1. Who we are
This Privacy Policy describes how Voyaje, Inc. ("Voyaje," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the Voyaje for Business platform and its public-facing website at business.voyajeboard.com (the "Service").
Voyaje, Inc. is incorporated in the State of Delaware, United States. For privacy questions or to exercise your rights under this Policy, contact us at privacy@voyaje.com.
2. Information we collect
We collect the following categories of personal information:
- Account information. Name, email address, role within the company, and other information provided when an account is created or maintained.
- Traveler information. When a traveler books through the platform, we process information needed to complete the booking: legal name, contact details, frequent-flyer or loyalty numbers, passport details (when required by the supplier), date of birth, and travel preferences.
- Payment information. Payment-card details are transmitted directly to and stored by our payment processor (Stripe, Inc.). Voyaje does not store full payment-card numbers on its own systems.
- Trip and expense data. Bookings, itineraries, expenses, receipts, and reconciliation data submitted through the Service.
- Support communications. Information you submit when contacting us for support, including the content of your messages and attachments.
- Usage data. Information about how you interact with the Service, including pages visited, features used, time spent, device and browser information, IP address, and approximate location derived from IP address.
- Cookies and similar technologies. See section 9.
3. How we use information
We use personal information to:
- Provide and maintain the Service.
- Process bookings and transmit traveler information to suppliers (airlines, hotels, ground transportation, expense providers) as needed to fulfill the booking.
- Process payments and prevent fraud.
- Provide customer support and respond to inquiries.
- Send service-related communications, including security alerts, policy updates, and changes to the Service.
- Send duty-of-care communications during disruption or safety-relevant events.
- Improve the Service, including through aggregated and de-identified analysis.
- Comply with legal obligations.
- Detect, prevent, and address fraud or abuse of the Service.
Under the GDPR, we rely on the following legal bases: performance of a contract (account, booking, payment), legitimate interests (security, fraud prevention, service improvement), legal obligation (tax, accounting, regulatory), and consent (marketing communications when applicable).
4. How we share information
We share personal information with the following categories of recipients:
- Travel suppliers. Information needed to fulfill a booking is shared with the airline, hotel, ground transportation provider, or other supplier the traveler is booking with.
- Service providers (subprocessors). We use third-party service providers to operate the Service, including: Appwrite (database hosting, NYC region), Stripe (payment processing), Postmark (transactional email), ScaleKit (organization SSO and identity management), Sentry (error and performance monitoring), Vercel (web hosting and content delivery). A current list of subprocessors is available on request.
- The Customer organization. Travelers' booking, expense, and policy data is visible to the administrators of the Customer organization the traveler belongs to. Voyaje provides the platform; the Customer is responsible for who within their organization has access.
- Legal and safety. We may share information when required by law, in response to a valid legal request, or to protect the safety of travelers or others.
- Business transactions. In the event of a merger, acquisition, financing, or sale of assets, personal information may be transferred to the successor entity, subject to the terms of this Policy or a successor policy.
We do not sell personal information. We do not share personal information with third parties for their independent marketing or advertising purposes.
5. International data transfers
Voyaje is headquartered in the United States and the Service is currently hosted in the United States (the Appwrite NYC region). If you are located in the European Economic Area, the United Kingdom, or Switzerland, your information may be transferred to and processed in the United States.
For transfers from the European Economic Area, the United Kingdom, and Switzerland, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum where applicable. Copies of the relevant transfer mechanisms are available on request.
6. Data retention
We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods:
- Account information: retained for the life of the account plus 12 months after closure.
- Booking and expense data: retained for at least 7 years to comply with accounting and tax obligations.
- Support communications: retained for 24 months after the related ticket is closed.
- Audit-log entries: retained for at least 7 years for compliance and security purposes.
- Marketing and analytics data: retained for up to 24 months, unless an individual exercises a deletion right.
7. Your rights
Depending on your location, you may have the following rights with respect to your personal information:
- Access. Request a copy of the personal information we hold about you.
- Correction. Request that we correct inaccurate or incomplete information.
- Deletion. Request that we delete your personal information, subject to legal retention requirements.
- Portability. Receive your personal information in a structured, commonly used, machine-readable format.
- Restriction or objection. Request that we restrict or stop processing your personal information in certain circumstances.
- Withdraw consent. Where processing is based on consent, withdraw consent at any time.
- Opt-out of sale or sharing (CCPA). Although we do not sell personal information, California residents may exercise this right at any time.
- Right to lodge a complaint. File a complaint with a supervisory authority in your jurisdiction.
To exercise any of these rights, contact us at privacy@voyaje.com. We will respond within the time required by applicable law (typically 30 days under the GDPR; 45 days under the CCPA).
We honor Global Privacy Control (GPC) signals on the website where applicable.
8. Children's privacy
The Service is intended for use by businesses and their employees, not by individuals under the age of 16. We do not knowingly collect personal information from individuals under 16. If you believe a child under 16 has provided personal information through the Service, contact us at privacy@voyaje.com and we will delete it.
9. Cookies and tracking technologies
We use cookies and similar technologies to operate the Service, keep you signed in, remember your preferences, and analyze how the Service is used. Cookie categories:
- Strictly necessary. Required for the Service to function (authentication, security, session management). Cannot be disabled.
- Functional. Remember your preferences (theme, language, table density). Can be controlled in browser settings.
- Analytics. Help us understand how the Service is used, in aggregate. Disabled by default for users in jurisdictions that require opt-in consent.
We do not use advertising cookies on the Service. You can manage cookie preferences through your browser settings.
10. Security
We use industry-standard security measures to protect personal information, including encryption in transit (TLS), encryption at rest where applicable, role-based access controls, audit logging of administrative actions, and step-up authentication on sensitive operations. No security measure is perfect; we cannot guarantee that information will never be accessed, disclosed, altered, or destroyed without authorization.
In the event of a data breach that affects your personal information, we will notify you and the relevant authorities in accordance with applicable law.
11. AI and automated processing
We use third-party AI services (including, currently, DeepSeek for sentiment classification and response drafting in our support workflow) to operate certain features of the Service. AI-assisted outputs are reviewed by a human operator before any customer-facing action is taken. We do not use customer data to train third-party AI models, and our agreements with AI providers prohibit them from using customer data for their own model training.
Where automated decision-making produces legal or similarly significant effects, the affected individual has the right to human review, to express their point of view, and to contest the decision.
12. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this Policy reflects the most recent change. We will notify you of material changes by email or through the Service before they take effect.
13. Contact us
For privacy questions or to exercise your rights, contact us at privacy@voyaje.com. For general inquiries, see the Contact page.
EU and UK residents may also contact our representative for data-protection matters when one is appointed. The contact details will be published here at that time.
