Travtech Data Privacy Policy v1.3


Overview

Travtech is a provider of software technology, based in Fairfax, Virginia, U.S.A. Travtech builds and supports a software platform for cruise and travel related services, called Cruisebase, to customers all over the world. Travtech's customers are typically travel agencies from small businesses to large corporations and thus provides the ability for agencies to follow the data privacy policies that apply to them.

Cruisebase has three major components; the Agent Booking Engine (ABE) which is a software application that provides a booking workflow for travel agents operating under the corporate policies of the travel agency, the Consumer Booking Engine (CBE), which allows the agency to offer an online booking engine on their website and the Agent Booking Center (ABC) which tracks financial transactions, invoicing, manages the profiles of agencies and rules of operations for the agency in booking the travel products.

Cruisebase has the capability of collecting and storing data related to the agency, personal data of the agencies customers, i.e., travelers, in order to fulfill their travel needs. Cruisebase is therefore is the data processor, while the agency is the data collector in terms of GDPR terminology.

Scope of Policy

This data privacy policy applies to all personal data collected.

Purpose of Data Collection

In order for a travel agency to facilitate the purchase of travel products, it is necessary to collect and process the traveller's personal information to complete the transaction. This data is entered by the agency staff or the traveller directly and is stored in Cruisebase.

For the purposes of completing the transactions the traveller requires, Cruisebase does the following:

Scope of Information Collected or Received

An agency may collect the traveller data using Cruisebase and it may include the following

Automatic Logging of Visitor Data on CBE

Cruisebase uses Google Analytics to capture generic information about users of the CBE while on the agency's website. This is called 'session data' and consists of non-PII (Personally Identifiable Information) data elements such as IP address, operating system and type of browser software being used and the activities conducted by the user while on its consumer websites. An IP address is stored to be able to know where to send data back to the user, such as the pages of the site the user wishes to view. It is possible to determine from an IP address a visitor's Internet Service Provider (ISP) and the approximate geographic location of his or her point of connectivity.

The purpose of this data collection is to understand and optimize the ways CBE users are clicking through the site, to learn how many visitors are visiting various pages, for how long visitors are staying on a given site and how often they are returning to visit.

The agency may also choose to use Google Analytics and have more in-depth information related to the customer which is out of scope of Travtech's control.

Session Cookies

Cruisebase uses a kind of cookie called 'session cookie' which contains no information other than a 'session id' that helps correlate the different web pages that a user has visited so as to be able to manage the flow of data through screens.

Information Uses, Sharing and Disclosure

When Cruisebase processes traveller's information, the purpose is to provide the agency the ability to perform and improve their services and keep the services safe and secure.

The personal data of the traveller and the agency is used by the agencies for the following reasons,

When an agency processes personal data about the travel, they are expected to do so with the traveller's consent and is necessary to meet contractual and legal obligations in providing the requested services.

In the process of making bookings, Cruisebase electronically transfers the data relating to the traveller and the agency to the third-party service or product provider in order to complete the booking. Such third-party providers include companies that sell products like hotels, airlines, excursion groups and travel insurance.

Limitations

Travtech will retain, access, transfer, or disclose personal data when we have a good faith belief that doing so is necessary to do any of the following:

Data Retention

In general, the transaction data will be stored for a period of seven years.

Security

In order to protect personal data, Cruisebase system maintains physical, electronic and procedural safeguards and regularly makes update to keep up to date with technological advancements. We restrict access to personal data, and we also train our employees in the proper handling of personal data.

Cruisebase follows accepted industry standards to protect the personal information submitted to us, both during transmission and after it is received. By default, the credit card number and CCV is masked and only the last four digits are retained for reference purposes. In some cases, by request of the travel agency, Cruisebase encrypts credit card numbers using AES 256 Encryption technology and stores it in a separate database field. Access to this database field is limited to a limited list of users.

Rights to data

The purpose for collecting personal information and data is to successfully process and complete the travel product purchase(s) made on the Cruisebase platform.

From the perspective of GDPR, a traveller has the following rights:

Consent

Travtech Inc. does not collect personal data directly. Travtech Inc. receives consent through the data controller and complies with any withdrawal of consent received by the data controller. By consenting to this privacy notice from the data collector you are giving Travtech (data processor) permission to process your personal data specifically for the purposes identified. Consent is required for Travtech Inc. to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data, we will always tell you why and how the information will be used. Consent must be withdrawn through the travel agency (data controller). The travel agency will then request Travtech (data processor) to remove the data. Withdrawals will be handled according to the Withdrawal of Consent policy.

Disclosure

Travtech Inc. will only pass personal data to third parties identified by the travel agency (data controller).

The agency is able to fulfil most of these requests by virtue of the fact that they have access to the data in Cruisebase. For requests that an agency may not have access that is required to fulfil the request, they may contact Travtech in the manner describe in this document.

To be more specific, the agency has certain choices and control over the personal data about a traveller that is as follows:

Process for requesting changes to data

Any requests concerning deletion of data or request to stop processing data from the traveller that the agency or its staff cannot complete as referred to in GDPR policy may be directed to the Chief Data Officer (cdo@travtech.com) If there is no response from this email address in 2 business days, please email Vinod George (vgeorge@travech.com) , Executive Vice President, Travtech Inc., 3102 Omega Office Park, Fairfax, VA 22031.

Privacy Policy Changes

This policy may be amended or updated at any time. Changes to this data privacy policy will be made promptly and posted and presented as the policy on the website:http;//travtech.com/privacy-policy/