Privacy Notice
Last updated: June 22, 2026
1. Who We Are
Hoskins Travel LLC, doing business as Vencresa ("we," "us," or "our") is the data controller responsible for the personal data collected through Vencresa Advisor and its related services (the "Service"). This Privacy Notice explains how we collect, use, store, and protect your personal data.
2. What Data We Collect
We collect and process the following categories of personal data:
- Account data: name, email, login credentials.
- Usage data: feature usage, page views, diagnostic data.
- User content: contacts, trips, bookings, quotes, documents, and other data you store in the Service.
- Communication data: support messages, emails synced via the Gmail integration (with your consent), and feedback.
- Social platform data (with your consent): when you connect a Facebook Page or Instagram Business account, we receive your Facebook user ID and name, the list of Pages you administer, Page and Instagram messages and comments routed to your CRM inbox, and aggregate Page and Instagram insights (reach, engagement, follower counts). We do not receive your Facebook password or friends list.
- Device and log data: IP address, browser type, device identifiers, and timestamps for security and performance.
3. Why We Collect Your Data
We use your personal data to:
- Provide the Service: account creation, authentication, itinerary management, contact tracking, document storage.
- Process payments: subscription billing, invoicing, and tax compliance via our Merchant of Record, Paddle.
- Maintain security: detect unauthorized access and protect your account.
- Improve the Service: analyze usage to fix bugs and develop features.
- Communicate with you: service updates, billing notices, and support responses.
4. Legal Basis for Processing
We process your personal data based on:
- Contract performance: processing necessary to provide the Service under our Terms.
- Legitimate interests: service improvement, security, fraud prevention.
- Consent: where you have explicitly agreed, such as marketing communications or Gmail sync.
- Legal obligation: compliance with applicable tax and accounting laws.
5. Subprocessors
We engage the following subprocessors to operate the Service. All are bound by contractual data-protection commitments equivalent to those we owe you.
| Subprocessor | Purpose | Region |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States |
| Paddle.com Market Ltd | Merchant of Record, payment processing, tax | United Kingdom / EU |
| Twilio Inc. | SMS delivery (when configured) | United States |
| Google LLC (Gmail API) | Outbound and inbound email sync (with your consent) | United States |
| Meta Platforms, Inc. | Facebook Page and Instagram Business connection: messages, comments, and insights (with your consent) | United States |
| Cloudflare, Inc. | Application hosting, CDN, DDoS protection | Global |
| Lovable AB | Application platform and AI gateway (Google Gemini, OpenAI) | Sweden / EU |
We do not sell personal data. We share data with these subprocessors only as necessary to provide the Service, with professional advisors where necessary, and with authorities when required by law.
6. Data Retention
We retain personal data only as long as needed for the purposes above:
- Active account data: retained while your account is active.
- After cancellation: retained for 90 days to allow reactivation or export, then deleted or anonymized.
- Billing and tax records: retained for 7 years to meet US and EU tax-record obligations.
- Server logs and security audit data: retained for 12 months.
- Marketing suppression list (unsubscribes, bounces): retained indefinitely so we don't email people who asked us not to.
7. Your Rights
Depending on your location, you have rights including:
- Access: request a copy of your data.
- Rectification: correct inaccurate data.
- Erasure: request deletion.
- Restriction: limit how we process your data.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: at any time where processing is based on consent.
Email us at Chris@HoskinsTravel.com. We respond within one month.
8. UK and EU Users
If you are in the United Kingdom or the European Economic Area, the UK GDPR or EU GDPR applies to our processing of your personal data, and you have additional rights, including the right to lodge a complaint with your local data-protection supervisory authority.
- UK supervisory authority: Information Commissioner's Office (ICO) — ico.org.uk/make-a-complaint.
- EU supervisory authorities: the list of national DPAs is at edpb.europa.eu.
If you are in the UK or EEA and we have not yet designated a representative under Article 27, please contact us directly at Chris@HoskinsTravel.com.
9. Security
We use TLS in transit, encrypted storage at rest, role-based access controls, and regular security review. No system is perfectly secure, and we cannot guarantee absolute security.
10. Cookies and Tracking
We use essential cookies to keep you signed in. We also use a small amount of first-party analytics to understand how the site is used. When you first visit, a banner lets you accept or reject analytics cookies. You can change your choice at any time by clearing site data in your browser.
11. International Transfers
Your personal data may be transferred to and processed in countries outside your jurisdiction, including the United States. Where such transfers occur, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or applicable adequacy decisions to protect your data.
11a. AI Processing of Communications
We use AI to help advisors manage your trip more efficiently. When an advisor connects their work email inbox (Gmail, Outlook, iCloud, Yahoo, or any IMAP provider), our automated systems may read messages between the advisor and you that relate to an open trip in order to: (a) detect where your trip is in the advisor's pipeline (proposal sent, booked, in progress, completed) and (b) extract specific trip details you have shared — hotels, flights, dates, traveler names, totals — so they appear in your trip record without manual re-entry. Every AI read and write is logged with the source message and is available to your advisor on request.
Lawful basis: legitimate interest in operating the advisor's business and performance of the travel-planning contract between you and the advisor. Extraction logs are retained for 90 days and then deleted automatically. You may object to this AI processing at any time by emailing your advisor or the address in section 13; we will mark your contact record as excluded from AI processing and your messages will no longer be processed.
12. Changes to This Notice
We may update this Privacy Notice from time to time. We will notify you of material changes by email or through the Service.
13. Contact Us
Questions about this Privacy Notice or our data practices? Chris@HoskinsTravel.com.