Privacy Policy

Introduction

Bluepath Journeys ("Company," "we," "us," or "our") is committed to protecting and respecting the privacy of every individual who interacts with our services, website, online platforms, and communications. This Privacy Policy explains in detail how we collect, use, store, share, protect, and dispose of your personal information when you visit our website, use our corporate travel management platform, engage our booking or event planning services, communicate with our team, or otherwise interact with Bluepath Journeys in any capacity.

This Privacy Policy applies to all personal data we process, regardless of the medium or method through which it is collected — whether through our website, mobile applications, email, telephone, in-person meetings, paper forms, or through third-party platforms and integrations used in connection with our Services. By using any of our Services or providing your personal information to us, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.

We encourage you to read this Privacy Policy carefully and in its entirety. If you have any questions or concerns about our privacy practices, please do not hesitate to contact us using the information provided at the end of this document. We are committed to addressing your concerns promptly and transparently.

Information We Collect

In order to provide our corporate travel management Services effectively, we collect several categories of personal and business information. The types and scope of information collected depend on the nature of your relationship with us, the Services you engage, and how you interact with our platforms.

2.1 Personal Identification Information

We collect personal identification details necessary for travel booking and coordination, including but not limited to: full legal name as it appears on government-issued identification; date of birth; gender; nationality and citizenship; passport number, issue date, and expiration date; visa information; government-issued photo identification numbers; known traveler numbers (TSA PreCheck, Global Entry, NEXUS); frequent flyer and hotel loyalty program membership numbers; and emergency contact information. This information is essential for airline ticketing, hotel reservations, border crossing, immigration compliance, and traveler safety.

2.2 Contact and Communication Information

We collect contact details to facilitate communication regarding your travel arrangements and account management, including: business and personal email addresses; office, mobile, and home telephone numbers; business mailing address; company name, department, and job title; preferred communication channels and language preferences. We also retain records of communications exchanged between you and our team, including emails, chat logs, call recordings (where permitted and disclosed), and written correspondence.

2.3 Travel Preference and Profile Information

To personalize and optimize your travel experience, we collect and maintain traveler profile information, including: airline seating preferences (window, aisle, class of service); hotel room preferences (bed type, floor preference, smoking/non-smoking); dietary restrictions and food allergies; mobility requirements and disability accommodations; ground transportation preferences; travel insurance preferences; preferred airlines, hotel chains, and car rental companies; and any other preferences you voluntarily provide to us.

2.4 Health and Medical Information

In certain circumstances, we may collect limited health-related information necessary for travel arrangements, including: food allergies relevant to catering and meal planning; mobility limitations requiring special transportation or accommodation arrangements; medical conditions that may affect travel eligibility or require special accommodations; vaccination records where required by destination countries or travel carriers; and emergency medical information for duty-of-care purposes. We treat all health-related information with heightened confidentiality and process it only to the extent necessary to fulfill our travel management obligations.

2.5 Financial and Payment Information

We collect financial information necessary for billing and payment processing, including: corporate billing information and purchase order numbers; credit card or payment card details (processed through PCI-DSS compliant payment processors); bank account information for wire transfer payments; expense reimbursement data; and budget authorization details. We do not store full credit card numbers on our systems; all payment card data is handled by our PCI-DSS Level 1 certified payment processing partners.

2.6 Technical and Usage Data

When you access our website or platform, we automatically collect certain technical information, including: IP address and approximate geolocation; browser type, version, and language settings; operating system and device type; screen resolution and display settings; pages visited, time spent on pages, and navigation paths; referral URLs and search terms used to find our website; click patterns and interaction data within our platform; and session duration and frequency of visits.

2.7 Information from Third Parties

We may receive personal information about you from third-party sources in connection with our Services, including: travel suppliers (airlines, hotels, car rental companies) providing booking confirmations and itinerary updates; your employer or organization providing authorized traveler lists and corporate travel policies; background check providers for compliance purposes; credit agencies for payment verification; and publicly available business information from professional networking platforms and corporate directories.

How We Use Your Information

We use the information we collect for the following purposes, all of which are necessary for the performance of our contractual obligations, compliance with legal requirements, or based on our legitimate business interests:

• Service delivery: To research, plan, book, manage, and support your corporate travel arrangements, including flights, accommodations, ground transportation, event venues, and related services.
• Account management: To create and maintain your client account, manage user access to our platform, process approvals and workflows, and administer your travel program.
• Communication: To send booking confirmations, itinerary updates, travel alerts, schedule changes, gate changes, delay notifications, and other time-sensitive information relevant to your travel plans.
• Financial processing: To generate invoices, process payments, issue refunds or credits, track expenses, produce financial reports, and manage your billing account.
• Reporting and analytics: To generate travel spend reports, budget variance analyses, travel pattern insights, and other business intelligence that helps you optimize your corporate travel program.
• Safety and duty of care: To locate and assist travelers during emergencies, natural disasters, political instability, or health crises; to provide emergency contact information to relevant authorities when necessary; and to fulfill our duty-of-care obligations to your traveling employees.
• Personalization: To remember traveler preferences, suggest optimized itineraries, recommend preferred suppliers, and deliver a more efficient and comfortable travel experience tailored to individual and organizational needs.
• Legal compliance: To comply with applicable laws, regulations, tax requirements, immigration requirements, sanctions screening, anti-money laundering obligations, and other legal or regulatory requirements.
• Service improvement: To analyze usage patterns, identify areas for improvement, develop new features and services, conduct internal research, and enhance the quality and reliability of our Services.
• Marketing: To send you newsletters, industry insights, travel tips, promotional offers, and information about new services that may be relevant to your organization, subject to your communication preferences and applicable opt-out rights.

Information Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We share your information only in the following circumstances, and only to the extent necessary to fulfill the stated purpose:

4.1 Travel Suppliers and Service Providers

We share traveler information with airlines, hotels, car rental companies, ground transportation providers, event venues, catering companies, and other travel suppliers as necessary to make and manage reservations on your behalf. The information shared typically includes traveler name, contact details, travel dates, preferences, loyalty program numbers, and payment information. Each travel supplier processes your information according to their own privacy policies.

4.2 Technology and Infrastructure Partners

We engage trusted technology partners to support our platform and operations, including cloud hosting providers, payment processors, email delivery services, customer relationship management systems, analytics platforms, and cybersecurity providers. These partners process your information on our behalf under strict data processing agreements that require them to protect your information and use it only for the purposes we specify.

4.3 Your Organization

When we provide Services under a corporate account, we share relevant travel information with your designated organizational representatives, including trip itineraries, booking confirmations, expense reports, budget utilization data, and travel analytics. The scope of information shared with your organization is determined by your corporate travel policy and the service agreement between us and your employer.

4.4 Government and Regulatory Authorities

We may disclose your information to government authorities, regulatory bodies, law enforcement agencies, or other third parties when required to do so by applicable law, legal process, government request, or when we believe in good faith that disclosure is necessary to comply with a legal obligation; protect and defend our rights, property, or safety; prevent fraud, abuse, or illegal activity; or protect the personal safety of our clients, employees, or the public.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, asset sale, bankruptcy, or similar corporate transaction, your personal information may be transferred to the acquiring entity or successor organization. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy, and we will use reasonable efforts to ensure that the acquiring entity honors the commitments made in this Privacy Policy.

Cookies and Tracking Technologies

Our website and platform use cookies, web beacons, pixel tags, and similar tracking technologies to collect information about your browsing behavior, preferences, and interactions with our digital properties. Cookies are small text files placed on your device by your web browser that enable us to recognize your device, remember your preferences, and provide a more personalized experience.

5.1 Types of Cookies We Use

• Essential cookies: Required for the basic functioning of our website and platform, including session management, authentication, security, and load balancing. These cookies cannot be disabled without significantly impairing your ability to use our Services.
• Functional cookies: Enable enhanced functionality and personalization, such as remembering your language preferences, display settings, and previously entered form data. These cookies improve your user experience but are not strictly necessary for basic functionality.
• Analytics cookies: Help us understand how visitors interact with our website by collecting information about pages visited, time spent, navigation paths, error encounters, and other usage metrics. We use this data to improve our website design, content, and performance. We use Google Analytics and similar services for this purpose.
• Marketing cookies: Used to track visitors across websites and display advertisements that are relevant to you. These cookies may be set by our advertising partners and are used to build a profile of your interests. We use marketing cookies only with your explicit consent where required by applicable law.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, set preferences for specific websites, and receive notifications when new cookies are set. Please note that blocking essential cookies may prevent you from accessing certain features of our website and platform.

Data Security

We take the security of your personal information seriously and implement a comprehensive set of technical, administrative, and physical safeguards designed to protect your data against unauthorized access, alteration, disclosure, destruction, loss, or misuse. Our security measures include but are not limited to:

• Encryption of data in transit using TLS 1.3 (Transport Layer Security) and data at rest using AES-256 encryption standards.
• Strict access controls with role-based permissions, multi-factor authentication, and the principle of least privilege applied to all employee and contractor access to personal data.
• Regular security assessments, penetration testing, and vulnerability scanning conducted by qualified internal and external security professionals.
• Secure, SOC 2 Type II certified data centers located in the United States with physical access controls, environmental monitoring, and redundant power and cooling systems.
• Employee security awareness training, background checks for personnel with access to sensitive data, and confidentiality agreements for all employees and contractors.
• Incident response and breach notification procedures designed to detect, contain, investigate, and report security incidents in accordance with applicable legal requirements.
• Regular data backup procedures with encrypted off-site storage and tested disaster recovery processes.

While we implement robust security measures, no method of transmission over the internet and no method of electronic storage is completely secure. We cannot guarantee absolute security of your personal information, and any transmission of data to us is at your own risk. In the unlikely event of a data breach affecting your personal information, we will notify you and the relevant regulatory authorities in accordance with applicable law.

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal and regulatory obligations, resolve disputes, enforce our agreements, and support our legitimate business operations. Specific retention periods vary based on the type of information and the purpose for which it is held:

• Active account data: Retained throughout the duration of your service relationship with us and for a period of three (3) years following the termination of our business relationship or your last engagement with our Services.
• Booking and travel records: Retained for a minimum of seven (7) years from the date of travel to comply with tax, accounting, and regulatory requirements.
• Financial and billing records: Retained for a minimum of seven (7) years to comply with applicable tax laws, accounting standards, and audit requirements.
• Communication records: Retained for a period of three (3) years from the date of communication, unless a longer retention period is required for legal, compliance, or dispute resolution purposes.
• Website analytics data: Retained in anonymized or aggregated form for up to three (3) years for trend analysis and service improvement purposes.
• Marketing consent records: Retained for as long as the consent is valid and for a period of two (2) years following the withdrawal of consent for record-keeping purposes.

When personal information is no longer required for any purpose, we will securely delete or anonymize it using industry-standard data destruction methods. Anonymized data that can no longer be linked to any identifiable individual may be retained indefinitely for statistical and research purposes.

Your Rights and Choices

Depending on your location and applicable privacy laws, you may have certain rights regarding your personal information. We respect these rights and will process any valid request in accordance with applicable law. Your rights may include:

• Right of access: You have the right to request a copy of the personal information we hold about you, along with information about how we process it, the categories of data collected, the sources of data, and the recipients or categories of recipients to whom data has been disclosed.
• Right to rectification: You have the right to request correction of any inaccurate or incomplete personal information we hold about you. We will make reasonable efforts to update your information promptly upon receiving a verified correction request.
• Right to erasure: Under certain circumstances, you have the right to request the deletion of your personal information. Please note that we may be unable to comply with erasure requests where we are required to retain information for legal, regulatory, or contractual reasons.
• Right to restriction: You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when the accuracy of the data is contested or when processing is unlawful but you prefer restriction over erasure.
• Right to data portability: Where technically feasible, you have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
• Right to object: You have the right to object to the processing of your personal information for direct marketing purposes. You may also object to processing based on legitimate interests, and we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent: Where we process your information based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

To exercise any of these rights, please contact us using the information provided at the end of this document. We will respond to all verified requests within thirty (30) days or within the timeframe required by applicable law. We may need to verify your identity before processing your request to ensure the security of your personal information.

California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information. Under these laws, California residents have the right to know what personal information we have collected about them in the preceding twelve (12) months, including the categories and specific pieces of personal information collected, the categories of sources from which information was collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom the information was shared.

California residents also have the right to request the deletion of their personal information, subject to certain exceptions; the right to opt-out of the sale or sharing of their personal information (we do not sell personal information); the right to correct inaccurate personal information; and the right to limit the use and disclosure of sensitive personal information. We will not discriminate against you for exercising any of these rights. To submit a request under the CCPA/CPRA, please contact us using the information provided at the end of this document.

European Economic Area and GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and applicable national data protection laws provide you with enhanced rights regarding your personal data. We process personal data of EEA residents on the following legal bases: performance of a contract (to deliver our travel management Services); legitimate interests (to improve our Services, prevent fraud, and ensure security); compliance with legal obligations (to meet tax, accounting, and regulatory requirements); and consent (for marketing communications and non-essential cookies).

Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other recognized transfer mechanisms. You have the right to lodge a complaint with your local data protection supervisory authority if you believe our processing of your personal data violates the GDPR.

International Data Transfers

As a provider of corporate travel management services with clients and travel suppliers around the world, we may transfer your personal information to countries other than the country in which it was originally collected. These countries may have data protection laws that differ from those in your country of residence. When we transfer personal information internationally, we implement appropriate safeguards to ensure that your information remains protected in accordance with this Privacy Policy and applicable data protection laws.

Our primary data processing facilities are located in the United States. When we transfer data from the EEA, UK, or other jurisdictions with data transfer restrictions to the United States or other countries, we rely on appropriate legal mechanisms such as Standard Contractual Clauses, data processing agreements with our suppliers and partners, and, where applicable, the recipient's participation in recognized data protection frameworks.

Children's Privacy

Our Services are designed for business and corporate use and are not directed at individuals under the age of sixteen (16). We do not knowingly collect personal information from children under sixteen. In the event that we learn we have collected personal information from a child under sixteen without parental or guardian consent, we will take immediate steps to delete that information from our systems. If you believe that we may have collected information from a child under sixteen, please contact us immediately using the information provided below.

In cases where minors may be included as travelers in a corporate travel arrangement (such as dependents accompanying business travelers on extended assignments), we will collect only the minimum personal information necessary for booking and travel purposes, and we will obtain appropriate consent from the parent or legal guardian before processing such information.

Third-Party Links and Services

Our website and platform may contain links to third-party websites, applications, and services that are not owned or controlled by Bluepath Journeys, including airline websites, hotel booking engines, car rental platforms, event venue websites, payment processing portals, and other travel-related services. This Privacy Policy does not apply to the practices of third parties that we do not own or control. We encourage you to review the privacy policies of any third-party websites or services before providing them with your personal information. We are not responsible for the privacy practices, content, or security of third-party websites or services.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes to this Privacy Policy, we will notify you by posting the updated policy on our website with a revised "Last Updated" date, sending an email notification to clients with active accounts, and, where required by applicable law, obtaining your consent before applying material changes to the processing of your personal information.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your personal information. Your continued use of our Services after any changes to this Privacy Policy constitutes your acknowledgment of and agreement to the updated policy. If you disagree with any changes, you should discontinue use of our Services and contact us to discuss your concerns.

Do Not Track Signals

Some web browsers offer a "Do Not Track" (DNT) preference setting that sends a signal to websites you visit indicating that you do not wish to be tracked. At this time, there is no universally accepted standard for how companies should respond to DNT signals. Accordingly, our website does not currently alter its behavior or change its data collection and use practices in response to DNT signals. However, you can manage your tracking preferences through our cookie settings and by configuring your browser's privacy settings. We will continue to monitor developments in DNT standards and update our practices as appropriate.