Privacy Policy

1. Introduction

This Privacy Policy explains how WW Travel Solutions ("WW Travel Solutions," "we," "our," or "us") — the operator of the TransMov platform — collects, uses, shares, and protects personal data.

TransMov is a business-to-business software-as-a-service (SaaS) platform for the ground-transportation industry. Our users are businesses: customer organizations (destination management companies, event agencies, corporate travel teams, hotel groups, and enterprise mobility programs) that coordinate ground transportation for their clients, and provider organizations (transportation companies, car services, fleet operators) that fulfill those trips.

Because we are a B2B platform, most personal data we handle either (a) belongs to business contacts acting in their professional capacity or (b) belongs to end-passengers whose information has been entrusted to us by a customer organization for the purpose of arranging their travel. Section 3 explains this distinction, because it determines which of your rights under applicable law apply to us directly and which apply to the customer organization that gave us your information.

We operate as a US-based SaaS facilitator platform. TransMov provides the software tools that allow customer organizations to coordinate transportation; we are not a transportation operator, a payment service, or a party to the transportation contract between a customer organization and a provider (see Section 3 and our Terms of Service). For most personal data processed through the platform — including end-passenger information — we act on the documented instructions of the customer organization that collected it. Our primary relationship with personal data is as a processor, not a controller (Section 3). We operate the Service from the United States, and our primary data store is in the United States (AWS US-East).

This Policy applies to:

• The TransMov application at app.transmov.com (and customer sub-domains)
• The TransMov marketing website at transmov.com
• Embedded forms we provide to customer organizations
• All related services operated by WW Travel Solutions

It does not apply to the websites, services, or data-processing activities of our customer organizations, provider organizations, or any third-party service that is separately linked or referenced.

Contact for privacy matters: privacy@transmov.com

2. Scope

This Policy covers personal data we process when:

• You visit transmov.com
• You submit a form to contact us, request a demo, or sign up for communications
• You register as a provider organization through our partner-onboarding form
• A customer organization invites you to use TransMov as an administrator, event manager, dispatcher, or other user role
• A customer organization enters your information into TransMov because you are an end-passenger, a booker acting on behalf of a traveler, a client contact, or a provider contact
• You otherwise interact with us (for example, by contacting support)

It does not cover how a customer organization uses the TransMov platform to handle your information. That is governed by the customer organization's own privacy policy and your relationship with them. TransMov is the processor for that data; the customer organization is the controller. See Section 3.

3. Our role — controller and processor

We handle personal data in two distinct roles. The role that applies to your data determines which rights you exercise directly with us and which you exercise with the customer organization that gave us your information.

3.1 When we are the controller

We are the controller for personal data about:

• Marketing website visitors (analytics, form submissions, cookies on transmov.com)
• Prospective customers and prospective providers who contact us
• Administrator users of customer organizations — for account credentials, sign-in records, and platform-usage logs we need to operate the platform
• Provider-organization contacts we recruit directly (company principals, compliance and insurance contacts, billing contacts)
• Our own employees, contractors, vendors, and investors, where relevant

When we are the controller, you may exercise your data-protection rights directly with us (Section 10).

3.2 When we are the processor

We are the processor — acting on behalf of and on the documented instructions of a customer organization — for personal data that a customer organization enters into or generates through the TransMov platform, including:

• End-passenger information (names, contact details, itineraries, special-handling notes, trip history, ratings)
• Customer-organization client contacts (corporate clients, event stakeholders, hotel guests, VIPs)
• Provider-organization data as used by a specific customer (preferred-provider lists, notes, performance records)
• Trip-execution data (GPS tracking events, communications, timestamps) generated during the operation of a trip

When we are the processor, the customer organization is the controller. You should direct any data-protection rights requests to that customer organization in the first instance; we support them in responding. If you are not sure which customer organization holds your data, contact us and we will help identify them.

3.3 Strict isolation between customer organizations

Each customer organization's data is structurally isolated from every other customer organization's data at the database layer, via row-level security policies enforced across all tenant-scoped tables. If the same email address is associated with two different customer organizations, those are treated as completely separate records with no cross-visibility. We do not combine, correlate, or route your data from one customer organization's network to another, and we do not use a customer organization's data to solicit business or upgrades from end-passengers outside that customer organization's scope.

4. Personal data we collect

4.1 Marketing-website visitors

• Device and usage data — IP address, browser type, operating system, device type, referring URL, pages viewed, time spent, links clicked, UTM parameters, approximate geographic location derived from IP
• Cookies and similar technologies — see our Cookie Policy

4.2 Contact, demo-request, and newsletter forms

• Name, business email, phone number (if provided), company name, job title, country
• Inquiry content from free-text fields
• Submission metadata — date, time, form used, marketing campaign or referrer

4.3 Provider-organization onboarding

• Company data — legal name, DBA, year established, website, country of operation, service areas
• Business identifiers — federal tax ID (or equivalent), business-license number, operating-authority reference
• Contact person — name, title, email, phone number
• Address — registered business address
• Operations profile — business type, description, fleet size, vehicle types, special services
• Insurance — provider, coverage amount, expiration date
• Compliance documents — business license, insurance certificate, vehicle registration, driver license, background check, W-9 or equivalent, operating authority

4.4 Platform user accounts

• Account identifiers — name, business email, password (stored as a cryptographic hash — we never see or store plain-text passwords), profile settings, role and permission assignments
• Authentication and session records — sign-in timestamps, IP addresses, device and browser metadata, multi-factor-authentication events, session tokens
• Platform-activity logs — actions you take, records you create or modify, API calls

4.5 End-passenger and booking data (processor — belongs to the customer organization)

• Passenger identity — name, contact details, employer, title
• Itinerary — pickup and dropoff locations, times, flight or event details, vehicle-type preferences, group size
• Special-handling notes — VIP status, accessibility needs, language preferences, free-text notes
• Trip-execution data — assigned provider and driver, vehicle details, live GPS location events (latitude, longitude, accuracy, speed, heading, timestamp), status updates, completion timestamps
• Communications — emails and SMS sent through the platform for the trip
• Ratings and feedback

4.6 Billing and subscription data (customer administrators)

• Billing contact — name, email, phone, billing address
• Subscription data — plan tier, add-ons, invoice history, payment-method metadata (we do not store bank-account or card numbers)
• Tax identifiers — VAT or equivalent, as required for invoicing

4.7 Internal systems

• Error-monitoring data — stack traces, request metadata, session identifiers, a sampled subset of session-replay recordings for debugging
• Support-ticket records — messages to and from our support team

4.8 What we do not collect

• Special-category personal data under GDPR Article 9 (we do not solicit health, religion, ethnicity, political views, biometrics, sex life, or sexual orientation data; customer organizations may enter incidental data as free-text notes, which we protect the same as other passenger data)
• Personal data from children under 18 (see Section 11)
• Payment card or bank-account numbers (these are held by our invoicing and collection processor)
• Location data about you outside of trips that a customer organization has explicitly arranged through the platform

5. How we use personal data

We use personal data only for specific purposes. Under GDPR and UK GDPR, each activity has a legal basis:

• Providing and operating the platform (authentication, matching, trip lifecycle, invoicing) — contract performance (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for processing where we support a party other than our direct counterparty
• Account security, fraud prevention — legitimate interests
• Transactional communications — contract performance
• Sales and business-development communications with contacts who submit our forms — legitimate interests (B2B outreach), opt-out any time
• Marketing emails and newsletters — opt-in consent, opt-out any time
• Analytics on the marketing website — consent via cookie banner (see Cookie Policy)
• Error and performance monitoring — legitimate interests; sensitive-field masking applied
• Provider vetting — contract performance with the provider; legitimate interests in operating a curated marketplace
• Billing, tax, and financial recordkeeping — contract and legal obligation
• Law-enforcement or regulatory requests — legal obligation
• Enforcing our terms, protecting our rights, defending claims — legitimate interests
• Corporate transactions (due diligence, investment, acquisition) — legitimate interests, with confidentiality and minimization

We do not sell personal data, and we do not use it for advertising or retargeting.

6. Automated decision-making and profiling

We do not make decisions about you solely by automated means that produce legal or similarly significant effects. Our provider performance-tier classification (Elite / Premium / Standard) is derived from ratings and trip volumes and informs customer discovery, but it is not a sole determinant of any material decision, and human review is available for classification disputes.

7. Who we share personal data with

7.1 Service providers (sub-processors)

We share personal data with service providers that help us operate the platform, under written contracts that require them to protect the data and use it only for purposes we authorize. We publish our sub-processor list and give affected customer organizations at least 30 days' prior notice before adding a new sub-processor that affects their data.

We do not use third-party advertising networks, data brokers, third-party analytics inside the application, CRM or customer-data-platform services, or any AI / large-language-model service that would receive personal data in the course of operating the platform.

7.2 Between platform participants

The platform connects customer organizations with provider organizations. Quote requests sent by a customer to a provider include trip details needed to quote (pickup / dropoff locations, times, vehicle-type requirements, passenger counts). Passenger names and contact details are shared with the provider only when the workflow explicitly requires it. Provider information (company profile, service areas, vehicle inventory, performance indicators) is visible to customers with the right to see it. Trip-execution data during a live trip is visible to the parties involved in that trip.

7.3 Corporate events

If we undergo a merger, acquisition, investment, financing, reorganization, bankruptcy, or sale of assets, personal data may be transferred as part of that transaction, subject to confidentiality protections and applicable law. We will notify affected customer organizations before such a transfer is finalized where feasible and permitted.

7.4 Law-enforcement and regulatory requests

We may disclose personal data where required by law, subpoena, court order, or other lawful demand. Where permitted, we notify the controller (for processor data) or the data subject (for controller data) before disclosure and challenge over-broad or improper demands. We do not provide blanket access to any government or private party.

7.5 To enforce our rights

We may share personal data where necessary to enforce our terms, investigate fraud or abuse, or defend claims.

8. International transfers

WW Travel Solutions is headquartered in the United States, and our primary data store is in the United States (AWS US-East). Some sub-processors process data in, or from, jurisdictions outside the EEA, the UK, or your country of residence.

Where we transfer personal data across borders:

• From the EEA to countries without an adequacy decision — 2021 European Commission Standard Contractual Clauses, with supplementary measures where appropriate following a transfer-impact assessment
• From the United Kingdom — UK International Data Transfer Addendum (or the UK IDTA)
• From Switzerland — the Swiss SCC variant, where relevant
• Where applicable — the EU-US Data Privacy Framework

You can request a copy of the transfer mechanism applicable to a specific transfer by contacting privacy@transmov.com.

8.1 Our primary role and EEA / UK representation

As a processor of personal data on behalf of our customer organizations, we rely primarily on the controller (the customer organization) to satisfy its own EEA, UK, and Swiss compliance obligations — including any obligation to appoint a representative under GDPR Article 27 or UK GDPR Article 27 that attaches to the controller. Customer organizations acknowledge this allocation in our Terms of Service.

Where our own direct processing of EEA or UK personal data reaches a scale that triggers a requirement for us to appoint a representative under GDPR Article 27 or UK GDPR Article 27, we will appoint such a representative and publish the representative's contact details in this Privacy Policy. Until then:

• EEA and UK data subjects may contact us directly at privacy@transmov.com, and we will respond in accordance with applicable law
• Customer organizations remain responsible for fielding data-subject rights requests relating to data they have entered into the platform, consistent with their role as controller
• We will cooperate with supervisory authorities and, where required, respond to lawful inquiries from EEA / UK regulators through direct communication with our privacy team

9. How long we keep personal data

We keep personal data only for as long as necessary for the purpose collected, for the duration of our relationship with you or the customer organization that gave us your information, and for additional periods where required by law, tax, accounting, or legitimate business need. Individual agreements with customer organizations may specify different retention periods, which take precedence.

When personal data is no longer needed, we delete or anonymize it. Backups are deleted on a rolling schedule.

10. Your rights

Your rights depend on applicable law. To exercise a right, see Section 13. We respond within the timelines required by applicable law (generally one month for GDPR; 45 days for CCPA/CPRA, with extensions where permitted).

Where we are the processor (Section 3.2), please direct your request to the customer organization that gave us your information — they are the controller and decide how to handle the request. We will assist them.

10.1 EEA, UK, Switzerland (GDPR / UK GDPR)

• Access — obtain a copy of your personal data and information about how we use it
• Rectification — correct inaccurate or incomplete data
• Erasure — have your data deleted, subject to legal exceptions
• Restriction — pause processing while a dispute is resolved
• Portability — receive your data in a structured, commonly used, machine-readable format
• Objection — object to processing based on legitimate interests, including direct marketing
• Withdraw consent — at any time, without affecting processing before withdrawal
• Not be subject to solely automated decisions with legal or similarly significant effects (we do not make such decisions — Section 6)
• Complain to your national data-protection authority

10.2 California (CCPA / CPRA)

• Know what personal information we collect, its sources, purposes, and categories of third parties
• Access specific pieces of personal information we hold about you
• Delete personal information we hold, subject to legal exceptions
• Correct inaccurate personal information
• Opt out of "sale" or "sharing" — we do not sell or share personal information; we honor the Global Privacy Control (GPC) signal
• Limit use of sensitive personal information — we do not use sensitive PI for purposes beyond those permitted by default under CPRA
• Non-discrimination — we will not deny service or charge different prices for exercising a right

10.3 Other US state privacy laws

Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Indiana, Tennessee, New Jersey, and other states with comprehensive privacy laws have rights broadly similar to CCPA/CPRA. We honor these consistently with California's approach.

10.4 Other jurisdictions

Residents of other jurisdictions (including Brazil under LGPD, Canada under PIPEDA) have rights under their local laws. We honor those rights to the extent they apply.

10.5 Verifying your identity

We will verify your identity before responding to a rights request. Verification may include confirming information you provide, requiring sign-in to your account, or, for sensitive requests, additional identity evidence. Agents acting on your behalf must provide proof of authorization.

11. Children

TransMov is intended for use by businesses and their authorized employees or representatives. We do not direct our services to, knowingly collect personal data from, or knowingly market to, children under 18. We do not collect age information, and the platform has no features designed for minors. If you believe a minor has provided personal data to us, please contact privacy@transmov.com and we will delete it.

12. Security

We use organizational, technical, and contractual measures to protect personal data, including:

• Encryption in transit (TLS/HTTPS)
• Encryption at rest for our primary data store
• Row-level security at the database layer, enforcing strict isolation between customer organizations
• Role-based access control within customer organizations
• Multi-layer API authentication with optional IP allowlists and per-client rate limiting
• Audit logging of administrative actions, permission changes, API usage, and tenant-context switches
• Passwords stored as cryptographic hashes; we never store or see plain-text passwords
• Production-data access limited to authorized personnel on a need-to-know basis
• Vendor due-diligence and written data-processing agreements with every sub-processor

We disclose honestly: we have not yet obtained SOC 2 or ISO 27001 certification, and we have not yet completed dynamic penetration testing. Both are on our roadmap. We do not claim certifications we do not hold.

No system is perfectly secure. If we become aware of a personal-data breach, we notify affected customer organizations without undue delay, and in any event within the timelines required by applicable law (including the 72-hour timeline under GDPR Article 33).

13. How to contact us

• By email: privacy@transmov.com
• By post: WW Travel Solutions — Privacy, address available on request

If you are dissatisfied with how we have handled a request or concern, you have the right to lodge a complaint with your national data-protection authority.

14. Changes to this Policy

We may update this Privacy Policy from time to time. For material changes, we will notify registered users by email or in-platform notice and update the "Last updated" date above. We will not apply material changes retroactively to personal data already collected without an appropriate legal basis. Continued use of the platform after the effective date of a change constitutes acknowledgment of the updated Policy.