Travala Privacy Policy 

Last Updated: 3 June 2026

Travala Pte. Ltd., a company incorporated in Singapore (hereinafter referred to as “us”, “we”, “our”, or “Travala”) recognises the importance of privacy. In this privacy policy, we describe how we collect, use, and disclose information that we obtain about visitors to our Services. This privacy policy is issued in accordance with Singapore’s Personal Data Protection Act 2012 (the “PDPA”), the EU General Data Protection Regulation (“GDPR”), and the UK General Data Protection Regulation (“UK GDPR”), as applicable to the relevant individual.

Terms used in this privacy policy

Throughout this privacy policy, we use particular terms that have a specific meaning. These specific terms are described below.

AI Agent: A third-party AI-powered software application that you may use to interact with our Services via the Travala Travel MCP;

AI Agent Provider: The third-party company that operates an AI Agent. AI Agent Providers are independent third parties, not our agents, employees, or partners;

Booking: A reservation made by you with a Service Provider via our Services for accommodation, flights, activities, vehicle rentals, or other travel products;

Coinbase Agentic Wallet MCP: A hosted digital asset wallet service operated by Coinbase Singapore Pte. Ltd. (“Coinbase”), a Major Payment Institution licensed by the Monetary Authority of Singapore (MAS), through which you fund and hold a balance of digital assets and from which payments and refunds in respect of Bookings made via the Travala Travel MCP are effected using the x402 Protocol, a stablecoin payment protocol;

Service Provider: The third-party providers of travel products and services available through our Services, including hotels, flight carriers, activity providers, vehicle rental providers, and travel membership and loyalty program providers;

Services: Travala's websites (including www.travala.com and concierge.io), our mobile applications, the Travala Travel MCP, and the products and services we offer through any of these channels;

Travala Travel MCP: An interface that allows AI agents to access our Services on your behalf to make travel bookings, as further described in our Terms and Conditions; and

Travala Wallet: The digital wallet associated with your Travala account that may be used to store digital assets in connection with your use of our Services.

1. Information we collect

We collect personal data directly from you, from third parties, and automatically through your use of our Services. We may combine information automatically collected with other information that we have collected about you. Where applicable, we may also collect “Anonymous Data” from you which means data, including aggregated and de-identified data, that is not associated with or linked to your personal data. Anonymous Data does not, by itself, permit the identification of individual persons.

• Personal data means any information that can be used to identify you.
• We are the data controller for data collected through our Services.
• If you are in the EU or the UK, we rely on the following lawful bases under the GDPR or UK GDPR, as applicable to the relevant processing purpose:
  • contract, where the processing is necessary to provide the Services to you or to take steps at your request before entering into a contract;
  • legitimate interests, including for fraud detection and prevention, security, service improvement, analytics, and the development of our artificial intelligence (AI) and machine learning (ML) systems as described in the section headed “How we use artificial intelligence and make automated decisions”;
  • legal obligation, where the processing is necessary to comply with applicable law, including for the purposes described in the “Compliance Requirements” purpose under “How we use your information”; and
  • consent, where you have given us your consent to process your personal data, including (where applicable) for direct marketing purposes. You may withdraw your consent at any time as described in the section headed “Your rights”.
• If you are in Singapore, we process your personal data on the basis of your consent, or on such other basis as is permitted under the PDPA, including the legitimate interests, business improvement, and legal-obligation exceptions.
• You may browse and use certain portions of our Services without directly providing us with any personal data.
• Certain features, however, may only be used by users that are registered or where you provide us with personal data.

Information we collect from you (or someone acting for you)

• Contact information, including your name, address, email address, telephone number and other contact details;
• Billing or payment information, such as your credit card number, cardholder name, expiration date, authentication code and billing address;
• Details of the products and services we have provided to you or that you have enquired about, including any additional information necessary to deliver those products and services and respond to your enquiries;
• Information you provide to us through customer surveys or feedback;
• Passport information, including your passport number, passport expiration date, and date of birth;
• Loyalty program details (such as frequent flyer details);
• Information about your health (if disclosed);
• Your device ID, device type, geo-location information, computer and connection information, statistics on page views, traffic to and from our Services, ad data, IP address and standard web log information;
• Where applicable, identification documentation and information collected for the purposes of identity verification, fraud prevention, sanctions screening, beneficial ownership confirmation, source-of-funds documentation, politically exposed persons (PEP) declarations, and anti-money laundering (AML) / counter-terrorist financing (CTF) compliance (collectively, “Compliance Information”);
• Where you access our Services via the Travala Travel MCP, the prompts, selections, preferences, and instructions transmitted to us by the AI Agent acting on your behalf, together with any associated session metadata;
• Any additional information relating to you that you provide to us through your use of our Services, in person or through other websites or accounts from which you permit us to collect information;
• Any other personal data that may be required in order to facilitate your dealings with us.

Where you provide us with information about your health (for example, in connection with dietary requirements, mobility assistance, medical accommodations, or other special needs in respect of your Booking), we process that information on the basis of your explicit consent, which is given by your voluntary provision of that information to us for the relevant purpose. You may withdraw your consent at any time as described in the section headed “Your rights”.

Information about you we collect from third parties

We may receive personal data and/or Anonymous Data about you from companies that offer their products and/or services for use in conjunction with the use of our Services or whose products and/or services may be linked to our Services. Examples of third parties from whom we may receive personal data include:

• Service Providers, for example, in connection with the performance of any contract or verification or confirmation purposes;
• AI Agent Providers, where you access our Services via the Travala Travel MCP;
• Payment service providers and wallet providers who may provide us with your debit or credit card details or your blockchain address for payment verification or confirmation;
• Regulated payment institutions, including those licensed by the MAS as Major Payment Institutions, processing payments on your behalf;
• Regulated digital asset custodians providing custody services in connection with your Travala Wallet; and
• Blockchain analytics, sanctions screening, and KYC verification providers acting on our behalf in connection with our Compliance Requirements.

We may add this to the data we have already collected from you to provide our Services.

If you apply to work with us, we collect information from you from:

• Recruitment consultants;
• Your previous employer(s); and
• Other organisations that are authorised to give us information about you,

to assist us in deciding the outcome of your application.

Information we collect automatically

We automatically collect information through your use of our Services using cookies and other technologies. This information includes your:

• Domain name, operating system, settings and system configurations;
• IP address;
• The webpages you access within our Services;
• The website that led you to our Services;
• The website to which you go after leaving our Services;
• The dates and times you access our Services; and
• Web log personal data.

Public information we may record

We may collect data from activity that is publicly visible and/or accessible on blockchains. This may include blockchain addresses and information regarding purchases, sales, or transfers of non-fungible tokens (NFTs), which may then be associated with other data you have provided to us.

2. How we use your information

We use your information for the following purposes:

• Providing our services. Provide accommodation, flights, experiences, vehicle rentals, and other travel booking services on our Services, to manage your account, to communicate with you, including via email, about your use of our Services, to respond to your enquiries, and for similar customer service purposes.
• Marketing. Where you consent, we will provide you with news, special offers, promotions, and information about products we think may interest you; and for other marketing, advertising, and promotional purposes provided that you have not opted out of receiving such communications.
• Analysing Use of Our Services. To better understand how users access and use our Services, on an aggregated basis; to respond to user desires and preferences; to improve our Services; and for other research and analytical purposes, including the development and enhancement of our ML and AI systems as described in the section headed “How we use artificial intelligence and make automated decisions”. In addition, we may create Anonymous Data records derived from personal data provided for the aforesaid purposes. We reserve the right to use Anonymous Data for any lawful purpose and to disclose Anonymous Data to third parties lawfully.
• To Protect Rights and Interests. To protect our rights and interests, as well as the rights and interests of our customers, users of our Services, and any other person.
• Compliance Requirements. To comply with our internal policies and applicable law, including for the purposes of identity verification, fraud prevention, transaction monitoring, AML and CTF compliance, sanctions screening, PEP screening, and beneficial ownership confirmation. This may involve our processing of Compliance Information in conjunction with blockchain addresses, transaction histories, and other information attributable to you, including by means of third-party blockchain analytics and screening providers acting on our behalf.

3. How we use artificial intelligence and make automated decisions

We use AI and ML technologies for a number of purposes in connection with our Services, as described below. We do not use AI or ML to make solely automated decisions that produce legal or similarly significant effects on you without meaningful human involvement, except in connection with the Travala Travel MCP as described below.

Our own use of AI and ML

We use AI and ML technologies for the following purposes:

• Fraud detection and prevention, including the detection of suspicious account activity, anomalous transaction patterns, and other indicia of misuse;
• Personalisation and recommendation of travel products and offers;
• Content moderation, including the screening of user-generated content for compliance with our terms;
• Service optimisation, including the improvement of search functionality, pricing display, and customer-service workflows; and
• The development and enhancement of our own AI and ML models, using personal data either in anonymised form or in identified form as a necessary part of model improvement.

Where we process personal data for these purposes, our lawful basis under the GDPR or UK GDPR is our legitimate interest in operating a secure and effective service. Under the PDPA, this processing is undertaken on the basis of your consent, or the legitimate interest exception, as applicable.

The Travala Travel MCP

We may make our Services accessible through AI Agents operated by AI Agent Providers via the Travala Travel MCP. Where you choose to access our Services in this way:

• Your AI Agent transmits your prompts, selections, preferences, and instructions to us, together with associated session metadata. We process this information for the purpose of facilitating your Booking and the related Services;
• We may transmit personal data to your AI Agent Provider, the Coinbase Agentic Wallet MCP from which your payment is made, and applicable Service Providers, in each case to the extent necessary to facilitate your Booking;
• AI Agent Providers act as separate data controllers in respect of their own processing of your personal data and are governed by their own privacy policies. We recommend that you review the AI Agent Provider’s privacy policy before using its services to interact with us;
• You determine the authority under which an AI Agent may make Bookings on your behalf via the Travala Travel MCP, including by funding and configuring the spending limits of your Coinbase Agentic Wallet MCP. Within the authority and spending limits you configure, an AI Agent may select, confirm, and pay for Bookings on your behalf without separately confirming each Booking with you. Where this occurs, the decision is based on the standing authority and limits you have set; our lawful basis is the performance of our contract with you and, where required, your explicit consent. You may obtain human intervention, express your point of view, and contest a relevant decision by contacting us at [email protected], and you may change or revoke an AI Agent’s authority and your spending limits at any time; and
• The Coinbase Agentic Wallet MCP holds your funded balance and effects payments made via the x402 Protocol on your behalf. Your relationship with Coinbase, including wallet creation, authentication, funding, and the configuration of spending limits, is direct and is governed by Coinbase’s own terms and privacy policy. Travala does not receive your wallet credentials, private keys, or balance.

If you wish to object to our use of personal data for the purposes described in this section, please contact us at [email protected].

4. Marketing

Travala would like to send you information about our products and services that we think you might like. If you have agreed to receive marketing communications, you may always opt out at a later date. You have the right at any time to stop us from contacting you for marketing purposes.

If you no longer wish to be contacted for marketing purposes, please click the ‘Unsubscribe’ button contained in the footer of each of our emails or contact us at [email protected].

5. How we store your personal data

We undertake a number of physical, administrative, personnel, and technical measures to protect your personal data and prevent it from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Our data security measures include but are not limited to: Secure Sockets Layer (SSL) encryption technology, pseudonymisation, internal data access restrictions, and strict physical access controls to buildings and files.

Travala will keep your personal data for the duration that your account is active, and for the requisite period in accordance with applicable law following the deactivation of your account. Once this time period has expired, we will delete your personal data.

6. Security

We take commercially reasonable steps to protect your personal data from misuse, loss, unauthorised access, modification or disclosure. For example, we take steps to destroy or permanently de-identify personal data if we no longer need it for any purpose. Please be aware that despite our efforts, no personal data security measures can guarantee 100% security.

If you have an account with us, you should take steps to protect against unauthorised access to your account by, among other things, choosing a robust password that nobody else knows or can easily guess and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any unauthorised activity on your account.

7. How we disclose your information

We may disclose your information, including personal data, to the following entities:

• Our Group of Companies and Employees. We may disclose your personal data to our employees, contractors, and authorised representatives, and to our group companies (including our parent, subsidiaries, and affiliates), in order to provide you with our Services. All such persons and entities are subject to obligations to keep your personal data confidential and to process it only for the purposes set out in this privacy policy.
• Service Providers. We may disclose your information to our Service Providers, or others who perform functions on our behalf or otherwise fulfil your Bookings. All such parties are required to keep your personal data safe and process your personal data pursuant to appropriate data protection arrangements. If the recipient is located outside of the UK or the EU, we endeavour to put in place measures to ensure that your information has the same level of protection.
• AI Agent Providers. Where you access our Services via the Travala Travel MCP, we may transmit personal data to your chosen AI Agent Provider as necessary to facilitate your Booking and the related Services. AI Agent Providers act as separate data controllers in respect of their own processing and are governed by their own privacy policies.
• Regulated Payment Institutions and Custodians. We may disclose personal data to regulated payment institutions (including the Coinbase Agentic Wallet MCP and any other institutions licensed by the MAS as Major Payment Institutions) and to regulated digital asset custodians, in each case to the extent necessary to facilitate payments, refunds, and the custody of digital assets in connection with your Travala Wallet or Bookings. Such institutions act as separate controllers in respect of their own processing under their own terms and privacy policies.
• Compliance and Screening Providers. We may disclose personal data to providers of identity verification, blockchain analytics, sanctions screening, PEP screening, and related compliance services. These providers act as our processors and are bound by data processing agreements.

We may also disclose your information, including personal data, in the following ways:

• Business Transfers. We may disclose your information to another entity if we are acquired by or merged with another company, if we sell or transfer a business unit or assets to another company, as part of a bankruptcy proceeding, or as part of a similar business transfer.
• Protecting Rights and Interests. We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms and Conditions or this privacy policy, or as evidence in litigation in which we are involved.
• Cross-border Disclosure of Information. We may disclose your personal data to international third parties, including countries outside the European Economic Area (EEA) (collectively “Cross-border Disclosure”), generally to arrange travel with a Service Provider on your behalf. Whenever we perform Cross-border Disclosures, we will do so in accordance with applicable law and ensure that a similar degree of protection is afforded to it by implementing appropriate safeguards. Cross-border Disclosures outside the EEA will only be made: (i) to a country recognised by the European Commission as providing an adequate level of protection; or (ii) to a country which does not offer adequate protection, but whose transfer has been governed by the standard contractual clauses of the European Commission, or by implementing other appropriate cross-border transfer solutions to provide adequate protection. In respect of Cross-border Disclosures from Singapore, we will take steps to ensure that the recipient is bound by legally enforceable obligations to provide a standard of protection comparable to that under the PDPA.

8. Cookies and other tracking mechanisms

We and our service providers use cookies and other tracking mechanisms to track your use of our Services. We use these in a range of ways including:

• Keeping you signed in;
• Understanding how you use our Services;
• Functionality. Travala uses tracking mechanisms so that we recognise you on our Services and remember your previously selected preferences. These could include what language you prefer, the currency in which prices are displayed, and the location you are in. A mix of first-party and third-party tracking mechanisms are used; and
• Advertising. Travala uses these tracking mechanisms to collect information about your visit to our Services, the content you viewed, the links you followed and information about your browser, device, and your IP address. Travala shares some limited aspects of this personal data with third parties for advertising purposes. We also share personal data collected through tracking mechanisms with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our Services.

Types of tracking mechanisms we use:

• Cookies. We or our service providers use cookies to track visitor activity on our Services. A cookie is a text file that a website transfers to your device's hard drive for record-keeping purposes. We or our service providers may use cookies to track user activities on our Services, such as the pages visited and time spent on our Services. Most browsers allow users to refuse cookies. The ‘Help’ portion of the toolbar on most browsers will tell you how to prevent your device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Users who disable cookies may not be able to browse certain areas of our Services. Please refer to our Cookie Policy for further information with respect to cookies used on our Services.
• Clear GIFs, pixel tags and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies, which are embedded invisibly on web pages. We or our service providers may use clear GIFs (also known as web beacons, web bugs or pixel tags), in connection with our Services to track the activities of visitors to our Services, help us manage content, and compile statistics about usage of our Services. We or our service providers also use clear GIFs in HTML emails to our users, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded.

9. Third-party analytics

We use service providers, such as Google Analytics demographics and interests reports as well as advertising reporting features, to evaluate the use of our Services. We or our service providers use automated devices and applications to evaluate the use of our Services. We or our service providers use these tools to help us improve our Services, performance, and user experiences. These entities may use cookies and other tracking technologies, such as web beacons or Flash LSO, to perform their services. To opt out of Google Analytics, go here. To opt out of Google Analytics for display advertising or customise Google display network ads, you can visit the Google Ads Settings page.

10. Interest-based advertising

We use third parties such as network advertisers to serve advertisements on our Services and on third-party websites or other media (e.g., social networking platforms). This enables us and these third parties to target advertisements to you for products and services in which you might be interested.

Users in the United States may opt out of many third-party ad networks. For example, you may go to the Digital Advertising Alliance (“DAA”) Consumer Choice Page for information about opting out of interest-based advertising and their choices regarding having information used by DAA companies. You may also go to the Network Advertising Initiative (“NAI”) Consumer Opt-Out Page for information about opting out of interest-based advertising and their choices regarding having information used by NAI members.

Opting out from one or more companies listed on the DAA Consumer Choice Page or the NAI Consumer Opt-Out Page will opt you out from those companies' delivery of interest-based content or ads to you, but it does not mean you will no longer receive any advertising through our Services. You may continue to receive advertisements, for example, based on the particular website that you are viewing (i.e., contextually based ads). Also, if your browsers are configured to reject cookies when you opt out on the DAA or NAI websites, your opt-out may not be effective. Additional information is available on the DAA's website at www.aboutads.info or the NAI's website at www.networkadvertising.org.

11. User-generated content

Note that if you post information in a publicly accessible portion of our Services, it may be viewed by other users and potentially be further disclosed by those users. Please exercise caution when deciding to disclose such information.

12. Your choices

We take steps to ensure the personal data that Travala collects, uses or discloses is accurate, complete and up to date.

You may modify your personal data by updating your account through our Services or by contacting us at [email protected]. On request, we will give you access to the personal data we hold about you. If any personal data we hold about you is out of date or inaccurate, we encourage you to let us know by contacting us at [email protected].

If you are a registered user, we may send periodic informational emails to you. You may opt out of such communications at any time by following the opt-out instructions contained in the email. Please note that it may take up to five (5) business days for us to process opt-out requests.

If you opt out of receiving emails about recommendations or other information we think may interest you, we will still send you emails about your account or any services you have requested or received from us provided that you have not opted out of receiving such emails.

13. Your rights

In compliance with applicable personal data protection laws, you may have some / all of the following rights:

• Right to access. The right to request access to the personal data we hold about you. We may charge you a fee to cover the cost of processing and fulfilling this request.
• Right to rectification. The right to request the correction of any inaccurate or incomplete personal data we hold about you.
• Right to erasure. The right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent to our processing of your data.
• Right to restrict processing. The right to request that we restrict the processing of your personal data, under certain conditions.
• Right to personal data portability. The right to request that we transfer the personal data you have provided to us to another organisation where technically feasible, or directly to you, under certain conditions.
• Right to object to processing. The right to object to our processing of your personal data, under certain conditions.
• Right to withdraw consent. Where our processing is based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

 

If you would like to exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month of receiving it. In some cases, we may need to extend this period by an additional two (2) months if the request is complex or numerous. If an extension is necessary, we will inform you within one (1) month of receiving your request and explain the reasons for the delay.

Notwithstanding the above, please be aware that we cannot edit or delete any personal data that is stored on a blockchain, as we do not have custody or control over any blockchain. The information stored on a blockchain that is associated with you may include, but is not limited to, blockchain addresses; transaction records relating to purchases, sales, or transfers of digital assets or NFTs; and payment records relating to Bookings made via the Travala Travel MCP using the x402 Protocol. This information remains publicly visible on the relevant blockchain notwithstanding any deletion request.

 

14. Children

Our Services are not targeted to children under thirteen (13) years of age, and we do not knowingly collect personal data from children under thirteen (13) without parental consent.

If we discover that the personal data of a child under thirteen (13) is in the system without parental consent, we will promptly delete such personal data from our systems.

We encourage children of all ages to obtain their parent's or guardian's permission before sharing personal data with any website.

15. External links

Our Services may contain links to other websites. We are not responsible for the information handling practices or content of these external websites. Please read the privacy policies of these third parties before using such websites.

16. Third-party payment processors and wallets

In order to use our Services, you may opt to use payment options which utilise a third-party payment processor or a third-party wallet which allows you to engage in transactions on public blockchains. Your interactions with any third-party payment processor or wallet provider are governed by the applicable terms of service and privacy policy of that third party.

17. Contact us

If you have any questions or concerns about the privacy aspects of our Services or want to make a complaint about an interference with your privacy by Travala, please email us at [email protected].

We will do our best to resolve your complaint as quickly as possible. Where required by law, we will notify the relevant supervisory authority (and, where applicable, affected individuals) of personal data breaches in accordance with our obligations under the PDPA, the GDPR, and the UK GDPR, as applicable.

You can also contact your local data protection authority to lodge a complaint.

If you are in Singapore, you can contact the Personal Data Protection Commission here.

If you are in the EU, you can find your Data Protection Authority here.

If you are in the UK, you can contact the Information Commissioner’s Office here.

18. Changes to this privacy policy

We may change this privacy policy from time to time, and new versions will be posted on our Services, so please check back periodically for updates.

If you are registered with us, we will let you know when we update this privacy policy.