Privacy Policy

Last Updated: [DATE]

IMPORTANT: This is a template document and should be reviewed by qualified legal counsel before publication. It is provided for informational purposes only and does not constitute legal advice.

1. Introduction

Welcome to [COMPANY_NAME] (“we,” “us,” or “our”). We operate iTravelFree, a multi-sided marketplace platform that connects travelers with curated travel experiences. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our platform.

By accessing or using iTravelFree, you agree to the terms of this Privacy Policy. If you do not agree with our practices, please do not use our services.

2. Information We Collect

We collect various types of information to provide and improve our services. The data we collect depends on your role on our platform.

2.1 Account Information

When you create an account, we collect:

  • Email address (required for account creation and communication)
  • Password (stored in encrypted form)
  • Full name
  • Username and display username
  • Phone number (optional, for account security and notifications)
  • Profile image/avatar (optional)
  • Email and phone verification status
  • Account role (Customer, Vendor, Ambassador, or Admin)
  • Account creation and last update timestamps
2.2 Session Information

When you use our platform, we automatically collect:

  • IP address (for security and fraud prevention)
  • User agent (browser and device information)
  • Session tokens (for authentication)
  • Active organization ID (if applicable)
  • Login timestamps and session duration
2.3 Role-Specific Information
For Customers:
  • Trip purchases (templates purchased, customization choices)
  • Trip preferences and saved favorites
  • Selected locations for each trip day
  • Discount code usage (if referred by an Ambassador)
  • Purchase history and timestamps
For Vendors:
  • Business information (business name, description, category)
  • Location details (address, coordinates, contact information)
  • Business documents (business registration certificates, owner identity verification)
  • Gallery images of your location
  • Operating hours, website, phone number
  • Approval status and review history
  • Organization membership (if managing multiple locations)
For Ambassadors:
  • Discount codes and usage statistics
  • Commission earnings (referral fees and trip creator fees)
  • PayPal email address (for payout processing)
  • Payout history and transaction records
  • Trip templates created (subject to admin approval)
  • Tax reporting information (as required by law)
2.4 User-Generated Content

We collect content you create on our platform:

  • Reviews and ratings of locations and trips
  • Trip templates created by Ambassadors
  • Location information submitted by Vendors
  • Photos and images uploaded to the platform
  • Comments and feedback
2.5 Payment Information
  • Payment processing is handled by Stripe. We do not store your full credit card numbers.
  • We store transaction IDs, payment amounts, currency, and transaction timestamps.
  • For Ambassadors, we store PayPal email addresses for payout processing.
2.6 Analytics and Usage Data

We collect information about how you interact with our platform:

  • Pages viewed and features used
  • Time spent on different sections
  • Search queries and filters applied
  • Click patterns and navigation paths
  • Error logs and performance metrics
3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Provide Services
  • Authentication and account management (login, password reset, session management)
  • Trip booking and customization (process purchases, save preferences)
  • Payment processing (via Stripe for customers, PayPal for Ambassador payouts)
  • Location management (for Vendors to claim and update their businesses)
  • Commission tracking (for Ambassadors to earn and receive payouts)
  • Content moderation (review submissions, approve trip templates and locations)
3.2 Communication
  • Transactional emails (order confirmations, password resets, account notifications)
  • Service updates (changes to terms, new features, platform announcements)
  • Customer support (respond to inquiries, resolve issues)
  • Marketing communications (with your consent, which you can withdraw at any time)
3.3 Platform Improvement
  • Analytics (understand usage patterns, identify popular features)
  • Bug fixes (diagnose and resolve technical issues)
  • Feature development (build new functionality based on user needs)
  • Performance optimization (improve speed and reliability)
  • Fraud prevention (detect and prevent fraudulent transactions)
  • Tax reporting (for Ambassadors earning commissions, as required by law)
  • Dispute resolution (investigate and resolve conflicts between users)
  • Legal obligations (comply with court orders, law enforcement requests)

For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:

  • Contractual Necessity: Processing is necessary to provide our services (account management, payments, trip bookings)
  • Legitimate Interest: We have a legitimate interest in improving our platform, preventing fraud, and ensuring security
  • Consent: For marketing communications and optional features, we obtain your explicit consent
  • Legal Obligation: We process data to comply with tax laws, court orders, and other legal requirements
5. Information Sharing and Disclosure

We share your information with third parties only as described below. We do NOT sell your personal information.

5.1 Third-Party Service Providers

We use the following services to operate our platform:

  • Stripe (United States) - Payment processing for trip purchases. Stripe’s privacy policy: https://stripe.com/privacy
  • PayPal (United States) - Payout processing for Ambassador commissions. PayPal’s privacy policy: https://www.paypal.com/privacy
  • Resend (United States) - Email delivery service for transactional and marketing emails
  • Cloudflare R2 (United States) - File and image storage (S3-compatible)
  • Neon (United States) - PostgreSQL database hosting
  • Fly.io (United States) - Application hosting and infrastructure
  • Better Auth - Authentication and session management services

Each of these providers has access only to the information necessary to perform their specific functions and is contractually obligated to protect your data.

5.2 Public Information

Certain information is publicly visible on our platform:

  • Vendor locations (business name, address, description, photos, reviews)
  • Trip templates (created by Ambassadors, visible to all users)
  • Reviews and ratings (your username and review content)

We may disclose your information if required by law:

  • Court orders and legal processes
  • Law enforcement requests (with valid legal authority)
  • Protection of rights (to enforce our Terms of Service, protect our property)
  • Safety concerns (to prevent harm to individuals or the public)
5.4 Business Transfers

If [COMPANY_NAME] is involved in a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our platform before your information is transferred and becomes subject to a different privacy policy.

6. International Data Transfers

[COMPANY_NAME] operates globally, and our service providers are primarily located in the United States. If you are accessing our platform from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.

We rely on the following mechanisms for international data transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Your explicit consent for transfers necessary to provide our services

The United States may have data protection laws that differ from those in your country. We take appropriate safeguards to ensure your information is protected in accordance with this Privacy Policy.

7. Data Retention

We retain your personal information for as long as necessary to provide our services and comply with legal obligations.

7.1 Active Accounts
  • Your account information is retained while your account is active.
  • Session data is retained for security and fraud prevention purposes.
7.2 Deleted Accounts
  • When you delete your account, we retain your data for 30 days in backups to allow for account recovery.
  • After 30 days, your personal information is permanently deleted, except where we are required by law to retain it longer.

Certain information must be retained for legal compliance:

  • Tax records for Ambassadors (typically 7 years, varies by jurisdiction)
  • Transaction history (as required by financial regulations)
  • Legal disputes (information relevant to ongoing litigation or investigations)
8. Your Rights (GDPR - EU/EEA Users)

If you are located in the European Economic Area, you have the following rights regarding your personal data:

8.1 Right to Access

You have the right to request a copy of the personal information we hold about you.

8.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal information.

8.3 Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations).

8.4 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit it to another controller.

8.5 Right to Restrict Processing

You have the right to request that we limit how we use your personal information in certain circumstances.

8.6 Right to Object

You have the right to object to our processing of your personal information based on legitimate interests or for direct marketing purposes.

Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time.

8.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at [PRIVACY_EMAIL]. We will respond to your request within 30 days.

You also have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.

9. Your Rights (CCPA - California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

9.1 Right to Know

You have the right to request that we disclose:

  • The categories of personal information we have collected about you
  • The categories of sources from which we collected your personal information
  • The business or commercial purpose for collecting your personal information
  • The categories of third parties with whom we share your personal information
  • The specific pieces of personal information we have collected about you
9.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions.

9.3 Right to Opt-Out of Sale

We do NOT sell your personal information. We do not and will not sell your personal data to third parties.

9.4 Right to Non-Discrimination

You have the right to not receive discriminatory treatment for exercising your CCPA rights. We will not:

  • Deny you goods or services
  • Charge you different prices or rates
  • Provide you a different level or quality of goods or services
  • Suggest that you may receive a different price or level of quality
9.5 How to Exercise Your Rights

To exercise your CCPA rights, please contact us at [PRIVACY_EMAIL]. We will verify your identity before processing your request and respond within 45 days.

10. Security Measures

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it.

10.1 Encryption
  • In Transit: All data transmitted between your device and our servers is encrypted using HTTPS/TLS.
  • At Rest: Sensitive data stored in our databases is encrypted.
10.2 Access Controls
  • Authentication: Multi-factor authentication options for account security.
  • Authorization: Role-based access controls limit who can access your information.
  • Audit Logs: We maintain logs of access to sensitive data.
10.3 Security Assessments
  • Regular Reviews: We conduct periodic security assessments and vulnerability scans.
  • Third-Party Audits: Our service providers undergo independent security audits.
10.4 Limitations

While we strive to protect your personal information, no system is 100% secure. We cannot guarantee absolute security, and you use our platform at your own risk. Please use strong passwords and do not share your account credentials with others.

11. Cookies and Tracking

We use cookies and similar technologies to provide and improve our services. For detailed information about our cookie practices, please see our Cookie Policy (link to cookie-policy.md).

11.1 Cookies We Use
  • Session Cookies: Required for authentication and security (strictly necessary)
  • Locale Cookie: Stores your language preference for internationalization (functional)
11.2 Third-Party Cookies

When you use payment services (Stripe, PayPal), these providers may set their own cookies. Please refer to their respective privacy and cookie policies for more information.

12. Age Requirements

iTravelFree is intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18.

If you are under 18, you may not create an account or use our services. If we become aware that we have collected personal information from someone under 18, we will delete that information immediately.

If you believe we have inadvertently collected information from a minor, please contact us at [PRIVACY_EMAIL].

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

13.1 Notification of Changes
  • Material Changes: We will notify you via email and/or a prominent notice on our platform at least 30 days before the changes take effect.
  • Minor Changes: We will update the “Last Updated” date at the top of this policy.
13.2 Continued Use

Your continued use of iTravelFree after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using our services and may request deletion of your account.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Privacy Inquiries: [PRIVACY_EMAIL]
  • Postal Address: [COMPANY_ADDRESS]
  • Data Protection Officer (if applicable): [DPO_EMAIL]

We will respond to your inquiry within a reasonable timeframe, typically within 30 days.

This Privacy Policy is effective as of [DATE] and applies to all users of the iTravelFree platform.