GDPR Information Handling Executive Summary

GDPR is a new set of rules put in place by the European Union that dictate the acceptable use of European Citizens’ data. These rules came into effect on May 25, 2018. If you’re an EU citizen or manage any EU citizens’ data, GDPR applies to you. Some key rights outlined in GDPR include: the right for individuals to know how and why their data is being used, the right for individuals to request a record of their data, and the right for individuals to request their data be removed.

At Trip Ninja, we are fully GDPR compliant. That means that we take data privacy and protection seriously. We’re committed to making sure that you know how we’re using your data, and that you have access to it if necessary. We’ve reviewed our practices to ensure that we only possess data that we need to carry out our day-to-day operations. In addition, we have tight protocols in place to prevent data breaches or leaks.


PRIVACY POLICY

Trip Ninja is committed to ensuring your data is protected. We will inform our customers if, why and how we collect, use and disclose their personal information, obtain their consent where required, and only handle their personal information in a manner that a reasonable person would consider appropriate in the circumstances. We have strengthened our commitment to protecting personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

This Personal Information Protection Policy, in compliance with PIPEDA, outlines the principles and practices we will follow in protecting customers’ personal information. Our privacy commitment includes ensuring the accuracy, confidentiality, and security of our customers’ personal information and allowing our customers to request access to, and correction of, their personal information.

Website Privacy Notice and Consent

Trip Ninja Inc. (“Trip Ninja”, “we”, “us”, “our”) is committed to respecting and preserving the privacy of those who engage with us through our website (the “Site”) or who use the other services we provide and in doing so, we endeavour to meet or exceed standards set by law.  This privacy policy (the “Privacy Policy”) applies to information that we gather from you as you use the Services.  

As part of our regular review of all of our policies and procedures, we may change this Privacy Policy from time to time without notice to you.  A current version of this Privacy Policy will be accessible on our Site and Application at all times. Please also carefully read our Website Terms of Use prior to using the Services.

By accessing and using our Services you agree that you have read and understand this Privacy Policy.  Your use of the Services represents your implied consent for the collection, use and disclosure of any Information that you provide to us, or that we gather from you, through your use of the Site or otherwise, in accordance with the terms of this Privacy Policy.

 

Definitions

Content: means any information that is submitted to Trip Ninja, publicly or privately, including but not limited to – Information, images, videos, graphics, sounds, texts and e-mails

Information: includes both Personal Information and Non-identifiable Information

Non-identifiable Information: means information that we gather from you that is not personally identifiable to you including, but not limited to, your IP address or browser software.

Personal Information: means information about an identifiable individual including, but not limited to, the User’s billing address and credit card payment information.

Services: means the services provided by Trip Ninja including, but not limited to, use of the Site, travel planning tools/APIs, or White Label solutions.

Site: means the Trip Ninja website hosted at www.tripninja.io.

User (variously, “you” or “your”): an individual who accesses and uses the Services.

Minors

If you are under the age of majority in your jurisdiction of residence, be sure to obtain your parent or guardian's permission before you send any Personal Information to us, or anyone else. We encourage parents to get involved with their children's online usage and to be aware of the activities in which they are participating.

 

Collection of your Information

We only collect Information that we believe is reasonably necessary for a legitimate purpose, as further described below.  In offering you the Services, we may collect Personal Information that you, or another, provides directly to us by filling in forms, and Non-identifiable Information that we collect from cookies or tracking software we utilize. In addition to Information collected while you use the Services, we may also collect Information in other ways such as over the phone, via email and through location tracking devices as further described below.

To the extent that Trip Ninja holds information about you due to your use of our services, Trip Ninja is the controller and is responsible for your personal information. In the cases where we process personal information on your or another’s behalf in providing our services to you, we act as data processor. You may review our Data Processing Addendum here.

The choice to provide us with Personal Information is yours.  In certain cases, your decision to withhold Information may limit the Services that we can provide to you.

Retention of your information

We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for 6 years after they cease being customers for tax and other legally required purposes. In some circumstances you can ask us to delete your information.

Further, in some circumstances we may anonymize your personal information (in which case it can no longer be associated with you) for research or statistical purposes; in this case we may use this information indefinitely without further notice to you.

Use of your Information

We will only disclose your Information for purposes identified in this Privacy Policy, or if required by law.  The Information that we collect and store is primarily used for the following purposes:

  1. to provide you with the Services;

  2. to provide you with information relating to our Services;

  3. to follow up on client or User comments and suggestions;

  4. to manage and develop our business systems and operations;

  5. to monitor and conduct an analysis of our website traffic and usage patterns;

  6. to post customer testimonials, comments or reviews;

  7. to protect our rights and property; or

  8. to lessen a serious threat to personal safety, health or security.

We will not sell, share, trade or otherwise distribute your Personal Information to third parties, except in accordance with this Privacy Policy.  However, we reserve the right to use Non-identifiable Information for any commercial purpose in our sole discretion. Such commercial purpose may include, but is not limited to, sale to third parties to allow them to send targeted advertising messages.

We reserve the right to share any Information collected from you with affiliates, or to transfer such Information to a successor entity or to an entity which purchases substantially all of the assets of Trip Ninja.

We sometimes contract with outside organizations to perform specialized services such as hosting the Site. Our suppliers may at times receive, process or handle some of your Information. Only the Information necessary to perform the services under the contract is given to the supplier. Under their contracts with us, our suppliers may use such Information only to carry out the contracted service and must not store or use the Information for any other purpose. Our contracts with suppliers require that they provide a level of protection for your Information that is comparable to our own.

We may collect, use or disclose personal information without the customer’s knowledge or consent in the following limited circumstances:

  • When the collection, use or disclosure of personal information is permitted or required by law;

  • In an emergency that threatens an individual's life, health, or personal security;

  • When the personal information is available from a public source (e.g., a telephone directory);

  • When we require legal advice from a lawyer;

  • For the purposes of collecting a debt;

  • To protect ourselves from fraud;

  • To investigate an anticipated breach of an agreement or a contravention of law;

  • To conduct customer surveys in order to enhance the provision of our services;

  • To contact our customers directly about products and services that may be of interest.

We will not use or disclose customer personal information for any additional purpose unless we obtain consent to do so. We will not sell customer lists or personal information to other parties.

Security

To ensure that your Personal Information is secure, we have put in place commercially suitable procedures to safeguard the Information we collect against unauthorized use, disclosure, or modification.  Nonetheless, transmission of information on the internet is not completely secure. Therefore, we cannot guarantee the security of data sent to us electronically on our Site, by email or otherwise and transmission of such data is therefore entirely at your own risk. Likewise, the storage of information is not completely secure and we cannot guarantee the security of data stored on our system and storage of such data is therefore entirely at your own risk.

The following security measures will be followed to ensure that customer personal information is appropriately protected:

Customer information collected for use by third-party services will be transferred on secure connections to organizations of good repute. Further, any information collected to be used in the rendering of our service(s) will be securely stored and restricted to employees for the purposes of rendering these services.

We will use appropriate security measures when destroying customers’ personal information, such as erasure of customer information from our electronic storage, in accordance with previous data storage provisions. We will continually review and update our security policies and controls as technology changes to ensure ongoing personal information security.

GDPR Compliance

If you are based in the European Union (EU), please note that the data protection law in the EU changed on May 25, 2018. For more information on how GDPR is handled at Trip Ninja, please visit our GDPR Statement page here.

If you are based in the European Union, you also have the right to make a complaint at any time to your local supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the regulator so please contact us at compliance@tripninja.io.

 

International Transfers

We share your personal information within our company. This will involve, if you are based in the European Union, transferring your data outside the European Economic Area (EEA). Many of our external third parties are also based outside the European Economic Area (EEA) so their processing of your personal information will involve a transfer of data outside the EEA.

If you are based in the European Union, whenever we transfer your personal information out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring appropriate safeguards are implemented.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

 

Updating your Information and Correcting Errors

You have the right to access, verify and amend all of your Personal Information.  Since we use your Personal Information to provide services to you and others, it is important that the information be accurate and up-to-date. If any of your Personal Information changes, is inaccurate, or is incomplete, please inform us so that we can make any necessary changes. We will make reasonable efforts to ensure that customer personal information is accurate and complete where it may be used to make a decision about the customer or disclosed to another organization. A request to correct personal information must be made in writing and provide sufficient detail to identify the personal information and the correction being sought.

If the personal information is demonstrated to be inaccurate or incomplete, we will correct the information as required and send the corrected information to any organization to which we disclosed the personal information in the previous year. If the correction is not made, we will note the customers’ correction request in the file.

Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal information. You have the rights to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.

  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

  • Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the information’s accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

  • Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  • Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us at compliance@tripninja.io.

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Third Party Website and Interaction

By accessing third party websites or applications through our Site, you are consenting to the terms and privacy policies of those websites. We do not accept any responsibility or liability for their policies. You should read the individual privacy policies of such websites, and make an informed decision whether or not to use those websites based upon their privacy practices and your discretion.

Contact Us:

The Privacy Officer is responsible for ensuring Trip Ninja’s compliance with this policy and the Personal Information Protection and Electronic Documents Act. Customers should direct any complaints, concerns or questions regarding Trip Ninja’s compliance in writing to the Privacy Officer. If the Privacy Officer is unable to resolve the concern, the customer may also write to the Information and Privacy Commissioner of Canada.

If you have any questions, concerns or suggestions regarding this Privacy Policy, please contact us at 

Email: compliance@tripninja.io

Phone: 403-621-1064

Address: 100-1505 Barrington Street, Halifax, NS, B3J 3K5

This Privacy Policy last updated on February 19, 2019.












GDPR Compliance


Updated February 20th 2019

The EU General Data Protection Regulation (GDPR) has set a new standard for how companies use and protect EU citizens’ data. It replaced the EU Data Protection Directive and took effect on May 25th 2018.

Trip Ninja takes privacy and security seriously. We’ve worked to ensure that we fulfill our GDPR obligations and maintain our transparency about data collection, processing, and use.

Trip Ninja strives to ensure that our products and services are GDPR-compliant and provide our partners with industry-leading functionality.

Trip Ninja is fully committed to continuing to improve our products and services as GDPR best practices are developed.

It’s equally important to us to help you, our customers, understand what the GDPR means for your business in relation to working with Trip Ninja.

Here’s an overview of GDPR, and how we are addressing it at Trip Ninja:

WHAT IS GDPR?

The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that came into effect on May 25, 2018. It replaced the EU Data Protection law to strengthen the protection of “personal data” and the rights of the individual. It is a single set of rules which govern the processing and monitoring of EU data.


HOW WILL THIS AFFECT ME?

If you hold or process the personal data of any person in the EU, the GDPR will apply to you, whether you’re based in the EU or not. We highly recommend looking into the GDPR requirements and making sure you’ve met them.

HOW HAS TRIP NINJA PREPARED FOR GDPR?

The Trip Ninja development team has reviewed our products and data models to make sure we meet ongoing legal obligations and are continuously doing the best thing for our customers and yours.

Trip Ninja is committed to doing the following things to ensure we’re setting ourselves and our customers up to meet GDPR obligations:

WE WILL RESPOND PROMPTLY TO DATA REQUESTS

Any person can request a full record of all data we have stored on that particular person. Further, they can request that Trip Ninja fully delete all data Trip Ninja holds linked to that particular person where it is reasonable and possible to do so.

To make a data request please contact compliance@tripninja.io.

WE HAVE UPDATED OUR DATA PROCESSING ADDENDUM (DPA)

Strong data protection commitments are a key part of the GDPR requirements. Our data processing addendum outlines our privacy commitments and sets out the terms for Trip Ninja and our partners to meet GDPR requirements. This is available for partners to view and opt in here.

WE HAVE APPOINTED A DATA PROTECTION OFFICER

We have appointed a dedicated Data Protection Officer to oversee and advise on our data management. For anything related to data protection, please email compliance@tripninja.io.

WE ARE COORDINATING WITH OUR VENDORS

We are continually reviewing the compliance of our vendors. We will assess their GDPR implementation, and arrange similar GDPR-ready data processing agreements with them.

WE ARE TAKING NEW SECURITY MEASURES

Security is a priority for us. Working with digital security experts, we have built a robust security framework and continuously review our internal access design to ensure user data is safe and accessible by only those who should have it.

Trip Ninja will continue to review and improve our GDPR compliance and we hope that you will too. Some steps you can take are:

  • Ensure you’re familiar with the GDPR requirements and how they affect your company.

  • Discuss your company’s best course of action with your lawyer.

  • Outline everywhere you process data as well as carry out a gap analysis.

  • Make privacy a sincere consideration in your product roadmap and think about privacy when you’re planning.

  • Frequently review the GDPR Article 29 Working Party for new developments.

QUESTIONS?

Please feel free to reach out to us if you have any questions about how we’re complying with GDPR - we’d be happy to talk to you about it!

HOW TO CONTACT TRIP NINJA WITH GDPR AND DATA SECURITY QUERIES

Trip Ninja is dedicated to ensuring that our products and services are GDPR-compliant. We will continue to implement industry-leading functionality across our products and maintain transparency about how we use data.

We have appointed a dedicated Data Protection Officer to oversee and advise on our data management. For anything related to data protection, please email compliance@tripninja.io.

DISCLAIMER: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Trip Ninja has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this document as legal advice, nor as a recommendation of any particular legal understanding. The products, services, and other capabilities described herein are not suitable for all situations and may have restricted availability.


Terms of Use


Trip Ninja Inc. (“Trip Ninja”, “we”, “us”, “our”) makes certain products and services available on this website (the “Site”), and by accessing and using the Site, you (the “User”) agree to each of the terms and conditions set forth herein (each a “Term” and collectively, the "Terms of Use"). We reserve the right to amend these Terms of Use at any time and without notice. These Terms of Use will be accessible on the Site at all times and the User undertakes an obligation to observe and follow these Terms of Use, including any changes that may occur from time to time.  Any changes to these Terms of Use become effective from the date of modification and any subsequent use of the Services constitutes acceptance of the revised Terms of Use. We reserve the right to block the User’s access at any time for any reason, including but not limited to violations of these Terms of Use.  Please also carefully read our Privacy Policy which is hereby incorporated into these Terms of Use by reference.



Definitions

Content: means any information that is submitted to the Site, publicly or privately, including but not limited to – personal information, images, videos, graphics, sounds, texts and e-mails.

Services: means the products and services provided by Trip Ninja, including, but not limited to, use of the Site, Trip Ninja tools/APIs, or Whitelabel products.

Site: means the Trip Ninja website hosted at www.tripninja.io.

User (variously, “you” or “your”): an individual who accesses and uses the Services.


Description of Services

Trip Ninja provides specialized travel technology through various APIs, tools, and platforms. We enable travel companies to offer multi-city travel options to their customers.

User Conduct and Responsibility

Users pledge that they will not participate in any form of action or conduct that may have a disruptive, destructive or negative impact on the Site, Services or Users.  This includes but is not limited to:

  1. illegal activity;

  2. uploading, posting or sharing of material that is obscene, offensive, or discriminatory;

  3. threatening, abusive, obscene or harassing behaviour;

  4. invasions of privacy;

  5. distribution of software viruses;

  6. any interference with the proper operation of the Site;

  7. tampering with the software code for the Site; and

  8. bypassing of any security measures put in place by Trip Ninja, including but not limited to password protections.


Intellectual Property

The Services are legally protected in various ways, including copyrights, trademarks, service marks, patents, trade secrets, and other rights and laws. By using the Services, you agree to respect all copyright and other legal notices, information, and restrictions contained in any of the content that we provide through the Site.  You also agree not to change, translate, or otherwise create derivative works of the Services or any of the content found thereon including, but not limited to, Trip Ninja trademarks, logos, and copyrighted material.

We do not grant you a right or license to reproduce content from the Site, for any reason.  


Indemnification

You agree to indemnify and hold Trip Ninja and its subsidiaries, affiliates, officers, agents, representatives, employees, partners and licensors harmless from any claim or demand, including reasonable attorneys’ fees, made by any third party due to or arising out of Content you submit, post, transmit or otherwise seek to make available through the Site, your use of the Services, your connection to the Site, your violation of these Terms of Use, or your violation of any rights of another person or entity.


Warranty Disclaimer

The User agrees that they use the Services solely at their own risk.  The Services are provided “as is” and “as available” and without warranty of any kind, express or implied.  TRIP NINJA SPECIFICALLY DISCLAIMS ANY AND ALL WARRANTIES AND CONDITIONS OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES IMPLIED BY ANY COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE. NO ADVICE OR INFORMATION (ORAL OR WRITTEN) OBTAINED BY YOU FROM TRIP NINJA SHALL CREATE ANY WARRANTY.


Force Majeure

You agree that Trip Ninja shall not be liable for failures or delays in performance due to causes beyond its reasonable control, including war, strikes, lockouts, fire, flood, storm or other acts of God. Trip Ninja will use best efforts to minimize the effects of such failures or delays.


Limitation of Liability

To the fullest extent permitted by law, in no event will Trip Ninja, its directors, employees, partners, suppliers, or content providers be liable for any indirect, incidental, punitive, consequential, special, or exemplary damages of any kind, including but not limited to damages: (i) resulting from your access to, reliance on, use of, or inability to access or use the Services; (ii) for any lost profits, data loss, or cost of procurement or substitute goods or services; or (iii) for any conduct or content of any third party on the Site. In no event shall Trip Ninja’s liability for direct damages be in excess of (in the aggregate) one hundred Canadian dollars ($100).


Third Party Website and Interaction

By accessing third party websites or applications through our Site, you are consenting to the Terms of Use and privacy policies of those websites.  We do not accept any responsibility or liability for their policies. You should read the Terms of Use and privacy policies of such websites, and make an informed decision whether or not to use these websites based upon their practices and your discretion.


Dispute Resolution and Governing Law

These Terms of Use (and all other rules, policies, or guidelines incorporated by reference) are governed by and construed in accordance with the laws of the Province of Nova Scotia and the federal laws of Canada as applicable therein, without giving effect to any common law or statutory principles of conflicts of law. You expressly agree that any action arising out of or relating to your use of the Services shall be filed in a court in the Province of Nova Scotia and that you attorn to the jurisdiction of that court.



Contact Us


If you have any questions, concerns or suggestions regarding these Terms of Use, please contact us at:


Email: compliance@tripninja.io

Phone: 403-621-1064

Attention: 1300-1969 Upper Water Street, Halifax, NS, Canada, B3J 2V1


These Terms of Use were last updated on 12 February 2019.




SECURITY POLICY


PRODUCT SECURITY

  • Uptime - Trip Ninja strives to meet a 99.9% uptime standard.



NETWORK AND APPLICATION SECURITY

  • Data Hosting and Storage - Trip Ninja hosts all services and data through Amazon Web Services (AWS).

  • Virtual Private Cloud - All servers exist within our virtual private cloud (VPC) employing network access controls and IP whitelisting to prevent unauthorized requests.

  • Encryption - All data sent to and from Trip Ninja is encrypted per industry standards.

  • Failover and DR - Trip Ninja servers and databases are spread across multiple zones with failover protocols and redundant resources in place.

  • Backups and Monitoring - Trip Ninja uses the Amazon RDS daily backup for databases and Deep Security monitoring for malware, unauthorized access, and server health.

  • Permissions and Authentication - Trip Ninja is served 100% over HTTPS.

  • Incident Response - Trip Ninja has developed multiple incident response protocols involving staff and infrastructure.

ADDITIONAL SECURITY FEATURES

  • Confidentiality - All Trip Ninja employees and partners enter into strict IP protection agreements.

  • Training - All Trip Ninja technical staff receive annual security training.

  • Policies - Trip Ninja works with tech security industry leaders to develop and enforce internal policies and procedures.