Travtech is a provider of software technology, based in Fairfax, Virginia, U.S.A. Travtech builds and supports a software platform for cruise and travel related services, called Cruisebase, to customers all over the world. Travtech's customers are typically travel agencies from small businesses to large corporations and thus provides the ability for agencies to follow the data privacy policies that apply to them.
Cruisebase has three major components; the Agent Booking Engine (ABE) which is a software application that provides a booking workflow for travel agents operating under the corporate policies of the travel agency, the Consumer Booking Engine (CBE), which allows the agency to offer an online booking engine on their website and the Agent Booking Center (ABC) which tracks financial transactions, invoicing, manages the profiles of agencies and rules of operations for the agency in booking the travel products.
Cruisebase has the capability of collecting and storing data related to the agency, personal data of the agencies customers, i.e., travelers, in order to fulfill their travel needs. Cruisebase is therefore is the data processor, while the agency is the data collector in terms of GDPR terminology.
In order for a travel agency to facilitate the purchase of travel products, it is necessary to collect and process the traveller's personal information to complete the transaction. This data is entered by the agency staff or the traveller directly and is stored in Cruisebase.
For the purposes of completing the transactions the traveller requires, Cruisebase does the following:
2. Connects to service providers' systems electronically. These service providers supply cruises, hotels, insurances, air, car, excursions and other similar products that are distributed through the travel agencies. Cruisebase only transfers consumer's information to service providers we have contracted with on behalf of the agencies using the agencies credentials with the service provider that provides the necessary products and services, in order to fulfil travel-related requests of the agencies and the traveller, who is the agency's customer. Travtech carefully selects partner service providers and ensures that their data security policies are in line with Travtech's expectations.
3. Stores the data of the traveller and transactions for financial and reconciliation purposes as defined by the law. Travtech stores information on every transaction made on the system on behalf of the travel agency that we are required by law to retain. Personal information may be divulged when required by law or when protecting the legal rights and/or property of Travtech and when requested by the agency
An agency may collect the traveller data using Cruisebase and it may include the following
Cruisebase uses Google Analytics to capture generic information about users of the CBE while on the agency's website. This is called 'session data' and consists of non-PII (Personally Identifiable Information) data elements such as IP address, operating system and type of browser software being used and the activities conducted by the user while on its consumer websites. An IP address is stored to be able to know where to send data back to the user, such as the pages of the site the user wishes to view. It is possible to determine from an IP address a visitor's Internet Service Provider (ISP) and the approximate geographic location of his or her point of connectivity.
The purpose of this data collection is to understand and optimize the ways CBE users are clicking through the site, to learn how many visitors are visiting various pages, for how long visitors are staying on a given site and how often they are returning to visit.
The agency may also choose to use Google Analytics and have more in-depth information related to the customer which is out of scope of Travtech's control.
Cruisebase uses a kind of cookie called 'session cookie' which contains no information other than a 'session id' that helps correlate the different web pages that a user has visited so as to be able to manage the flow of data through screens.
When Cruisebase processes traveller's information, the purpose is to provide the agency the ability to perform and improve their services and keep the services safe and secure.
The personal data of the traveller and the agency is used by the agencies for the following reasons,
When an agency processes personal data about the travel, they are expected to do so with the traveller's consent and is necessary to meet contractual and legal obligations in providing the requested services.
In the process of making bookings, Cruisebase electronically transfers the data relating to the traveller and the agency to the third-party service or product provider in order to complete the booking. Such third-party providers include companies that sell products like hotels, airlines, excursion groups and travel insurance.
Travtech will retain, access, transfer, or disclose personal data when we have a good faith belief that doing so is necessary to do any of the following:
In general, the transaction data will be stored for a period of seven years.
In order to protect personal data, Cruisebase system maintains physical, electronic and procedural safeguards and regularly makes update to keep up to date with technological advancements. We restrict access to personal data, and we also train our employees in the proper handling of personal data.
Cruisebase follows accepted industry standards to protect the personal information submitted to us, both during transmission and after it is received. By default, the credit card number and CCV is masked and only the last four digits are retained for reference purposes. In some cases, by request of the travel agency, Cruisebase encrypts credit card numbers using AES 256 Encryption technology and stores it in a separate database field. Access to this database field is limited to a limited list of users.
The purpose for collecting personal information and data is to successfully process and complete the travel product purchase(s) made on the Cruisebase platform.
From the perspective of GDPR, a traveller has the following rights:
a. Right to be informed
b. Right of access
c. Right of rectification
d. Right of erasure
e. Right to restrict processing
f. Right to data portability
g. Right to object
h. Rights in relation to automated processing and profiling
Travtech Inc. does not collect personal data directly. Travtech Inc. receives consent through the data controller and complies with any withdrawal of consent received by the data controller. By consenting to this privacy notice from the data collector you are giving Travtech (data processor) permission to process your personal data specifically for the purposes identified. Consent is required for Travtech Inc. to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data, we will always tell you why and how the information will be used. Consent must be withdrawn through the travel agency (data controller). The travel agency will then request Travtech (data processor) to remove the data. Withdrawals will be handled according to the Withdrawal of Consent policy.
Travtech Inc. will only pass personal data to third parties identified by the travel agency (data controller).
The agency is able to fulfil most of these requests by virtue of the fact that they have access to the data in Cruisebase. For requests that an agency may not have access that is required to fulfil the request, they may contact Travtech in the manner describe in this document.
To be more specific, the agency has certain choices and control over the personal data about a traveller that is as follows:
a. The agency has access, via Cruisebase, to copy all or part of the data collected to provide to a traveller.
b. The agency has access via Cruisebase to correct inaccurate data relating to a traveller
c. The agency can request deletion of all or part of a traveller's data within the limitations set forth in this document
d. The agency can request to stop processing traveller's data within the limitations set forth in this document
Any requests concerning deletion of data or request to stop processing data from the traveller that the agency or its staff cannot complete as referred to in GDPR policy may be directed to the Chief Data Officer (email@example.com) If there is no response from this email address in 2 business days, please email Vinod George (firstname.lastname@example.org) , Executive Vice President, Travtech Inc., 3102 Omega Office Park, Fairfax, VA 22031.