Privacy Policy

Last updated: 2026-05-19

Also available in Español. See also our Cookie Policy.

This Privacy Policy explains how PayTravel collects, uses, and protects your personal data when you visit our website or use our Service. It is written to comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the ePrivacy Directive (2002/58/EC), and Spain's Organic Law 3/2018 on Data Protection and Digital Rights ("LOPDGDD").

1. Data controller

The controller responsible for processing your personal data is:

  • Name: PayTravel (REVIEW NEEDED: registered legal entity name)
  • Registered address: REVIEW NEEDED: registered address in Spain
  • Privacy contact: privacy@paytravel.co
  • General contact: support@paytravel.co

We have not appointed a Data Protection Officer (DPO); under GDPR Article 37 we are not required to do so. For any privacy-related question please write to privacy@paytravel.co.

2. Personal data we collect

We process the following categories of personal data:

2.1 Account & service data

  • Name, email, password hash, and organization details you provide when signing up.
  • Content you submit through the Service (trips, applications, customer records, files you upload).
  • Communications you send to us (support emails, contact form submissions).
  • Payment metadata returned by our payment processor. We do not store full card numbers ourselves.

2.2 Usage & device data (analytics)

  • Pages visited, clicks, scroll, session duration, referrer.
  • Device and browser information (user agent, screen size, language).
  • Approximate location derived from your IP address (typically city / region level — never a precise GPS coordinate).
  • Identifiers stored in cookies and local storage used to recognize your browser across visits (see our Cookie Policy).

2.3 Hashed identifiers from form submissions (Google "user-provided data")

When you submit a form on our site (for example, the contact form or an application form), our Google tag may detect form fields such as your email, phone number, name, or address, hash them on your device using SHA-256, and send the hashed values to Google. These hashes are used by Google to improve conversion measurement and audience matching across Google services. We only do this when you have granted analytics or marketing consent through our cookie banner. The plain-text values never leave your device.

We do not knowingly collect special categories of personal data (Article 9 GDPR) such as health, biometric, or political data, nor data from anyone under 16.

3. Legal basis (GDPR Article 6)

  • Performance of a contract (Art. 6(1)(b)) — to provide the Service to you and your organization (account creation, authentication, storing your data, sending you transactional emails).
  • Legitimate interest (Art. 6(1)(f)) — to keep the Service secure, prevent fraud and abuse, and debug technical issues.
  • Consent (Art. 6(1)(a)) — for all analytics, advertising, and personalization cookies and similar technologies, and for the user-provided data hashing described above. You give this consent through our cookie banner and can withdraw it at any time (see Section 8).
  • Legal obligation (Art. 6(1)(c)) — when required to comply with applicable law (e.g., responding to a court order).

4. Purposes of processing

4.1 Necessary for service operation

Authenticating you, storing the trips, applications, bookings, and customer records you create, sending transactional emails (magic links, booking confirmations), and keeping the platform secure.

4.2 Analytics and measurement (consent-based)

Understanding how visitors find and use the Service so we can improve it. We use Google Analytics 4 with Google signals enabled, which associates your activity with your signed-in Google account only if you have Ads Personalization enabled in your Google account.

4.3 Advertising and remarketing (consent-based)

Measuring the effectiveness of advertising campaigns, building audience segments for remarketing on Google services, and improving the accuracy of those measurements through hashed user-provided data.

We do not sell your personal data. We do not share your personal data with third parties for their own independent marketing purposes.

5. Third-party processors and recipients

We rely on the following processors. Each acts on our instructions under a Data Processing Agreement (Art. 28 GDPR):

  • Google LLC (Google Tag Manager + Google Analytics 4, Google signals) — tag management, analytics, audience measurement, advertising. May process data in the United States under the EU-US Data Privacy Framework, of which Google is a certified participant. See Google's privacy policy and the Data Privacy Framework list.
  • Cloudflare, Inc. — hosting, content delivery, edge security, transactional email, database (D1) and object storage (R2). Data processed primarily in the European Union; some traffic may be served from the nearest Cloudflare edge globally. See Cloudflare's privacy policy.
  • Stripe Payments Europe, Ltd. — payment processing and fraud prevention on checkout. Stripe acts as an independent controller for some processing activities (e.g., fraud detection); see Stripe's privacy policy.
  • Functional Software, Inc. (Sentry) — error and performance monitoring. Captures stack traces, request metadata, and (where available) the user ID for diagnostic purposes. May process data in the United States under the EU-US Data Privacy Framework. See Sentry's privacy policy.
  • PostHog, Inc. — product analytics, session and event analysis on the authenticated dashboard. Hosted in the EU where available; see PostHog's privacy policy.
  • Microsoft Corporation (Microsoft Clarity) — session replay and heatmaps to understand how visitors interact with our pages. May process data in the United States under the EU-US Data Privacy Framework, of which Microsoft is a certified participant. See Microsoft's privacy statement.

6. International transfers

Some of our processors, notably Google, are based in the United States. Transfers outside the European Economic Area rely on the EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795) where the recipient is certified, or on the Standard Contractual Clauses issued by the European Commission, supplemented by technical measures such as IP truncation and encryption in transit.

7. Cross-device tracking (Google signals)

With your consent, we enable Google signals. This feature allows Google Analytics to associate the activity of users who are signed in to Google with their Google account, across the different devices they use, when they have enabled Ads Personalization in their Google account settings. We see this only as aggregated reporting in our analytics dashboard — we do not receive your Google account identity. You can disable Ads Personalization in your Google account at any time, independently of our cookie banner.

8. Retention

  • Google Analytics 4 event and user data: 14 months from the user's last visit, then automatically deleted by Google.
  • Account data: for as long as your account is active, plus a short retention window after deletion for legal/financial obligations.
  • Cookie consent record (our cookie_consent cookie): 6 months from your last choice, after which we ask again.
  • Server logs: typically 30 days for security and debugging.
  • Email records: retained as long as commercially or legally necessary.

9. Your rights

Under GDPR Articles 15–22 and the LOPDGDD, you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure ("right to be forgotten") (Art. 17).
  • Restriction of processing (Art. 18).
  • Portability in a machine-readable format (Art. 20).
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3)).

To exercise any of these rights, write to privacy@paytravel.co. We will respond within one month as required by Article 12(3) GDPR.

10. How to withdraw consent

Open our cookie preferences at any time via the Cookie preferences link in the footer. From there you can toggle analytics, marketing, and personalization off, and your choice replaces any prior consent immediately on every subsequent page load.

11. Right to lodge a complaint

If you believe our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos:

  • Web: www.aepd.es
  • Address: C/ Jorge Juan, 6, 28001 Madrid, Spain

We would appreciate the opportunity to address your concerns first — please email privacy@paytravel.co before filing a complaint.

12. Changes to this Policy

We may update this Policy to reflect changes in our practices or in the law. Material changes will be announced on this page and the "Last updated" date above will change. Continued use of the Service after a change indicates acceptance of the updated Policy.

13. Contact

Privacy questions: privacy@paytravel.co
General support: support@paytravel.co

Changelog

  • 2026-05-19: Rewrote the Policy for GDPR + LOPDGDD compliance. Added disclosures for Google Analytics 4, Google signals, user-provided data hashing, Consent Mode v2, international transfers under the EU-US Data Privacy Framework, GA4 14-month retention, and the right to lodge a complaint with the AEPD.