blocking strictly necessary cookies may prevent you from using the Service

Browser-Specific Instructions:

  • Chrome: Settings > Privacy and Security > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Cookies and website data
  • Edge: Settings > Cookies and site permissions

Mobile App Settings:

  • iOS: Settings > Privacy > Tracking (to limit tracking across apps)
  • Android: Settings > Google > Ads > Opt out of Ads Personalization

Global Privacy Control (GPC):

  • We honor Global Privacy Control signals where technically feasible
  • California users can also opt out by emailing support@travlagent.com with "Opt Out of Data Sharing" in the subject line
  • We will process your opt-out request within 15 business days

Cookie Consent Management:

  • EU/EEA/UK users: We will implement cookie consent management as we scale
  • For now, you can manage cookie preferences via browser settings (see above)
  • To opt out of non-essential cookies, email support@travlagent.com

9.5 Do Not Track (DNT)

We do not currently respond to "Do Not Track" signals, as there is no industry standard for DNT. We do honor Global Privacy Control (GPC) signals for CCPA compliance.

9.6 Mobile Device Identifiers

iOS:

  • We may collect IDFA (Identifier for Advertisers) only with your consent via ATT (App Tracking Transparency) prompt
  • We use IDFA only for analytics and attribution purposes (if applicable)

Android:

  • We may collect Android Advertising ID for analytics purposes
  • You can reset or opt out in Android Settings > Google > Ads

For detailed cookie information, see our Cookie Policy at https://travlagent.com/cookies.

10. SECURITY OF YOUR INFORMATION

10.1 Our Security Commitment

We implement reasonable technical and organizational measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

10.2 Technical Security Measures

Encryption:

  • Data in transit: All data transmitted between your device and our servers is encrypted using TLS 1.2+ (HTTPS)
  • Data at rest: Database encryption at rest via Azure Managed PostgreSQL encryption
  • Password storage: Passwords hashed using industry-standard algorithms (bcrypt or similar)

Access Controls:

  • Role-based access control (RBAC) for internal systems
  • Multi-factor authentication (MFA) for administrative access
  • Principle of least privilege for employee access
  • Regular access reviews and permission audits

Infrastructure Security:

  • DDoS protection via Cloudflare
  • Web Application Firewall (WAF) rules
  • Rate limiting to prevent abuse
  • Regular security patches and updates
  • Isolated production environments

Application Security:

  • Input validation and sanitization to prevent injection attacks
  • CSRF (Cross-Site Request Forgery) protection
  • XSS (Cross-Site Scripting) prevention
  • Secure session management with HttpOnly and Secure cookie flags
  • Content Security Policy (CSP) headers

Monitoring and Logging:

  • Audit logs for data access and modifications
  • Real-time security monitoring and alerting
  • Error tracking and anomaly detection
  • Regular security vulnerability scans

10.3 Organizational Security Measures

Policies and Procedures:

  • Data protection and privacy policies for employees
  • Incident response and data breach protocols
  • Regular security awareness training
  • Confidentiality agreements for employees and contractors

Vendor Management:

  • Due diligence and security assessments of third-party providers
  • Data Processing Agreements (DPAs) with contractual security requirements
  • Regular vendor security reviews

10.4 Limitations of Security

No security system is impenetrable. While we strive to protect your personal information, we cannot guarantee absolute security. You acknowledge that:

  • Internet transmission is never completely secure
  • Unauthorized access, hardware/software failure, and other factors may compromise security
  • You provide information at your own risk

10.5 Your Responsibilities

You are responsible for:

  • Maintaining the confidentiality of your password and account credentials
  • Logging out of your account when using shared devices
  • Notifying us immediately of any suspected unauthorized access (email support@travlagent.com)
  • Using strong, unique passwords
  • Keeping your device and software updated with security patches

10.6 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

Australian Users (Notifiable Data Breaches Scheme):

  • Assess whether the breach is likely to result in serious harm
  • If so, notify affected individuals as soon as practicable
  • Notify the Office of the Australian Information Commissioner (OAIC)

EU/EEA/UK Users (GDPR):

  • Notify the relevant supervisory authority within 72 hours of becoming aware
  • Notify affected individuals without undue delay if high risk to rights and freedoms

California Users (CCPA):

  • Notify affected individuals without unreasonable delay as required by California Civil Code § 1798.82

Other Users:

  • Comply with applicable breach notification laws in your jurisdiction

Notification will include:

  • Description of the breach and data affected
  • Likely consequences and potential harm
  • Measures taken to address the breach
  • Recommended steps you can take to protect yourself
  • Contact information for questions

11. CHILDREN'S PRIVACY

11.1 Age Restrictions

The Service is not intended for children under 18 years of age (or under 16 for EU/EEA/UK users).

We do not knowingly collect, use, or disclose personal information from children under the applicable age without verifiable parental consent.

11.2 Parental Notice

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at support@travlagent.com.

11.3 Deletion of Children's Data

If we learn that we have collected personal information from a child under the applicable age without proper parental consent, we will:

  • Delete the information as soon as reasonably practicable
  • Terminate the associated account
  • Prevent further collection

11.4 Verification

We may request proof of age during account registration to prevent underage access.

12. THIRD-PARTY SERVICES AND LINKS

12.1 Third-Party Websites and Services

The Service may contain links to third-party websites, services, or applications, including:

  • Accommodation booking platforms
  • Venue websites and contact information
  • Social media platforms
  • Transportation services
  • Tourism boards and travel resources

We are not responsible for the privacy practices, content, or security of third-party services. These third parties have their own privacy policies, and we encourage you to review them before providing any personal information.

12.2 Third-Party Data Sources

We display information from third-party APIs (Google Places, Azure Maps) within the Service. This data is provided by those third parties and is subject to their terms and privacy policies:

  • Google Maps/Places: https://policies.google.com/privacy
  • Microsoft Azure Maps: https://privacy.microsoft.com/en-us/privacystatement
  • OpenAI: https://openai.com/privacy

12.3 Social Login Providers

When you use social login (Google, Apple), you authorize those providers to share certain information with us. Review their privacy policies:

  • Google: https://policies.google.com/privacy
  • Apple: https://www.apple.com/legal/privacy/

12.4 No Endorsement

Inclusion of third-party links or data does not constitute endorsement of those services or their privacy practices.

13. CHANGES TO THIS PRIVACY POLICY

13.1 Updates and Modifications

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data practices
  • New features or services
  • Legal or regulatory requirements
  • Feedback from users or regulators

13.2 Notice of Changes

When we make material changes to this Privacy Policy:

  • We will update the "Last Updated" date at the top
  • We will notify you via email to your registered email address (at least 30 days before changes take effect)
  • We may display an in-app notification or banner
  • We will post the updated Privacy Policy at https://travlagent.com/privacy

EU/EEA/UK Users: For material changes, we will obtain your explicit consent where required by GDPR.

13.3 Your Acceptance

Your continued use of the Service after the effective date of changes constitutes acceptance of the updated Privacy Policy.

If you do not agree to the changes, you must stop using the Service and may delete your account (see Section 8).

13.4 Version History

Previous versions of this Privacy Policy may be available upon request. Contact support@travlagent.com.

14. CONTACT US

14.1 General Inquiries

For questions, concerns, or requests regarding this Privacy Policy or our data practices:

Cloudvante Pty Ltd

ABN: 28 681 142 683

ACN: 681 142 683

Address: 470 St Kilda Road, Melbourne, VIC 3004, Australia

Email: support@travlagent.com

Website: https://travlagent.com

14.2 Privacy Rights Requests

To exercise your privacy rights (access, correction, deletion, etc.):

  • Email: support@travlagent.com
  • Subject Line: "Privacy Rights Request" or "Data Subject Request"
  • Include: Your name, registered email, and specific request

14.3 Complaints (Australian Users)

If you believe we have breached the Australian Privacy Principles, you may:

Step 1: Contact us at support@travlagent.com with your complaint

  • We will investigate and respond within 30 days

Step 2: If unsatisfied with our response, you may contact:

Office of the Australian Information Commissioner (OAIC)

Phone: 1300 363 992 (within Australia)

Email: enquiries@oaic.gov.au

Website: www.oaic.gov.au

Online complaint form: https://www.oaic.gov.au/privacy/privacy-complaints

14.4 Supervisory Authorities (EU/EEA/UK Users)

You have the right to lodge a complaint with your local data protection supervisory authority:

EU Data Protection Authorities: https://edpb.europa.eu/about-edpb/board/members_en

UK Information Commissioner's Office (ICO):

Website: https://ico.org.uk

Phone: 0303 123 1113

14.5 California Privacy Rights

California residents may contact us to exercise CCPA/CPRA rights:

  • Email: support@travlagent.com
  • Subject: "CCPA Request" or "California Privacy Rights"

15. JURISDICTION-SPECIFIC INFORMATION

15.1 For Australian Users

Collection Statement (APP 5):

We collect your personal information to provide the TravlAgent Service, including AI-powered trip planning, collaborative features, and personalized recommendations. Collection is necessary for the performance of our contract with you and for our legitimate business interests.

Overseas Disclosure (APP 8):

Your personal information will be disclosed to overseas recipients located in:

  • United States (OpenAI, Google, Microsoft, Postmark, Cloudflare)
  • Other countries where Cloudflare operates edge servers

By using the Service, you consent to these overseas disclosures. We take reasonable steps to ensure recipients comply with the APPs or have substantially similar protections.

Direct Marketing (APP 7):

We do not currently use your personal information for direct marketing. If we do in the future, we will:

  • Obtain your consent (opt-in)
  • Provide a simple opt-out mechanism in every communication
  • Honor opt-out requests within 7 days

Access and Correction (APPs 12 & 13):

You may request access to or correction of your personal information at any time by contacting support@travlagent.com. We will respond within 30 days.

We may charge a reasonable fee for access requests (we will inform you before processing). We will not charge for correction requests.

Australian Consumer Law:

Nothing in this Privacy Policy excludes or limits rights you may have under the Australian Consumer Law or other mandatory consumer protections.

15.2 For EU/EEA/UK Users

Legal Basis for Processing (GDPR Article 6):

We process your personal data based on the following lawful bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service
  • Legitimate Interests (Article 6(1)(f)): Service improvement, security, analytics
  • Consent (Article 6(1)(a)): Marketing communications (if applicable), optional features, analytics cookies
  • Legal Obligation (Article 6(1)(c)): Compliance with laws, breach notification

Special Categories of Data:

We do not intentionally collect special categories of personal data (Article 9) such as health, biometric, or religious data.

Data Controller:

Cloudvante Pty Ltd is the data controller for your personal data.

EU/UK Representative:

As an Australian company, we are currently evaluating whether we require an EU/UK representative under Articles 27 (GDPR) and UK GDPR. If required, representative details will be updated here.

Data Protection Officer (DPO):

We do not currently have a designated Data Protection Officer. For data protection inquiries, contact support@travlagent.com.

International Transfers:

We rely on Standard Contractual Clauses (SCCs) for transfers of personal data from the EU/EEA/UK to countries without adequacy decisions.

Automated Decision-Making:

See Section 4 for information about AI and automated decision-making, including your rights under Article 22.

15.3 For California Users (CCPA/CPRA)

Categories of Personal Information Collected (Last 12 Months):

| Category | Examples | Collected | Sources |

|----------|----------|-----------|---------|

| Identifiers | Email, name, IP address, device ID | YES | You, automatic collection, authentication providers |

| Personal information (Cal. Civ. Code § 1798.80(e)) | Name, email | YES | You |

| Protected classifications | Age (18+ verification) | YES | You |

| Commercial information | Trip preferences, budget tier | YES | You |

| Internet/network activity | Browsing history within Service, interactions | YES | Automatic collection |

| Geolocation data | Precise coordinates of trip destinations (not real-time device location) | YES | You (trip planning inputs) |

| Sensory information | Profile photos (optional) | YES | You, authentication providers |

| Professional/employment information | NOT COLLECTED | NO | N/A |

| Education information | NOT COLLECTED | NO | N/A |

| Inferences | Travel preferences, predicted interests | YES | Derived from your activity |

Purposes for Collection:

See Section 3 for detailed purposes.

Categories of Third Parties with Whom We Share Personal Information:

  • Service providers (OpenAI, Google, Microsoft, Postmark, Cloudflare)
  • Collaborative feature participants (users you invite to trips)

Sale or Sharing of Personal Information:

We do NOT sell personal information in the traditional commercial sense. We do NOT share personal information for cross-context behavioral advertising purposes.

If analytics cookies or similar technologies are enabled, this may constitute "sharing" under CCPA definitions. You can opt out via:

  • Global Privacy Control (GPC) signals
  • Cookie preference settings
  • Contacting support@travlagent.com

Sensitive Personal Information:

We collect the following sensitive personal information:

  • Precise geolocation (coordinates of trip destinations you select, NOT real-time tracking)
  • Account login credentials

We do NOT use or disclose sensitive personal information for purposes other than providing the Service.

Retention:

See Section 7 for detailed retention periods.

Shine the Light (Cal. Civ. Code § 1798.83):

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not currently share data for third-party direct marketing.

Financial Incentives:

We do not offer financial incentives for collection, retention, or sale of personal information.

15.4 For Users in Other U.S. States

If you reside in Virginia, Colorado, Connecticut, Utah, Montana, Oregon, Texas, or other states with comprehensive privacy laws, you may have similar rights to access, correct, delete, and data portability. Contact support@travlagent.com to exercise these rights.

15.5 For Users in Other Countries

We strive to comply with privacy laws globally. If you have questions about how your local privacy laws apply, contact support@travlagent.com.

ADDITIONAL DISCLOSURES

Apple App Store Privacy Nutrition Label

In compliance with Apple's App Privacy requirements, we disclose:

Data Linked to You:

  • Contact Info (email, name)
  • User Content (trip plans, preferences)
  • Identifiers (user ID)
  • Usage Data (interactions, features used)
  • Diagnostics (crash data, performance)

Data Not Linked to You:

  • Aggregated analytics (anonymized)

Data Used to Track You:

  • We do NOT track you across apps and websites owned by other companies for advertising purposes
  • IDFA collected only with explicit ATT consent (if implemented)

Google Play Data Safety

In compliance with Google Play's Data Safety requirements, we disclose:

Data Collected:

  • Personal info (name, email)
  • Location (trip destinations, not real-time device tracking)
  • App activity (interactions, generated itineraries)

Data Shared:

  • Third-party service providers (for Service functionality)
  • Users you invite to shared trips

Data Security:

  • Data encrypted in transit (TLS/HTTPS)
  • Data encrypted at rest (database-level encryption)
  • You can request data deletion

END OF PRIVACY POLICY

Version 1.0

Copyright © 2025 Cloudvante Pty Ltd. All rights reserved.

Summary: This Privacy Policy explains how TravlAgent collects, uses, shares, and protects your personal information. We use AI (OpenAI) to generate trip recommendations based on your preferences. Your data is shared with essential service providers (Google, Microsoft, Postmark, Cloudflare) to operate the Service. You have rights to access, correct, and delete your information. We do not sell your personal information. For questions, contact support@travlagent.com.