How we handle your data — and your clients’.
This policy explains what we collect, why we collect it, how we store it, who we share it with, and how you can exercise your data-protection rights. Written in plain English, with the legal boilerplate kept where it belongs: at the bottom.
Contents
- 01. Overview
- 02. What we collect
- 03. How we use data
- 04. Who we share it with
- 05. How long we keep it
- 06. Your rights
- 07. Security
- 08. International transfers
- 09. Children
- 10. Changes to this policy
- 11. Contact us
01. Overview
SuperTravel AI (“we,” “our,” “us”) provides travel infrastructure to travel agencies, tour operators, and OTAs. We process two categories of data: agency operator data (the businesses who use our platform) and traveler data (the end-clients of those businesses, passed to us through the booking flow).
This policy covers both. Where there are material differences in how we treat the two, we flag them.
02. What we collect
Agency operator data
- Account information — business name, contact name, work email, phone number, billing address, tax identifier, and authentication credentials.
- Integration metadata — webhook endpoints, API keys, booking system identifiers, and platform configuration settings.
- Financial records — banking details for commission payouts, transaction history, and reconciliation metadata.
- Usage data — dashboard activity, support interactions, and platform telemetry.
Traveler data (passed to us by our agency customers)
- Booking information — flight and hotel confirmations, passenger names, passport nationality, and travel dates.
- Trip activity — in-app interactions, add-ons purchased through the AI concierge, and notification preferences.
- Payment information — tokenized card data processed through our Merchant of Record partner (Airwallex); we never store raw card numbers.
- VAT receipts — where the traveler opts into VAT refund assistance, images of purchase receipts and the associated transaction data.
03. How we use data
We process data for the following purposes, and only these purposes:
- To deliver the service — monitoring prices, rebooking flights and hotels, recommending add-ons, processing payments, and sending trip-related notifications.
- To operate the business — billing, commission sweeps, accounting reconciliation, fraud prevention, customer support.
- To improve the product — aggregated and anonymized analytics on how the platform performs, where integrations succeed or fail, and which categories drive attach rates.
- To comply with legal obligations — tax reporting, anti-money-laundering checks, sanctions screening, and responding to lawful requests from regulators.
We do not sell personal data. We do not share it with advertisers. We do not use it to train third-party AI models.
04. Who we share it with
We share data only with parties who have a legitimate operational role:
- Technology partners — Wenrix (flight price monitoring), Pruvo (hotel rate monitoring), AeroDataBox (flight status), Airwallex (payments), and our supplier network (GetYourGuide, Viator, Klook, Civitatis, Airalo, Welcome Pickups, Sherpa, Planet). Each receives only the minimum data required to perform its specific role.
- Infrastructure providers — cloud hosting, database, email, and SMS delivery providers, under standard data processing agreements.
- Professional advisors — auditors, accountants, and legal counsel, bound by professional confidentiality obligations.
- Regulators and legal authorities — where required by applicable law, court order, or valid legal process.
05. How long we keep it
- Active booking data — retained through trip completion plus 30 days for post-trip support.
- Transaction records — retained for 7 years for tax and accounting purposes (jurisdictional requirements may vary).
- Account records — retained for the duration of the agency’s relationship with us, plus a reasonable period thereafter.
- Aggregated analytics — retained indefinitely in anonymized form.
06. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Correct inaccurate or incomplete data
- Delete your data (subject to legal retention obligations)
- Restrict or object to certain processing
- Port your data to another provider
- Withdraw consent where processing is based on consent
For travelers: if you’re an end-client whose data was passed to us by an agency, your first point of contact is the agency that arranged your trip. We’ll coordinate with them to fulfill verified requests.
To exercise any of these rights, email privacy@supertravelai.com. We’ll respond within 30 days.
07. Security
We operate on SOC 2-aligned infrastructure with encryption in transit and at rest. Payment data flows through PCI-DSS compliant systems operated by Airwallex; our platform is scoped to avoid handling raw card data directly. Access to production systems is restricted to named personnel, logged, and reviewed quarterly.
No system is ever completely secure. If a breach affects your data, we’ll notify you and the relevant regulators as required by applicable law — generally within 72 hours of discovery.
08. International transfers
SuperTravel AI operates across jurisdictions, primarily the United States and Israel, and our partner network spans Europe, Asia-Pacific, and beyond. Where we transfer data internationally, we rely on Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms as required.
09. Children
The SuperTravel AI platform is designed for use by travel businesses and adult travelers. We do not knowingly collect data from children under 16. If a booking includes a minor traveler, the agency or guardian who initiated the booking is responsible for providing any necessary consents.
10. Changes to this policy
We may update this policy from time to time. Material changes will be flagged on our website and, for existing partners, communicated via email. The “Last Updated” date at the top of this page reflects the most recent revision.
11. Contact us
Questions about this policy? Email privacy@supertravelai.com.
SuperTravel AI
A Delaware-registered entity · United States
We collect what we need to run the platform, use it only for the service you’re paying for, share it only with partners who help deliver that service, and don’t sell it to anyone. If you want to know what we have, change it, or delete it — just ask.
