Privacy Policy
Last updated: 29 May 2026
This Privacy Policy explains how the AccessibleOz Itinerary Studio (the “Service”) collects, uses, shares, and protects personal information. It applies to travel agents and travel-trade professionals who use the Service (“you”), and to travellers whose information is processed through the Service (see the section “Information about travellers”).
Who we are
The Service is operated by Viva Travel Holdings Pty Ltd (ACN 636 285 651), trading as AccessibleOz (“AccessibleOz”, “we”, “us”, “our”), of 20 Wynnum Road, Norman Park QLD 4170, Australia. For privacy questions, contact us at privacy@accessibleoz.com.
Where this policy refers to a “controller” and a “processor”, those terms have the meaning given under the EU and UK General Data Protection Regulation (GDPR). We are the controller of the personal information described under “Information we collect about you”. The roles for traveller information are described under “Information about travellers”.
How this policy works
The Service is offered to agents in several countries. The core of this policy applies to everyone. Region-specific rights and details for the European Economic Area (EEA), the United Kingdom, Australia, New Zealand, and the United States appear in the section “Your rights by region”.
Information we collect about you
- Account data: your name, email address, agency name, phone number, and country.
- Itinerary inputs:destinations, dates, accessibility requirements, traveller name (if you provide one), and other inputs you submit to build an itinerary. Some of these inputs may relate to a traveller rather than to you (see “Information about travellers”).
- Usage data: pages you visit, itineraries you generate, documents you download, and quote requests you send. This includes a hashed form of your IP address, used for abuse prevention and analytics.
- Billing data: handled by our payment processor, Stripe. We store your Stripe customer ID and subscription status. We do not see or store your card number.
Information about travellers
When you build an itinerary, you may input information about a traveller, including their name and their accessibility needs. Accessibility needs may reveal information about a person's health or disability, which is sensitive information under Australian law and special category data under the GDPR and UK GDPR.
In most cases, you (the agent) decide what traveller information to collect and why, and you provide it to us so that we can build the itinerary you have asked for. In that situation:
- you are the controllerof the traveller's personal information, and we act as your processor, processing it on your instructions to provide the Service; and
- you are responsible for having a lawful basis to provide that information to us, for giving the traveller any required privacy notice, and for obtaining any consent required for sensitive or health-related information. Your obligations are set out in our Terms of Service and, where applicable, our Data Processing Agreement.
We minimise traveller information to what is needed to provide the Service. We do not use traveller information to train artificial intelligence models, and we do not use it for advertising.
If you are a traveller and you want to exercise rights over your information, see “If you are a traveller” below.
How we use personal information
We use personal information to:
- provide and operate the Service for you;
- send transactional communications (verification codes, billing notices, quote responses);
- prevent abuse, including rate limiting and trial deduplication;
- generate AI Suggested supplier information (see “Use of AI” below);
- improve the Service through aggregated, de-identified analytics; and
- comply with our legal obligations.
We do not sell personal information, and we do not use it for advertising or for cross-context behavioural advertising.
Use of AI to assess suppliers (automated processing)
When the Service cannot fill a gap in an itinerary from our assessed (“Verified”) supplier pool, it may generate a candidate supplier from public sources (such as Google Places and the supplier's own website) and use a third-party artificial intelligence service (Anthropic's Claude API) to score that candidate against the accessibility dimensions relevant to the itinerary. To do this, the Service sends public supplier information, and the accessibility dimensions being requested, to that AI service.
This processing produces a candidate that is labelled “AI Suggested” and presented to you. The decision whether to recommend an AI Suggested supplier to a traveller is made by you, the agent, exercising your own judgment. The Service does not make a decision that produces legal or similarly significant effects for any individual without your involvement. AI Suggested information is unverified and must be confirmed with the supplier, as explained in our Terms of Service.
Who we share personal information with
We use the following service providers (sub-processors) to operate the Service. Some are located outside Australia, which involves a transfer of personal information overseas (see “International transfers”).
- Supabase (database and authentication). Hosted in Sydney, Australia (ap-southeast-2).
- Stripe (payment processing). United States. PCI DSS Level 1.
- SendGrid (Twilio) (transactional email delivery). United States.
- Vercel (application hosting and content delivery). United States, with edge regions that may serve from outside Australia.
- Google Maps Platform (supplier location and photo data, and place lookups). Place lookups may send query parameters to Google.
- Anthropic(Claude API, AI scoring of candidate suppliers). United States. Anthropic processes the information described under “Use of AI” above. Under our commercial terms with Anthropic, your inputs are not used to train Anthropic's models.
We also share itinerary details and your contact information with the AccessibleOz bookings team when you request a quote or a net rate, so that we can respond.
We may disclose personal information where required by law, to enforce our Terms, or in connection with a sale or reorganisation of our business.
We keep our current sub-processor list up to date. EEA and UK agents who have a Data Processing Agreement with us will be notified of new sub-processors and may object as set out in that agreement.
International transfers
Some of our sub-processors are in the United States. Where we transfer personal information out of the EEA, the United Kingdom, or Australia, we use a lawful transfer mechanism. For transfers to the United States, this is the EU-US Data Privacy Framework and its UK extension where the recipient is certified, and/or the Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum) together with appropriate safeguards. A copy of the relevant safeguards is available on request.
How long we keep personal information
- Account data: while you have an account, plus up to 30 days after deletion (in backups).
- Itinerary records and quote requests: 2 years from creation, for accounting and dispute handling, after which they are deleted or de-identified.
- Hashed IP addresses (abuse prevention): 30 days.
- AI Suggested supplier records:retained in the supplier database with their “AI Suggested” status and the date scored, and reviewed for currency over time.
Security
We take reasonable technical and organisational measures to protect personal information, including access controls, encryption in transit, and restricting access to those who need it. No system is perfectly secure, and we cannot guarantee absolute security.
Your rights by region
Australia
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles you may request access to, and correction of, the personal information we hold about you, and you may ask us to delete your account. To make a request, email privacy@accessibleoz.com. We aim to respond within 30 days. If you are not satisfied with our response, you can complain to the Office of the Australian Information Commissioner (oaic.gov.au).
European Economic Area and United Kingdom (GDPR / UK GDPR)
If you are in the EEA or the UK, you have the right to access, rectify, erase, restrict, or object to our processing of your personal information, to data portability, and to withdraw consent where processing is based on consent.
The legal bases on which we rely are: performance of our contract with you (to provide the Service); our legitimate interests (to operate, secure, and improve the Service), balanced against your rights; consent, where we ask for it; and compliance with legal obligations. For sensitive or special category data relating to travellers, the lawful basis is the agent's responsibility as controller, as described under “Information about travellers”.
You have the right to lodge a complaint with your local supervisory authority. If we do not have an establishment in the EEA or the UK, our representative for the purposes of Article 27 GDPR / UK GDPR is to be appointed before EEA/UK marketing.
United States (including California)
We do not sell personal information, and we do not share it for cross-context behavioural advertising. If you are a California resident and applicable law gives you rights to know, access, delete, or correct personal information, you may exercise them by contacting privacy@accessibleoz.com. We will not discriminate against you for exercising your rights.
New Zealand
Under the Privacy Act 2020 you may request access to, and correction of, the personal information we hold about you. Contact privacy@accessibleoz.com. You may complain to the Office of the Privacy Commissioner (privacy.org.nz).
If you are a traveller
If your information was entered into the Service by a travel agent, that agent is generally the controller of your information, and we act on their instructions. You can ask us to access, correct, or delete your information by contacting privacy@accessibleoz.com. Depending on the situation, we may need to direct your request to the agent who entered your information, and we will help you do so. We will verify your identity before acting on a request.
Cookies
We use first-party cookies only, to keep you signed in (a session cookie) and to remember your itinerary draft (browser storage). We do not use third-party tracking or advertising cookies. If this changes, we will update this policy and, where required, ask for your consent.
Children
The Service is for travel-trade professionals (business to business). It is not intended for, or directed at, children.
Changes to this policy
We will post any updated version on this page and change the “Last updated” date. We will notify account holders of material changes by email.
Contact and complaints
Privacy questions and requests: privacy@accessibleoz.com. If you are not satisfied with our response, you may contact the relevant regulator for your region as listed above.