Privacy Policy

How personal data is used in this app.

This policy explains what ITravel-Agent collects, why it is processed, which providers receive it, how long it is kept, and which controls are available to users.

Last Updated

March 16, 2026

Controller and Contact

  • Travel Agent Academy is the controller for the personal data processed through ITravel-Agent.
  • Privacy contact email: itravelagent101@gmail.com. Mailing address: itravelagent101@gmail.com.
  • If this application is operated by a registered company or sole trader, the published controller name and address must match that legal entity before production use.

Data We Collect

  • Account data: name, email address, password hash, role, plan, account timestamps, and theme preference.
  • Learning data: module progress, completion status, and quiz activity needed to provide the course experience.
  • Support data: contact-form submissions including name, email, company, category, subject, message, page URL, IP address, user agent, internal handling notes, and timestamps.
  • Security data: authentication cookies, password-reset tokens, request metadata used for rate limiting, and security logs needed to protect the service.
  • Preference data: cookie-consent choices stored in local storage and a first-party cookie.

Why We Process It

  • To create and manage your account, authenticate you, and keep the platform secure.
  • To deliver modules, remember progress, enforce plan access, and provide customer support.
  • To send transactional emails such as password-reset instructions.
  • To prevent abuse, investigate incidents, comply with legal obligations, and maintain disaster recovery backups.

Legal Bases

  • Contract performance: account creation, authentication, course delivery, and support directly related to the service.
  • Legitimate interests: platform security, fraud prevention, abuse throttling, internal troubleshooting, limited administrative backup operations, and service improvement.
  • Legal obligations: accounting, tax, consumer, and compliance recordkeeping where applicable.
  • Consent: optional cookie categories only if analytics or marketing technologies are enabled in the future.

Recipients and Processors

  • EmailJS may receive contact-form data directly from your browser for email forwarding when that integration is enabled. Resend and/or EmailJS may also process transactional email content for password-reset or account-deletion emails, depending on deployment configuration.
  • Firebase Realtime Database may receive a reduced user mirror for admin recovery workflows, deleted-user tombstones, and sanitized remote backups if that feature is enabled.
  • Google Identity Toolkit may process Firebase backup account credentials if the Firebase email/password authentication method is used for backup automation.
  • Hosting, database, and infrastructure providers process data strictly to run the application environment.
  • We do not sell personal data.

International Transfers

  • Some providers used by the application may process data outside your country, including outside the EEA/UK.
  • Where those transfers occur, they should be covered by an appropriate transfer mechanism such as the EU Standard Contractual Clauses or another lawful safeguard offered by the provider.
  • You should document the exact hosting regions and transfer safeguards for the providers enabled in your production environment.

Retention

  • Account data is kept while your account is active and for as long as needed to handle security and legal obligations.
  • Course progress is kept while needed to provide the service and maintain learning continuity.
  • Password-reset tokens are short-lived and are deleted when replaced or consumed. Expired tokens should also be purged by scheduled maintenance.
  • Resolved or spam contact messages should be purged after up to 365 days unless they must be kept longer for a legal or dispute-related reason.
  • Deleted-user tombstones stored in Firebase recovery tooling, when enabled, should be purged after up to 30 days.
  • Sanitized Firebase remote backups, when enabled, are retained for up to 30 days by default before automated cleanup is attempted.

Your Rights

  • You may request access to your personal data, correction of inaccurate data, deletion of your account data, restriction or objection where applicable, and data portability for data you provided to us.
  • Authenticated users can currently export their account data, subscriptions, learning progress, and contact messages linked to their account or verified email address from the Profile page.
  • Authenticated users can also request account deletion from the Profile page. Deletion is confirmed through a link sent to the account email address.
  • You may also contact us at the privacy email above for rights requests that cannot be completed self-service.
  • If you are in the EU/EEA or UK, you may have the right to lodge a complaint with your supervisory authority.

Cookies and Similar Storage

  • The application uses authentication cookies necessary to keep you signed in and protect the session.
  • A cookie-consent preference is stored in local storage and in a first-party cookie so your choices can be remembered.
  • The current codebase does not include active third-party analytics or marketing trackers by default. If they are enabled later, optional categories must remain off until you consent where required by law.

Security and Backups

  • Passwords are stored as hashes, auth cookies are hardened, and key endpoints are rate limited.
  • Administrative backup features are restricted to authenticated admins and same-origin requests.
  • Remote Firebase backups are sanitized before upload to avoid copying the most sensitive account and reset data into secondary storage.
  • Firebase recovery datasets should be protected with strict RTDB rules and retention cleanup jobs.