Privacy Policy
Effective date: 2026-06-04 · Last updated: 2026-06-04
1. Who we are
Tourbox Systems Limited ("Tourbox", "we", "us", "our") is a company registered in England and Wales under company number 15613075, incorporated on 3 April 2024. Our registered address is 125 Freshfield Road, Brighton, England, BN2 0BR.
We are registered with the Information Commissioner's Office (ICO) under registration number ZC103797.
For data protection enquiries, contact us at privacy@tourbox.com.
2. About this policy
This Privacy Policy explains how we collect, use, store, and share personal data when you use Tourbox as a tour operator, including our web application, APIs, and related services.
Tourbox is a software-as-a-service (SaaS) platform that helps tour operators manage bookings, customers, itineraries, communications, and finances.
If you are a traveller using the Tourbox consumer app, this policy does not apply to you. Please see our Consumer Privacy Policy.
3. Our dual role: controller and processor
We act in two distinct capacities:
- Data controller: for personal data we collect about you as a Tourbox user (your account, billing, and usage data). We decide how and why this data is processed.
- Data processor: for personal data you enter into Tourbox about your customers, bookings, and business operations. You (the tour operator) remain the controller of that data, and we process it only on your instructions. Our Data Processing Agreement governs this relationship.
4. Data we collect as controller
4.1 Account data
When you create a Tourbox account, we collect:
- Your name and email address (authenticated via Hanko, our passwordless authentication provider)
- Your organisation name
- Your role within the organisation (owner, admin, or editor)
- Your avatar image (if provided)
4.2 Billing data
Billing is handled by Paddle, who acts as our Merchant of Record. Paddle collects and processes your payment information directly. We do not store your card details or bank account information. We receive from Paddle: transaction references, subscription status, invoice amounts, and tax information.
4.3 Usage data
We collect data about how you use the platform, including:
- Feature usage and interaction patterns
- AI token consumption and associated costs (input tokens, output tokens, cost, and processing duration), tracked per organisation
- Error reports and performance data (via our self-hosted, EU-based error tracker)
4.4 Integration credentials
When you connect third-party services (such as Zoom, Slack, Vamoos, Xero, Gmail, or Outlook), we store the necessary authentication credentials. These are encrypted at rest using AES-256-CBC encryption.
5. Data we process on your behalf
When you use Tourbox to manage your business, you may input the following categories of personal data about your customers and contacts. You are the data controller for this information; we process it solely on your instructions.
5.1 Customer personal information
- Names: first name, last name, preferred name, middle name, and title
- Date of birth
- Postal address (up to four address lines, city, postcode, and country)
- Email addresses (one or more per customer)
- Phone numbers (one or more per customer)
5.2 Booking and enquiry data
- Booking details: dates, reference numbers, status, and cancellation information
- Financial summaries: amounts in one or more currencies
- Enquiry data: source, marketing source, qualification status, and contact information
5.3 Travel documents
Files you upload are stored in OVHcloud private object storage, hosted in the EU (France). We use content hashing to ensure file integrity.
5.4 Communications
When you use Tourbox to manage email communications, we process:
- Email subject lines, body text and HTML content
- Sender and recipient information
- Delivery status and metadata
5.5 Financial documents and payments
- Invoices and quotes: amounts, tax, and version history
- Customer payment records: payment method, amount, currency, and exchange rates
6. AI data processing
Tourbox includes AI-powered features such as document intelligence and content generation. When you use these features:
- Document content and text are sent to our AI provider for processing
- Text generation, document OCR, and classification use Mistral AI (Mistral AI SAS), hosted in the EU. Text and image embeddings used for search use Jina AI (Jina AI GmbH, now part of Elastic), also hosted in the EU
- All AI processing of your customers' personal data is performed by EU-based providers. We do not route customer personal data through US-based AI providers
- We track token usage per organisation (input tokens, output tokens, cost, and duration) for billing and monitoring purposes
- No AI provider uses your data for model training. All providers are contractually prohibited from training on data submitted through Tourbox
Separately, certain optional, business-tier media features (such as video streaming and AI image editing) use specialist providers based in the United States. These process uploaded media files only, never text prompts containing personal data, and operate under a Data Processing Agreement with UK IDTA / EU SCCs transfer safeguards. See our Sub-processor List for details.
7. Third-party integrations
All integrations are initiated by you and only active when you explicitly connect them. We do not activate integrations on your behalf.
- Gmail / Outlook: You connect your own email account to send and receive emails through Tourbox
- Zoom: Server-to-server OAuth connection for video conferencing features
- Slack: Outbound notifications for enquiries and events to your chosen Slack channels
- Vamoos: Synchronisation of travel product data with your Vamoos account
- Xero: Synchronisation of accounting and financial data with your Xero account
You can disconnect any integration at any time from your organisation settings.
8. Legal bases for processing
We rely on the following legal bases under UK GDPR Article 6:
| Legal basis | Processing activity |
|---|---|
| Contract (Art. 6(1)(b)) | Account creation and management, service delivery, processing your subscription and billing through Paddle |
| Legitimate interests (Art. 6(1)(f)) | Security monitoring, fraud prevention, service improvement, error monitoring via our self-hosted error tracker, and maintaining platform integrity |
| Consent (Art. 6(1)(a)) | Optional third-party integrations you choose to connect, and marketing communications (if any) |
| Legal obligation (Art. 6(1)(c)) | Retaining tax and billing records as required by UK law, and complying with legal requests |
Where we rely on legitimate interests, we have carried out balancing tests to ensure our interests do not override your rights. You may request details of these assessments by contacting us.
9. Who we share data with
We share personal data with the following categories of sub-processors, each of which is bound by appropriate data processing agreements:
- Authentication: Hanko (identity verification)
- Billing: Paddle (payment processing, invoicing, tax)
- Infrastructure: Northflank (hosting, EU), Cloudflare (Pages, DNS, Turnstile bot protection; transit only, no data at rest)
- Object storage: OVHcloud (uploaded media, generated PDFs, attachments; EU, France)
- Off-site backups: Scaleway (client-side encrypted backup ciphertext only; EU, France)
- Email delivery: Mailgun (transactional and operator email sending; EU)
- Mapping: MapTiler (map tile rendering, geocoding)
- AI providers: Mistral AI (text generation, OCR, classification; EU) and Jina AI / Elastic (embeddings; EU)
- Media processing: Mux (video encoding and playback), fal.ai (AI image editing), and RunPod (GPU vision) for business-tier media features (US, under IDTA / SCCs)
- OAuth providers: Google and Microsoft (where operators connect Gmail or Outlook)
Error monitoring is performed by a self-hosted, EU-based error tracker running on our own infrastructure; it is not a third-party sub-processor, and the inclusion of personal data in error reports is disabled by default.
For a complete and up-to-date list of sub-processors, including their locations and purposes, see our Sub-Processors page.
We do not sell your personal data to anyone.
10. International data transfers
Your data is primarily hosted in the EU on Northflank infrastructure. Some of our sub-processors are based in or transfer data to countries outside the UK and EU, including the United States.
Where data is transferred internationally, we ensure appropriate safeguards are in place:
- UK transfers: UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
- EU transfers: Standard Contractual Clauses (SCCs) approved by the European Commission
AI processing of your customers' personal data is kept within the EU: text and document AI runs on Mistral AI (France) and embeddings on Jina AI / Elastic (EU). We do not transfer customer personal data to AI providers outside the UK and EU. International transfers to the United States are limited to optional, business-tier media features (Mux, fal.ai, and RunPod), which process uploaded media only under UK IDTA / EU SCCs safeguards.
11. Data retention
We retain personal data only for as long as necessary for the purposes described in this policy:
| Data category | Retention period |
|---|---|
| Account data | While your account is active, then deleted within 30 days of account closure |
| Customer data (processed on your behalf) | As directed by you; deleted or returned within 30 days of contract termination |
| Billing and tax records | 7 years from the date of the transaction, as required by UK tax law |
| Error logs | 90 days |
| AI usage logs | 12 months |
| Email delivery logs | 30 days |
When data is deleted, we remove it from our active systems. Residual copies in encrypted backups are overwritten in the normal backup rotation cycle.
12. Your rights under UK GDPR
You have the following rights in relation to personal data we hold about you as controller:
- Access: Request a copy of the personal data we hold about you
- Rectification: Ask us to correct inaccurate or incomplete data
- Erasure: Ask us to delete your data where there is no compelling reason for us to continue processing it
- Restriction: Ask us to suspend processing of your data in certain circumstances
- Portability: Request your data in a structured, commonly used, machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time
- Complain: Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113
To exercise any of these rights, contact us at privacy@tourbox.com. We will respond within one month.
For data we process on your behalf (as processor), please direct your request to the tour operator who controls that data. If they ask us to assist, we will do so promptly.
13. Additional rights for California residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know: You may request details about the categories and specific pieces of personal information we have collected about you
- Right to delete: You may request deletion of your personal information, subject to certain exceptions
- Right to correct: You may request correction of inaccurate personal information
- Right to opt out of sale: We do not sell personal information. We do not share personal information for cross-context behavioural advertising
- Non-discrimination: We will not discriminate against you for exercising any of your privacy rights
To exercise these rights, contact us at privacy@tourbox.com.
14. Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Multi-tenant isolation: Row-Level Security (RLS) at the PostgreSQL database level ensures each organisation's data is strictly separated
- Encryption at rest: Integration credentials are encrypted using AES-256-CBC
- Encryption in transit: All data is transmitted over HTTPS/TLS, including Redis connections (TLS)
- Authentication: Hanko JWT-based passwordless authentication
- Access control: Role-based organisation access with owner, admin, and editor roles
- Private storage: Files stored in OVHcloud object storage are not publicly accessible; access is controlled via signed URLs
No system is completely secure. If you discover a security vulnerability, please report it to privacy@tourbox.com.
15. Children
Tourbox is a business-to-business platform designed for use by tour operators. It is not directed at individuals under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
16. Cookies
We use cookies and similar technologies on our website and application. For full details, see our Cookie Policy.
17. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify you by email or through the platform. The "last updated" date at the top of this page indicates when the policy was last revised.
18. Related documents
19. Contact us
If you have any questions about this Privacy Policy or our data practices, contact us at:
Tourbox Systems Limited
125 Freshfield Road, Brighton, England, BN2 0BR
Email: privacy@tourbox.com