Privacy Policy

Version 2026-06-16

Vectrip ("we", "us", "our") provides a corporate travel workflow platform for organizations and their travelers. This Privacy Policy describes what data we collect, how we use it, who we share it with, and the rights you have over your data. It applies to vectrip.com and the Vectrip web application and iOS Companion App.

1. Controller and contact

For data you submit through your organization's workspace, your organization is the controller and Vectrip is the processor. For account-level data (sign-up, billing contact), Vectrip is the controller. Contact us at privacy@vectrip.com.

2. What we collect

  • Account data — name, email, password hash, sign-in metadata (IP, user agent, timestamps), MFA enrollment.
  • Organization data — workspace name, branding, settings, billing contact, sub-organizations and roles.
  • Traveler profile data — contact details, role, department, preferred airports, airline and hotel preferences, loyalty numbers.
  • Sensitive traveler data (optional) — passport number, expiry, country, TSA PreCheck, Global Entry, driver license, emergency contact. Stored in a separate encrypted table with audit-logged access.
  • Travel request data — destinations, dates, preferences, free-text instructions.
  • Itinerary and booking data — flight, hotel, ground transport, and confirmation details.
  • Communications — support messages, concierge conversations, approval comments, change requests.
  • Payment data — handled by Stripe. We store only the customer ID, masked last four digits, brand, expiry, and billing address. We do not store full card numbers or CVV.
  • Notifications — email, SMS, and push delivery status with provider message IDs.
  • Cookies and local storage — see our Cookie Policy.
  • Logs and audit trail — sign-in IP, user agent, role changes, sensitive-field access, approval actions.
  • Legal acceptances — record of which policy versions you accepted, when, and from which IP.

3. How we use it

  • To provide, secure, and operate the Vectrip product for you and your organization.
  • To process travel requests, generate proposals and itineraries, and coordinate bookings with third-party suppliers.
  • To send transactional notifications (approvals, itineraries, booking confirmations, billing receipts).
  • To enforce travel policies and approval workflows you have configured.
  • To detect abuse, debug issues, and improve the product.
  • To meet legal, accounting, tax, and audit obligations.

4. Legal bases (GDPR)

  • Contract — providing the Service to your organization.
  • Legitimate interest — security, fraud prevention, product improvement.
  • Legal obligation — tax, accounting, lawful requests.
  • Consent — non-essential analytics cookies and optional marketing communications, where applicable.

5. Sub-processors

We rely on the following sub-processors to deliver the Service:

  • Lovable Cloud / Supabase — hosting, database, authentication, edge compute.
  • Cloudflare — edge runtime, CDN, DDoS protection.
  • Mailgun — transactional email delivery.
  • Twilio — SMS notifications.
  • Stripe — billing and payment processing.
  • Duffel — flight and hotel inventory.
  • OpenAI — AI-powered request extraction (zero-retention configuration).

6. International transfers

Data may be transferred and stored in the United States and the European Union depending on your workspace region. Where required, we rely on Standard Contractual Clauses or equivalent safeguards for cross-border transfers.

7. Data retention

Default retention windows are described in our Data Retention Policy. Trip and audit records are retained for up to 7 years; backups for up to 30 days after deletion.

8. Your rights

  • Access, export, or correct your personal data.
  • Request deletion of your account or traveler profile.
  • Object to or restrict certain processing.
  • Withdraw consent for non-essential communications and analytics cookies.
  • Lodge a complaint with a supervisory authority (EU/UK residents).

9. Data deletion requests

Submit a request at /data-deletion, or email privacy@vectrip.com. We process requests within 30 days; backup purge takes up to 30 additional days.

10. Security

See our Security Overview. We use TLS in transit, AES-256 at rest, envelope encryption for sensitive traveler fields, and role-based access enforced at the database layer.

11. Children

Vectrip is not intended for users under 16 and we do not knowingly collect data from children.

12. Changes to this policy

We may update this Policy. Material changes are announced to workspace admins via email and surfaced inside the product; you may be asked to re-accept the updated version before continuing to use the Service.

13. Contact

Privacy questions, data requests, or DPA inquiries: privacy@vectrip.com.