1. Data Controller
Cinnamon Travels Worldwide, LLC ("Cinnamon Travels", "we", "our") is the data controller for personal data processed in connection with our corporate travel management services.
Cinnamon Travels Worldwide, LLC
1601 Dodge Street, Suite 3700
Omaha, NE 68102, United States
Email: privacy@cinnamon-travels.com
2. Data We Collect
We collect the following categories of personal data in the course of providing our services:
2.1 Client Contact Information
- Business name, address, and registration details
- Contact person names, job titles, email addresses, and phone numbers
- Billing and payment information
2.2 Traveler Information
- Full name, date of birth, nationality
- Passport and travel document details (as required by airlines/hotels)
- Travel preferences and loyalty program numbers
- Dietary and accessibility requirements
2.3 Usage & Technical Data
- Platform login timestamps and IP addresses
- API usage logs and request metadata
- Email delivery events (sent, delivered, bounced, opened)
- Browser type and device information (for web portal access)
3. How We Use Data
We process personal data for the following purposes:
- Service Delivery: Processing bookings, managing itineraries, and coordinating travel logistics.
- Transactional Notifications: Sending itinerary confirmations, schedule changes, safety alerts, and invoice notifications via email.
- Duty of Care: Monitoring traveler locations and issuing emergency or safety alerts when necessary.
- Billing: Generating invoices, processing payments, and maintaining financial records.
- Platform Operation: Maintaining security, preventing fraud, and improving service reliability.
- Legal Compliance: Meeting regulatory obligations, tax requirements, and responding to lawful data requests.
4. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area (EEA), we process data under the following legal bases:
- Performance of Contract: Processing necessary to fulfill our Service Agreement with the Client (primary basis).
- Legitimate Interest: Platform security monitoring, fraud prevention, and service improvements.
- Legal Obligation: Compliance with tax, accounting, and regulatory requirements.
- Consent: Where specifically required (e.g., optional analytics cookies).
5. No Data Selling
We do not sell, rent, or trade personal data to any third party. We never share personal data for marketing purposes. Data is only shared with sub-processors strictly necessary for service delivery.
6. Sub-Processors
We use the following third-party sub-processors:
- Amazon Web Services (AWS): Cloud infrastructure hosting (US-East-1, Virginia). Covered by the EU-US Data Privacy Framework.
- Mailgun (Sinch): Transactional email delivery. GDPR-compliant, Data Processing Agreement in place.
- Stripe: Payment processing. PCI-DSS Level 1 certified.
A complete list of sub-processors is available upon request. We notify clients at least 30 days before adding a new sub-processor.
7. International Data Transfers
Personal data may be transferred to and processed in the United States. For transfers from the EEA/UK, we rely on:
- Standard Contractual Clauses (SCCs): Approved by the European Commission (2021/914/EU), incorporated into all relevant contracts.
- EU-US Data Privacy Framework: Our primary sub-processors (AWS, Stripe) participate in the DPF.
8. Data Retention
- Client Account Data: Retained for the duration of the Service Agreement plus 3 years for legal and accounting purposes.
- Traveler PII: Retained for 12 months after the last associated booking, then anonymized or deleted.
- Email Delivery Logs: Retained for 90 days, then automatically purged.
- Platform Access Logs: Retained for 12 months.
- Financial/Invoice Records: Retained for 7 years as required by US tax law.
9. Your Rights
Depending on your jurisdiction, you may have the following rights:
For EEA/UK Residents (GDPR)
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements).
- Right to Restriction: Request that we limit the processing of your data.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, withdraw at any time.
We respond to all data subject requests within 30 days. Complex requests may take up to 60 days with prior notice.
For California Residents (CCPA/CPRA)
- Right to Know: What personal information we collect, use, disclose, or sell.
- Right to Delete: Request deletion of personal information we hold.
- Right to Opt-Out of Sale: We do not sell personal information, but you have the right to confirm this.
- Right to Non-Discrimination: We will not discriminate against you for exercising any privacy right.
To exercise any of these rights, email us at privacy@cinnamon-travels.com. We will verify your identity before processing the request.
10. Cookies
Our website uses only strictly necessary cookies for session management and security. We do not use tracking cookies, advertising pixels, or analytics cookies that profile individual users.
- Session Cookie: Maintains your authenticated session. Expires when you close the browser.
- CSRF Token: Prevents cross-site request forgery. Expires per session.
11. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls with MFA for all administrators
- Regular security assessments and vulnerability scanning
- Incident response plan with 72-hour breach notification (GDPR-compliant)
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to active clients at least 30 days in advance via email. The "Last Updated" date at the top of this page reflects the most recent revision.
13. Contact
For privacy-related questions or to exercise data subject rights:
Privacy Officer
Cinnamon Travels Worldwide, LLC
1601 Dodge Street, Suite 3700
Omaha, NE 68102
Email: privacy@cinnamon-travels.com
Phone: +1 (402) 555-0198
If you believe your privacy rights have been violated, you have the right to lodge a complaint with a supervisory authority, including your local Data Protection Authority.