Privacy notice · TravelCities

"We collect the minimum needed to make your trip work. We don't sell it. We don't share it with advertisers. We delete what we no longer need. Full stop."

01 · Who we are

TravelCities Editions Ltd (registered in England, Co. 14289110) is the data controller for personal data processed via this site. You can reach our data team at [email protected] or by post at 86 Newington Causeway, London SE1 6DN. We are not required to appoint a DPO, but the head of the desk acts as your point of contact.

02 · What we collect, why, and for how long

The whole list, in one table — nothing hidden in fine print:

WhatWhyRetention

Destination, dates, traveller countTo search inventory and price your cart correctly.90 days from last activity (cart) / 7 years (confirmed)

Lead traveller name + emailTo send you the itinerary and reach you about the trip.7 years from confirmation, then anonymised

Phone numberOnly for trip-day issues (delays, lockouts). Not used for marketing.7 years from confirmation

Last 4 digits of cardShown in your itinerary so you recognise the charge. Full PAN is never seen by us — Stripe tokenises it.7 years (legal/accounting)

IP address & user-agent at confirmationFraud detection and to comply with chargeback evidence rules.12 months

Cart events (which components added/removed)To help the desk if you contact us with an issue mid-cart.90 days from last activity

Cookie identifiers (first-party only)To keep you signed in and remember your active cart ID across sessions.12 months or until you sign out

03 · What we don't do

We don't sell email lists. Ever.
We don't share booking data with advertisers, affiliates, or data brokers.
We don't run third-party tracking pixels (no Meta Pixel, no Google Ads tag).
We don't store your full card number — only the last four.
We don't enrich your profile with data bought from third parties.
We don't send marketing email unless you explicitly opted in.

04 · Cookies & local storage

We use a small number of first-party cookies and localStorage items. None of them track you across other sites:

travelcities_trip_id (localStorage) — remembers your active cart ID so it survives a refresh.
travelcities_session (localStorage) — set when you sign in to your account.
travelcities_view_mode (localStorage) — remembers your last view preference (hotels/flights/both).
travelcities_bookings (localStorage) — a local index of past confirmation numbers for your itinerary page.

No third-party analytics scripts are loaded without explicit opt-in. You can clear all of this at any time from your browser's site-data settings.

05 · Sub-processors we use

To run the service we share the minimum data necessary with a small set of vetted sub-processors. The current list:

Stripe (payment processing, USA / Ireland) — last-4 digits + amount + currency only. We never see the full PAN.
Postmark (transactional email, USA) — itinerary and confirmation emails.
Cloudflare (CDN + edge, global) — request routing and DDoS protection.
Railway (hosting, EU + USA regions) — runs the application servers.

All sub-processors are bound by DPAs that match GDPR Standard Contractual Clauses. We do not transfer your data outside their stated regions.

06 · Your rights

Wherever you live, you can do the following by emailing [email protected]:

Request a full export of your data (we'll send a JSON file within 14 days).
Correct anything that's wrong.
Delete your account and all associated data, subject to legal hold (e.g. tax records for confirmed bookings).
Object to processing, or restrict it temporarily while a complaint is resolved.
Receive a portable copy of your data.
Withdraw consent for marketing email (you can also click "unsubscribe" in any such email).

Under GDPR you may also complain to the UK ICO (ico.org.uk) or your local supervisory authority. Under CCPA, you may opt out of any sale of personal information — we never sell, so this is moot, but the right is yours. Under India's DPDP Act you have equivalent rights, exercised through the same email.

07 · How we secure data

All traffic is served over TLS 1.3 with HSTS. Mixed-content requests are blocked.
Payment details are tokenised at the browser and never stored on our servers.
Application databases are encrypted at rest with AES-256.
Access to production data is limited to a small number of named engineers, audited weekly.
We follow OWASP top-10 hardening on our APIs and run dependency scans on every deploy.
In the event of a breach, we'll notify affected users within 72 hours of confirmation, as required by GDPR.

08 · Children

The service is not intended for users under 16. We do not knowingly collect personal data from children. If you believe we have, contact [email protected] and we will delete it promptly.

09 · International transfers

Data may be processed in the EU (primary), UK, USA (via Stripe), and India (via the Delhi desk). All transfers outside the EEA rely on the EU Commission's adequacy decisions or Standard Contractual Clauses, with supplementary technical measures (encryption, pseudonymisation) where required.

10 · Changes to this notice

If we change anything material, we'll surface a notice in your account and on this page at least 14 days before the change takes effect. We won't bury updates inside a "we've updated our terms" email you'll never read.

11 · Contact & complaints

For any data-related question, write to [email protected] — a real person reads it, usually within one business day. For a complaint we can't resolve, your local supervisory authority is the next step (UK ICO, Irish DPC, Indian Data Protection Board, your state AG, etc.).

Privacynotice.