Privacy Policy
Last updated: February 7, 2026
Valyzen ("we," "us," or "our") operates the Valyzen Travel platform at travel.valyzen.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our AI-powered flight negotiation service.
By creating an account or using the Service, you agree to the practices described in this policy. If you do not agree, please do not use the Service. This policy should be read together with our Terms of Service and Cookie Policy.
1. Data We Collect
1.1 Information You Provide
- Account data — name, email address, phone number, and password when you register.
- Passkey / WebAuthn credentials — public-key credential identifiers if you choose passwordless authentication.
- Saved traveller profiles — full name, date of birth, passport or identity document number, nationality, and gender for each traveller you add to your account.
- Negotiation preferences — target price, budget range, flexibility indicators, and any special requirements you provide when starting a negotiation.
- Support correspondence — messages, attachments, and contact details you share when reaching out to us.
1.2 Data Generated Through Use
- Search history — routes, dates, cabin classes, and passenger counts you search for.
- Negotiation history — full record of each negotiation round, including offers, counter-offers, and outcomes.
- Booking records — confirmed itineraries, PNR references, ticket numbers, fare rules, and change/cancellation history.
- Payment records — transaction amounts, currency, timestamps, and payment status. We do not store your credit or debit card numbers; payments are processed through our booking provider (see Section 5).
1.3 Automatically Collected Data
- Device and browser information — IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data — pages visited, features used, clicks, session duration, and referring URLs.
- Cookies and similar technologies — see our Cookie Policy and Section 8 below for details.
2. How We Use Your Data
We process your personal data for the following purposes:
- Provide the Service — search for flights, run AI-powered negotiations, create bookings, and manage changes or cancellations on your behalf.
- Authenticate your identity — verify your account credentials (email/password or passkey) and maintain session security.
- Process payments — submit payment to the airline through our booking provider and record transaction details for your reference.
- Improve negotiation outcomes — analyze your past negotiations and preferences to calibrate AI agent behaviour and deliver better results over time (see Section 3).
- Communicate with you — send booking confirmations, itinerary updates, service announcements, and respond to support requests.
- Analyse and improve the Service — understand usage patterns, diagnose technical issues, and develop new features.
- Comply with legal obligations — retain records required by tax, accounting, or aviation regulations.
Legal Bases (GDPR)
Where the GDPR applies, we rely on the following legal bases:
- Contract performance — processing necessary to provide the Service you requested (searching, negotiating, booking).
- Legitimate interests — improving our AI models, preventing fraud, and ensuring platform security, where these interests are not overridden by your rights.
- Consent — analytics cookies and marketing communications, which you can withdraw at any time.
- Legal obligation — retaining booking and payment records as required by applicable law.
3. AI Processing and Automated Decisions
Valyzen Travel uses AI agents to negotiate flight prices on your behalf. When you start a negotiation, a Buyer Negotiation Agent (BNA) represents your interests and negotiates with a Merchant Negotiation Agent (MNA) that represents pricing rules. A Arbiter Negotiation Agent (ANA) coordinates the process.
What the AI processes
- Your stated budget, target price, and flexibility preferences.
- Historical negotiation outcomes associated with your account.
- Flight offer details (route, fare class, airline rules).
How AI decisions affect you
The AI determines which duplicate vendor listings to surface during fare reconciliation and the final reconciled price. You always retain the choice to accept or reject the reconciled price before any booking is confirmed. No booking is made without your explicit approval.
Your right to explanation
You have the right to request a meaningful explanation of how our AI agents arrived at a particular reconciled price or recommendation. To exercise this right, contact us at privacy@valyzen.com with the reconciliation session or booking reference, and we will provide a clear summary of the factors and logic that influenced the outcome.
Opting out
You may request that we stop using your historical reconciliation data to personalise future AI behaviour. Note that this may reduce the effectiveness of reconciliation on your behalf. You may also request deletion of your reconciliation history entirely (see Section 7).
4. Data Sharing
We do not sell your personal data. We share data only in the following circumstances:
Service providers
- Duffel (booking provider) — receives traveller details, passport information, and payment data to search for flights, issue tickets, and process payments with airlines. Duffel acts as a data processor on our behalf.
- Amazon Web Services (AWS) (infrastructure) — hosts our application, databases, and AI processing in the US West (Oregon) region. AWS processes data under its Data Processing Addendum.
- PostHog (analytics) — receives anonymised usage data only if you consent to analytics cookies. PostHog is self-hosted or cloud-hosted under a data processing agreement.
Legal requirements
We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Valyzen, our users, or the public.
Business transfers
If Valyzen is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
5. Payments
Valyzen Travel processes payments through Duffel's balance payment system. When you pay for a booking, the charge is processed via Duffel's merchant account. We do not directly capture, store, or have access to your credit or debit card numbers. Payment records stored in our system include the transaction amount, currency, timestamp, and status only.
6. Data Retention
We retain your data only for as long as necessary to fulfil the purposes described in this policy or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Booking and payment records | 7 years | Tax, accounting, and aviation regulatory requirements |
| Account data (profile) | Until deletion requested | Required to provide the Service |
| Negotiation history | 2 years | AI personalisation and dispute resolution |
| Search history | 2 years | Service improvement and personalisation |
| Analytics data | 26 months | Usage analysis and product development |
| Saved traveller profiles | Until removed by you or account deletion | Convenience for repeat bookings |
When data reaches the end of its retention period, it is securely deleted or anonymised so that it can no longer be associated with you.
7. Your Rights
Depending on your location, you may have some or all of the following rights regarding your personal data:
Under the GDPR (EEA/UK residents)
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to legal retention requirements.
- Restriction — ask us to limit processing in certain circumstances (e.g., while we verify data accuracy).
- Portability — receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
- Object — object to processing based on legitimate interests, including AI-based profiling used for negotiation personalisation.
- Withdraw consent — where processing is based on consent (e.g., analytics cookies), you may withdraw it at any time without affecting the lawfulness of prior processing.
- Explanation of AI decisions — request meaningful information about the logic involved in automated decisions that affect you (see Section 3).
- Lodge a complaint — file a complaint with your local data protection supervisory authority.
Under the CCPA (California residents)
- Right to know — request the categories and specific pieces of personal information we have collected about you.
- Right to delete — request deletion of personal information we have collected, subject to legal exceptions.
- Right to opt out of sale — we do not sell personal information. No opt-out action is required.
- Right to non-discrimination — we will not discriminate against you for exercising any of these rights.
How to exercise your rights
To submit a data rights request, email privacy@valyzen.com with your full name and the email address associated with your account. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). You may also delete your account and associated data directly from your account settings.
8. Cookies and Tracking
We use cookies and similar technologies on the Service. For full details, see our Cookie Policy. A summary of cookie categories is provided below.
| Category | Provider | Purpose | Consent Required |
|---|---|---|---|
| Essential | Valyzen / AWS Cognito | Session authentication, CSRF protection, cookie consent preference | No (always active) |
| Analytics | PostHog | Anonymous usage metrics, feature adoption, session replays | Yes |
| Marketing | None currently | No marketing cookies are in use at this time | Yes (when introduced) |
Analytics cookies (PostHog) are loaded only after you provide consent via our cookie banner. You can withdraw consent at any time by clearing your browser cookies or contacting us.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Authentication via AWS Cognito with support for passkeys (WebAuthn) and secure password hashing.
- Access controls and least-privilege IAM policies for all backend services.
- DynamoDB tenant isolation ensuring your data is logically separated from other users.
- Regular security reviews and dependency updates.
No method of transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at security@valyzen.com.
10. International Data Transfers
Our primary infrastructure is hosted on AWS in the United States (us-west-2, Oregon). If you are located outside the United States, your data will be transferred to and processed in the US. We ensure appropriate safeguards for international transfers through:
- Standard Contractual Clauses (SCCs) with our service providers, as approved by the European Commission.
- Data processing agreements with all third-party processors (AWS, Duffel, PostHog) that include transfer mechanism provisions.
- Supplementary technical measures (encryption, access controls, pseudonymisation) to protect your data regardless of where it is processed.
11. Children's Privacy
The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@valyzen.com and we will promptly delete such data.
Saved traveller profiles may include information about minors who are passengers on a booking. This data is provided by the account holder (the parent or guardian) and is used solely to complete flight bookings.
12. Third-Party Links
The Service may contain links to third-party websites (e.g., airline websites, travel resources). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing any personal data.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you by email or through a prominent notice on the Service at least 14 days before the changes take effect.
- Where required by law, obtain your consent before applying material changes to how we process your data.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: privacy@valyzen.com
- General support: support@valyzen.com
- Website: valyzen.com
We aim to respond to all privacy-related inquiries within 30 days.