Legal · Privacy

Privacy Policy

Effective: 30 April 2026Last updated: 30 April 2026TripCreator, Inc.

We treat operator and traveler data with the seriousness the law and the trust of our customers require. This document is the canonical statement of how we collect, use, share, and protect personal data - written to map cleanly onto GDPR, the EU AI Act, and the patchwork of US state privacy statutes that apply to a B2B intelligence platform.

01

Overview & scope

TripCreator, Inc. (“TripCreator”, “we”, “us”) provides a business-to-business intelligence layer for custom-travel operators, destination marketing organisations, and event organisers. This Privacy Policy explains the categories of personal data we process, the purposes and legal bases for processing, our retention practices, and the rights available to data subjects.

This Policy is written to comply with - and is interpreted in light of - the following frameworks where they apply:

  • the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the UK GDPR;
  • the EU Artificial Intelligence Act (Regulation (EU) 2024/1689, “EU AI Act”), in particular Articles 5 (prohibited practices), 9-11 (data and data governance), and Articles 50 and 52 (transparency obligations for AI systems and general-purpose AI);
  • the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA / CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and successor or comparable US state privacy laws;
  • sector-specific US laws where applicable, including the Children's Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act §5 (unfair or deceptive practices);
  • the Brazilian Lei Geral de Proteção de Dados (“LGPD”) and Canada's PIPEDA, for partners and data subjects in those jurisdictions.
02

Our role: controller and processor

For the operator-facing platform, TripCreator typically acts as a data processor under GDPR Article 28 (and a service provider / contractorunder CCPA / CPRA): the operator (our customer) determines the purposes and means of processing, and we process traveler data on their documented instructions under a Data Processing Agreement (“DPA”).

For data we collect about our own customers, prospects, and website visitors - for example, contact forms, demo requests, and analytics - TripCreator acts as a data controller under GDPR (and a business under CCPA / CPRA).

03

Categories of personal data

We process the following categories, only to the extent necessary for the stated purposes:

  • Operator account data - names, work email addresses, organisation, role, and authentication identifiers of authorised users of the operator portal.
  • Operator inventory data - the operator's products (hotels, transfers, experiences, time windows, pricing) ingested via API or file upload. Inventory data may include personal data of the operator's suppliers; the operator is responsible for ensuring it has a valid legal basis to transmit such data.
  • Traveler intent data - preferences, interactions, and itinerary refinements collected via the embedded planner. This data is transmitted from the operator's website and is processed under the operator's privacy notice and lawful basis.
  • Website & product telemetry - IP address, device, locale, page-level events, error traces. Used to operate the service and detect abuse.
  • Communications - email correspondence, demo notes, support tickets.

We do not intentionally collect or process special-category data (GDPR Art. 9) or sensitive personal information (CPRA §1798.140(ae)), and our embedded planner is not designed for use by children under 13 (COPPA) or under 16 (GDPR Art. 8 - Member-State default).

04

Purposes & legal bases

For controller processing, we rely on the following GDPR Article 6 legal bases (with corresponding state-law business purposes under CPRA §1798.140(e) and analogues):

  • Performance of a contract (Art. 6(1)(b)) - providing the operator portal, generating itineraries, and enabling integrations.
  • Legitimate interests (Art. 6(1)(f)) - securing our service, preventing fraud, improving model accuracy and latency on aggregated, de-identified signals; subject to a documented balancing test available to supervisory authorities on request.
  • Legal obligations (Art. 6(1)(c)) - tax, accounting, lawful requests by competent authorities.
  • Consent (Art. 6(1)(a)) - for marketing communications and optional analytics cookies, withdrawable at any time without affecting prior processing.
05

AI systems, training data & EU AI Act compliance

TripCreator builds and operates AI systems - preference embeddings, graph-attention priors, an inventory-constrained beam search, and a narrative model - that together form a routing intelligence layer. We comply with the transparency and data-governance obligations of the EU AI Act, including:

  • Article 50 transparency - users are informed when they are interacting with an AI system; AI-generated content is identifiable as such where the AI Act requires.
  • Article 10 data governance - training, validation, and test datasets are documented; we retain a model card and data lineage record for each production model.
  • Article 5 prohibited practices - we do not use AI for social scoring, exploitation of vulnerabilities, or any practice listed in Article 5.

Operator data is not used to train base / foundation models. Where we fine-tune a model on aggregated operator data (for example, narrative voice or routing priors), we do so only with contractual authorisation, on a per-operator basis, and the resulting weights are not shared across operators.

Automated decision-making. Itinerary suggestions are not solely-automated decisions producing legal or similarly significant effects within the meaning of GDPR Article 22; human operators remain the bookers, sellers, and pricing authority. We provide meaningful information about the logic involved on request.

06

International transfers

TripCreator is established in the United States and operates infrastructure in the United States and the European Union. International transfers of personal data are protected by appropriate safeguards under GDPR Chapter V, including:

  • the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), where applicable, with transfer-impact assessments performed in line with EDPB Recommendations 01/2020;
  • the EU-US Data Privacy Framework (and its UK and Swiss extensions) for transfers to certified US recipients; and
  • equivalent contractual safeguards for transfers from the United Kingdom (UK IDTA / UK Addendum) and Switzerland.
07

Sub-processors & vendors

A current list of sub-processors is maintained at on request and provided to operators under DPA. We bind every sub-processor to data-protection terms equivalent to those we accept from operators (GDPR Art. 28(4)), and we provide reasonable notice of changes to allow operators to object.

08

Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, plus a limited statute-of-limitation tail. Default schedules:

  • operator account data: lifetime of the contract + 3 years;
  • inventory data: per operator instruction; deleted within 30 days of contract termination;
  • traveler intent data: per operator instruction (typical default: 12 months);
  • billing & tax records: 7 years (US) or as required by local law;
  • security logs: 12 months.
09

Your rights

Depending on your residence, you have the right to access, correct, delete, port, restrict, and object to processing of your personal data. In particular:

  • EU / UK / Swiss residents - rights under GDPR Articles 12-22, including the right to lodge a complaint with a supervisory authority.
  • California residents - rights under CCPA / CPRA, including the right to know, delete, correct, opt out of sale or sharing (we do not sell personal information), limit the use of sensitive personal information, and non-retaliation.
  • Virginia, Colorado, Connecticut, Utah residents - equivalent rights under VCDPA / CPA / CTDPA / UCPA, exercisable as set out in those statutes.
  • Brazilian residents - rights under Article 18 of LGPD.

To exercise any right, contact [email protected]. We respond within statutory timeframes (one month under GDPR; 45 days under CCPA / CPRA, extendable once for cause).

10

Security

We maintain technical and organisational measures appropriate to the risk (GDPR Art. 32), including encryption in transit (TLS 1.2+) and at rest, role-based access control, audit logging, vulnerability management, and incident-response procedures. To report a vulnerability, contact [email protected].

11

Children

Our service is intended for adult professional users (operators) and adult travelers. We do not knowingly collect personal data from children under the COPPA / GDPR thresholds. If we become aware that we have collected such data, we delete it promptly.

12

Changes to this Policy

We may update this Policy to reflect changes in our practices or applicable law. Material changes will be notified to operator administrators by email and posted on this page with an updated “last updated” date. The current version date is shown above.

This Policy does not constitute a contract. The legal terms governing your or your organisation's use of TripCreator are set out in the Master Services Agreement and the Data Processing Agreement executed with TripCreator, Inc.. In case of conflict, those agreements prevail.