01Who we are
This Privacy Policy is issued by Innovate Solution Global FZ-LLC
(trading as Reservationhub; "we", "us", "our"), a free-zone limited liability
company registered in Ras Al Khaimah, United Arab Emirates.
- Registered office
- Flat FDBC3254, Compass Building, Al Shohada Road, AL Hamra Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates.
- Privacy contact
- [email protected] · [email protected]
- Telephone
- +971 50 748 7131
- Data Protection Officer (DPO)
- For GDPR-related matters, contact [email protected].
For website visitors and self-service trial users we generally act as a data controller.
For data we process on behalf of our paying customers through the booking platform, API or hosted services,
we generally act as a data processor; in that capacity our processing is also governed by our
Data Processing Agreement.
02Scope of this policy
This policy applies to personal data processed in connection with:
- The Reservationhub website at reservationhub.net and any subdomains.
- Our hosted SaaS booking platform (Subscription Cloud Edition).
- The Source Code Edition where we host or support deployments on a customer's behalf.
- The Travel Content API and TripGic Travel Content API services.
- Mobile applications we publish on the Apple App Store and Google Play Store.
- Sales, marketing, support, recruitment, partnership and finance interactions.
It does not apply to third-party websites, products or services linked from ours,
or to personal data processed inside customer-controlled instances of the Source Code Edition
where the customer is the sole controller and operator.
03Personal data we collect
We collect the following categories of personal data. Not every category applies to every person.
a. Identifiers and contact details
Name, business name, job title, work email, business phone number, work address, country/region.
b. Account and authentication data
Username, hashed passwords, multi-factor authentication tokens, login timestamps, IP address used to log in, session identifiers.
c. Commercial and contract data
Quotes accepted, contracts signed, plan selected, products and modules subscribed to, renewal dates, billing addresses, tax identifiers (VAT/GST/TIN), purchase orders.
d. Payment data
Billing name and address, last four digits of payment card, card brand and expiry, bank account reference,
and transaction identifiers. Full card numbers and CVV are never stored on our systems;
they are tokenized by our PCI-DSS Level 1 payment processors.
e. Booking and travel data (processor capacity)
Where our customers use the platform to sell travel to their own end-travellers, the bookings flowing
through the system may contain passenger names, dates of birth, passport numbers, nationality,
contact details, dietary or accessibility preferences, frequent-flyer numbers, itineraries, and other
information necessary to complete a travel booking. We process this data on our customers' instructions
as their data processor.
f. Technical data
IP address, device identifiers (IDFA/AAID for mobile apps), browser type and version, operating system,
screen resolution, time zone, referring URL, pages visited, click paths, error logs, API request and response
metadata (excluding raw payment data).
g. Mobile-specific data
For our mobile apps we may, with your permission, process: precise or approximate location (only when you
actively use a feature that needs it, e.g. "find the nearest airport"), push-notification tokens, crash logs
and performance diagnostics, and (where you opt in) advertising identifiers for measurement and attribution.
We honour the Apple ATT (App Tracking Transparency) framework and Google's user-choice controls.
h. Communications and support data
Emails, chat transcripts, screen recordings of in-product issues you voluntarily share, support-ticket history,
satisfaction-survey responses, call recordings (only with your consent and where lawful).
i. Marketing data
Your preferences about which marketing channels you accept, newsletter subscriptions, event attendance,
content downloads, and engagement signals (opens/clicks) from emails we send you.
j. Recruitment data
If you apply for a role with us: CV/résumé, cover letter, references, right-to-work documents, interview
notes. Sensitive data (e.g. health information for accommodations) only when you choose to share it.
Special category data
We do not seek to collect special-category data (race, religion, health, biometrics, sexual orientation,
trade-union membership). If processing such data is unavoidable for a booking — for example, a dietary
requirement that implies religion, or accessibility information that implies health — we process it
only on the documented instructions of our customer (the controller) under
the DPA.
04Sources of personal data
- Directly from you — when you fill a form, request a demo, sign a contract, create an account, contact support, or use our products.
- Automatically — through cookies, server logs, mobile SDKs and analytics tools when you visit the website or use the apps. See our Cookie Policy.
- From our customers — when their systems push booking data, employee accounts or end-traveller details into the platform we host for them.
- From third-party suppliers — airlines, hotels, GDS providers, payment gateways, identity-verification vendors, KYB providers, and credit bureaus return information in the course of a booking or onboarding.
- From public sources — company registries, sanctions lists, LinkedIn, news outlets, and similar, for due-diligence and sales-research purposes.
05How and why we use data
We use personal data for the following purposes:
- Provide our services — operate the platform, route bookings to suppliers, return search results, send confirmations, run mobile apps.
- Manage accounts — register users, authenticate logins, enforce permissions, handle account recovery.
- Billing and finance — generate invoices, process payments and refunds, recover unpaid amounts, meet accounting and tax obligations.
- Customer support — respond to tickets, diagnose issues, train support staff, improve documentation.
- Security and fraud prevention — detect intrusions, prevent abuse, block fraudulent transactions, run audit logs, run vulnerability scans.
- Service improvement — analyse aggregate usage, run A/B tests, measure performance, fix bugs.
- Sales and marketing — send relevant communications about our products, run events, retarget on advertising platforms (only where lawful and with consent where required).
- Legal compliance — respond to lawful requests from authorities, satisfy tax, anti-money-laundering, sanctions and aviation/travel regulations.
- Corporate transactions — evaluate, structure and complete mergers, acquisitions, financings or asset sales (with appropriate confidentiality).
- Recruitment — evaluate candidates and onboard hires.
06Legal bases (GDPR / UK-GDPR)
Where the GDPR or UK-GDPR applies, we rely on the following lawful bases (Article 6):
- Performance of a contract (Art. 6(1)(b)) — to deliver services you or your employer contracted for.
- Legitimate interests (Art. 6(1)(f)) — to run, secure, improve and market the business, balanced against your rights.
- Legal obligation (Art. 6(1)(c)) — to comply with tax, AML, sanctions, aviation/travel and corporate-records laws.
- Consent (Art. 6(1)(a)) — for direct marketing where required, non-essential cookies, optional location and notification permissions on mobile, and certain product analytics.
- Vital interests (Art. 6(1)(d)) — only in rare emergencies where life or safety requires it.
You may withdraw consent at any time without affecting the lawfulness of processing before the withdrawal.
07Who we share data with
We share personal data only with the following categories of recipients, under contract and with appropriate safeguards:
a. Sub-processors and service providers
- Cloud hosting and storage providers (e.g. AWS, Azure, GCP regions selected per contract).
- Email-delivery, customer-support, helpdesk and analytics platforms.
- Payment processors and acquirers (PCI-DSS Level 1 certified).
- Identity-verification, KYB and fraud-prevention vendors.
- Error-monitoring and crash-reporting tools.
A current list of sub-processors is maintained in our DPA, Schedule III.
b. Travel suppliers
Airlines, hotels, ground-transport providers, GDS systems (Amadeus, Sabre, Travelport), aggregators and consolidators receive only the data necessary to complete a booking the user requests.
c. Partners and resellers
Where you engaged with us through an authorised reseller, partner or referral, we may share limited information with them for account-management and commission purposes.
d. Professional advisers
Lawyers, auditors, bankers, tax advisers and insurers, under duty of confidence.
e. Authorities
Government and regulatory authorities, courts, law-enforcement and tax administrations where legally required or where we believe in good faith it is necessary to protect rights, property or safety.
f. Successors
An acquirer or successor in a corporate transaction; we will notify affected users where required by law.
We do not sell personal data for monetary consideration. We do not engage in "share" or "sale" as defined under the California Consumer Privacy Act / CPRA, except as may apply to limited online advertising — see Section 12 below.
08International data transfers
Our business is global. Personal data may be transferred to and processed in countries other than the
one where you live, including the United Arab Emirates, European Economic Area, United Kingdom,
United States, India, Singapore, and other jurisdictions where we or our sub-processors operate.
For transfers from the EEA, UK or Switzerland to a country without an adequacy decision, we rely on one or more of the following safeguards:
- The European Commission's Standard Contractual Clauses (2021/914).
- The UK International Data Transfer Addendum (IDTA) or UK Addendum to the EU SCCs.
- The Swiss FADP addendum.
- Binding Corporate Rules, where applicable, or derogations under Article 49 GDPR.
- Supplementary technical and organisational measures (encryption at rest and in transit, key segregation, access controls).
You may request a copy of the transfer mechanism applicable to your data by emailing [email protected].
09How long we keep data
We retain personal data for as long as needed for the purposes set out above and to comply with our legal obligations. Typical retention periods:
| Category | Retention period |
|---|
| Account & profile data | Active life of the account + up to 24 months after closure |
| Booking records (controller-instructed) | Per customer's instruction in the DPA; default 7 years for tax |
| Billing & invoice records | Up to 10 years (UAE corporate-tax and VAT requirements) |
| Support tickets | Up to 5 years for service-quality analysis |
| Marketing data | Until you unsubscribe, then 90-day suppression list |
| Server & security logs | 30 days to 2 years depending on log type |
| Recruitment data | 12 months after a decision, longer with your consent |
| Cookies | See Cookie Policy for per-cookie durations |
After the relevant period we delete or anonymise the data so it can no longer be linked back to you.
10Security
We protect personal data with administrative, technical and physical safeguards proportionate to the risk, including:
- TLS 1.2+ encryption in transit; AES-256 encryption at rest for primary stores.
- Role-based access control, least-privilege principles and mandatory MFA for staff.
- Network segmentation, web-application firewalls, DDoS protection.
- Continuous vulnerability scanning, regular penetration testing, secure SDLC.
- Documented incident response and 72-hour breach-notification protocol (GDPR Art. 33).
- SOC 2 Type II programme, PCI-DSS scoping with tokenised payments.
- Background checks for staff with access to production systems; mandatory annual security training.
No system is perfectly secure. If we learn of a personal-data breach affecting you, we will notify you and the competent authority where required by law.
11Your rights
Depending on your location, you may have some or all of the following rights:
- Access — a copy of the personal data we hold about you.
- Rectification — correction of inaccurate or incomplete data.
- Erasure — deletion of data, subject to legal exceptions (e.g. tax records).
- Restriction — pausing certain processing.
- Portability — a machine-readable export of data you provided.
- Objection — to processing based on legitimate interests or direct marketing.
- Withdraw consent — at any time, where processing relies on consent.
- No automated decisions — not to be subject to a decision based solely on automated processing with legal effects (we do not currently make such decisions).
- Complain — to a supervisory authority in your country (see Section 12).
To exercise a right, email [email protected].
We will respond within 30 days (extendable by 60 days for complex requests). For booking data held on
behalf of a customer, please contact the customer (your travel agency or company); we will assist them.
We do not charge a fee unless your request is manifestly unfounded or excessive.
12Region-specific rights
European Economic Area, United Kingdom & Switzerland (GDPR / UK-GDPR / FADP)
You have the rights described in Section 11. You can lodge a complaint with your national data-protection authority. In the UK, that is the Information Commissioner's Office (ico.org.uk); the Irish Data Protection Commission acts as a leading authority for many EU matters concerning us.
California, USA (CCPA / CPRA)
California residents may request to know, delete or correct personal information, opt out of "sale" or "sharing" (we do not sell, and our limited use of advertising cookies can be opted out via our cookie banner), and not face discrimination for exercising these rights. We do not knowingly sell or share the personal information of consumers under 16 without consent. Submit requests via [email protected] or call +971 50 748 7131.
Other US States
Residents of Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, and other US states with comprehensive privacy laws have similar rights of access, correction, deletion, portability and opt-out of targeted advertising/sale. Submit requests as above.
Brazil (LGPD)
Brazilian data subjects may request confirmation of processing, access, correction, anonymisation, portability, deletion, information about sharing, and revocation of consent. Contact [email protected].
India (DPDPA 2023)
Indian data principals may obtain summary of processing, correction/erasure of personal data, grievance redressal, and nomination. Our grievance officer is reachable at [email protected].
China (PIPL)
If you are in mainland China, additional rights apply, including access to personal-information processing rules, copy of data, deletion, restriction, and rights upon death of a data subject. Cross-border transfers are subject to the Standard Contract for outbound personal information.
Singapore, Malaysia, Thailand (PDPA)
You may request access to and correction of your personal data, and withdraw consent for marketing communications.
Australia (Privacy Act)
Australian residents have rights to access and correct their personal information and complain about a privacy breach to the OAIC.
Canada (PIPEDA / Quebec Law 25)
Canadian residents may request access, correction and withdrawal of consent. Quebec residents have additional rights including portability and information about automated decisions.
United Arab Emirates (PDPL — Federal Decree-Law 45 of 2021)
As a UAE-resident company, we also comply with the UAE Personal Data Protection Law. UAE residents have rights of access, correction, deletion, restriction, transfer and to object to processing.
13Children's privacy
Our services are intended for business users (B2B) and travellers acting as adults. We do not knowingly
collect personal data from children under the age of 13 (or under 16 in some EU member states) without
parental consent. Travellers booked by our customers may include minors; in that case the responsible
adult booker provides the data on the child's behalf. If you believe a child has provided personal data
to us, please contact [email protected] and we
will delete it.
We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and Apple's Kids Category requirements where applicable. None of our mobile apps are listed in the Kids Category.
14Mobile applications
The following supplements this policy for our iOS and Android applications.
Apple App Store (iOS)
- We follow Apple's App Tracking Transparency (ATT) framework. We will not access the IDFA or track you across other apps and websites without your prompt-based permission.
- Our Apple "Privacy Nutrition Labels" disclose the data we collect; the most current version is on each app's App Store listing and authoritative.
- For Health, HomeKit, ClassKit, ResearchKit, Wallet or similar Apple-restricted data: not currently collected.
Google Play (Android)
- Our Play Console Data Safety section identifies each data category collected, whether it is shared, and the purposes — that section is authoritative for Play Store users.
- Permissions (camera, location, contacts, storage, notifications) are requested at runtime and only when needed by a specific feature.
- Account deletion in-app is available; you can also email [email protected] for full account closure per Google Play requirements.
Push notifications
If you grant the OS-level permission, we may send transactional and (where you opt in) marketing push notifications. You can revoke this at any time in your device's notification settings or in-app.
Location
We request location only when a feature needs it (for example, "find airports near me"). You can deny or revoke location permission at any time.
Crash and performance data
We collect crash logs and performance telemetry to fix bugs. Where required by law we obtain consent before collecting this data.
In-app purchases
If you make a purchase inside a mobile app, the platform (Apple or Google) processes the payment. We receive a transaction reference and confirmation but not your full payment details. Refunds for in-app purchases are governed by the relevant store's policy.
15Automated decision-making and profiling
We do not currently take decisions that produce legal or similarly significant effects on you based
solely on automated processing. Some operational systems use automation (e.g. fraud-risk scoring of
payment attempts, rate-limiting of suspicious traffic, spam filtering) but a human review is available
on request where the outcome materially affects you.
16Cookies and tracking technologies
Detailed information about the cookies, SDKs and similar technologies we use, their purposes and how to
control them is in our Cookie Policy. EEA/UK visitors are presented with a
consent banner on first visit; non-essential cookies are not set until you accept.
17Changes to this policy
We may update this policy from time to time to reflect changes in our services, the law or how we
operate. The "Last updated" date at the top reflects the latest revision. For material changes we will
give reasonable advance notice — e.g. by email, in-product banner or a notice on this page — before the
changes take effect. Continued use after the effective date constitutes acceptance.
18How to contact us
Questions, requests, complaints or feedback about privacy: email
[email protected] or
[email protected],
call +971 50 748 7131, or write to:
Data Protection Officer
Innovate Solution Global FZ-LLC (Reservationhub)
Flat FDBC3254, Compass Building
Al Shohada Road, AL Hamra Industrial Zone-FZ
Ras Al Khaimah, United Arab Emirates
If you are not satisfied with our response, you may complain to the data-protection authority in your jurisdiction. We will not retaliate against you for exercising your rights.