Data Processing & Protection

This policy describes how Travories processes the personal data entrusted to us by travelers, agencies, guides, and partners. It covers our lawful bases for processing, the principles we apply to every data flow, and how long we keep different categories of information. It complements our Privacy Policy, Cookie Policy, Security Measures, and International Data Transfer notice.

Lawful Bases for Processing

We only process personal data when we have a lawful basis to do so. Depending on the activity, that basis may be: contract (processing necessary to deliver a booking you have requested), legitimate interest (operating, securing, and improving the marketplace), legal obligation (tax, anti-money-laundering, regulatory reporting), or consent (optional marketing emails and non-essential cookies, which you may withdraw at any time).

How We Protect Your Data

  • We only process data for the specific service need that justifies it — no speculative or unrelated use.
  • Sensitive information (identity documents, payment tokens) is segregated from general profile data and protected by stronger access controls.
  • Our systems and infrastructure are designed around least-privilege access, encrypted storage, and audit logging.
  • We conduct regular internal reviews and risk assessments of our data processing activities.
  • All staff with access to user data receive training in responsible data handling and confidentiality.
  • Third-party processors are reviewed before engagement and bound by written data-processing agreements.

Wherever a service need can be met with anonymised or pseudonymised data — particularly for product analytics and machine-learning experiments — we do so by default.

Data Retention

We keep your personal data only for as long as necessary to deliver the service you booked, comply with legal obligations, or resolve disputes. Indicative retention periods are:

  • Active account data — retained while your account is open. You can request closure at any time.
  • Booking records — retained for the longer of (a) seven years for tax and accounting compliance, or (b) the operator's own statutory retention period.
  • Payment metadata — retained for the period required by our payment processor and applicable anti-money-laundering regulation. Card numbers are never stored on Travories servers; we hold only a tokenised reference.
  • Support and dispute records — retained for two years after the matter is closed.
  • Marketing-consent records — retained for as long as the consent is valid, plus a short audit window after withdrawal.

Once the retention period expires and no overriding legal claim applies, we securely delete or anonymise the data on our regular purge cycle. Backups are overwritten on the same cycle.

Changes to This Policy

We may update this policy from time to time to reflect changes in our services, technology, or legal obligations. Material changes will be communicated by email to registered users and announced on this page. The effective date of the current version is shown in our main Privacy Policy.

Need to get in touch?

If you have questions about how we process or protect your data, our support team is here to help.

Contact Us