Privacy Policy

Privacy Policy - Refund Travel Association

Effective Date: November 6, 2025
Last Updated: November 6, 2025

1. Introduction

Welcome to Refund Travel Association (“Refund Travel,” “we,” “us,” or “our”). We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:

Visit our website at https://refund.travel (the “Site”)
Use our refundable booking protection services (the “Services”)
Interact with our widget, API, or other technology platforms
Contact us for support or inquiries

Our Contact Information:

Company Name: Refund Travel Association
Address: 22535 Kettner Blvd #3A3, San Diego, CA 92101
Phone: 833-411-7768
Email for Privacy Inquiries: [email protected]

This Privacy Policy applies to all users of our Services, including:

Customers: Individuals who purchase refundable booking protection
Partners: Travel providers, hotels, event organizers, and other businesses that integrate our Services
Website Visitors: Anyone who accesses our Site

2. Legal Basis and Compliance

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data in accordance with the General Data Protection Regulation (GDPR). Our lawful bases for processing include:

Contract Performance: Processing necessary to provide our Services when you purchase refundable booking protection
Consent: When you explicitly agree to specific processing activities
Legitimate Interests: To improve our Services, prevent fraud, and operate our business efficiently
Legal Obligations: To comply with applicable laws, regulations, and legal processes

2.2 CCPA Compliance (California Users)

For California residents, we comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). You have specific rights detailed in Section 10 below.

2.3 Other Jurisdictions

We also comply with applicable privacy laws in other jurisdictions where we operate, including but not limited to Canada’s PIPEDA and Australia’s Privacy Act.

3. Information We Collect

3.1 Information You Provide Directly

When you use our Services, we may collect:

Account and Registration Information:

Full name
Email address
Phone number
Postal address
Date of birth (for refund verification purposes)

Booking and Transaction Information:

Travel booking details (dates, destinations, accommodations)
Refund assistance purchase information
Payment information (processed securely through third-party payment processors)
PayPal email address (if different from account email)
Transaction history and refund claim details

Communication Information:

Customer support inquiries and correspondence
Feedback, survey responses, and testimonials
Contact form submissions
Email and SMS communications preferences

Refund Claim Documentation:

Medical certificates or doctor’s notes (for illness-related claims)
Death certificates (for bereavement claims)
Employment termination letters (for redundancy claims)
Travel disruption documentation (for transport-related claims)
Court summons or jury duty notices
Government travel restrictions or advisory notices
Any other evidence supporting your refund claim under our Terms & Conditions

3.2 Information Collected Automatically

When you access our Site or Services, we automatically collect:

Device and Browser Information:

IP address and approximate geolocation
Browser type and version
Operating system
Device identifiers (mobile device ID, advertising ID)
Screen resolution and device type

Usage Information:

Pages visited and time spent on pages
Clickstream data and navigation patterns
Referring and exit URLs
Search queries on our Site
Widget interactions and conversion data

Cookies and Similar Technologies:

Session cookies for functionality
Persistent cookies for preferences
Analytics cookies for performance tracking
Marketing cookies for targeted advertising (with your consent)

For detailed information about our cookie practices, please see Section 8 below.

3.3 Information from Third Parties

We may receive information from:

Partner Businesses:

Booking reference numbers and customer details from our distribution partners
Transaction data from travel providers, hotels, event organizers, and sports venues
Integration and API usage data from partners

Payment Processors:

Payment confirmation and transaction status
Fraud detection signals (without accessing full payment card details)

Analytics and Marketing Providers:

Aggregated demographic information
Marketing campaign performance data
Website analytics and user behavior insights

Social Media Platforms:

Public profile information if you interact with us on social media
Advertising audience data (in aggregated form)

Data Enrichment Services:

Email validation and verification
Fraud prevention and risk assessment data

4. How We Use Your Information

We use your personal information for the following purposes:

4.1 Service Delivery and Contract Performance

Processing Refund Assistance: Administering refundable booking protection, evaluating refund claims, and issuing refunds
Customer Support: Responding to inquiries, resolving issues, and providing technical assistance
Partner Services: Facilitating widget integration, API access, and revenue sharing with distribution partners
Transaction Management: Processing payments, preventing fraud, and maintaining transaction records

4.2 Communication and Updates

Service Communications: Sending booking confirmations, refund status updates, and important service notifications
Marketing Communications: Providing information about new services, features, and promotional offers (with your consent where required)
Partner Communications: Sharing performance reports, integration updates, and business development opportunities with our partners
Surveys and Feedback: Requesting your input to improve our Services

4.3 Business Operations and Improvements

Analytics and Research: Analyzing usage patterns, conversion rates, and customer behavior to improve our Services
Product Development: Developing new features, AI-based pricing models, and service enhancements
Security and Fraud Prevention: Detecting and preventing fraudulent claims, unauthorized access, and security threats
Quality Assurance: Monitoring customer service interactions and evaluating claim handling procedures

4.4 Legal and Compliance

Legal Obligations: Complying with applicable laws, regulations, and legal processes
Dispute Resolution: Resolving disputes, enforcing our Terms & Conditions, and protecting our rights
Audit and Compliance: Maintaining records for regulatory compliance and internal audits
Risk Management: Assessing and managing business risks

4.5 Legitimate Business Interests

Business Intelligence: Understanding market trends, customer preferences, and competitive positioning
Partnership Development: Identifying and evaluating potential business partners
Financial Management: Managing revenue, commissions, and financial reporting
Corporate Transactions: Facilitating mergers, acquisitions, or other business transfers

We do not sell your personal information. We share your information only in the following circumstances:

5.1 Service Providers and Business Partners

We share information with trusted third-party service providers who assist us in operating our business:

Technology Infrastructure:

Cloud Hosting: Google Cloud Platform (for data storage and processing)
CDN and Performance: Cloudflare (for content delivery and security)
Analytics: Google Analytics, website analytics platforms
Payment Processing: Stripe, PayPal, and other payment processors (who have their own privacy policies)

Communication Services:

Email Providers: For sending transactional and marketing emails
SMS Services: For sending text message notifications and updates
Customer Support: Live chat, helpdesk, and ticketing systems

Marketing and Advertising:

Advertising Networks: Google Ads, Facebook/Meta, LinkedIn, Twitter/X (with your consent where required)
Marketing Automation: Email marketing and campaign management platforms
Social Media: When you interact with our social media presence

Business Operations:

Document Processing: For handling and verifying refund claim documentation
Fraud Prevention: For detecting and preventing fraudulent activity
Legal and Compliance: Legal counsel, auditors, and compliance consultants

All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

5.2 Distribution Partners

We share necessary information with our distribution partners (travel providers, hotels, event organizers, sports venues) to:

Process refund requests on their behalf
Provide reporting on refundable booking conversions and performance
Facilitate revenue sharing and commission payments
Coordinate customer service and support

Partners are contractually obligated to comply with applicable data protection laws and maintain confidentiality.

5.3 Legal Requirements and Protection

We may disclose your information when required by law or to protect our rights:

To comply with legal obligations, court orders, or regulatory requirements
To respond to lawful requests from public authorities (including national security or law enforcement)
To enforce our Terms & Conditions and other agreements
To protect the rights, property, safety, or security of Refund Travel, our users, or the public
To detect, prevent, or investigate fraud, security breaches, or illegal activities

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information may be transferred to the successor organization. We will notify you of any such change and the choices you may have regarding your information.

5.5 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you with:

Partners for business intelligence and reporting
Industry analysts and researchers
The public for transparency and educational purposes

6. International Data Transfers

6.1 Data Storage and Processing

Your information may be transferred to and processed in countries outside your country of residence, including the United States, where our servers and service providers are located. These countries may have different data protection laws than your jurisdiction.

Primary Data Locations:

United States: Primary operations and data processing (Google Cloud Platform)
Europe: Secondary data centers for EU/EEA users (when applicable)
Global CDN: Content delivery through Cloudflare’s global network

6.2 Safeguards for International Transfers

When transferring data internationally, we implement appropriate safeguards:

For EU/EEA to US Transfers:

Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all service providers
Additional security measures including encryption and access controls

For UK Transfers:

UK-approved Standard Contractual Clauses
International Data Transfer Agreements (IDTAs)

General Safeguards:

Encryption in transit (TLS/SSL) and at rest
Access controls and authentication requirements
Regular security audits and compliance assessments
Contractual commitments from all data processors

6.3 Data Localization

For certain jurisdictions with data localization requirements, we may store data locally or implement specific data handling procedures to comply with local laws.

7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with legal obligations.

7.1 General Retention Periods

Active Accounts and Services:

Account information: Retained while your account is active and for 3 years after account closure
Transaction records: Retained for 7 years for financial, tax, and legal compliance purposes
Refund claim documentation: Retained for 7 years from claim resolution
Customer support communications: Retained for 3 years from last interaction

Marketing and Communications:

Marketing communications list: Until you unsubscribe or withdraw consent
Email engagement data: Retained for 2 years from last interaction
Website analytics: Aggregated data retained indefinitely; individual data anonymized after 26 months

Legal and Compliance:

Legal hold: Retained as required by ongoing legal proceedings or investigations
Regulatory requirements: Retained as mandated by applicable laws and regulations
Audit trails: Retained for 7 years for compliance and audit purposes

7.2 Deletion and Anonymization

After retention periods expire:

Personal information is securely deleted or anonymized
Backups are purged according to our data retention schedule
Anonymized data may be retained indefinitely for research and analytics

7.3 Your Right to Request Deletion

You may request deletion of your information earlier (see Section 10 - Your Rights). We will honor such requests except where we have legal obligations or legitimate interests to retain certain information.

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our Site. We use cookies and similar technologies (web beacons, pixels, local storage) to enhance your experience, analyze usage, and deliver personalized content.

8.2 Types of Cookies We Use

Strictly Necessary Cookies (Cannot be disabled):

Session management and authentication
Security and fraud prevention
Load balancing and website functionality
Cookie consent preferences

Functional Cookies (Can be disabled):

Language and region preferences
User interface customization
Accessibility settings
Widget configuration for partners

Analytics and Performance Cookies (Can be disabled):

Google Analytics (traffic analysis, user behavior, conversion tracking)
Website performance monitoring
Error tracking and debugging
A/B testing and optimization

Marketing and Advertising Cookies (Require consent):

Google Ads (remarketing and conversion tracking)
Facebook Pixel (custom audiences and analytics)
LinkedIn Insight Tag (professional audience targeting)
Twitter/X Pixel (campaign measurement)
Third-party ad networks

8.3 Third-Party Cookies

We use services that may set their own cookies:

Google Analytics: https://policies.google.com/privacy
Google Ads: https://policies.google.com/technologies/ads
Facebook/Meta: https://www.facebook.com/privacy/explanation
LinkedIn: https://www.linkedin.com/legal/privacy-policy
Cloudflare: https://www.cloudflare.com/privacypolicy/

8.4 Managing Cookies

Browser Controls:

Most browsers allow you to refuse cookies or delete existing cookies
Browser settings typically found in “Privacy,” “Security,” or “Settings” menus
Note: Disabling necessary cookies may affect website functionality

Cookie Consent Tool:

Upon first visit, you can manage cookie preferences through our consent banner
Update preferences anytime via the cookie settings link in our footer

Opt-Out Tools:

Google Analytics Opt-out: https://tools.google.com/dlpage/gaoptout
NAI Opt-out: https://optout.networkadvertising.org/
DAA Opt-out: https://optout.aboutads.info/

Do Not Track Signals:

We currently do not respond to Do Not Track (DNT) browser signals
We will update this policy if our DNT practices change

9. Data Security

We implement comprehensive technical, administrative, and physical security measures to protect your personal information from unauthorized access, disclosure, alteration, and destruction.

9.1 Technical Safeguards

Encryption:

TLS/SSL encryption for all data in transit (minimum TLS 1.2)
AES-256 encryption for sensitive data at rest
End-to-end encryption for payment information

Access Controls:

Multi-factor authentication (MFA) for employee access
Role-based access control (RBAC) with least privilege principle
Regular access audits and reviews
Automated session timeouts

Infrastructure Security:

Secure cloud hosting with Google Cloud Platform
Firewall protection and intrusion detection systems
DDoS protection through Cloudflare
Regular security patches and updates
Isolated production and development environments

Application Security:

Secure coding practices and code reviews
Regular vulnerability scanning and penetration testing
Web application firewall (WAF)
SQL injection and XSS protection
CSRF token validation

9.2 Administrative Safeguards

Data Governance:

Designated Data Protection Officer (DPO) for GDPR compliance
Privacy by design and default principles
Data protection impact assessments (DPIAs) for high-risk processing
Documented data processing procedures

Employee Training:

Mandatory privacy and security training for all employees
Confidentiality and non-disclosure agreements
Role-specific security training
Regular security awareness updates

Vendor Management:

Due diligence assessments for all service providers
Data processing agreements with privacy and security requirements
Regular vendor security audits
Contractual liability and indemnification provisions

9.3 Physical Safeguards

Data Center Security:

Google Cloud Platform certified data centers (SOC 2, ISO 27001)
24/7 physical security and monitoring
Biometric access controls
Environmental controls and disaster recovery systems

Office Security:

Secure office access controls
Locked storage for physical documents
Secure disposal of sensitive information (shredding, degaussing)
Clean desk and screen lock policies

9.4 Incident Response

Breach Notification:

We will notify affected individuals and authorities within 72 hours of discovering a data breach (as required by GDPR)
Notifications will include the nature of the breach, likely consequences, and mitigation measures
For California residents, we will comply with CCPA breach notification requirements

Incident Management:

Documented incident response plan
Regular testing and updates of response procedures
Forensic investigation capabilities
Communication protocols for affected parties

9.5 Security Limitations

While we implement industry-standard security measures, no system is 100% secure. You are responsible for:

Maintaining the confidentiality of your account credentials
Using strong, unique passwords
Not sharing your account access with others
Promptly notifying us of any unauthorized access or security concerns

10. Your Rights and Choices

Under GDPR, you have the following rights:

Right to Access:

Request a copy of the personal information we hold about you
Receive information about how we process your data

Right to Rectification:

Correct inaccurate or incomplete personal information
Update your account information at any time

Right to Erasure (“Right to be Forgotten”):

Request deletion of your personal information when:
- It’s no longer necessary for the purposes collected
- You withdraw consent and no other legal basis exists
- You object to processing and no overriding legitimate interests exist
- The data was unlawfully processed
- Legal obligations require erasure
Note: We may retain certain information for legal compliance or legitimate interests

Right to Restriction of Processing:

Request limitation of processing when:
- You contest the accuracy of the data
- Processing is unlawful but you don’t want erasure
- We no longer need the data but you need it for legal claims
- You’ve objected to processing pending verification of legitimate interests

Right to Data Portability:

Receive your personal information in a structured, commonly used, machine-readable format
Request transfer of your data to another service provider (where technically feasible)

Right to Object:

Object to processing based on legitimate interests or for direct marketing purposes
We will stop processing unless we demonstrate compelling legitimate grounds

Right to Withdraw Consent:

Withdraw consent at any time for processing based on consent
Withdrawal doesn’t affect the lawfulness of processing before withdrawal

Right to Lodge a Complaint:

File a complaint with your local data protection authority
EU/EEA: Find your authority at https://edpb.europa.eu/about-edpb/board/members_en
UK: Information Commissioner’s Office (ICO) at https://ico.org.uk

Automated Decision-Making:

Right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects
Note: We use AI-based pricing, but human oversight is involved in significant decisions

10.2 Rights for California Residents (CCPA/CPRA)

Under California law, you have the following rights:

Right to Know:

Categories of personal information collected
Categories of sources from which information is collected
Business or commercial purposes for collecting information
Categories of third parties with whom we share information
Specific pieces of personal information we’ve collected about you

Right to Delete:

Request deletion of your personal information (subject to exceptions)
We may retain information necessary for legal compliance or legitimate business purposes

Right to Correct:

Request correction of inaccurate personal information

Right to Opt-Out of Sale/Sharing:

While we don’t “sell” personal information for monetary consideration, we may “share” information for targeted advertising
Opt-out of such sharing via our “Do Not Sell or Share My Personal Information” link
We honor Global Privacy Control (GPC) signals

Right to Limit Use of Sensitive Personal Information:

Request limitation of use of sensitive personal information to specific purposes
We don’t process sensitive personal information beyond what’s reasonably necessary for our Services

Right to Non-Discrimination:

Exercise privacy rights without discriminatory treatment
We won’t deny services, charge different prices, or provide different quality of service for exercising rights

Authorized Agent:

You may designate an authorized agent to submit requests on your behalf
We may require verification of the agent’s authority

10.3 Marketing and Communication Preferences

Email Marketing:

Unsubscribe from marketing emails via the link in each email
Update preferences in your account settings
You’ll still receive transactional emails necessary for our Services

SMS Marketing:

Reply STOP to any marketing text message
Manage SMS preferences in your account settings

Push Notifications:

Manage notification preferences in your device settings or app preferences

Postal Mail:

10.4 How to Exercise Your Rights

To exercise any of these rights, contact us at:

Email: [email protected]
Phone: 833-411-7768
Mail: Refund Travel Association, Attn: Privacy Team, 22535 Kettner Blvd #3A3, San Diego, CA 92101

Verification Process:

We’ll verify your identity before processing requests (to protect your information)
May require additional information to confirm your identity
Responses typically provided within 30 days (45 days for complex requests)

No Fee:

We don’t charge fees for reasonable requests
May charge a fee for excessive, repetitive, or manifestly unfounded requests

11. Children’s Privacy

Our Services are not directed to children under 18, and we do not knowingly collect personal information from children under 18.

Age Restrictions:

You must be at least 18 years old to use our Services
Partners must ensure they don’t process orders from minors

Parental Notice:

If we discover we’ve collected information from a child under 18, we will promptly delete it
Parents or guardians who believe we’ve inadvertently collected their child’s information should contact us immediately

Exception:

We may process information about minors as part of family travel bookings made by adults, but only as necessary to provide the Services

12. Third-Party Links and Services

Our Site may contain links to third-party websites, services, or resources that are not operated or controlled by Refund Travel.

No Responsibility:

We are not responsible for the privacy practices or content of third-party sites
Linking doesn’t imply endorsement

Partner Websites:

Our distribution partners (hotels, travel providers, event organizers) have their own privacy policies
Review their policies when making bookings or providing information

Social Media:

Interactions on social media platforms are governed by those platforms’ privacy policies
Information shared publicly on social media may be visible to other users

Payment Processors:

Payment information is processed by third-party payment processors (Stripe, PayPal, etc.)
Review their privacy policies for information about how they handle your payment data

Recommendation:

Always review privacy policies of third-party sites before providing personal information

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

Notification of Changes:

Material Changes: We will notify you by email and/or prominent notice on our Site at least 30 days before changes take effect
Non-Material Changes: We will update the “Last Updated” date at the top of this policy
Continued Use: Your continued use of our Services after changes take effect constitutes acceptance of the updated policy

Review Regularly:

We encourage you to review this Privacy Policy periodically
Check the “Last Updated” date to see when it was last revised

Prior Versions:

Archived versions of this Privacy Policy are available upon request

14. Additional Information for Specific Jurisdictions

14.1 European Economic Area, United Kingdom, and Switzerland

Data Controller:

Refund Travel Association is the data controller for your personal information
Our representative in the EU (if applicable): [To be designated if processing significant EU data]

Legal Rights:

See Section 10.1 for your GDPR rights
Right to lodge a complaint with your supervisory authority

Data Protection Officer:

Contact: [email protected]

14.2 California

California Privacy Rights:

See Section 10.2 for your CCPA/CPRA rights
“Shine the Light” Law: Request disclosure of information shared with third parties for direct marketing

Do Not Sell or Share My Personal Information:

We don’t sell personal information for monetary consideration
We may share information for targeted advertising (which may be considered a “sale” under CCPA)
Opt-out: [email protected] or via our cookie consent tool

14.3 Nevada

Nevada Privacy Rights:

Nevada residents may opt out of the “sale” of personal information (as defined under Nevada law)
Contact: [email protected]

14.4 Canada

PIPEDA Compliance:

We comply with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
Privacy Commissioner of Canada: https://www.priv.gc.ca

14.5 Australia

Privacy Act Compliance:

We comply with the Australian Privacy Principles (APPs)
Office of the Australian Information Commissioner: https://www.oaic.gov.au

14.6 Other Jurisdictions

If you’re located in a jurisdiction with specific privacy laws not listed here, we will make reasonable efforts to comply with applicable requirements. Contact us for jurisdiction-specific information.

15. Business Contact Information

15.1 General Inquiries

Refund Travel Association

Address: 22535 Kettner Blvd #3A3, San Diego, CA 92101, United States
Phone: 833-411-7768
Email: [email protected]
Website: https://refund.travel

15.2 Privacy-Specific Contacts

Privacy Inquiries and Rights Requests:

Email: [email protected]
Subject Line: Please include “Privacy Request” or your specific right (e.g., “GDPR Access Request,” “CCPA Deletion Request”)

Data Protection Officer (GDPR):

Email: [email protected]

Security Concerns:

Email: [email protected]
Report Data Breaches: Immediately notify us if you suspect unauthorized access to your account

15.3 Partner Support

For Distribution Partners:

Technical Support: [email protected]
API Documentation: Contact your account manager or [email protected]

By using our Services, you acknowledge that:

You have read and understood this Privacy Policy
You consent to the collection, use, and disclosure of your information as described
If you’re in the EU/EEA, you understand your GDPR rights
If you’re in California, you understand your CCPA/CPRA rights
You’re at least 18 years old or have parental consent to use our Services

For Partners:

By integrating our Services, you confirm you have the right to share customer information with us
You’re responsible for obtaining necessary consents from your customers
You’ll comply with applicable data protection laws in your operations

17. Questions and Complaints

If you have questions, concerns, or complaints about our privacy practices or this Privacy Policy:

Contact Us First:
- Email: [email protected]
- We’ll investigate and respond within 30 days
Supervisory Authorities:
- EU/EEA: Contact your local data protection authority
- UK: Information Commissioner’s Office (ICO) - https://ico.org.uk
- California: California Attorney General - https://oag.ca.gov/privacy
- Other Jurisdictions: Contact your local privacy regulator
Alternative Dispute Resolution:
- We’re committed to resolving complaints fairly and promptly
- For unresolved disputes, we may participate in alternative dispute resolution procedures

Appendix A: Data Processing Details

Categories of Personal Information (CCPA)

Category	Examples	Collected	Sources	Business Purpose	Third Parties Shared With
Identifiers	Name, email, phone, postal address, IP address, device ID	Yes	Directly from you, automatically, partners	Service delivery, customer support, marketing	Service providers, partners
Commercial Information	Booking details, transaction history, purchase records	Yes	Directly from you, partners	Service delivery, analytics, business operations	Service providers, partners, payment processors
Financial Information	Payment method (not full card numbers), PayPal email	Yes	Directly from you, payment processors	Transaction processing, fraud prevention	Payment processors, service providers
Internet Activity	Browsing history, search history, interactions with website	Yes	Automatically via cookies and tracking	Analytics, personalization, marketing	Analytics providers, advertising networks
Geolocation Data	IP-based location, approximate location	Yes	Automatically	Service delivery, analytics, fraud prevention	Service providers
Professional/Employment	Employer information (for redundancy claims)	Sometimes	Directly from you	Refund claim processing	Service providers
Health Information	Medical certificates (for illness claims)	Sometimes	Directly from you	Refund claim processing	Service providers (claim administrators)
Inferences	Customer preferences, behavior predictions, propensity scores	Yes	Derived from other information	Personalization, marketing, pricing	Service providers

Sensitive Personal Information (CPRA)

We may collect sensitive personal information in limited circumstances:

Health Information: Medical certificates or doctor’s notes for illness-related refund claims
Government IDs: Passport numbers or government ID numbers (only when required for travel booking verification)

We limit use and disclosure of sensitive personal information to purposes necessary for providing our Services and as permitted by law.

Data Controller: Refund Travel Association

Processing Activity 1: Refundable Booking Protection Service

Purpose: Provide refundable booking protection, process refund claims
Legal Basis: Contract performance, legitimate interests
Categories of Data Subjects: Customers who purchase refundable booking protection
Categories of Personal Data: Identifiers, booking details, transaction data, refund claim documentation (may include health data)
Categories of Recipients: Service providers (cloud hosting, payment processing, document management), distribution partners
International Transfers: United States (Standard Contractual Clauses)
Retention Period: 7 years from transaction date or claim resolution
Security Measures: Encryption, access controls, secure hosting, regular audits

Processing Activity 2: Marketing and Communications

Purpose: Send marketing communications, promotional offers, service updates
Legal Basis: Consent (where required), legitimate interests
Categories of Data Subjects: Customers, website visitors who subscribe, partner contacts
Categories of Personal Data: Identifiers, communication preferences, engagement data
Categories of Recipients: Email service providers, marketing platforms, analytics providers
International Transfers: United States (Standard Contractual Clauses)
Retention Period: Until consent withdrawn or 2 years of inactivity
Security Measures: Encryption, access controls, secure transmission

Processing Activity 3: Website Analytics and Optimization

Purpose: Analyze website usage, improve user experience, optimize conversions
Legal Basis: Consent (for non-essential cookies), legitimate interests
Categories of Data Subjects: Website visitors
Categories of Personal Data: Internet activity, device information, geolocation, usage patterns
Categories of Recipients: Analytics providers (Google Analytics), performance monitoring services
International Transfers: United States (Privacy Shield, Standard Contractual Clauses)
Retention Period: 26 months (Google Analytics), aggregated data indefinitely
Security Measures: Anonymization, IP masking, encryption

Appendix C: Glossary of Terms

Data Controller: The entity that determines the purposes and means of processing personal data (Refund Travel Association).

Data Processor: An entity that processes personal data on behalf of the data controller (e.g., our service providers).

Data Subject: An identified or identifiable natural person whose personal data is processed.

GDPR: General Data Protection Regulation - EU regulation on data protection and privacy.

CCPA/CPRA: California Consumer Privacy Act and California Privacy Rights Act - California laws on consumer data privacy.

Personal Information/Personal Data: Information relating to an identified or identifiable individual.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to processing.

Legitimate Interests: Processing necessary for legitimate business interests that don’t override individual rights.

Sensitive Personal Information: Special categories of data requiring additional protections (e.g., health data, biometric data).

Anonymization: Process of removing personal identifiers so data can no longer identify an individual.

Pseudonymization: Replacing identifying information with pseudonyms, allowing re-identification with additional information.

Data Breach: Unauthorized access, disclosure, or loss of personal data.

END OF PRIVACY POLICY

This Privacy Policy is effective as of November 6, 2025. For previous versions, please contact [email protected].

Ready To Sign Up?

Step 1. Request a Membership Agreement & Tech Credentials
Step 2. Add the Widget to your Booking Flow
Step 3. GO LIVE with Refund Travel’s full support