Travelpop Ltd is a company registered in England and Wales that provides a business-to-business (B2B) hotel booking technology platform ("the Platform"). Travelpop Ltd is the technology provider only — it is not a travel agent, tour operator, or financial services provider.
The Platform is operated commercially by a licensed travel agent ("the Operator") who contracts directly with travel agencies ("Agencies") that use the Platform.
Registered address: [COMPANY_ADDRESS]
Data protection contact: [DPO_EMAIL]
Under UK GDPR, the roles are as follows:
| Data category | Controller | Processor |
|---|---|---|
| Agency staff account data (names, email addresses, login credentials) | Travelpop Ltd / Operator | — |
| Hotel guest data (names submitted in bookings) | The Agency that made the booking | Travelpop Ltd (processing on behalf of the Agency) |
| Booking data (dates, hotel selections, pricing) | Travelpop Ltd / Operator | — |
| Platform usage and access logs | Travelpop Ltd | — |
| Data | Legal basis | Rationale |
|---|---|---|
| Agency staff accounts | Contract performance (Art. 6(1)(b)) | Necessary to provide platform access under the service agreement |
| Booking data | Contract performance (Art. 6(1)(b)) | Necessary to fulfil hotel booking requests |
| Guest data (as processor) | Processor agreement with the Agency | Processed on documented instructions from the Agency (the controller) |
| Platform logs | Legitimate interest (Art. 6(1)(f)) | Security monitoring, fraud prevention, and service reliability |
We share personal data with the following categories of recipients, strictly as necessary to operate the Platform:
| Recipient | Data shared | Purpose | Location |
|---|---|---|---|
| HotelBeds (Hotelbeds Technology S.L.U.) | Guest names, booking details | Hotel reservation fulfilment | EU (Spain) |
| Agoda (Agoda Company Pte. Ltd.) | Guest names, booking details | Hotel reservation fulfilment | Singapore (adequate jurisdiction) |
| ETG (Emerging Travel Group) | Guest names, booking details | Hotel reservation fulfilment | EU |
| Dida Travel (Beijing Dida Travel Technology Co., Ltd.) | Guest names, booking details | Hotel reservation fulfilment | China — see Section 6 |
| Sweego (email provider) | Recipient email addresses, email content | Transactional email delivery | EU |
| Microsoft Azure | All platform data (encrypted at rest and in transit) | Cloud hosting and infrastructure | UK / EU regions |
We do not sell personal data. We do not share data with advertisers or marketing platforms.
The majority of data processing occurs within UK and EU data centres (Microsoft Azure). Where data is transferred outside the UK, we rely on the following safeguards:
Data may also be transferred from Malaysia, Singapore, and Indonesia to the United Kingdom and EU for processing. These transfers are protected by contractual clauses requiring data protection standards equivalent to or exceeding those in the originating jurisdiction, and by the security measures documented in our Security Policy.
Where the Platform is used by agencies or individuals in the following jurisdictions, the following additional protections apply:
Processing of personal data of individuals in Malaysia complies with the Personal Data Protection Act 2010 (PDPA), as amended in 2024. Data subjects in Malaysia have rights under Sections 30–44 of the PDPA, including the right of access to personal data (Section 30), the right to correct personal data (Section 34), and the right to withdraw consent for processing. To exercise these rights or make an inquiry, contact our Data Protection Officer at [DPO_EMAIL] or the office of the Malaysian Personal Data Protection Commissioner (www.pdp.gov.my).
Processing of personal data of individuals in Singapore complies with the Personal Data Protection Act 2012 (PDPA). Data subjects may contact the Personal Data Protection Commission (PDPC) regarding any concerns about our data handling practices. Our Data Protection Officer is registered with the PDPC as required. To exercise your rights under the Singapore PDPA, contact us at [DPO_EMAIL] or the PDPC (www.pdpc.gov.sg).
Processing of personal data of individuals in Indonesia complies with Law No. 27 of 2022 on Personal Data Protection (PDP Law). Data subjects in Indonesia have rights under Articles 5–16 of the PDP Law, including the right of access, correction, deletion, restriction of processing, objection, and data portability. For certain requests, we will acknowledge receipt within 3×24 hours (72 hours) as required by the PDP Law. To exercise these rights, contact us at [DPO_EMAIL].
| Data category | Retention period | Rationale |
|---|---|---|
| Booking data (including guest names) | 7 years from check-out date | UK tax and accounting requirements (HMRC) |
| Agency staff accounts | Duration of contract + 1 year | Operational necessity and reasonable dispute resolution period |
| Access and security logs | 90 days | Security monitoring and incident investigation |
| Failed login attempts | 90 days | Brute-force detection and security analysis |
Under UK GDPR, individuals have the following rights:
To exercise your rights regarding your staff account data, contact us at [DPO_EMAIL] or ask your agency administrator.
Travelpop Ltd processes guest data as a data processor on behalf of the Agency that made the booking. If you are a hotel guest and wish to exercise your data rights, please contact the travel agency that arranged your booking. They are the data controller for your personal data and are responsible for handling data subject access requests (DSARs).
The Platform uses only strictly necessary cookies. We do not use analytics, advertising, or third-party tracking cookies. For full details, see our Cookie Policy.
We implement appropriate technical and organisational measures to protect personal data, including:
The Platform does not store, process, or transmit credit card or payment card information.
We may update this Privacy Policy from time to time. Material changes will be communicated to Agency administrators via email. The "Last updated" date at the top of this page indicates the most recent revision.
For questions about this policy or to exercise your data rights, contact:
Email: [DPO_EMAIL]
Address: [COMPANY_ADDRESS]
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
https://ico.org.uk/make-a-complaint/