Privacy Policy

Last Updated: June 7, 2026

1. Introduction

1.1 About This Policy

This Privacy Policy ("Policy") describes how Tech For Travel Agents, LLC ("Company," "we," "us," or "our") collects, uses, discloses, and protects information when you use Travel Office Suite Pro (the "Platform," "Suite," or "Service").

1.2 About Travel Office Suite Pro

Travel Office Suite Pro is a comprehensive suite of software applications designed for travel professionals, including:

Currently Available:

  • Booking Pro – Client management, trip planning, invoicing, itineraries, proposals, group bookings, comparisons, and client portal
  • AI Navigator Pro – Destination intelligence, AI-powered business analytics, natural language search, and research assistance
  • Forms Pro – Customizable forms, waivers, and document collection

Planned Additions:

  • Marketing Pro – Marketing automation, email campaigns, and client outreach tools
  • Bookkeeping Pro – Financial tracking, expense management, and accounting integration

This Policy applies to all applications within Travel Office Suite Pro.

1.3 Acceptance

By creating an account or using any application within Travel Office Suite Pro, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Policy, please do not use our Service.

1.4 Relationship to Terms of Service

This Privacy Policy is incorporated into and subject to our Terms of Service (last updated May 25, 2026). Capitalized terms not defined in this Policy have the meanings given in our Terms of Service.

2. Information We Collect

We collect information in several ways depending on how you interact with Travel Office Suite Pro.

2.1 Information You Provide Directly

2.1.1 Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Password (encrypted)
  • Phone number (optional)
  • Company/agency name
  • Business address
  • Travel industry credentials and certifications
  • Seller of Travel registration numbers
  • Profile photo (optional)
  • Company logo (optional)

2.1.2 Billing Information

When you subscribe, we collect:

  • Payment method details (processed and stored by Stripe, our payment processor)
  • Billing address
  • Transaction history

2.1.3 Client Data (Entered by Travel Advisors)

Travel advisors using our Platform enter information about their clients, including:

  • Client names and contact information
  • Date of birth and gender
  • Passport and travel document details
  • Travel preferences and history
  • Dietary restrictions and accessibility needs
  • Emergency contact information
  • Trip details and itineraries
  • Payment and invoice records
  • Communication history
  • Additional traveler information (including name, date of birth, and gender)
  • Text message (SMS) communication opt-in preferences
  • Referral relationships and referral credit history

Important: Travel advisors are responsible for obtaining appropriate consent from their clients before entering client data into the Platform.

2.1.4 Content You Create

  • Trip proposals and presentations
  • Itineraries and travel documents
  • Invoices and financial records
  • Email communications sent through the Platform
  • Notes and internal documentation
  • Custom forms and waivers (Forms Pro)
  • Marketing campaigns and newsletters (Marketing Pro)
  • Financial records and expense reports (Bookkeeping Pro)

2.1.5 Communications

  • Support requests and correspondence
  • Feedback and suggestions
  • Survey responses

2.2 Information Collected Automatically

2.2.1 Usage Data

When you use the Platform, we automatically collect:

  • Pages and features accessed
  • Actions taken within the Platform
  • Time spent on pages
  • Click patterns and navigation paths
  • Feature usage statistics
  • AI Navigator Pro queries and search history
  • Destination Intelligence card views and search patterns

2.2.2 Device and Technical Information

  • IP address
  • Browser type and version
  • Operating system
  • Device type and identifiers
  • Screen resolution
  • Language preferences
  • Referring URLs

2.2.3 Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Maintain your session and authentication
  • Remember your preferences
  • Analyze Platform usage
  • Improve user experience

For more details, see Section 7 (Cookies and Tracking Technologies).

2.3 Information from Third Parties

2.3.1 Payment Processor

Stripe provides us with limited transaction information (e.g., payment success/failure, last four digits of card) but does not share full payment card details with us.

2.3.2 Authentication Providers

If you sign in using third-party authentication (e.g., Google), we receive basic profile information from that provider.

2.3.3 Integrated Services

When you connect third-party services (e.g., presentation tools, email services), we may receive data necessary to provide those integrations.

3. How We Use Your Information

3.1 Providing and Improving the Service

We use your information to:

  • Create and manage your account
  • Process subscriptions and payments
  • Provide access to Platform features
  • Enable client management functionality
  • Generate invoices, itineraries, and proposals
  • Facilitate email communications
  • Provide customer support
  • Fix bugs and troubleshoot issues
  • Develop new features and improvements

3.2 AI-Powered Features

We use information to power AI-assisted features, including:

  • Trip parsing from text, images, and PDF documents
  • Itinerary generation and suggestions
  • Content creation assistance
  • Data extraction and organization
  • AI Navigator Pro natural language search across your business data (clients, trips, invoices, commissions, and vendors)
  • AI Navigator Pro business analytics and metrics aggregation
  • Destination Intelligence research and recommendations

Note: AI processing is performed to assist your workflow. You are responsible for reviewing and verifying all AI-generated content. Destination intelligence data is curated and maintained by Tech For Travel Agents, LLC and should be independently verified with authoritative sources before advising clients.

3.3 Destination Intelligence

The AI Navigator Pro Destination Intelligence feature processes and stores the following data:

  • A curated database of verified destinations across 80+ countries and 53 regions
  • Entry requirements, visa policies, health advisories, and local insights for each destination
  • Your destination search history and recently viewed destinations
  • User-requested destination submissions (including review status)

This data is used to provide contextual travel intelligence, improve destination recommendations, and enhance the overall advisory experience. Destination data is maintained internally and is not sourced from or shared with third-party data brokers.

3.4 Communications

We use your contact information to:

  • Send account-related notifications
  • Provide subscription and billing updates
  • Deliver product updates and announcements
  • Respond to support requests
  • Send marketing communications (with your consent)

3.5 Analytics and Research

We use aggregated and anonymized data to:

  • Analyze Platform usage patterns
  • Measure feature effectiveness
  • Conduct research and development
  • Generate industry insights (without identifying individuals)

3.6 Security and Compliance

We use information to:

  • Protect against fraud and unauthorized access
  • Enforce our Terms of Service
  • Comply with legal obligations
  • Respond to legal requests

3.7 Business Operations

We use information for:

  • Internal administration
  • Financial reporting and auditing
  • Business planning and strategy

4. How We Share Your Information

4.1 With Your Consent

We share information when you explicitly authorize us to do so.

4.2 Service Providers

We share information with third-party service providers who assist us in operating the Platform, including:

Provider Type | Purpose | Data Shared
Cloud Hosting (Abacus AI) | Data storage and infrastructure | All Platform data
Payment Processing (Stripe) | Advisor subscription billing | Advisor billing information
PCI Vault Provider (PCI-DSS Level 1 Certified) | Tokenized card-on-file storage for client payment cards | Client card data (encrypted and tokenized by the provider; only tokens and masked references are stored on the Platform)
Email Delivery | Sending transactional emails | Email addresses, content
AI Services | AI-powered features (trip parsing, itinerary generation, natural language search, analytics) | Content for processing
File Storage (AWS S3) | Document and file storage | Uploaded files (tenant-namespaced)
Presentation Tools (Gamma) | Proposal generation | Trip and presentation data
Analytics | Usage analysis | Anonymized usage data

Our service providers are contractually obligated to protect your information and use it only for the purposes we specify.

4.3 Client Payment Processing

Travel Office Suite Pro facilitates client payment collection through external payment links and an optional PCI Vault feature for secure card-on-file storage. For payment transactions, the Platform uses an external redirect model:

  • Stripe Payment Links: Travel advisors may configure Stripe Payment Links within the Platform. When a client clicks a payment link, they are redirected to Stripe's hosted checkout page to complete payment. No card data passes through or is stored on the Platform.
  • External Payment URLs: Travel advisors may configure custom external payment URLs pointing to their own payment processors (e.g., host agency consortia payment portals). Clients are redirected to those external sites to complete payment.
  • Planning Fee Links: Travel advisors may create Stripe Payment Links for planning fees. Clients pay via Stripe's hosted checkout and funds settle directly to the advisor's Stripe account.
  • PCI Vault (Card-on-File): The Platform includes an optional PCI Vault feature that allows clients to securely submit their payment card information through a tokenized collection form hosted by a PCI-DSS Level 1 certified third-party provider. The card data is encrypted and tokenized by the third-party provider before any reference reaches the Platform. The Platform never sees, stores, or has access to raw card numbers, expiration dates, or CVVs. Only secure tokens and masked card references (e.g., last 4 digits, card brand) are stored within the Platform. Travel advisors may retrieve masked card references to manually enter card details into a travel vendor's own PCI-DSS compliant booking system. PCI Vault is available on Pro, Team, and Enterprise plans, with metered access during the free trial.

Important: For payment transactions, the Platform uses an external redirect model, so no raw payment card data enters or passes through the Platform during transactions. The optional PCI Vault feature uses a PCI-DSS Level 1 certified third-party provider for tokenized card-on-file storage — the Platform itself never handles raw card data. Travel advisors are responsible for ensuring that their chosen external payment processors (Stripe or other providers) comply with applicable payment industry regulations, and for using PCI Vault card data only for authorized booking purposes as described in the Terms of Service (Section 9.7).

4.4 Client Portal Access

When travel advisors share information with their clients through the Client Portal, clients can access:

  • Trip itineraries and details
  • Invoices and payment information (including external payment links)
  • Travel documents shared by the advisor
  • Proposal presentations

Advisors control what information is shared with their clients.

4.5 Legal Requirements

We may disclose information when required by law, including:

  • In response to subpoenas, court orders, or legal process
  • To comply with government requests
  • To protect our rights, privacy, safety, or property
  • To protect against fraud or security threats
  • In connection with legal proceedings

4.6 Business Transfers

If Tech For Travel Agents, LLC is involved in a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.

4.7 Aggregated and Anonymized Data

We may share aggregated, anonymized data that cannot reasonably be used to identify you for:

  • Industry research and benchmarking
  • Marketing and promotional purposes
  • Public reports and statistics

4.8 What We Do NOT Sell

We do not sell your personal information or your clients' personal information to third parties.

5. Data Ownership and Responsibilities

5.1 Your Data Ownership

You retain ownership of all data you input, upload, or create through the Platform ("Your Data"). This includes client records, trip details, invoices, documents, and communications.

5.2 Travel Advisor Responsibilities

As a travel advisor using our Platform, you are responsible for:

5.2.1 Client Consent

  • Obtaining appropriate consent from your clients before collecting and storing their personal information in the Platform
  • Informing clients about how their data will be used
  • Honoring client requests regarding their data
  • Obtaining explicit opt-in consent before sending text message (SMS) communications to clients

5.2.2 Data Accuracy

  • Ensuring the accuracy of client information you enter
  • Updating or correcting client data as needed
  • Deleting client data when no longer necessary or upon client request

5.2.3 Legal Compliance

  • Complying with all applicable privacy laws (GDPR, CCPA, etc.) in your interactions with clients
  • Maintaining appropriate data protection practices
  • Responding to client data requests
  • Complying with the Telephone Consumer Protection Act (TCPA) and other applicable regulations when sending SMS communications

5.2.4 External Payment Processing & PCI Vault

  • Ensuring that any external payment processor you configure (Stripe Payment Links or custom URLs) complies with applicable payment industry regulations
  • Maintaining the accuracy and validity of configured payment links
  • Resolving any payment disputes directly with clients and/or the external payment processor
  • Using PCI Vault card-on-file data solely for the purpose of booking travel on behalf of the authorizing client
  • Obtaining proper authorization from cardholders before storing their card data via PCI Vault
  • Never storing raw cardholder data (full card numbers, CVVs, expiration dates) anywhere on the Platform outside of the designated PCI Vault feature

5.3 Data Processing Agreement

For travel advisors subject to GDPR or similar regulations, we act as a "data processor" on your behalf. You are the "data controller" for your clients' personal data. Contact us for a Data Processing Agreement if required.

6. Data Security

6.1 Security Measures

We implement comprehensive security measures to protect your information, including:

  • Encryption: Data is encrypted in transit (TLS 1.2/1.3 with HSTS) and at rest (AES-256)
  • Access Controls: Dual-layer role-based access controls (RBAC) on all 329 API routes with session validation and tenant scoping
  • Multi-Tenant Data Isolation: Every database query is scoped by tenant ID — agencies cannot access other agencies' data under any circumstances
  • Infrastructure Security: Enterprise-grade managed hosting via Abacus AI Platform with DDoS protection, automated scaling, and edge caching
  • Password Protection: Passwords are hashed using bcrypt with unique per-password salts and never stored in plain text. Passwords must meet minimum complexity requirements (8+ characters, uppercase, lowercase, digit, special character)
  • Mandatory Password Rotation: All user passwords expire every 180 days. The Platform displays warnings 14 days before expiration and requires a new password before access is restored
  • Two-Factor Authentication (2FA): Optional TOTP-based two-factor authentication via authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) for an additional layer of login security
  • Login Rate Limiting: After 5 consecutive failed login attempts, accounts are temporarily locked for 30 minutes to protect against brute-force attacks
  • Session Management: JWT tokens stored in secure, HttpOnly cookies with CSRF protection and automatic session refresh on critical actions
  • Monitoring: Continuous platform-level health monitoring and alerting
  • File Security: Files uploaded via presigned URLs directly to AWS S3 with server-side encryption, time-limited download URLs, and tenant namespacing
  • Audit Logging: Comprehensive, tenant-isolated audit trails recording every sensitive action with actor identity, IP address, user agent, and timestamp
  • Zero Raw Card Data Architecture: External redirect payment model for transactions ensures no raw payment card data enters the Platform. The optional PCI Vault feature uses a PCI-DSS Level 1 certified third-party provider for tokenized card-on-file storage — the Platform stores only secure tokens and masked card references, never raw card numbers or CVVs (see Section 4.3)

For a comprehensive overview of our security architecture, compliance posture, and data protection measures, please see our Platform Security Whitepaper.

6.2 Security Limitations

No method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for:

  • Maintaining the confidentiality of your login credentials
  • Using strong, unique passwords
  • Logging out of shared devices
  • Reporting any suspected security incidents promptly

6.3 Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users as required by applicable law
  • Provide information about the breach and steps taken
  • Offer guidance on protective measures you can take

7. Cookies and Tracking Technologies

7.1 Types of Cookies We Use

Cookie Type | Purpose | Duration
Essential | Authentication, security, basic functionality | Session
Functional | Remember preferences, settings | Persistent
Analytics | Usage analysis, performance monitoring | Persistent

7.2 Essential Cookies

These cookies are necessary for the Platform to function and cannot be disabled. They include:

  • Session authentication tokens
  • Security tokens (CSRF protection)
  • Load balancing identifiers

7.3 Functional Cookies

These cookies remember your preferences, such as:

  • Language and display settings
  • Recently viewed items
  • Form data for convenience

7.4 Analytics Cookies

We use analytics to understand how users interact with the Platform. This helps us improve features and user experience. Analytics data is aggregated and does not identify individual users.

7.5 Managing Cookies

You can control cookies through your browser settings. Note that disabling certain cookies may affect Platform functionality.

7.6 Do Not Track

Our Platform does not currently respond to "Do Not Track" browser signals. However, you can manage tracking preferences through cookie settings.

8. Your Rights and Choices

8.1 Account Information

You can access, update, or correct your account information at any time through your Profile Settings.

8.2 Data Export

You can export your data from the Platform at any time during your active subscription. Export options are available within the application.

8.3 Data Deletion

You can request deletion of your account and associated data by contacting us. Upon account deletion:

  • Your account will be deactivated
  • Your data will be deleted within 30 days
  • Some data may be retained for legal or legitimate business purposes

8.4 Email Communications

You can manage email preferences:

  • Transactional Emails: Cannot be opted out (account-related, security alerts)
  • Marketing Emails: Unsubscribe link provided in each email
  • Product Updates: Manage in account settings

8.5 Rights Under GDPR (European Users)

If you are in the European Economic Area, you have the following rights:

Right | Description
Access | Request a copy of your personal data
Rectification | Request correction of inaccurate data
Erasure | Request deletion of your data
Restriction | Request limitation of data processing
Portability | Receive your data in a portable format
Objection | Object to certain types of processing
Withdraw Consent | Withdraw previously given consent

To exercise these rights, contact us at [email protected].

8.6 Rights Under CCPA (California Residents)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how it is used
  • Delete your personal information (with certain exceptions)
  • Opt-Out of the sale of personal information (we do not sell personal information)
  • Non-Discrimination for exercising your privacy rights

To exercise these rights, contact us at [email protected].

8.7 Response Time

We will respond to verified requests within:

  • GDPR requests: 30 days
  • CCPA requests: 45 days

Complex requests may require additional time with notice.

9. Data Retention

9.1 Active Accounts

We retain your data for as long as your account is active and as needed to provide services.

9.2 After Account Termination

Upon account termination or cancellation:

  • You have 30 days to export your data
  • After 30 days, your data will be deleted from our active systems
  • Backup copies may be retained for up to 90 days
  • Certain data may be retained longer for legal compliance

9.3 Legal Retention Requirements

We may retain certain information as required by law, including:

  • Financial records for tax and accounting purposes (typically 7 years)
  • Data needed for legal proceedings or disputes
  • Data required by regulatory authorities

9.4 Anonymized Data

Anonymized data that cannot reasonably identify you may be retained indefinitely for analytics and research purposes.

10. Children's Privacy

Travel Office Suite Pro is designed for use by travel professionals and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

If you believe we have inadvertently collected information from a child, please contact us immediately at [email protected], and we will take steps to delete the information.

11. International Data Transfers

11.1 Data Location

Travel Office Suite Pro is operated from the United States. Your information may be stored and processed in the United States or other countries where our service providers operate.

11.2 Transfer Safeguards

When we transfer data internationally, we implement appropriate safeguards, including:

  • Standard Contractual Clauses approved by the European Commission
  • Data Processing Agreements with service providers
  • Compliance with applicable data protection laws

11.3 Your Consent

By using Travel Office Suite Pro, you consent to the transfer of your information to the United States and other jurisdictions as described in this Policy.

12. Third-Party Services and Links

12.1 Integrated Services

Travel Office Suite Pro integrates with third-party services. When you use these integrations, you are also subject to the privacy policies of those services:

  • Abacus AI Platform (Cloud Hosting, Database, Infrastructure): Abacus AI Privacy Policy
  • Stripe (Advisor Subscription Billing & Client Payment Links): Stripe Privacy Policy
  • PCI Vault Provider (Tokenized Card-on-File Storage): PCI-DSS Level 1 certified third-party provider for secure card tokenization and storage
  • AWS S3 (File Storage): AWS Privacy Policy
  • Gamma (Presentations): Gamma Privacy Policy

12.2 External Links

The Platform may contain links to external websites. We are not responsible for the privacy practices of external sites. We encourage you to review the privacy policies of any external sites you visit.

12.3 External Payment Processors & PCI Vault

If you configure external payment URLs for client payments, your clients' use of those external payment services is governed by the respective privacy policies of those services. If you use the PCI Vault feature, client card data submitted through PCI Vault is processed and stored by a PCI-DSS Level 1 certified third-party provider — the provider's privacy practices govern the handling of that card data. The Platform stores only secure tokens and masked card references. Tech For Travel Agents, LLC is not responsible for how external payment services or the PCI Vault provider handle client payment data.

13. Changes to This Privacy Policy

13.1 Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated to you via:

  • Email notification to your registered email address
  • Prominent notice within the Platform
  • Updated "Last Updated" date at the top of this Policy

13.2 Review and Acceptance

We encourage you to review this Policy periodically. Your continued use of the Platform after changes take effect constitutes acceptance of the updated Policy.

13.3 Prior Versions

Prior versions of this Privacy Policy may be available upon request.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Tech For Travel Agents, LLC

For data protection inquiries in the European Union, you may also contact your local data protection authority.

15. Additional Disclosures

15.1 California "Shine the Light" Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

15.2 Nevada Residents

Nevada residents may opt out of the sale of personal information. We do not sell personal information as defined by Nevada law.

15.3 Virginia, Colorado, and Connecticut Residents

Residents of these states have rights similar to CCPA, including the right to access, delete, and opt out of certain processing. Contact us to exercise these rights.

Acknowledgment

By using Travel Office Suite Pro, you acknowledge that you have read and understood this Privacy Policy.