Privacy Policy

1. Who We Are

QNVY Travel Ltd ("QNVY", "we", "us") is the data controller for personal information collected via https://qnvy.travel. We are committed to protecting your privacy and handling your data responsibly in accordance with UK GDPR and the Data Protection Act 2018.

2. What Data We Collect

Travellers:

• Name, email address, and phone number (provided on signup and trip submission)
• Trip details: destination, travel dates, budget, group size, preferences, and notes
• Account activity: trips posted, agencies contacted

Agencies:

• Agency name, contact email, phone, website, and social media handles
• Business details: years in operation, specialisms, supported destinations
• Payment information (processed by Stripe — we do not store card details)
• Lead purchase history and performance data

All users:

• IP address and browser/device information for security and analytics
• Usage data: pages visited, features used

3. How We Use Your Data

We use your data to:

• Match travellers with suitable specialist agencies using our AI engine
• Share traveller contact details with agencies who purchase a lead (travellers consent to this at submission)
• Send transactional emails: trip confirmation, agency notifications, account updates
• Process agency payments via Stripe
• Improve platform matching accuracy and performance
• Comply with legal obligations

Our legal basis for processing is: contract performance (to provide the service), legitimate interests (improving matching, security), and consent (marketing emails, where applicable).

4. Data Sharing

We share your data only as necessary:

• Agencies: When an agency purchases a lead, they receive the traveller's name, email, phone number, and trip details. Travellers acknowledge this when submitting a trip request.
• Supabase: Our database and authentication provider. Data is stored in the EU.
• Stripe: Payment processing for agency lead fees. Subject to Stripe's own privacy policy.
• Resend: Transactional email delivery.
• Vercel: Hosting provider. Logs may include IP addresses.

We do not sell your data. We do not share data with advertisers.

5. Data Retention

We retain your account data for as long as your account is active. If you request deletion, we will remove your personal information within 30 days, except where retention is required by law (e.g. financial records for 7 years). Trip data may be retained in anonymised form for platform analytics.

6. Your Rights

Under UK GDPR, you have the right to:

• Access — request a copy of the data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Restriction — limit how we process your data
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests

To exercise any of these rights, email privacy@qnvy.travel. We will respond within 30 days.

7. Cookies

QNVY uses essential cookies for authentication (session management via Supabase). We do not use advertising cookies or third-party tracking cookies. You can disable cookies in your browser settings, but this will prevent you from staying logged in.

8. Security

We use industry-standard security measures including HTTPS encryption, row-level security on our database, and role-based access controls. No transmission over the internet is completely secure — if you believe your account has been compromised, contact us immediately.

9. Changes to This Policy

We may update this policy periodically. Material changes will be communicated by email or a notice on the platform. Continued use after changes constitutes acceptance.

10. Contact & Complaints

For privacy questions, email privacy@qnvy.travel. If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.