Privacy Policy

We collect only what's necessary to provide the TravlOps service:

• Account Data — name, email address, business name, phone number, and profile information you provide during sign-up or in Settings.
• Business Data — CRM records (leads, customers, bookings, itineraries, invoices) that your agency creates within the platform.
• Usage Data — feature usage events, page views, session duration, and error logs to improve the product. We do not track unauthenticated visitors with ad-tracking technologies.
• Billing Data — subscription plan, billing history, and invoice records. Card details are processed exclusively by Stripe — we never store raw card numbers.
• Cookies — session cookies required for authentication (Supabase auth tokens). No third-party tracking or advertising cookies are set for unauthenticated visitors.

• Provide the Service — to operate, authenticate, and display your agency's data within TravlOps.
• Billing & Subscriptions — to process payments, send invoices, and manage plan upgrades/downgrades via Stripe.
• Product Analytics — to understand which features are most used so we can prioritize improvements. Data is aggregated and never sold.
• Communications — to send transactional emails (password reset, payment receipts, critical service notices). We do not send unsolicited marketing without explicit opt-in.
• Support — to diagnose bugs and assist with support tickets. Support staff access is logged and audited.

Your data is stored on infrastructure operated by:

• Supabase (PostgreSQL) — primary database, hosted on AWS. All data is encrypted at rest using AES-256. Data in transit is protected by TLS 1.3.
• Vercel — application hosting and edge network. SOC 2 Type II certified.
• Upstash Redis — rate limiting and caching layer. No personally identifiable information is stored here.

Row Level Security (RLS) is enforced at the database level — your agency's data is logically isolated from all other tenants. No shared queries touch multiple tenants' data.

We share data with the following third parties only to the extent necessary to operate the service:

• Stripe — processes billing. We send your email and subscription amount. Card data is processed by Stripe under PCI DSS Level 1 compliance. Stripe's privacy policy applies to payment data.
• Twilio — sends WhatsApp messages and SMS on your behalf. We send the recipient's phone number and message content you create. Twilio's data retention policy applies.
• OpenAI — powers the AI chat assistant. When you use the chat feature, message contents are sent to OpenAI's API. OpenAI does not train on API inputs by default. Do not send sensitive personal data through the chat.

We do not sell your data to any third party. We do not use your business data to train machine learning models.

Depending on your location, you have the following rights:

• Right to Access (GDPR Art. 15) — request a full export of all data we hold about you and your agency.
• Right to Erasure (GDPR Art. 17 / CCPA) — request deletion of your account and all associated data. We will fulfill erasure requests within 30 days.
• Data Portability (GDPR Art. 20) — export your CRM data, bookings, itineraries, and invoices in JSON or CSV format from Settings → Data Export.
• Correction — update any inaccurate personal information directly from Settings or by contacting us.
• Opt-Out of Communications — unsubscribe from marketing emails at any time. Transactional emails (payment receipts, security alerts) cannot be opted out of while your account is active.

To exercise any right, email privacy@travlops.com. We respond within 72 hours.

TravlOps uses a minimal cookie footprint:

• Session Cookies (Required) — set by Supabase Auth to maintain your login session. These are HttpOnly, Secure, and expire when you sign out or your session expires (7 days by default).
• No Tracking Cookies — we do not set Google Analytics, Facebook Pixel, or any advertising cookies for unauthenticated users.
• Preference Cookies — optional cookies to remember UI settings (e.g., theme). These contain no personal data.

You can clear all cookies by signing out. Essential session cookies cannot be disabled while using the service.

• Active Accounts — data is retained for the lifetime of your subscription.
• Cancelled Accounts — account data and all associated business data is deleted 30 days after subscription cancellation. This gives you time to export your data.
• Audit Logs — retained for 12 months for security purposes.
• Billing Records — payment records are retained for 7 years as required by Indian GST law.

For any privacy-related questions or to exercise your rights:

• Privacy Email: privacy@travlops.com
• General Support: support@travlops.com

This policy was last updated in March 2026. We will notify active subscribers of material changes via email at least 30 days in advance.