Privacy Policy

1. Scope and Application

This Privacy Policy applies to all users who access bookingtrip.io, our mobile-optimized interfaces, native app wrappers, embedded widgets, affiliate redirect APIs, and any communication with our customer support operations. It does not govern third-party platforms — including airlines, hotels, car rental agencies, or tour operators — to which we may redirect you. Those entities maintain their own separate privacy frameworks.

2. Information We Collect

We collect information necessary to operate a global travel aggregation service. This includes data you provide directly, data collected automatically, and data obtained from third-party partners.

3. Legal Basis for Processing

We process personal data only when a lawful basis exists. Depending on the context, we rely on: (a) contractual necessity — to fulfill bookings you initiate; (b) legitimate interest — to prevent fraud and improve service quality; (c) legal obligation — to comply with tax, audit, and anti-money-laundering regulations; and (d) your explicit consent — for marketing communications and non-essential cookies.

4. How We Use Your Information

5. Sharing and Disclosure of Data

We do not sell your personal information. We share data only in the following defined circumstances: (a) with travel providers strictly necessary to fulfill your reservation; (b) with cloud infrastructure partners (AWS, Vercel) under data processing agreements; (c) with payment processors under PCI-DSS compliance; (d) with analytics vendors under contractual data minimization obligations; (e) when required by law, subpoena, or regulatory authority order; (f) in connection with a corporate merger, acquisition, or asset sale.

6. Affiliate Attribution & Commission Tracking

BookingTrip.io maintains revenue-sharing affiliate relationships with travel providers including Kiwi.com. When you click through to a partner platform, a session-based tracking identifier is generated. This identifier does not expose personal identity but is used to validate commercial commission attribution. You may opt out of affiliate tracking through your browser's cookie controls without affecting core platform functionality.

7. International Data Transfers

Our platform operates globally and your data may be processed in jurisdictions outside your country of residence. For users in the European Economic Area (EEA) or United Kingdom, transfers to non-adequate countries are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission. We ensure all cross-border transfers are subject to equivalent data protection standards.

8. GDPR — European User Rights

If you are located in the EEA or UK, you have the following rights under GDPR: (a) Right of Access — request a copy of all personal data we hold; (b) Right to Rectification — correct inaccurate or incomplete data; (c) Right to Erasure — request deletion of data we no longer have a legal basis to retain; (d) Right to Restriction — limit processing while a dispute is resolved; (e) Right to Portability — receive your data in a machine-readable format; (f) Right to Object — object to processing based on legitimate interest, including profiling; (g) Right to Withdraw Consent — at any time, without affecting the lawfulness of prior processing. Submit requests to: privacy@bookingtrip.io

9. CCPA / CPRA — California Resident Rights

California residents have the right to: (a) know what personal information we collect, use, share, or sell; (b) delete personal information we hold about them, subject to legal exceptions; (c) opt out of the sale or sharing of personal information; (d) correct inaccurate personal information; (e) limit use of sensitive personal information; (f) not be discriminated against for exercising their privacy rights. We do not sell personal information. Submit CCPA requests to: privacy@bookingtrip.io or via the platform's Privacy Settings panel.

10. Children's Privacy (COPPA)

BookingTrip.io is not directed to children under the age of 16. We do not knowingly collect personal information from minors. If we become aware that personal data has been collected from a child under 16 without verifiable parental consent, we will delete such data immediately. Parents or guardians who believe their child has submitted information to us should contact privacy@bookingtrip.io immediately.

11. Data Retention

We retain personal data only as long as necessary to fulfill the purpose for which it was collected and to comply with legal obligations. Active account data is retained for the duration of the account lifecycle plus 7 years for financial audit compliance. Booking records are retained for 5 years per applicable tax regulations. Marketing consent logs are retained for 3 years. Data subject to a legal hold may be retained beyond standard timelines.

12. Security Measures

We implement layered technical and organizational security measures including: AES-256 encryption for data at rest; TLS 1.3 for all data in transit; multi-factor authentication for administrative access; regular third-party penetration testing; access-controlled data environments; security incident response protocols; and continuous vulnerability monitoring. No system is entirely immune from breach. In the event of a data breach affecting your rights, we will notify you as required by applicable law within 72 hours.

13. Cookies and Tracking Technologies

We use cookies, pixels, and local storage to power our platform. See our separate Cookie & Tracking Policy for full details. You can manage cookie preferences via our consent banner or your browser settings.

14. Third-Party Links and Embedded Services

Our platform includes links to and embedded content from third-party websites, booking engines, and social platforms. Once you navigate to a third-party domain, their privacy policy governs. We are not responsible for the privacy practices of external sites and encourage you to review their policies before submitting personal information.

15. Automated Decision-Making and Profiling

We may use automated processing to personalize search results, detect fraud, and surface relevant promotions. No purely automated decision will produce significant legal effects on you without a human review mechanism available upon request. You may object to profiling-based decisions at any time by contacting privacy@bookingtrip.io.

16. Your Communication Preferences

We may send transactional emails (booking confirmations, itinerary changes) and, where consented, marketing communications. You may unsubscribe from marketing emails at any time using the unsubscribe link in any email or by updating your account settings. Transactional messages are required for service delivery and cannot be opted out of while your account is active.

17. Data Protection Officer

BookingTrip.io has designated a Data Protection Officer (DPO) responsible for overseeing compliance with this policy and applicable data protection regulations. You may contact our DPO at: dpo@bookingtrip.io. All privacy-related correspondence should include your full name, account email, and a description of your request or concern.

18. Policy Updates

We may amend this Privacy Policy from time to time to reflect changes in law, our data practices, or platform functionality. Material changes will be communicated via a prominent notice on the platform and, where required by law, by direct notification to your registered email. Continued use of the platform after the effective date of any amendment constitutes acceptance of the revised policy.