Privacy Policy

TripNov, Lda. (“TripNov,” “we,” “us,” or “our”) is a private limited company incorporated under the laws of Portugal, with registered offices in Lisbon, Portugal. TripNov is the data controller of the personal data you provide to us when using this website and when subscribing to and using our platform as a travel consultant or agency owner.

For the personal data of your own clients that you store and manage within TripNov, you (the subscriber) are the data controller and TripNov acts solely as a data processor on your behalf. This distinction is explained in detail in Section 6 below.

This Privacy Policy applies to:

• Visitors to our marketing website at tripnov.com and its subdomains.
• Individuals who register for a TripNov account (travel consultants, agency owners, and team members).
• Individuals who submit enquiries or lead forms on consultant-hosted TripNov websites (traveller-side portal and public lead forms).
• Anyone who contacts us for support, sales, or partnership enquiries.

This policy does not cover the personal data of clients managed by TripNov subscribers within their own workspace. Subscribers who collect and process their clients' personal data via TripNov are independently responsible for maintaining their own privacy notices towards their clients, as required by applicable data protection law.

Account and profile information. When you register for TripNov, we collect your full name, email address, company or agency name, job title, phone number, bio, preferred language, timezone, and password (stored as an Argon2 hash — your actual password is never stored). If you sign up via Google OAuth, we receive your name, email address, and profile picture as authorised by your Google account.

Workspace and subscription information. We collect your chosen workspace slug (subdomain), agency branding assets (logo, brand colours, fonts), subscription plan and status, billing address, and Stripe customer identifier. Payment card details are handled exclusively by Stripe and are never stored on TripNov systems.

Client and travel data (processed on your behalf). As a travel consultant, you input data about your clients — including names, contact details, travel preferences, passport information (if provided by your client), trip itineraries, proposals, booking records, messages, and payment information. This data is stored in your isolated workspace. TripNov processes it solely as your data processor.

Traveller lead submissions. Travellers who submit enquiry forms on a consultant's TripNov-hosted website provide their name, email, phone number, trip type preferences, and message. This data is stored in the consultant's workspace and processed by TripNov as a data processor.

Usage and activity data. We automatically collect information about how you interact with TripNov — pages visited, features used, proposal templates viewed, actions taken, session durations, and API usage metrics (call type, AI model, tokens consumed, cost). This telemetry is used to operate, improve, and secure the platform.

Device and technical information. We collect browser type, operating system, IP address, referring URL, and device identifiers when you access TripNov. This is used for security monitoring, fraud prevention, and diagnostic purposes.

Communication data. If you contact our support team or reply to emails we send, we retain those communications to resolve issues and improve our service. Automated emails (account verification, proposal notifications, billing receipts) may include tracking pixels to record open and click rates; you can disable image loading in your email client to prevent this.

Marketing and contact form data. If you submit our public contact form or subscribe to our newsletter, we collect your name, email address, company, and message. This data is used solely to respond to your enquiry or send you product-related updates.

Under the General Data Protection Regulation (GDPR) and Portuguese data protection law (Law 58/2019), we must have a valid legal basis for each processing activity. The bases we rely on are:

Service delivery. We use your information to operate TripNov — authenticating your identity, rendering your workspace, processing travel proposals, managing client records, generating AI-assisted content, running your traveller chatbot, publishing your TripNov-hosted website, and enabling third-party integrations (WhatsApp, Telegram, Google Drive, etc.).

Billing and subscriptions. We use your account information and payment data (via Stripe) to process subscription charges, issue invoices, manage renewals and cancellations, and handle AI credit top-ups.

Transactional communications. We use your email address to send messages that are strictly necessary for the service — account verification, password resets, team invitation notifications, subscription receipts, security alerts, and notices of material changes to these policies.

Optional marketing communications. With your consent, we may send you product news, feature announcements, case studies, and promotional offers. You may opt out at any time via the unsubscribe link in each email or by contacting privacy@tripnov.com.

Analytics and product improvement. Aggregated, anonymised usage data helps us understand which features are most valuable, identify friction points, and prioritise our roadmap. We do not sell individual usage data to any third party.

Security and fraud prevention. We analyse access patterns, IP addresses, and session behaviour to detect and prevent unauthorised access, abuse, and violations of our Terms of Service.

Legal compliance. We may process or disclose your data where required to comply with a legal obligation, respond to lawful requests from public authorities, or enforce our Terms of Service.

The GDPR distinguishes between entities that determine the purposes and means of processing (“controllers”) and entities that process data on behalf of controllers (“processors”).

TripNov as controller. TripNov is the data controller for account registration data, billing data, usage analytics, and any personal data you share with us through our marketing website or support channels. We determine why and how this data is processed.

TripNov as processor. When you use TripNov to store and manage your clients' personal data (names, contact details, travel preferences, passport data, messages, and payment records), you are the data controller and TripNov is acting solely as your data processor. We process this data only to deliver the platform's functionality, according to your instructions, and not for our own purposes.

Data Processing Agreement (DPA). As required by GDPR Article 28, our Data Processing Agreement is incorporated into our Terms of Service. By subscribing to TripNov, you agree to the terms of that DPA. The DPA sets out the subject matter, duration, nature and purpose of processing, the type of personal data processed, and the rights and obligations of both parties. Enterprise and agency customers may request a signed standalone DPA by contacting legal@tripnov.com.

Your obligations as controller. If you are a data controller of your clients' personal data, you are independently responsible for: having a lawful basis for collecting and processing your clients' data; providing your clients with appropriate privacy notices; responding to your clients' data subject rights requests; and complying with GDPR and any other applicable data protection laws in your jurisdiction.

We do not sell your personal data. TripNov does not sell, rent, or trade your personal information or your clients' data to third parties for marketing or advertising purposes.

Sub-processors. We share data with the following categories of trusted sub-processors who help us operate TripNov. All sub-processors are bound by data processing agreements and, where required, Standard Contractual Clauses:

When you enable optional third-party integrations (WhatsApp Business API, Telegram, Google Drive, Google Sheets), data is also shared with those services under their own terms. You are responsible for ensuring those integrations comply with applicable data protection law in your use case.

Legal requirements. We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect the rights, property, or safety of TripNov, our users, or the public. Where permitted, we will notify you before disclosing.

Business transfers. If TripNov is acquired, merged, or undergoes a change of ownership, your data may be transferred as part of that transaction. We will notify you before your personal data becomes subject to a materially different privacy policy and give you the opportunity to object.

Team members. If you invite team members to your TripNov workspace, those individuals will have access to your workspace data in accordance with the roles you assign them. This is entirely under your control as workspace owner.

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to legal obligations.

• Active accounts: Account data, workspace data, client records, proposals, itineraries, and website content are retained for the duration of your active subscription.
• Post-cancellation grace period: Upon cancellation, your workspace and all associated data are retained for 30 days to allow you to export or reactivate. After 30 days, data is permanently and irreversibly deleted from our production systems.
• Backup retention: Database backups are stored on a 90-day rolling schedule. Data deleted from production systems may persist in backups for up to 90 days, after which backups containing that data are destroyed.
• Financial records: Billing history, invoices, and transaction records are retained for seven (7) years to comply with Portuguese and EU accounting, tax, and financial reporting obligations.
• Support communications: Support tickets and email exchanges are retained for up to three (3) years for quality assurance and dispute resolution purposes.
• Analytics data: Aggregated, anonymised usage statistics are retained indefinitely for product analytics. Individual event logs are retained for up to 12 months.
• Account deletion requests: If you request deletion of your account before subscription expiry, we will initiate deletion within 7 business days. Certain data may be retained longer where we have a statutory obligation to do so.

We use cookies and similar technologies on our website and application. In accordance with the ePrivacy Directive and GDPR, non-essential cookies are only set with your prior, freely given consent.

Managing your preferences. You can withdraw cookie consent at any time by clicking “Cookie Preferences” in the footer of our website. You can also configure your browser to refuse all cookies or alert you when cookies are being sent. Disabling strictly necessary cookies will prevent you from logging in to TripNov.

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, as required by GDPR Article 32.

Encryption. All data transmitted to and from TripNov is encrypted in transit using TLS 1.2 or higher. Data stored in our databases and object storage is encrypted at rest. Passwords are hashed using Argon2 and are never stored in plain text. Authentication tokens (API keys) are hashed using SHA-256 before storage.

Access controls. TripNov implements role-based access control (RBAC) within workspaces. Platform administrators, workspace owners, and team members have differentiated access levels. We follow the principle of least privilege. TripNov staff may only access customer workspace data when strictly necessary to resolve support issues, and all such access is logged and auditable.

Infrastructure. Our application runs on infrastructure protected by a Traefik reverse proxy with automatic SSL termination. Our databases (PostgreSQL) and cache (Redis) are not exposed to the public internet. File storage uses S3-compatible object storage with server-side encryption.

Incident response and breach notification. We maintain an incident response procedure. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (CNPD — Comissão Nacional de Proteção de Dados) within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify affected users without undue delay, describing: the nature of the breach; the categories and approximate number of individuals and records concerned; the likely consequences; and the measures taken or proposed to address the breach (GDPR Art. 34).

Your responsibilities. You are responsible for maintaining the security of your account credentials. Use a strong, unique password and enable two-factor authentication where available. Notify us immediately at privacy@tripnov.com if you suspect unauthorised access to your account.

TripNov is operated from Portugal, a Member State of the European Union, and our primary data infrastructure is located within the EU/EEA. Certain third-party sub-processors listed in Section 7 (notably Stripe, Google, OpenAI, and Cloudflare) may process data in the United States or other third countries outside the EEA.

Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914) — our primary transfer mechanism for US-based processors.
• Adequacy decisions by the European Commission, where applicable.
• Binding Corporate Rules, where applicable.

You may request a copy of the transfer safeguards applicable to your data by contacting us at privacy@tripnov.com.

TripNov does not make automated decisions about you that produce legal effects or similarly significantly affect you, as described in GDPR Article 22. Our AI-assisted content tools (proposal generation, itinerary drafting, chatbot responses) generate suggestions for your review — all final decisions are made by you as the human user.

We do not use your personal data to build individual profiles for advertising, credit scoring, or any other purpose that involves automated decision-making with significant effects.

TripNov is a business platform designed for travel professionals and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, you must not use TripNov or provide any personal information to us.

If we become aware that we have inadvertently collected personal data from a child under 16 without a valid legal basis (such as verifiable parental consent where required), we will take prompt steps to delete that data. If you believe we have collected personal data from a minor, please contact us at privacy@tripnov.com and we will investigate.

Under the GDPR, you have the following rights with respect to your personal data processed by TripNov as controller. These rights apply to the extent permitted by applicable law and may be subject to certain conditions or limitations.

To exercise any of these rights, email us at privacy@tripnov.com with the subject line “GDPR Data Rights Request” and specify which right you wish to exercise and, where relevant, the personal data concerned. We will respond within 30 calendar days of receiving your request. In complex cases, or where we receive multiple requests, we may extend this period by a further 60 days — in which case we will notify you within the initial 30 days. We will not charge a fee for reasonable requests.

We may need to verify your identity before processing a request. If we cannot verify your identity, we may ask for additional information.

You have the right to lodge a complaint at any time with the competent supervisory authority for data protection matters. Our lead supervisory authority, as a company incorporated in Portugal, is:

If you are located in another EU Member State, you may also have the right to lodge a complaint with the supervisory authority in your country of habitual residence or place of work. EU supervisory authorities are listed at edpb.europa.eu.

We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority. Please contact us first at privacy@tripnov.com.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or product functionality. When we make material changes — in particular, changes that expand the purposes for which we use your personal data, introduce new categories of data, or alter your rights — we will notify you by email (to the address associated with your account) and by displaying a prominent notice within the TripNov application at least 14 days before the changes take effect.

For non-material changes (corrections, clarifications), we will update the “Last updated” date at the top of this page. Your continued use of TripNov after the effective date of the updated policy constitutes your acknowledgment of the changes. If you do not agree to the revised policy, you must stop using TripNov and may request deletion of your data.

If you have any questions, concerns, or requests regarding this Privacy Policy or the way TripNov handles your personal data, please contact our privacy team. We are committed to resolving all privacy-related communications seriously and will respond within 30 calendar days.