Privacy policy

This is a template policy intended for self-hosters and prospects. Replace placeholders with your own legal entity, DPO contact, and jurisdiction-specific commitments before publishing.

1. Who we are

Travel ERP is operated by [Your Legal Entity] (referred to as "we", "us", "our"). For questions about this policy, contact [privacy@yourdomain]. EU/UK data subjects can reach our Data Protection Officer at [dpo@yourdomain].

2. What we process

• Account data — name, email, hashed password, role assignments, MFA secret (encrypted)
• Client and traveller PII — names, contact details, identity documents, payment tokens (never raw card numbers)
• Operational data — bookings, journals, audit logs, IP addresses, user agents
• Communications — content of messages you send via contact forms or support channels

3. Legal basis

• Contract — to provide the service you have signed up for
• Legitimate interest — security, fraud prevention, product improvement (subject to balancing test)
• Legal obligation — accounting record retention, tax compliance, regulator requests
• Consent — marketing communications, optional analytics

4. Retention

Operational accounting data is retained for the period required by applicable tax and travel-industry regulations (typically 7 years). Audit logs are retained for the lifetime of the tenant. Personal data not subject to retention obligations is deleted or anonymised within 90 days of account closure.

5. Subprocessors

We use vetted subprocessors for hosting, monitoring, email and payment tokenisation. A current list is available on request and is updated under contract with appropriate Standard Contractual Clauses for cross-border transfers.

6. Your rights

• Access — request a copy of personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion (subject to retention obligations)
• Restriction — limit processing in specific circumstances
• Portability — receive your data in a structured, machine-readable format
• Objection — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent
• Complain — to your supervisory authority (e.g. ICO in the UK)

Submit requests to [privacy@yourdomain].

7. Security

We apply administrative, technical and organisational measures appropriate to the risk: field-level encryption for sensitive data, MFA-protected access, append-only audit logs, RBAC, regular penetration testing. See our security page for technical detail.

8. Children

The service is not directed at children. We do not knowingly collect personal data from anyone under 16.

9. Changes

Material changes will be notified by email and via the account UI at least 30 days before they take effect.

10. Cookies

The application uses a single session cookie (HttpOnly, SameSite=Lax, Secure when over HTTPS) and a CSRF token cookie. No third-party analytics or advertising cookies are set on the application surface.