Data Policy

Data Policy

LegalEffective January 1, 2026

A more technical companion to our Privacy Policy — describing the legal bases, processors and safeguards behind how we handle your data.

What this data policy covers

This page is a more detailed companion to our Privacy Policy. It describes the legal bases we rely on, where your data is processed, and the specific safeguards we put in place.

Legal bases for processing

  • Performance of a contract — to deliver the tour you booked.
  • Legal obligation — to meet tax, accounting and aviation reporting rules.
  • Legitimate interest — to keep the site safe, prevent fraud and improve our services.
  • Consent — for optional marketing communications.

Where your data lives

Customer records are stored on managed PostgreSQL infrastructure (Neon, US/EU regions). Transactional emails are processed by Resend. Payments are handled by our PCI-DSS compliant payment processor.

When data is transferred outside your home region we rely on Standard Contractual Clauses or equivalent legal mechanisms.

Sub-processors

  • Neon — database hosting.
  • Resend — transactional email delivery.
  • Vercel — application hosting and edge delivery.
  • Stripe — payment processing (where Stripe is selected as payment method).

Data minimisation

We collect only the data needed to deliver the service you booked. We do not enrich your profile from third-party data sets.

Breach notification

If a breach occurs that is likely to result in a risk to your rights, we will notify the appropriate supervisory authority within 72 hours and email you directly without undue delay.

Data protection contact

Email dpo@travelora.app for any data protection matter. We aim to respond within five business days.

Questions? Reach out to us at hello@travelora.app.