Privacy Policy
Last updated: June 2, 2026
OVERVIEW
Traveler Passport is a service that lets travelers share their stay preferences — including dietary needs, allergies, and accessibility requirements — with hospitality operators of their choosing. This policy explains what data we collect, why, and how we protect it.
Operated by River House Group (Argentina). For any questions: lucas@theriverhousegroup.com
DATA WE COLLECT
Depending on how you use the service:
- Registered travelers: Email, password (hashed by Supabase), full name, language, nationality, dietary preferences, allergies, accessibility and room preferences, additional notes.
- Guest travelers (no account): Same profile data, but without email or password. The profile is linked only to the stay for which it was created.
- Hospitality operators: Email, property name, logo, and any custom fields they choose to configure.
- Technical data: IP address (used solely for API abuse prevention, not stored persistently).
⚠ Allergies, dietary restrictions, and accessibility needs are health data and constitute a special category under GDPR (Art. 9). We only process them with your explicit consent.
LEGAL BASIS (GDPR)
- Contract: We process your email and account data to deliver the service you signed up for.
- Explicit consent: For health data (allergies, dietary needs, accessibility), we require your active consent before sharing with any operator. You may withdraw it at any time by deleting your profile.
- Legitimate interest: Protection against technical abuse (rate limiting).
WHO WE SHARE DATA WITH
Your preferences are shared exclusively with the specific operator you choose when confirming a reservation. We never sell or share data with third parties for advertising or marketing purposes.
We use the following sub-processors:
- Supabase — database and authentication infrastructure (US, EU-US DPF).
- Resend — transactional email notifications (US).
DATA RETENTION
- Registered travelers: your data is retained for as long as your account is active.
- Guest travelers (no account): the profile is retained for 90 days after the stay checkout date, then automatically deleted.
- You may request immediate deletion at any time.
YOUR RIGHTS
Under GDPR and applicable law, you have the right to:
- Access your personal data.
- Rectify inaccurate data.
- Request erasure ("right to be forgotten") — available directly in the app under Profile → Privacy & Data.
- Receive a copy of your data (portability).
- Withdraw consent for health data at any time.
- Lodge a complaint with the supervisory authority in your country.
To exercise these rights, contact us at lucas@theriverhousegroup.com. We respond within 30 days.
SECURITY
Data is stored in Supabase with encryption at rest. Passwords are never stored in plain text. Server-side access to guest data uses service keys with least-privilege principles.
Despite these measures, no system is completely invulnerable. In the event of a security breach affecting personal data, we will notify affected users within the timeframe required by applicable regulations.
CHANGES TO THIS POLICY
We may update this policy from time to time. Material changes will be notified by email to users with an active account. Continued use of the service after notification implies acceptance.
Questions or requests: lucas@theriverhousegroup.com
River House Group · Argentina