GDPR Compliance Statement

Last Updated: October 2, 2025

Introduction

AI Travel Planner is committed to protecting the rights of individuals under the General Data Protection Regulation (GDPR). This document outlines our GDPR compliance measures and your rights as a data subject.

Our Commitment

We comply with GDPR principles by ensuring that personal data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date
  • Kept only as long as necessary
  • Processed securely with appropriate safeguards

Legal Basis for Processing

We process your personal data under the following legal bases:

Consent (Article 6(1)(a))

  • Marketing communications
  • Optional cookies and tracking
  • Data sharing with third parties (beyond service providers)
  • Processing of special category data (if applicable)

Contract Performance (Article 6(1)(b))

  • Creating and managing your account
  • Providing travel itinerary services
  • Processing payments
  • Delivering customer support

Legal Obligation (Article 6(1)(c))

  • Complying with tax and accounting requirements
  • Responding to law enforcement requests
  • Maintaining records as required by law

Legitimate Interests (Article 6(1)(f))

  • Improving our services and user experience
  • Detecting and preventing fraud
  • Network and information security
  • Analytics and business intelligence

Data Controller Information

Data Controller: AI Travel Planner
Address: Austria
Email: gdpr@aitravelplanner.com
Data Protection Officer: dpo@aitravelplanner.com

Your Rights Under GDPR

As a data subject in the European Union, you have the following rights:

Right to Access (Article 15)

You have the right to:

  • Confirm whether we process your personal data
  • Access your personal data
  • Receive information about processing activities

How to exercise: Contact us at gdpr@aitravelplanner.com or use your account settings to download your data.

Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to exercise: Update your information through account settings or contact us.

Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data when:

  • Data is no longer necessary for the original purpose
  • You withdraw consent (where consent is the legal basis)
  • You object to processing and there are no overriding grounds
  • Data was unlawfully processed
  • Legal obligation requires deletion

How to exercise: Request account deletion through settings or email gdpr@aitravelplanner.com.

Exceptions: We may retain data when required by law or for legitimate interests (e.g., legal claims).

Right to Restriction of Processing (Article 18)

You have the right to restrict processing when:

  • You contest the accuracy of personal data
  • Processing is unlawful but you oppose deletion
  • We no longer need data but you need it for legal claims
  • You object to processing pending verification

How to exercise: Contact gdpr@aitravelplanner.com with your request.

Right to Data Portability (Article 20)

You have the right to:

  • Receive your personal data in a structured, machine-readable format
  • Transmit your data to another controller

How to exercise: Download your data through account settings or request it via email.

Scope: Applies to data processed based on consent or contract, and by automated means.

Right to Object (Article 21)

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing (absolute right)
  • Profiling related to direct marketing

How to exercise:

  • Marketing: Click "unsubscribe" in emails or adjust preferences in account settings
  • Other objections: Contact gdpr@aitravelplanner.com

Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects.

Our Position: We use AI for itinerary generation, but this does not produce legal effects or significantly affect you in a similar manner. You maintain control over all decisions.

Right to Withdraw Consent (Article 7(3))

Where we process data based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

How to exercise: Account settings, email preferences, or contact us.

Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority, particularly in your EU member state of habitual residence, place of work, or place of alleged infringement.

Data Processing Activities

Categories of Data Collected

  • Identity Data: Name, username
  • Contact Data: Email address, phone number (optional)
  • Financial Data: Payment information (processed by third parties)
  • Technical Data: IP address, browser type, device information
  • Profile Data: Travel preferences, saved locations
  • Usage Data: How you use our service
  • Marketing Data: Communication preferences

Categories of Data Subjects

  • Website visitors
  • Registered users
  • Subscribers
  • Customer support contacts

Recipients of Personal Data

  • Cloud hosting providers (AWS, Vercel)
  • Payment processors (Stripe, PayPal)
  • Email service providers
  • Analytics providers (Google Analytics)
  • Mapping services (Google Maps API)
  • Customer support tools

International Data Transfers

Your data may be transferred to:

  • United States: Under Standard Contractual Clauses (SCCs)
  • Other countries: Only with appropriate safeguards

Safeguards:

  • Standard Contractual Clauses approved by EU Commission
  • Adequacy decisions where applicable
  • Additional security measures

Retention Periods

  • Active accounts: Duration of service use plus legal retention period
  • Closed accounts: 90 days, then deleted (except legal requirements)
  • Marketing data: Until consent withdrawn or 3 years of inactivity
  • Transaction records: 7 years (legal requirement)
  • Support tickets: 3 years

Security Measures

We implement appropriate technical and organizational measures:

Technical Measures

  • Encryption in transit (TLS/SSL)
  • Encryption at rest for sensitive data
  • Secure password hashing (bcrypt/Argon2)
  • Regular security audits and penetration testing
  • Intrusion detection systems
  • Access logging and monitoring

Organizational Measures

  • Data protection by design and default
  • Staff training on data protection
  • Confidentiality agreements
  • Access controls and authentication
  • Incident response procedures
  • Regular policy reviews

Data Breach Notification

In the event of a personal data breach:

  • To Supervisory Authority: Within 72 hours of becoming aware (if high risk)
  • To Data Subjects: Without undue delay if high risk to rights and freedoms
  • Documentation: All breaches documented, regardless of notification requirement

You will be informed of:

  • Nature of the breach
  • Likely consequences
  • Measures taken or proposed
  • Contact point for more information

Children's Data

We do not knowingly process data of children under 16 without parental consent. If we discover such processing, we will delete the data promptly.

Special Category Data

We do not intentionally collect special category data (racial/ethnic origin, political opinions, religious beliefs, health data, biometric data, sexual orientation) under Article 9 GDPR.

If you voluntarily provide such data (e.g., health considerations for travel), we process it only with your explicit consent.

Exercising Your Rights

Response Time

We will respond to your request within one month. This may be extended by two months for complex requests, with notification.

Verification

We may request additional information to verify your identity before processing requests.

Free of Charge

Requests are generally free. We may charge a reasonable fee for:

  • Manifestly unfounded or excessive requests
  • Additional copies of data (beyond the first copy)

Refusal

We may refuse requests that:

  • Are manifestly unfounded or excessive
  • Are prohibited by law
  • Would adversely affect others' rights

If refused, we will explain the reasons and inform you of your right to complain.

Contact Us

General GDPR Inquiries: gdpr@aitravelplanner.com
Data Protection Officer: dpo@aitravelplanner.com
Data Subject Requests: requests@aitravelplanner.com

Mail:
GDPR Compliance Team
AI Travel Planner, Inc.
123 Tech Street
San Francisco, CA 94105
USA

Updates to This Statement

We may update this GDPR Compliance Statement to reflect:

  • Changes in our processing activities
  • New legal requirements
  • Best practices and guidance from supervisory authorities

Material changes will be communicated through email notification, website notice, and account notification.

Resources
This GDPR Compliance Statement demonstrates our commitment to protecting your rights and complying with EU data protection law. If you have questions or concerns, please don't hesitate to contact us.