About Us and Scope of This Privacy Policy

Tripphilia.com is a consumer-facing travel agency website owned and operated by Hydra Travels Inc., a duly incorporated company accredited by the Airlines Reporting Corporation (ARC) under Accreditation Number 45572424. We are an independent travel agency and intermediary — we are not an airline, hotel chain, cruise operator, or any other travel supplier. We act solely as an agent on behalf of our customers to facilitate travel bookings with independently operated third-party suppliers.

This Privacy Policy governs the collection, use, storage, sharing, and protection of personal information we obtain from or about you in connection with your use of Tripphilia.com, our mobile applications, and all associated services.

This Policy applies to:

• All visitors to the Tripphilia.com website (desktop, mobile, and tablet versions)
• All registered users and account holders on the Tripphilia.com platform
• All customers who purchase, inquire about, or otherwise engage with our travel products and services
• All individuals who communicate with us via email, telephone, live chat, or social media channels
• All recipients of our newsletters, marketing communications, and promotional materials
• All participants in surveys, contests, or promotional campaigns we conduct

This Policy does NOT apply to third-party websites, applications, airlines, hotels, car rental agencies, cruise lines, or other travel suppliers you may access through links on our platform. Those entities are independent businesses that maintain their own privacy policies.

Information We Collect

We collect personal information through multiple channels and touchpoints in connection with the provision of travel agency services. The categories below describe, in detail, the types of information we may collect about you.

Information You Provide Directly to Us

Account Registration and Profile Data

• Full legal name (as it appears on government-issued identification)
• Date of birth and nationality
• Primary and secondary email addresses
• Telephone numbers (home, mobile, and/or work)
• Mailing address and billing address
• Username and encrypted password (or social login credentials)
• Optional profile photograph or avatar
• Security questions and answers for account recovery

Booking and Travel Information

• Passport number, expiration date, and country of issuance
• National identification number or driver's license number (where required)
• Visa status, visa numbers, and known traveler numbers (e.g., TSA PreCheck, Global Entry)
• Seat preferences, meal preferences, and special assistance requirements
• Frequent flyer program memberships and loyalty numbers
• Information about co-travelers, companions, and minors traveling with you
• Emergency contact name, relationship, and contact number
• Travel insurance beneficiary and health declaration information
• Vaccination records and health certificates (where required by destination or applicable law)

Payment and Financial Information

• Credit card, debit card, or prepaid card numbers (processed by our PCI-DSS Level 1 certified payment processor)
• Card expiration dates and security codes (not stored on our servers)
• Billing name and billing address associated with the payment method
• Bank account information for wire transfers or direct debit arrangements
• PayPal, Apple Pay, Google Pay, or other digital wallet identifiers
• Travel credits, vouchers, promotional codes, and their redemption history

Communications and Correspondence

• Emails, letters, and written correspondence you send to us
• Customer service chat transcripts and chatbot interaction logs
• Telephone call recordings (with prior notice and your consent where required by law)
• Survey responses, product reviews, and customer feedback
• Social media messages and direct messages sent to our official accounts

Information Collected Automatically

When you visit Tripphilia.com or use our mobile applications, we and our technology partners automatically collect certain information about your device, browser, and browsing activity through cookies and similar tracking technologies:

Information Received from Third Parties

We may receive personal information about you from third parties in the following circumstances:

• Airlines, hotels, car rental agencies, cruise lines, and other travel suppliers involved in your bookings
• Global Distribution Systems (GDS) such as Sabre, Amadeus, and Travelport — core booking infrastructure for travel agencies
• Credit bureaus and identity verification services (for fraud prevention and KYC compliance)
• Social media platforms (e.g., if you log in using Facebook, Google, or Apple credentials)
• Marketing data partners and audience enrichment providers
• Travel insurance companies with whom we have commercial relationships
• Government databases, watch lists, and sanctions screening services (for compliance with applicable regulations)
• Loyalty program partners and co-branded card issuers

Sensitive Personal Information

In certain travel-related circumstances, we may be required to collect special categories of sensitive personal information. We handle such information with the utmost care and collect it only where strictly necessary:

• Health and medical information (e.g., wheelchair assistance requirements, medical equipment needs, dietary restrictions arising from medical conditions, fitness-to-fly certifications)
• Biometric data (e.g., fingerprints, facial recognition data where required by visa authorities or border control)
• Immigration and residency status (required for international bookings and visa processing)
• Criminal record information (where required by destination country entry requirements)
• Religious or philosophical dietary requirements (e.g., halal, kosher, Hindu vegetarian meal options)

We process sensitive personal information only with your explicit prior consent, or where permitted or required by applicable law, and we apply enhanced security and access controls to such data.

How We Use Your Personal Information

Hydra Travels Inc. uses your personal information for specific, identified purposes and on the basis of recognized legal grounds. We do not use your information in ways that are incompatible with the purposes for which it was collected. The following table sets out, in detail, our processing activities and the legal basis for each.

Marketing Communications

We will send you marketing communications only where you have expressly opted in to receive them, or where we have a legitimate interest in marketing similar travel services to existing customers in accordance with applicable law. Every marketing communication includes a clearly visible, one-click unsubscribe mechanism. We will honor all opt-out requests promptly, and in any event within ten (10) business days. Unsubscribing from marketing emails will not affect transactional communications related to your bookings.

Automated Decision-Making and Profiling

We may use automated processes to assess fraud risk, determine eligibility for promotional fares or upgrades, and personalize content, pricing, and recommendations shown to you. Where we engage in profiling that produces legal or similarly significant effects, you have the right to: (a) request human review of the automated decision; (b) express your point of view; and (c) contest the decision. To exercise these rights, contact our Privacy Officer at [Email Address].

Disclosure and Sharing of Your Information

As an independent travel agency, Tripphilia.com necessarily shares certain personal information with third parties in order to fulfill your bookings, operate our business, and comply with legal obligations. We do not sell your personal information to third parties for their own independent marketing or commercial purposes, unless required by applicable law or with your explicit consent.

Travel Suppliers

To complete your travel reservations, we share relevant personal and travel document information with the following categories of suppliers:

• Airlines (domestic and international carriers) for ticket issuance, seat assignment, and check-in processing
• Hotels, hostels, resorts, and vacation rental platforms for accommodation reservation and guest profile creation
• Car rental agencies for vehicle reservation confirmation and driver verification
• Cruise lines and ferry operators for passenger manifest and cabin allocation
• Ground transportation providers including private transfers, coach operators, and rail services
• Tour operators, activity providers, and guided excursion companies
• Travel insurance underwriters and administrators where coverage has been purchased or requested
• Visa facilitation services and consular appointment management companies

Technology and Business Service Providers

ARC Reporting Requirements

As an ARC-accredited travel agency (ARC No: 45572424), Hydra Travels Inc. is subject to mandatory reporting and record-keeping obligations under ARC's agent accreditation program. We share booking, ticketing, and financial settlement data with ARC as required by our accreditation agreement. Compliance with ARC requirements is a legal and contractual obligation, and such sharing is not subject to your opt-out rights.

Legal and Regulatory Disclosures

We may disclose personal information where required or permitted by applicable law, including to:

• Comply with a valid court order, subpoena, or lawful government or regulatory request
• Enforce our Terms and Conditions, Privacy Policy, or other binding agreements
• Protect the rights, property, safety, and security of Hydra Travels Inc., our employees, customers, and the general public
• Detect, investigate, and prevent fraud, identity theft, cyber attacks, or other illegal activities
• Respond to emergency situations involving imminent risk to life or safety
• Facilitate a corporate merger, acquisition, restructuring, or sale of all or substantially all of our assets (with prior notice where required)

International Transfers of Personal Data

Given the inherently international nature of the travel industry, your personal data will be transferred to airlines, hotels, and other service providers located in countries outside your country of residence, including countries that may offer different levels of data protection. When we transfer personal data internationally, we implement appropriate safeguards to protect your information, including:

• Standard Contractual Clauses (SCCs) approved by the applicable data protection authority
• Adequacy decisions by the European Commission or UK ICO recognizing equivalent protection in the destination country
• Binding Corporate Rules (BCRs) where applicable
• Your explicit consent to the international transfer, provided before the transfer takes place

Cookies and Tracking Technologies

Tripphilia.com uses cookies, web beacons, pixel tags, local storage objects, and similar tracking technologies to operate our website, analyze performance, personalize content, and deliver relevant advertising. This section explains these technologies, how we use them, and how you can manage your preferences.

What Are Cookies?

Cookies are small text files placed on your device by a website you visit. They allow the website to remember your actions and preferences over time. Web beacons (also called pixel tags or clear GIFs) are tiny images embedded in web pages or emails that help us understand whether you have opened an email or visited a page.

Types of Cookies We Use

Managing Your Cookie Preferences

You have choices about how cookies are used on your device. You can manage your preferences through the following mechanisms:

• Cookie Consent Banner: When you first visit our website, a cookie consent banner allows you to accept all cookies, reject non-essential cookies, or customize your preferences by category.
• Account Settings: Registered users can update their cookie and marketing preferences through their account settings page.
• Browser Controls: Most web browsers allow you to view, delete, and block cookies through browser settings. Note that blocking essential cookies may prevent you from using key features of our website, including completing a booking.
• Industry Opt-Out Tools: You may opt out of interest-based advertising through the Network Advertising Initiative (NAI) Opt-Out Tool (optout.networkadvertising.org) and the Digital Advertising Alliance (DAA) WebChoices tool (optout.aboutads.info).
• Google Analytics Opt-Out: Install the Google Analytics Opt-Out Browser Add-on available at tools.google.com/dlpage/gaoptout.
• Email Tracking: You can disable image loading in your email client to prevent email tracking pixels from functioning.

Data Retention

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, and to comply with our legal, regulatory, accounting, and contractual obligations. When determining the appropriate retention period, we consider the nature and sensitivity of the data, the potential risk from unauthorized use, and applicable legal requirements.

Upon expiration of applicable retention periods, we securely delete or irreversibly anonymize personal data in accordance with our data destruction and disposal procedures. Anonymized data (which can no longer identify you) may be retained for statistical and research purposes indefinitely.

Data Security

Hydra Travels Inc. takes the security of your personal information seriously and implements a comprehensive, multi-layered security program to protect it against unauthorized access, use, disclosure, alteration, and destruction. While no system can be guaranteed to be completely secure, we continually work to improve our security practices in line with industry standards.

Technical Security Measures

• Transport Layer Security (TLS 1.2 and 1.3) encryption for all data transmitted between your device and our servers
• AES-256 encryption for sensitive data stored in our databases at rest
• PCI-DSS Level 1 compliant payment processing — we do not store full payment card numbers on our own servers
• Multi-factor authentication (MFA) required for all employee access to systems containing customer personal data
• Web Application Firewall (WAF) to protect against common web attacks including SQL injection and cross-site scripting
• Distributed Denial of Service (DDoS) protection and rate limiting
• Intrusion detection and prevention systems (IDS/IPS) with 24/7 monitoring
• Regular penetration testing by independent third-party security firms (at minimum annually)
• Automated vulnerability scanning and patch management procedures

Organizational Security Measures

• Role-based access control (RBAC) ensuring employees can only access the data necessary for their specific job functions
• Mandatory annual data privacy and security training for all staff with access to personal data
• Background screening for employees in roles with privileged access to customer data systems
• Data Processing Agreements (DPAs) required for all third-party vendors and processors who handle personal data on our behalf
• Documented and tested incident response plan and data breach notification procedures
• Regular internal data privacy impact assessments (DPIAs) for new or significantly changed processing activities
• Clear desk and screen lock policies for all workstations

Data Breach Notification

In the event of a confirmed personal data breach that is likely to result in a risk to your rights and freedoms, Hydra Travels Inc. will:

• Notify the applicable regulatory supervisory authority within 72 hours of becoming aware of the breach, where feasible
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Include in our notification: a description of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach
• Maintain a comprehensive internal log of all data breaches and near-misses for ongoing risk management

Your Privacy Rights

Depending on your jurisdiction of residence and applicable law, you may have the following rights regarding your personal information. Hydra Travels Inc. is committed to honoring these rights in a timely and transparent manner.

We will respond to all verifiable privacy requests within thirty (30) calendar days of receipt. For complex or voluminous requests, we may extend the response period by up to an additional sixty (60) days, and we will inform you of any such extension within the initial thirty-day period. We reserve the right to charge a reasonable administrative fee for requests that are manifestly unfounded, excessive, or repetitive.

Children's Privacy

Tripphilia.com is not directed to, and we do not knowingly collect personal information from, children under the age of 18, except as necessary to complete travel bookings made by an adult customer on behalf of a minor traveler. When an adult customer books travel that includes a minor, the adult accepts full responsibility for providing accurate information about the minor and for consenting to the use of that information as described in this Privacy Policy.

We do not knowingly build user profiles of minors, and we do not use personal information about minors for behavioral advertising, profiling, or any purpose other than fulfilling the specific travel booking for which the information was provided.

If you are a parent or guardian and believe your child under 18 has independently created an account or submitted personal information through our platform without your consent, please contact our Privacy Officer immediately at [Email Address]. We will investigate and, where confirmed, delete the relevant information promptly.

Third-Party Websites and Linked Platforms

Our website may contain hyperlinks, buttons, and widgets connecting to third-party websites, platforms, and applications, including airline ticketing portals, hotel booking engines, travel review platforms, social media networks, and visa information sites. When you click on these links and leave the Tripphilia.com environment, your browsing and any information you provide are governed by the privacy policies and terms of use of those third-party sites.

Hydra Travels Inc. does not control, and accepts no responsibility for, the privacy practices, security measures, or content of third-party websites, even where such sites are linked from or embedded within our platform. We encourage you to review the privacy policy of every website you visit before providing any personal information.

Travel suppliers (airlines, hotels, car rental agencies, and others) with whom we facilitate bookings are independent businesses. Once your personal information is shared with them as necessary to fulfill your booking, their subsequent handling, use, and storage of that information is governed by their own privacy policies, over which we have no control.

California Privacy Rights (CCPA / CPRA)

If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) as significantly amended and expanded by the California Privacy Rights Act (CPRA, effective January 1, 2023). This section supplements and, where in conflict, supersedes the general rights described in Section 8 above.

Categories of Personal Information Collected (Preceding 12 Months)

Do Not Sell or Share My Personal Information

We do not sell your personal information for monetary compensation. However, under the CPRA's expanded definition, certain sharing of data with advertising partners for cross-context behavioral advertising purposes may constitute 'sharing' of personal information. You have the right to opt out of such sharing by clicking the 'Do Not Sell or Share My Personal Information' link prominently displayed in the footer of our website, or by contacting us at [Email Address].

Sensitive Personal Information — Limitation of Use

We limit our use and disclosure of sensitive personal information to that which is reasonably necessary to perform the travel services you request, to ensure the security of our systems, or as otherwise required or permitted by applicable law. We do not use sensitive personal information to infer characteristics about you beyond what is necessary for service provision.

Shine the Light Law (California Civil Code Section 1798.83)

California residents may request and obtain from us, once per calendar year, information about the categories of personal information we disclose to third parties for their direct marketing purposes. To make this request, please contact us at [Email Address] with the subject line 'California Shine the Light Request.'

Nevada Privacy Rights

Nevada residents have the right, under Nevada Revised Statutes Chapter 603A, to opt out of the sale of certain covered personal information to data brokers. Hydra Travels Inc. does not currently sell personal information as defined under Nevada law. If you wish to submit a verified opt-out request nonetheless, you may contact us at [Email Address]. We will maintain a record of your request and respond within sixty (60) days.

EEA, United Kingdom, and Switzerland Privacy Rights (GDPR / UK GDPR / FADP)

If you are located in a European Economic Area (EEA) member state, the United Kingdom, or Switzerland, this section applies to you. Hydra Travels Inc. processes your personal data in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR (retained EU law), and the Swiss Federal Act on Data Protection (nFADP), as applicable. In such jurisdictions, Hydra Travels Inc. acts as the data controller in respect of personal data collected via Tripphilia.com.

Legal Bases for Processing (Summary)

Data Protection Officer (DPO)

Hydra Travels Inc. has designated a Data Protection Officer (DPO) responsible for overseeing our data protection compliance program. You may contact our DPO with any privacy concern or inquiry at: [Email Address]. The DPO operates independently and reports directly to senior management.

Supervisory Authority

If you are unsatisfied with our response to any privacy inquiry or request, you have the right to lodge a complaint with your national or regional data protection supervisory authority. In the EU, this is the supervisory authority for your Member State. In the UK, this is the Information Commissioner's Office (ICO), available at ico.org.uk. We encourage you to contact us first so that we may resolve your concern directly.

Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our business practices, the services we offer, applicable laws, or industry standards. The 'Last Revised' date at the top of this document indicates when the Policy was most recently updated.

When we make material changes to this Policy, we will:

• Post the revised Policy on this page with an updated effective date
• Send a notification email to all registered users for whom we have a valid email address
• Display a prominent notice on the Tripphilia.com homepage and/or your account dashboard for at least thirty (30) days following the effective date of the material change

Your continued access to or use of Tripphilia.com following the effective date of any revised Policy constitutes your acknowledgment of, and agreement to, the updated terms. If you do not agree with any material change, you should discontinue your use of our services and may request deletion of your account and data as described in Section 8.

Glossary of Key Terms

How to Contact Us

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy, your personal data, or our data practices, please contact us using the details below. We aim to respond to all privacy inquiries within five (5) business days. For formal data subject rights requests (Section 8), statutory response timelines of thirty (30) days apply.