Privacy Policy
This Privacy Policy describes how Pride Travelers, LLC d/b/a UrTravelPro ("Company," "we," "us," or "our") collects, uses, shares, and protects information when you use the UrTravelPro Platform and its applications, including UrTravelPro Books, UrTravelPro Marketing, and UrTravelPro Compass (each, an "App"; collectively, the "Service").
By using the Service, you agree to the practices described in this policy. This policy is part of, and incorporated into, our Terms of Service.
Contents
- Information We Collect
- How We Use Information
- When We Share Information
- Third-Party Service Providers
- Books — App-Specific Privacy
- Marketing — App-Specific Privacy
- Compass — App-Specific Privacy
- Data Retention
- Data Security
- Your Rights (GDPR, CCPA, CPRA)
- Children's Privacy
- International Transfers
- Cookies & Tracking
- Changes to This Policy
- Contact
1. Information We Collect
1.1 Account information
When you create an UrTravelPro account or sign in via Single Sign-On (SSO), we collect:
- Your name and email address
- The name of your organization (agency)
- Authentication credentials — passwords are hashed using bcrypt; we never store passwords in plain text. If you enable two-factor authentication, we store an encrypted TOTP secret or a passkey credential
- Account preferences and settings
- The Apps your organization has been granted access to (entitlements)
1.2 Information you provide through the Service
As you use each App, you provide additional information. The categories depend on the App; see Sections 5, 6, and 7 for App-specific detail. In general, you may provide:
- Business profile details (legal name, EIN, business type, address)
- Financial records, transactions, vendor and customer details, attachments (Books)
- Contacts, audiences, consent records, campaign content, recipient suppression data (Marketing)
- Published guides, photos, branding, embedded media, custom domain configuration (Compass)
- Support communications, including messages, screenshots, and metadata of any support ticket you open
1.3 Information collected automatically
When you use the Service, we automatically collect:
- IP address, browser type and version, operating system, and device identifiers
- Pages viewed, features used, timestamps, and referring URLs
- Server logs related to access, errors, and security events
- Authentication events (sign-ins, sign-outs, failed attempts, lockouts)
- Audit-log entries for security- or compliance-relevant actions (for example, access to encrypted attachments, billing changes, ownership transfers)
1.4 Information from third-party services you connect
Some features require you to connect a third-party service. When you do, we receive only what is necessary to provide the feature. For example:
- Plaid (Books only) — when you connect a bank feed, Plaid issues us a secure access token. We use it to retrieve transaction history, balances, account types, and account identifiers (last 4 digits only). We never see your bank login credentials.
- Stripe — when you subscribe to a paid plan, we receive a Stripe customer identifier and subscription metadata. Stripe handles your payment card information; we do not receive or store it.
2. How We Use Information
We use the information we collect to:
- Provide, operate, secure, and improve the Service
- Authenticate you and enforce access controls across the Platform
- Process subscriptions, billing, and entitlements
- Send transactional and account-related communications (password resets, billing receipts, security alerts, App invitations, support replies)
- Provide and improve the features of each App you use
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms
- Comply with legal obligations, respond to lawful requests, and enforce our agreements
- Generate aggregate, anonymized statistics about Service usage (these do not identify you)
We do not sell your personal information. We do not use your User Data to train third-party AI models.
3. When We Share Information
We share information only in the limited circumstances described below.
3.1 Third-party service providers
We share data with service providers that help us operate the Service, under contracts that require them to protect your data and use it only for our purposes. See Section 4 for the list.
3.2 Within your organization
Other members of your organization who have access to the same App may see User Data your organization has entered, subject to role-based permissions inside the App.
3.3 Legal compliance
We may disclose information if required by law, regulation, legal process, or governmental request, or to investigate or prevent fraud, security incidents, or violations of our Terms.
3.4 Business transfers
If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will provide notice through the Service before your information becomes subject to a different privacy policy.
3.5 With your consent
We may share information for any other purpose with your explicit consent.
4. Third-Party Service Providers
The Service uses the following service providers. Each is contractually bound to protect your data. Their links lead to their own privacy policies, which we encourage you to review.
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Subscription billing and payment processing for all Apps | Customer name, email, billing address, subscription metadata; payment card data is collected directly by Stripe (we never see or store it) |
| Plaid Inc. | Bank feed connections in Books (optional) | Bank account identifiers, transaction history, balances; bank login credentials go directly to Plaid and never to us |
| Cloudflare | Object storage (R2), content delivery, edge security, DNS | Uploaded attachments (encrypted at rest), published content, request metadata |
| Postmark / Brevo | Transactional email delivery (password resets, account invitations, billing, security notices, support replies) | Recipient email, sender email, message content as needed to deliver the email |
| SMS / email infrastructure providers | Outbound email and SMS for the Marketing App; suppression handling; carrier 10DLC registration | Recipient phone or email, sender identity, message content, unsubscribe / suppression records |
5. Books — App-Specific Privacy
5.1 What Books collects
Inside Books, you enter or import:
- Business profile (legal name, EIN, business type, registered state, business phone, business address)
- Transactions (date, amount, payee, category, description, notes, attachments)
- Uploaded files (bank statements, receipts, contracts, other documents you choose to attach)
- Vendor and payee records (names, email addresses, phone numbers)
- Chart of accounts and journal entries
5.2 Bank feed data (Plaid)
If you choose to connect a bank feed, Plaid retrieves data from your financial institution on your behalf using a secure access token. We receive from Plaid:
- Account names, account types, and the last 4 digits of account numbers
- Institution names
- Transaction amounts, dates, descriptions, and merchant names
- Current and historical balances
The bank feed connection is read-only — we cannot move money or modify anything at your bank. You can disconnect a bank feed at any time from the Banking page, which revokes our access at Plaid. Transactions previously imported into your books remain in your books because they form part of your accounting records.
Your banking credentials are entered directly into Plaid's interface and are never seen, transmitted to, or stored by UrTravelPro Books.
5.3 Encryption at rest for Books
Uploaded attachments in Books are encrypted at rest using AES-256-GCM with per-organization keys derived via HKDF from a master key held in our secret store. The keys are accessible only to our platform infrastructure for the purpose of serving them back to authorized users; they are never exposed to third parties.
6. Marketing — App-Specific Privacy
6.1 What Marketing collects
You upload, create, or manage:
- Contact records (name, email, phone number, address)
- Audience and tag assignments
- Notes, custom fields, and other relationship data
- Travel preferences (destinations, travel style, anniversaries, birthdays)
- Email and SMS message content, templates, and campaign configurations
6.2 Consent and compliance data
To support your compliance with CAN-SPAM, CASL, GDPR, TCPA, and 10DLC, we record:
- Consent timestamp — when a contact was added or opted in
- Consent IP address — the IP that submitted the opt-in (where collected through our forms)
- Consent source — the form, import, or manual action that brought the contact onto your list
- Consent text snapshot — a copy of the disclosure the contact saw when they opted in
- Unsubscribes and suppression — opt-out timestamp, source (link click, reply, manual), and reason where available
Suppression records are retained indefinitely so we can continue honoring an opt-out even after a contact is deleted. This is a legal requirement of anti-spam laws and is not subject to deletion on contact request.
6.3 Tracking inside marketing messages
Marketing emails may include open-tracking pixels and click-tracking redirects. These collect:
- The fact that a specific recipient opened a specific email and at what time
- The fact that a specific recipient clicked a specific link and at what time
- The recipient's IP address and approximate location (derived from IP)
- The recipient's user agent
Recipients of your marketing messages are subject to this tracking when they open or click. As the sender, you are responsible for disclosing this in your privacy policy and complying with applicable law.
6.4 SMS-specific data
SMS dispatch through Marketing also collects:
- Delivery status from the carrier (delivered, failed, suppressed, etc.)
- Inbound replies, including STOP / HELP keyword responses required by carrier rules
- 10DLC registration details (brand and campaign metadata you submit for carrier approval)
7. Compass — App-Specific Privacy
7.1 What Compass collects
You publish and manage:
- Guides, itineraries, and published content (text, images, video, embedded media)
- Branding settings (logo, colors, agency name, contact information)
- Custom domain configuration where supported by your plan
- Editorial drafts, revision history, scheduling metadata
- Recipient information for any "send to client" feature you use (recipient email, link generation, access events)
7.2 Visitor analytics on your published Compass content
When a reader visits content you publish through Compass, we may collect aggregate analytics (page view counts, referrer, country-level location, device class) to provide you with reporting and to operate the Service. We do not collect personally identifying information about your readers unless they submit it through a form you offer them.
8. Data Retention
We retain your information for as long as your account is active and as long as needed to provide the Service. Specific retention behaviors:
- Account closure. When you close your account, we begin a deletion process for your User Data, subject to the exceptions below. We may retain data for a limited recovery window (typically 30 days) before permanent deletion.
- Billing records. We retain billing-related records for as long as required by tax and accounting law (typically 7 years in the United States).
- Marketing suppression lists. Suppression / unsubscribe records are retained indefinitely so we can continue honoring opt-outs after a contact is deleted, as required by anti-spam law.
- Security and audit logs. We retain security-relevant logs (sign-ins, access to sensitive data, abuse signals) for a reasonable period to investigate and prevent abuse, typically 12–24 months.
- Backups. Encrypted backups for disaster recovery may continue to contain deleted data for a limited period after deletion. We do not access these backups except for disaster recovery.
- Legal holds. If we are required to preserve data for legal, regulatory, or investigative reasons, retention extends until the obligation expires.
9. Data Security
We use commercially reasonable administrative, technical, and physical safeguards designed to protect your information. These include:
- TLS in transit for all connections to the Service
- AES-256-GCM encryption at rest for sensitive attachments (passport scans in Trips, ticket attachments in support, and other sensitive media), using per-tenant keys
- Encrypted storage of authentication credentials (bcrypt-hashed passwords, encrypted TOTP secrets, WebAuthn credentials)
- Role-based access controls inside each App
- Network and infrastructure security via our hosting and edge providers
- Logging and monitoring of access to sensitive data, with audit trails surfaced to support and admin staff as needed
- Per-app process isolation and least-privilege secret management via our secret store
No system is perfectly secure. We cannot guarantee that information will never be accessed, disclosed, altered, or destroyed by breach. In the event of a data incident affecting your information, we will notify you in accordance with applicable law.
10. Your Rights (GDPR, CCPA, CPRA, and other privacy laws)
10.1 Universal rights
Regardless of where you live, you may:
- Access and review the personal information we hold about you
- Correct inaccuracies in your account information
- Export your User Data (subject to format availability per App)
- Delete your account, subject to the retention exceptions in Section 8
10.2 If you are in the European Economic Area, United Kingdom, or Switzerland (GDPR / UK GDPR)
You have additional rights under the GDPR and UK GDPR, including:
- The right to be informed about our processing
- The right of access (data subject access request)
- The right to rectification
- The right to erasure ("right to be forgotten")
- The right to restrict processing
- The right to data portability
- The right to object to processing, including direct marketing
- The right not to be subject to a decision based solely on automated processing (we do not make such decisions today)
- The right to withdraw consent at any time where processing is based on consent
- The right to lodge a complaint with a supervisory authority
To exercise these rights, contact [email protected].
10.3 If you are a California resident (CCPA / CPRA)
You have the right to:
- Know what categories of personal information we collect and the purposes for which we use them
- Access the specific pieces of personal information we hold about you
- Request deletion of your personal information, subject to legal exceptions
- Correct inaccurate personal information
- Limit the use and disclosure of sensitive personal information
- Opt out of "sale" or "sharing" of personal information for cross-context behavioral advertising — we do not sell or share personal information as those terms are defined under CPRA
- Be free from discrimination for exercising these rights
To exercise these rights, contact [email protected]. We will verify your identity before fulfilling the request.
10.4 If you are a contact of one of our customers
If your personal information was uploaded to the Service by one of our customers (for example, as a contact in their Marketing audience, or as a payee in their Books records), we act as a "service provider" or "data processor" with respect to your data. Your rights run primarily against that customer — they decide whether your information is collected and retained. If you reach us directly and we can identify the customer, we will forward your request to them.
11. Children's Privacy
The Service is intended for use by businesses and adults. We do not knowingly collect personal information from children under 13 (or under 16 in jurisdictions where that threshold applies). If we learn that we have collected information from a child without parental consent, we will delete it. Contact [email protected] if you believe we hold information about a child.
12. International Transfers
Our infrastructure is operated primarily in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States and in other countries where our service providers operate. We rely on appropriate safeguards (including, where applicable, Standard Contractual Clauses) for international transfers from the EEA, UK, and Switzerland.
13. Cookies & Tracking
We use essential cookies to authenticate sessions, remember your preferences, and protect against abuse. We may also use limited analytics cookies to understand how the Service is used in aggregate. We do not use cookies for cross-site advertising. You can control cookies through your browser settings, but disabling essential cookies will prevent you from signing in.
Our marketing site (urtravelpro.com) and each App may use additional analytics consistent with this section. A separate Cookie Policy may be published in the future with specific cookie names and purposes.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The updated effective date will appear at the top of this page when changes are made. Material changes will be communicated through the Service or via email to the account owner. Continued use of the Service after an update constitutes acceptance of the updated Privacy Policy.
15. Contact
For questions about this Privacy Policy or to exercise your privacy rights, contact us at:
Pride Travelers, LLC
d/b/a UrTravelPro
1559 Oak Hill Trail
Kissimmee, FL 34747
[email protected]