Travel Agent Academy

Controller and Contact

Travel Agent Academy is the controller for the personal data processed through Travel Agent Academy.
Privacy contact email: itravelagent101@gmail.com. Mailing address: itravelagent101@gmail.com
If this application is operated by a registered company or sole trader, the published controller name and address must match that legal entity before production use.

Account data: name, email address, password hash, role, plan, account timestamps, and theme preference.
Learning data: module progress, completion status, and quiz activity needed to provide the course experience.
Billing metadata: Stripe customer ID, subscription ID, price/product references, plan, status, and billing period dates. Full card data is processed by Stripe and is not stored on our servers.
Support data: contact-form submissions including name, email, company, category, subject, message, page URL, IP address, user agent, internal handling notes, and timestamps.
Security data: authentication cookies, password-reset tokens, request metadata used for rate limiting, and security logs needed to protect the service.
Preference data: cookie-consent choices stored in local storage and a first-party cookie.

To create and manage your account, authenticate you, and keep the platform secure.
To deliver modules, remember progress, enforce subscription access, and provide customer support.
To process paid plans and keep subscription state in sync with Stripe.
To send transactional emails such as password-reset instructions.
To prevent abuse, investigate incidents, comply with legal obligations, and maintain disaster recovery backups.

Contract performance: account creation, authentication, course delivery, subscription management, and support directly related to the service.
Legitimate interests: platform security, fraud prevention, abuse throttling, internal troubleshooting, limited administrative backup operations, and service improvement.
Legal obligations: accounting, tax, consumer, and compliance recordkeeping where applicable.
Consent: optional cookie categories if analytics or marketing technologies are activated later.

Stripe processes subscription checkout and recurring billing metadata.
EmailJS and/or Resend may process email address and email content for password-reset delivery or contact forwarding, depending on deployment configuration.
Firebase Realtime Database may receive a reduced user mirror for admin recovery workflows and sanitized remote backups if that feature is enabled.
Hosting, database, and infrastructure providers process data strictly to run the application environment.
We do not sell personal data.

Some providers used by the application may process data outside your country, including outside the EEA/UK.
Where those transfers occur, they should be covered by an appropriate transfer mechanism such as the EU Standard Contractual Clauses or another lawful safeguard offered by the provider.
You should document the exact hosting regions and transfer safeguards for the providers enabled in your production environment.

Account data is kept while your account is active and for as long as needed to handle security, billing, and legal obligations.
Course progress and subscription records are kept while needed to provide the service and maintain billing history.
Password-reset tokens are short-lived and are deleted when replaced or consumed; expired tokens should also be purged operationally.
Contact messages are retained only as long as needed to resolve the request, maintain support records, and meet legal obligations.
Sanitized Firebase remote backups, when enabled, are retained for up to 30 days by default before automated cleanup is attempted.

You may request access to your personal data, correction of inaccurate data, deletion of your account data, restriction or objection where applicable, and data portability for data you provided to us.
Authenticated users can currently export their data and request account deletion from the Profile page. Deletion is confirmed through a link sent to the account email address, and recurring subscriptions are canceled automatically during the final deletion step when applicable.
You may also contact us at the privacy email above for rights requests that cannot be completed self-service.
If you are in the EU/EEA or UK, you may have the right to lodge a complaint with your supervisory authority.

The application uses authentication cookies necessary to keep you signed in and protect the session.
A cookie-consent preference is stored in local storage and in a first-party cookie so your choices can be remembered.
The current codebase does not include active third-party analytics or marketing trackers by default. If they are enabled later, optional categories should remain off until you consent where required by law.

Passwords are stored as hashes, auth cookies are hardened, Stripe webhooks are verified, and key endpoints are rate limited.
Administrative backup features are restricted to authenticated admins and same-origin requests.
Remote Firebase backups are sanitized before upload to avoid copying the most sensitive account and reset data into secondary storage.