Privacy Policy — JetSetGo LLC
Version 1.2 — Effective date: 2026-05-25 — Last updated: 2026-05-25
Entity: JetSetGo LLC, a New Mexico limited liability company Contact: privacy@jetsetgo.world
1. The 90-second summary
If you only read one page of this document, read this one.
| What you might be wondering | The short answer |
|---|---|
| Who are you? | We're JetSetGo. We make booking software for ferry, tour, cruise and coach operators. JetSetGo LLC is a New Mexico limited liability company; we provide our services to operators internationally, with production hosting in Australia today. |
| What is your role with my data? | Two roles. If you are our operator-customer, we are responsible for your account data. If you are a traveller who booked a tour or ferry, the operator runs your booking. We are the software underneath. |
| Who owns my data? | You do. Always. Operators can export 24/7 and we never withhold data for unpaid invoices. |
| Will you sell my data? | No. Not in any form. Not even de-identified. |
| Will you market to travellers? | No. We never market to travellers in JetSetGo's name. The operator owns that relationship. |
| Will you use my data for behavioural ads? | No. We do not use traveller data for cross-context behavioural advertising. |
| Where does my data live? | Primary hosting in AWS Sydney (Australia); primary Postgres database in Oracle Cloud Infrastructure (Sydney); backups in AWS Singapore. Some sub-processors are based in the United States — see §5 and §6 for the full list and what they do. |
| Can a computer make decisions about me? | No. Our platform produces recommendations to operators (suggested peak pricing, channel-cap suggestions, demand-forecasting alerts). Where an operator turns on an automated rule — for example a peak-pricing tier that triggers at a load threshold the operator has set — the rule is authored and authorised by the operator, not a decision JetSetGo makes about you. We do not make decisions about travellers that produce legal or similarly-significant effects on them. |
| Can I get my data out? | Yes. Operators can self-serve a full export 24/7. Travellers ask the operator they booked with. |
| How long do you keep it? | Up to 36 months for traveller details (configurable down by the operator). 7 years for operator account records (tax law). 12 months for backups and security logs. See §8 for the full table. |
| What happens if there is a data breach? | We notify the affected operator within 24 hours and help them respond. See §11. |
| What rights do I have? | Depends on where you live. We list them by region in §12. We honour the highest-common-denominator rights for everyone. |
| Will you change this policy without telling me? | No. 30 days' notice for any material change. If you do not accept, you can leave. |
| Who do I complain to? | Email privacy@jetsetgo.world. You can also complain to the regulator in your country — addresses are in §16. |
2. Who we are, and what this policy covers
We are JetSetGo LLC, a New Mexico limited liability company ("JetSetGo", "we", "us", "our"). JetSetGo provides software services internationally; we are subject to the privacy laws of each jurisdiction in which our operators and their travellers reside, including those listed in §12.
JetSetGo is a software platform. Transport and tourism operators — ferry services, tour companies, cruise operators, accommodated-cruise and live-aboard operators, scenic flight providers, coach lines — use our platform to take bookings, run their boarding apps, build their customer databases, and manage their day-to-day operations.
This policy explains how we handle personal information. It covers:
- People who run an operator account with us (an operator's owners, staff, billing contacts).
- Travellers whose data flows through our platform because they booked something with one of our operators.
- People who visit our website or contact us without yet being a customer.
This is a single global policy. Section 12 sets out additional rights you have if you live in the European Union, the United Kingdom, the United States (California especially), New Zealand, Canada (Quebec especially), or South Africa. We extend the strongest rights to everyone where we reasonably can.
We do not sell consumer services to children. We do not target our platform at children. Section 13 explains how children's data is handled in the rare cases it arrives in a booking.
3. How JetSetGo handles your data — two roles
We sit in two different positions depending on whose data we are talking about. Both apply at the same time, but to different data.
3.1 When you are our operator-customer (we are responsible for your data)
You signed up with JetSetGo. You log into our admin console. We hold your name, email, role, billing details, support tickets, usage records, IP addresses, and so on.
For this data, we decide why and how it is used. We use it to run your account, support you, send service messages (billing, security, product updates), keep the platform secure, comply with tax and audit obligations, and improve the product.
In GDPR / UK GDPR language, we are the "controller" of this data. In CCPA language, we are a "business". In POPIA language, we are the "responsible party". You can hold us directly accountable for what we do with it.
3.2 When you booked a tour or ferry through one of our operators (the operator is responsible; we run the software)
You bought a ferry ticket, a whale-watching tour, or a scenic flight from one of our operator-customers. Their booking page is powered by JetSetGo behind the scenes.
The operator decides what to collect from you, why, how long to keep it, and who to share it with. They are the merchant on the trip and the point of contact for any questions about your booking, your refund, your cancellation, or your data.
We process that data on the operator's behalf, on their instructions. We do not use it for our own purposes (except for the narrow security, fraud-prevention, aggregated-analytics and platform-improvement purposes set out in this policy).
In GDPR / UK GDPR language, the operator is the "controller" and we are the "processor". In CCPA language, the operator is the "business" and we are the "service provider". In POPIA language, the operator is the "responsible party" and we are the "operator" (yes — confusingly, the same word means a different thing under that law).
If you want to access, correct, or delete your booking data, start with the operator you booked with. Their privacy notice will tell you how to reach them. If they cannot help you for any reason, you can come to us — we will assist or step in as Schedule 1 (Data Processing Addendum) sets out, and as §12.1 expressly preserves for Australian travellers under APP 12.
4. The kinds of information we handle
Operator account data (we are responsible):
- Identity and contact details of the operator and its staff (names, emails, phone, role).
- Login credentials (handled by Firebase — see §5; passwords are hashed, never stored in clear text).
- Billing details, invoices, payment records.
- Support tickets, in-app messages, chat transcripts.
- Usage telemetry — what pages staff visit, what features they use, error logs, IP addresses, browser type.
- Marketing-opt-in records (newsletter subscriptions, blog signups).
Traveller data (operator is responsible; we hold it on their behalf):
- Identity and contact details — name, email, phone, sometimes address.
- Booking details — what was booked, when, for how many people, at what price.
- Optional traveller attributes — accessibility needs, dietary preferences, special requests, child/infant indicators.
- Identification documents where the operator's product genuinely requires them — passport details for international ferry crossings, photo ID for licensed-product compliance.
- Payment proxies — Stripe customer reference, last four digits of card, payment status. Full card numbers are never stored by us; they live with Stripe.
- Communications history — booking confirmations, weather-cancellation messages, refund notifications.
Website visitor data (we are responsible):
- IP address, browser, referrer, pages viewed.
- Cookie preferences and a small number of essential cookies.
- Anything you send us through a contact form or email.
Sensitive categories — handled with extra care:
Some operators run products where the data we receive on their behalf includes what California, Quebec, the EU and others classify as sensitive personal information — passport numbers, accessibility/health-related dietary indicators, biometric check-in data on a small number of operator products. We do not use sensitive information for marketing, profiling, or any purpose beyond running the operator's booking. We do not sell it. We honour California residents' "limit use of sensitive personal information" right through the operator.
5. Sub-processors
A sub-processor is a vendor who handles a slice of the data so we can do our job. We name them openly here.
The live, always-current list is at jetsetgo.world/sub-processors. We notify operators of changes by email and an in-product banner, with at least 30 days' notice. If an operator reasonably objects to a new sub-processor on data-protection grounds within 30 days, they may terminate the affected Services (or the whole Agreement, at their option) without penalty and export their data (Schedule 1 sets out the mechanics).
| Vendor | What they do for us | Data they touch | Legal entity country | Data-residency / processing region |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Primary hosting and infrastructure — EC2 (backend services: FastAPI, Hasura self-hosted, background workers); S3 (object storage); SES (transactional email — booking confirmations, password resets, weather-cancellation alerts); Secrets Manager; CloudFront (CDN); Amplify (build infrastructure) | All operator and traveller data passing through the application layer; transactional email content; build artefacts | US (Amazon Web Services, Inc.) | ap-southeast-2 (Sydney, Australia) for production and backups; some Amplify build infrastructure in US regions |
| Oracle Cloud Infrastructure | Primary production Postgres database | All operator and traveller data stored in the primary relational database | US (Oracle Corporation) | Sydney, Australia |
| Firebase Authentication (Google LLC) | Operator-staff identity / login / SSO (SAML 2.0 and OIDC) | Email, hashed password, login telemetry of operator staff users (no traveller data) | US | Multi-region (Google datacentres in US, EU, and Asia per Google Cloud's Auth backend) — Authentication scope only; Firestore is not used |
| Stripe | Payments — Stripe is a controller in its own right for fraud, AML, KYC and tax-reporting purposes; we list them here for transparency. Your contracting entity is Stripe Payments Australia Pty Ltd (ABN 41 160 180 343) for AU-resident operators, or the Stripe entity for your jurisdiction (e.g. Stripe Payments Europe Ltd for EU/UK, Stripe, Inc. for US). JetSetGo LLC's own platform-level Stripe relationship is with Stripe, Inc. (US). | Cardholder data (held by Stripe, not by JetSetGo), payout data, payer identity, fraud-prevention signals | US (Stripe, Inc.), Ireland (Stripe Payments Europe Ltd), Australia (Stripe Payments Australia Pty Ltd, ABN 41 160 180 343) | US for global controller functions; jurisdiction-specific Stripe entity for the merchant-of-record relationship |
| Twilio, Inc. | SMS and voice — booking notifications, OTPs, weather alerts | Recipient phone number, message content | US | Routing per recipient country; messaging metadata stored in the United States; Australian endpoints used where available |
| Cloudflare, Inc. | DNS, edge proxy, DDoS protection, rate limiting | Request metadata, IP addresses | US | Global edge network; metadata and logs in the United States |
Stripe is named for transparency. Because Stripe operates its own controller-level obligations for fraud, AML and KYC of the operator-merchant, the operator's separate Stripe agreement governs the payment-relationship side. We do not hold operator funds and we are not in the payment chain.
6. Where your data sits and how it moves — the honest version
We are not going to pretend EU data stays in the EU.
Today, primary hosting is in AWS Asia Pacific (Sydney, ap-southeast-2), with the primary Postgres database in Oracle Cloud Infrastructure (Sydney). Backups and disaster-recovery copies sit in AWS Asia Pacific (Singapore, ap-southeast-1). A handful of the sub-processors above are based in the United States or operate global infrastructure; the table tells you which.
For travellers in the European Union, the European Economic Area, Iceland, Norway, Liechtenstein, or the United Kingdom: your data is transferred to Australia. Australia is not on the European Commission's adequacy list, and the UK has not granted Australia adequacy either. We rely on the European Commission's 2021 Standard Contractual Clauses (Module 2 — controller-to-processor) and the UK International Data Transfer Addendum, both incorporated into Schedule 1 of this document. These are the standard, regulator-recognised mechanism for moving data from the EU/UK to Australia under Chapter V of the GDPR and UK GDPR.
Note: where the EU Standard Contractual Clauses apply (for EU/UK traveller data), the SCCs themselves are governed by Irish law for the purposes of data-subject claims under the clauses, and the UK IDTA Addendum is governed by the law of England and Wales for the equivalent purposes. This is the standard regulator-recognised setup; it does not displace the governing law of the contract between you and us (see Schedule 1 §16).
For travellers in New Zealand: Australia is on the New Zealand Privacy Commissioner's list of countries with comparable privacy laws. The transfer is permitted under Information Privacy Principle 12.
For travellers in Canada (including Quebec): we transfer under contractual safeguards equivalent to PIPEDA and Quebec Law 25. The operator-controller in Quebec retains responsibility for its own transfer impact assessment; we provide the inputs.
For travellers in South Africa: we transfer under the binding-agreement route in section 72 of POPIA. The contractual protections in Schedule 1 of this policy are substantially equivalent to POPIA's eight conditions.
For travellers in the United States: data crosses into Australia. No US-federal cross-border restriction is implicated. We honour the rights granted by each state's privacy law for travellers resident in that state.
We are working to offer EU and US regional residency as a paid option for operators who require local hosting. Until then, the mechanisms above apply.
APP 8 — reasonable steps for overseas sub-processors. JetSetGo, as a foreign business subject to the Australian Privacy Act 1988 (Cth) under section 5B by virtue of handling personal information of individuals in Australia in the course of carrying on business there, is bound by Australian Privacy Principle 8 (cross-border disclosure). Our reasonable steps to ensure overseas sub-processors meet APP-equivalent standards include: (a) due diligence at onboarding and annually, (b) contractual flow-down of obligations substantially equivalent to those in this policy and Schedule 1, (c) encryption in transit and at rest, (d) access controls and audit logging, and (e) periodic review of each sub-processor's published certifications and incident history.
7. How we keep data secure
We do not yet hold SOC 2 Type II or ISO 27001 certification — we will say so when we do. We do follow controls aligned with those frameworks.
What that looks like in practice:
- Encryption in transit (TLS 1.2 or higher) on every public endpoint.
- Encryption at rest for production databases, backups, and object storage.
- Role-based access controls with least-privilege defaults. Production data access is logged.
- Audit logging of access to personal information, retained for 12 months.
- Sub-processor due-diligence at onboarding and on renewal; contractual flow-down of our obligations.
- Vulnerability management — periodic security testing, dependency scanning, patch discipline.
- Personnel — confidentiality obligations, security training, background checks where appropriate.
- Incident response — documented procedure with a 24-hour breach-notification SLA to operators (§11 and Schedule 1).
- Uptime SLA — 99.9% monthly on the sales channel; sales channels stay up through maintenance via blue/green deploys. SLA mechanics live in the Master Services Agreement.
No system is perfect. We commit to taking reasonable steps and to telling the truth quickly if something goes wrong.
8. How long we keep data
| Data type | Default retention |
|---|---|
| Operator account data (live account) | Life of the account |
| Operator account data (after closure) | 7 years from account closure — tax and business-records law |
| Traveller booking details | Up to 36 months from the last booking, configurable down by the operator (operators with stricter requirements can dial lower) |
| Operator and traveller communications (email, SMS) | Up to 36 months |
| Optional identification documents (passport scans etc.) | Held only for the period the operator's product requires; we encourage operators to delete after travel |
| Audit logs and security logs | 12 months |
| Backups | 12 months rolling, then aged out |
| Website visitor logs | 12 months |
| Marketing-opt-in records (for ourselves) | Until you unsubscribe + 12 months for the unsubscribe record, to prove we honoured your unsubscribe request if it's queried |
| Post-termination wind-down | 90 days of wind-down access → 30-day production deletion → backups age out across the next 12 months |
36 months is the maximum default — it is not a target. Operators should configure retention down to match their actual operational and legal need for each product line. APP 11.2 of the Australian Privacy Act requires destruction or de-identification when personal information is no longer needed for any purpose for which it can be used. The same principle underpins GDPR storage-limitation (Article 5(1)(e)).
If we need to keep something longer because the law tells us to (tax, regulatory, litigation hold), we will keep only what we need and only for as long as we need it.
A deletion certificate is available on request after the 90-day post-termination window closes.
9. What we will never do
This list is short and the items are absolute. Each one is a commitment we are willing to be held to.
- We do not sell traveller data in any form — not in identifiable form, not in de-identified form, not in aggregated form. Aggregation does not unlock a sale; nothing does. This is the broader rule; the bullets below are specific applications of it.
- We do not market to travellers in JetSetGo's own name. Ever. Travellers belong to the operator they booked with.
- We do not use traveller personal information for cross-context behavioural advertising. We do not build advertising profiles. We do not put traveller data into ad-tech pipelines. We do not "sell" or "share" personal information in the CCPA / CPRA technical sense, or in any other sense.
- We do not make decisions about travellers that produce legal or similarly-significant effects on them. Our platform produces recommendations to operators (suggested peak pricing, channel-cap suggestions, demand-forecasting alerts). Where an operator chooses to enable an automated rule — for example a peak-pricing tier that triggers at a load threshold the operator has set — that is a rule authored and authorised by the operator-controller, not a decision JetSetGo makes about the traveller. Pricing changes within an operator's configured rules are not decisions that produce legal or similarly-significant effects on travellers. If we ever build a feature that could meet that threshold, we will tell you in advance and operator-level opt-in will be required (see §14 and §15).
- We do not withhold operator data for unpaid invoices. Even an operator in arrears can export their data. We pursue the invoice separately. ("You own your data. Always." — the website promise is enforceable here.)
10. Aggregated and anonymised insights
We reserve the right to use aggregated, statistically de-identified data drawn from across the platform for:
- Platform improvement — fixing bugs, optimising performance, designing better features.
- Industry benchmarks — average load factor for whale-watching operators in May; average direct-vs-OTA mix for ferry operators of a given size.
- AI model training for in-platform features — pricing recommendations, demand forecasting.
- Anonymised industry reports — published under our name.
The anonymisation standard: aggregation is done so that no individual operator and no individual traveller is identifiable. Our floor is k-anonymity of 10 or higher for any published benchmark — that means each row in a published statistic must reflect at least ten distinct underlying entities. We carry out a re-identification risk assessment before publication.
For CCPA / CPRA purposes, our use of de-identified aggregates for platform improvement and AI training is not a "sale" or "share" of personal information — the data does not identify, relate to, describe, or reasonably link to any particular consumer or household. We maintain documented procedures to monitor, prevent and address any re-identification risk.
Cross-operator use of de-identified aggregates does NOT require operator opt-in. Because the data is genuinely de-identified to the k-anonymity ≥10 standard, no individual operator and no individual traveller can be re-identified from it. The opt-in requirement in §14 applies only to cross-operator training on identifiable traveller data — never to the de-identified path.
Operator opt-out: any operator can opt out of being included in published industry benchmarks at any time, free, in the admin console or by emailing privacy@jetsetgo.world. Internal product-improvement use (debugging, performance, AI training on de-identified aggregates) is a condition of using the platform and cannot be opted out of separately — that is the same posture every well-run SaaS holds, and the data is genuinely de-identified before use.
No selling, even de-identified. Repeating the §9 commitment because it matters here: aggregated insights are used to build a better platform and to publish honest industry reports. They are not a product we sell to third parties.
11. Data breaches — how we respond
In Australia, the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth) requires notification to the OAIC and affected individuals where an "eligible data breach" is likely to result in serious harm. JetSetGo's 24-hour SLA to the operator is designed to give the operator-controller maximum running room on the OAIC's "as soon as practicable" standard and the 30-day assessment window.
A "data breach" means an event where personal information was accessed, disclosed, lost or destroyed in a way that should not have happened.
Our commitments:
- 24-hour SLA to notify the operator. From the moment we become aware of a suspected breach affecting an operator's data, we notify the operator within 24 hours.
- Honest content. The notification tells the operator what happened, when, what data and how many people are estimated to be affected, what we are doing about it, and how to reach our incident-response lead.
- We assist the operator in their own regulator notifications — GDPR 72-hour clock to a supervisory authority, OAIC Notifiable Data Breach scheme, ICO, CAI (Quebec), Office of the Privacy Commissioner of Canada, NZ Privacy Commissioner, South African Information Regulator. We provide the technical facts; the operator-controller decides whether the threshold for notification is met.
- Joint breach allocation (in plain English):
- A breach affecting multiple operators' data because of a JetSetGo platform incident → we lead the regulator notification where we are the holder; we coordinate with operators on per-person notification because the operator owns the customer relationship.
- A breach affecting a single operator's traveller data caused by something the operator did (admin error, weak passwords, staff misuse) → the operator leads, we assist with forensics and evidence; we parallel-notify our regulators if required as the holder of the information.
- A breach affecting only operator account data (an operator's own staff credentials) → we notify and lead.
- Cost allocation: we bear the cost of notification for platform-caused breaches. The operator bears the cost for operator-caused breaches. This allocation is reflected in the Master Services Agreement.
The detail of breach-allocation, content of notifications, and assistance obligations lives in Schedule 1.
12. Your rights, by region
The rights below are additional to the universal commitments in this policy. We honour all of them and apply the strongest standard where it is reasonable to do so.
12.1 Australia
Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles you have the right to:
- Know what personal information we hold about you.
- Access it and ask us to correct it.
- Complain to us about how we handle it, and have us deal with your complaint in a reasonable time.
- Complain to the Office of the Australian Information Commissioner (OAIC) if you are not satisfied with our response —
oaic.gov.au.
To exercise any of these rights, email privacy@jetsetgo.world. We respond within 30 days.
Where you booked through one of our operators, please contact the operator first — they are the controller. If the operator cannot or does not respond, you can request access or correction directly from us at privacy@jetsetgo.world and we will respond within 30 days as the holder of the information under APP 12. We may need to coordinate with the operator on the substance of the response, but we will not use the operator-controller relationship to refuse access we are obliged to give.
12.2 European Union (and Iceland, Norway, Liechtenstein)
Under the GDPR you have the right to:
- Access your personal data (Article 15).
- Rectification of inaccurate data (Article 16).
- Erasure (Article 17) — the "right to be forgotten" — subject to limited exceptions.
- Restriction of processing (Article 18).
- Data portability (Article 20) — receive your data in a structured, commonly-used, machine-readable format.
- Object to processing (Article 21).
- Not be subject to a solely-automated decision producing legal or similarly-significant effects on you (Article 22) — and we have committed in §9 not to do this anyway.
- Withdraw consent at any time where processing is consent-based.
- Lodge a complaint with your local supervisory authority. A list of all EU supervisory authorities is available from the European Data Protection Board at
edpb.europa.eu.
If you booked through one of our operators, the operator is the controller and your starting point. We will assist and route your request as Schedule 1 requires.
12.3 United Kingdom
Under the UK GDPR and the Data Protection Act 2018 you have the same set of rights as EU residents above. The relevant supervisory authority is the Information Commissioner's Office (ICO) — ico.org.uk. You can lodge a complaint there at any time.
12.4 United States
US privacy law varies state-by-state. We honour the rights granted to you by the privacy law of your state. As at the date of this policy, the following states have privacy laws granting access, deletion, correction, portability, and opt-out rights to residents:
California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, Indiana, Maryland, Minnesota, New Jersey, New Hampshire, Kentucky, Rhode Island. (And the list keeps growing — we treat any newer state law as in scope from the day it commences.)
Across all those states, we extend the following to you:
- Right to know what personal information we hold about you and to receive a copy.
- Right to delete your personal information, subject to legal exceptions (security, fraud prevention, legal hold).
- Right to correct inaccurate personal information.
- Right to data portability — receive your data in a standard format.
- Right to opt out of sale or sharing of personal information — moot for us because we do not sell or share (see §9), but the right is there.
- Right to opt out of profiling for decisions producing legal or similarly-significant effects — again, moot because we do not do this (see §9).
- Right to non-discrimination for exercising your rights — we do not penalise people for asserting them.
We honour Global Privacy Control (GPC) signals on any property under our direct control, in line with state-law expectations.
Single channel for US rights requests: privacy@jetsetgo.world. We respond within 45 days as required.
California — additional rights
Under the California Consumer Privacy Act as amended by the California Privacy Rights Act, California residents also have:
- Right to know specifics — the categories and specific pieces of personal information we collect, the sources, the purposes, the categories of third parties we share with (which for traveller data is the operator they booked with, the sub-processors in §5, and no-one else).
- Right to limit use of Sensitive Personal Information. Where the operator's product involves sensitive personal information (passport details, certain accessibility/health-related fields, precise geolocation) you have the right to direct that this information be used only for the booking and necessary security purposes. The operator-business actions the request; we assist.
- We act as a service provider to operator-businesses for traveller data. We do not sell or share that data. The CCPA-specific service-provider contract clauses are in Schedule 1.
If you are not satisfied, you may file a complaint with the California Privacy Protection Agency (CPPA) — cppa.ca.gov — or the California Attorney General.
12.5 New Zealand
Under the Privacy Act 2020 you have the right to:
- Access your personal information held by an agency.
- Request correction of inaccurate information.
- Have your complaint dealt with reasonably.
- Complain to the Office of the Privacy Commissioner —
privacy.org.nz.
Where you booked through one of our operators, the operator is the first point of contact and is treated as the agency that collected the information. We assist.
NZ Information Privacy Principle 12 permits the transfer of personal information of New Zealand travellers to Australia because Australia's privacy laws are recognised as providing comparable safeguards.
12.6 Canada
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) you have the right to:
- Access the personal information we hold about you.
- Challenge the accuracy and have it corrected.
- Complain to the Office of the Privacy Commissioner of Canada —
priv.gc.ca.
For provinces with substantially-similar laws (Alberta PIPA, BC PIPA), the same rights apply through the provincial commissioner.
Quebec — additional rights under Law 25
Under An Act respecting the protection of personal information in the private sector (as amended by Law 25), Quebec residents also have:
- Right to data portability — receive your data in a structured, commonly-used technological format and have it transferred where possible.
- Right to information about automated decisions — if a decision were ever made solely by automated processing, you would have the right to be informed and to request the principal factors, parameters, and human review. As stated in §9, we do not make solely-automated decisions producing legal or significant effects on travellers, but the right is preserved here.
- Right to complain to the Commission d'accès à l'information du Québec (CAI) —
cai.gouv.qc.ca.
Privacy Officer (Law 25): contactable at privacy@jetsetgo.world. JetSetGo will provide the name of a designated individual on written request as required by Law 25.
Cross-border transfer assessments under Law 25 are conducted by the Quebec operator-controller; we provide the inputs (our security measures, the legal framework in Australia, the contractual protections in Schedule 1).
12.7 South Africa
Under the Protection of Personal Information Act (POPIA) you have the right to:
- Be notified that your personal information is being collected.
- Access your personal information held by a responsible party.
- Request correction or deletion.
- Object to processing in certain circumstances.
- Complain to the Information Regulator —
inforegulator.org.za.
Information Officer (POPIA): contactable at privacy@jetsetgo.world. JetSetGo will provide the name of the designated Information Officer on written request. We will register the Information Officer with the Information Regulator before processing personal information of South African data subjects or onboarding any South African operator-customer.
Cross-border transfer from South Africa to Australia is permitted under section 72 of POPIA on the basis that Schedule 1 of this policy constitutes a binding agreement providing substantially-equivalent protection.
13. Children's data
We do not market our platform to children. We do not knowingly collect data directly from children.
Children's personal information arrives on the platform only as part of a family booking made by an adult through an operator's checkout. The operator-controller is responsible for obtaining any consent required by the law of the child's location (COPPA for US under-13s; GDPR Article 8 for under-16s, lowered to under-13s in some EU member states; Quebec Law 25 for under-14s; POPIA section 34; the analogous protections under NZ and Australian law).
In Australia, the OAIC is developing a Children's Online Privacy Code under the Privacy Act reform program. Once in force, additional obligations will apply where an operator's product is directed at children. Operators in that position will be notified and required to meet the code's standards.
If you believe data about a child has reached our platform without appropriate consent, email privacy@jetsetgo.world and we will work with the operator to delete it.
14. AI and automated processing
Some parts of our platform use machine learning. The current features are:
- Pricing recommendations for operators — "Service X is 90% full three days out — switch to peak pricing?"
- Demand forecasting for operators — "Bookings on this route are tracking 15% above last year."
- Booking-velocity analytics — speed of fill compared to historical baselines.
In all cases the AI produces a recommendation to the operator, not a decision imposed on a traveller. Where an operator enables an automated rule (for example a peak-pricing tier that triggers at a load threshold the operator has set), the rule is authored and authorised by the operator-controller. JetSetGo does not make the decision; the operator does, by configuring the rule. This means:
- No traveller is denied a booking, charged a price outside the operator's published rate logic, or otherwise materially affected by a computer acting alone on JetSetGo's part. Pricing changes within an operator's configured rules are not decisions that produce legal or similarly-significant effects on travellers.
- We are outside the scope of GDPR Article 22 (solely-automated decisions with legal or similar effect) and outside the analogous Quebec Law 25 trigger.
Where we train AI models, we do so on:
- The operator's own data, for that operator's own platform features. (Each operator's data feeds their own forecasts and recommendations.)
- Cross-operator training on de-identified aggregates (k-anonymity ≥10 — see §10) is permitted as part of internal product improvement and does not require operator opt-in, because the data is genuinely de-identified before use.
- Cross-operator training on identifiable traveller data is a different category and requires explicit operator-level opt-in. We do not undertake it without that opt-in.
If we add a feature in future that approaches a solely-automated decision affecting travellers, we will update this policy with at least 30 days' notice (§15), seek any required operator-level consent before it goes live, and document the decision-logic and meaningful information about the logic involved per GDPR Article 13(2)(f) / Article 22(3) and the analogous Quebec Law 25 transparency requirements.
15. Changes to this policy
We can change this policy. But we cannot do it quietly.
- For material changes — changes that broaden how we use personal information, change the categories of recipients, weaken your rights, or change the cross-border transfer mechanism — we give 30 days' notice to operators by email and an in-product banner. We mark the change in a public changelog on this policy page.
- For non-material changes — fixing a typo, clarifying language, updating a regulator's web address, swapping a placeholder for a confirmed entity name — we update the "Last updated" date.
- Operators who do not accept a material change have a costless exit right under the Master Services Agreement. The right runs from the date of the notice. They can terminate without penalty and take their data with them under §8.
- We do not rely on "your continued use of the service constitutes acceptance" as a fig leaf. If you do not accept, you can leave.
16. How to contact us, and how to complain
The single channel for all privacy questions and rights requests is privacy@jetsetgo.world.
Named contacts:
- Privacy Officer (Quebec Law 25): contactable at privacy@jetsetgo.world. Name of the designated individual provided on written request.
- Information Officer (POPIA): contactable at privacy@jetsetgo.world. Name of the designated Information Officer provided on written request. We will register the Information Officer with the South African Information Regulator before processing personal information of South African data subjects or onboarding any South African operator-customer.
Registered office: JetSetGo LLC, New Mexico, United States. Full registered-agent address provided on request.
If you are unhappy with our response, you can complain to the regulator where you live:
| Region | Regulator | Website |
|---|---|---|
| Australia | Office of the Australian Information Commissioner | oaic.gov.au |
| European Union | Your local supervisory authority (list at edpb.europa.eu) | edpb.europa.eu |
| United Kingdom | Information Commissioner's Office | ico.org.uk |
| United States — California | California Privacy Protection Agency | cppa.ca.gov |
| United States — other states | Your state Attorney General | (state-specific) |
| New Zealand | Office of the Privacy Commissioner | privacy.org.nz |
| Canada — federal | Office of the Privacy Commissioner of Canada | priv.gc.ca |
| Canada — Quebec | Commission d'accès à l'information | cai.gouv.qc.ca |
| South Africa | Information Regulator | inforegulator.org.za |
We will cooperate fully with any regulator inquiry. We commit to publishing an annual transparency report covering aggregate counts of government and law-enforcement requests received and the categories of operator/traveller data disclosed — once we have meaningful volume to report.
Government and law-enforcement requests for data: where we receive a regulator, court, or law-enforcement request for operator or traveller data, our default is to notify the operator before disclosing. The only exception is where notification is legally prohibited by a gag order, sealed warrant, or statutory non-disclosure obligation. We narrowly construe each request and challenge over-broad ones where lawful to do so.
Schedule 1 — Data Processing Addendum
Status: This Schedule forms part of the Master Services Agreement signed between JetSetGo LLC and the Operator. It is incorporated by reference into that Agreement. By signing the Master Services Agreement, the Operator and JetSetGo enter into this Schedule. JetSetGo does not offer online self-service sign-up; customers are onboarded through a sales-led process culminating in a signed Master Services Agreement. The published version of this Schedule is informational for non-customers and contractual for any Operator who has signed the Master Services Agreement.
This Schedule is the Data Processing Addendum ("DPA") between us. It applies where JetSetGo processes Personal Data on the Operator's behalf in connection with the Services.
1. Definitions
- Applicable Data Protection Law means each of the GDPR, UK GDPR, the Australian Privacy Act 1988 (Cth), the CCPA / CPRA, the NZ Privacy Act 2020, PIPEDA, Quebec Law 25, POPIA, and any other privacy law applicable to the processing.
- Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority have the meanings given in GDPR Article 4 and analogous concepts in the other Applicable Data Protection Laws.
- Business, Service Provider, Sell, Share, Sensitive Personal Information, Personal Information have the meanings given in CCPA section 1798.140.
- Responsible Party has the meaning given in POPIA.
- "Operator" in this Schedule means the JetSetGo operator-customer (the same person as the Operator under the Master Services Agreement), who acts as Controller / Business / Responsible Party with respect to Traveller Personal Data. Note: under POPIA, the term "Operator" has a different meaning (it means a Processor); where this Schedule uses "Operator" it means our customer in the Master-Services-Agreement sense, not the POPIA sense.
- Sub-processor means a third party engaged by JetSetGo to process Personal Data on the Operator's behalf.
- EU SCCs means the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- UK Addendum means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, in force 21 March 2022 (Version B1.0).
2. Roles and scope
2.1 With respect to Traveller Personal Data, the Operator is the Controller (GDPR / UK GDPR), Business (CCPA / CPRA), Responsible Party (POPIA), or analogous role; JetSetGo is the Processor, Service Provider, Operator (POPIA), or analogous role.
2.2 With respect to Operator Account Data, JetSetGo is the Controller / Business / Responsible Party; the body of the Privacy Policy applies, not this Schedule.
2.3 This Schedule applies for the duration of the Services and survives termination to the extent required by Section 11 (return and deletion) and Section 13 (audits).
3. Subject matter, nature, purpose, duration
| Item | Detail |
|---|---|
| Subject matter | JetSetGo's provision of a booking, reservation, point-of-sale, manifest, and operational SaaS platform to the Operator. |
| Nature | Hosting, processing, transmission, display, backup, and aggregation of Personal Data for the Operator's booking and operational workflows. |
| Purpose | Enabling the Operator to take and manage bookings from Travellers; running operational tooling; producing reports; communicating with Travellers on the Operator's behalf. |
| Duration | The term of the Services, plus the post-termination wind-down in Section 11. |
| Categories of Data Subjects | Travellers (the Operator's end-customers), and where relevant their group members (companions, family members) included in a booking. |
| Types of Personal Data | Identifiers (name, email, phone); booking details; optional traveller attributes (accessibility, dietary, special requests); identification documents where the Operator's product requires them; payment proxies (Stripe references; no full card numbers held by JetSetGo); communications history. |
| Sensitive categories | Where the Operator's product collects them: passport/ID document data; accessibility/health-related dietary fields; biometric data on a small set of products. Handled per Section 6. |
4. JetSetGo's obligations as Processor
JetSetGo shall:
4.1 Process Personal Data only on the Operator's documented instructions, including with regard to transfers to a third country, unless required by law. The Operator's instructions are set out in the Master Services Agreement, the Operator's configuration of the Services, and any further documented instructions provided in writing.
4.2 Inform the Operator if JetSetGo believes an instruction infringes Applicable Data Protection Law (without obligation to provide legal advice).
4.3 Ensure persons authorised to process Personal Data have committed to confidentiality or are under a statutory duty of confidentiality.
4.4 Implement appropriate technical and organisational measures as set out in Annex II.
4.5 Engage Sub-processors only in accordance with Section 5.
4.6 Assist the Operator by appropriate technical and organisational measures, taking into account the nature of the processing, in fulfilling its obligation to respond to Data Subject rights requests (GDPR Articles 12–22; CCPA / CPRA consumer rights; analogous rights under the other Applicable Data Protection Laws).
4.7 Assist the Operator in complying with its obligations under GDPR Articles 32–36 (security, breach notification, data protection impact assessments, prior consultation) and analogous obligations.
4.8 Return or delete all Personal Data in accordance with Section 11.
4.9 Make available to the Operator all information necessary to demonstrate compliance with this Schedule, and allow audits in accordance with Section 13.
5. Sub-processors
5.1 General authorisation. The Operator gives JetSetGo a general authorisation to engage Sub-processors. The current list of Sub-processors is published at jetsetgo.world/sub-processors and reproduced in Section 5 of the body of the Privacy Policy.
5.2 Notice of changes. JetSetGo will give the Operator at least 30 days' notice of any new or replaced Sub-processor by email to the operator account-owner and via an in-product banner.
5.3 Right to object. If an Operator reasonably objects to a new Sub-processor on data-protection grounds within 30 days of notice, the Operator may terminate the affected Services (or the whole Agreement, at its option) without penalty and exercise its data-export entitlement under Section 11.
5.4 Costless exit on objection. An Operator exercising the termination right in Section 5.3 retains the 90-day wind-down period at the current pricing. No early-termination fee applies.
5.5 Flow-down. JetSetGo will impose on each Sub-processor data-protection obligations substantially equivalent to those in this Schedule by way of a written contract.
5.6 Liability for Sub-processors. JetSetGo remains liable to the Operator for the acts and omissions of its Sub-processors as if they were JetSetGo's own, subject to the liability cap in the Master Services Agreement.
6. Sensitive data and Sensitive Personal Information
6.1 JetSetGo handles Sensitive Personal Information only as necessary to provide the Services and on the Operator's documented instructions. JetSetGo does not use Sensitive Personal Information for any purpose beyond the operation of the Services and necessary security.
6.2 California residents have a Right to Limit Use of Sensitive Personal Information; the Operator-Business actions the request and JetSetGo assists.
7. Data Subject rights
7.1 JetSetGo will, by appropriate technical and organisational measures, assist the Operator in responding to Data Subject rights requests within the time-frames required by Applicable Data Protection Law.
7.2 The Operator is responsible for responding to Data Subject requests directed to it. JetSetGo will not respond on the Operator's behalf to substantive rights requests. Notwithstanding this, JetSetGo will respond directly to a Data Subject's access or correction request to the extent required by Applicable Data Protection Law (including APP 12 of the Australian Privacy Act) where the Operator-Controller does not or cannot respond, and will inform the Operator of any such direct response.
7.3 If JetSetGo receives a request directly from a Data Subject relating to the Operator's Personal Data, JetSetGo will:
(a) acknowledge the request to the Data Subject and inform them that the Operator is the Controller / Business / Responsible Party;
(b) forward the request to the Operator within 5 business days;
(c) not action the request substantively except on the Operator's instruction, subject to Section 7.2.
7.4 Where Applicable Data Protection Law permits JetSetGo to charge for excessive or manifestly unfounded requests, JetSetGo will not do so for routine assistance.
8. CCPA / CPRA — Service Provider terms
This Section 8 applies where the Operator is a "Business" and JetSetGo is a "Service Provider" under the CCPA / CPRA. The terms below apply in addition to the rest of this Schedule.
8.1 JetSetGo shall not:
(a) Sell Personal Information.
(b) Share Personal Information for cross-context behavioural advertising.
(c) Retain, use, or disclose Personal Information outside the direct business purpose set out in this Schedule and the Master Services Agreement.
(d) Retain, use, or disclose Personal Information outside the direct business relationship between JetSetGo and the Operator.
(e) Combine Personal Information received from the Operator with Personal Information received from another source or collected from JetSetGo's own interactions with consumers, except as expressly permitted under CCPA section 1798.140(ag)(1)(D)(i)–(iv) (specifically: detecting security incidents, protecting against malicious activity, debugging, short-term transient use, and the other narrow business purposes listed).
8.2 JetSetGo shall assist the Operator in responding to verifiable consumer rights requests (right to know, delete, correct, opt-out of sale/sharing, limit use of Sensitive Personal Information).
8.3 JetSetGo will notify the Operator within 5 business days if it determines it can no longer meet its obligations under the CCPA or CPRA.
8.4 The Operator may take reasonable and appropriate steps to ensure that JetSetGo uses Personal Information consistent with the Operator's CCPA/CPRA obligations, including the audit mechanism in Section 13.
8.5 JetSetGo certifies that it understands the prohibitions in this Section 8 and will comply with them.
9. International transfers — EU SCCs and UK IDTA Addendum
9.1 Where Personal Data of Data Subjects in the EU, EEA, Switzerland, or the United Kingdom is transferred to JetSetGo in Australia, the following safeguards apply.
9.2 EU 2021 Standard Contractual Clauses (Module 2 — Controller to Processor) are incorporated into this Schedule by reference, with the following pre-completed elections:
(a) Clause 7 (Docking clause): not applicable for the initial parties; available to future joiners.
(b) Clause 9(a) (Sub-processor authorisation): Option 2 (general written authorisation) — 30 days' notice as set out in Section 5.
(c) Clause 11(a) (Independent dispute resolution): the optional language is not included.
(d) Clause 17 (Governing law): the law of the Republic of Ireland.
(e) Clause 18(b) (Choice of forum): the courts of Ireland.
(f) Annexes I, II, and III: completed below.
9.3 UK International Data Transfer Addendum is incorporated into this Schedule by reference where Personal Data of Data Subjects in the United Kingdom is transferred to JetSetGo in Australia. The Addendum applies on top of the EU SCCs in Section 9.2 with the following pre-completed tables:
(a) Table 1 — Parties: as identified in Annex I below.
(b) Table 2 — Selected SCCs, Modules and Clauses: Module 2 (Controller-to-Processor), with the elections in Section 9.2.
(c) Table 3 — Appendix Information: as in Annexes I, II, and III below.
(d) Table 4 — Ending this Addendum when the Approved Addendum Changes: neither party.
9.4 Transfer Impact Assessment. JetSetGo has conducted and maintains a Transfer Impact Assessment evaluating the legal framework in Australia and the practical effect on the protection of EU/UK Personal Data. The TIA is available to Operators on request, subject to confidentiality.
9.5 POPIA cross-border transfers from South Africa to Australia are governed by this Schedule as the "binding agreement" under section 72(1)(a) of POPIA.
9.6 Quebec Law 25 cross-border assessment. The Quebec Operator-Controller is responsible for its own Law 25 cross-border transfer assessment. JetSetGo provides as input: its technical and organisational measures (Annex II), the description of the legal framework in Australia (available on request), and this Schedule.
Annex I — Description of the transfer
A. List of Parties
| Role | Party | Address | Contact |
|---|---|---|---|
| Data Exporter (Controller) | The Operator | As stated in the Operator's account record | The Operator's privacy contact as stated in its own privacy notice |
| Data Importer (Processor) | JetSetGo LLC (a New Mexico limited liability company) | New Mexico, United States | privacy@jetsetgo.world |
B. Description of the transfer
- Categories of data subjects: Travellers (the Operator's end-customers) and persons included in a booking made by a Traveller.
- Categories of personal data: identifiers (name, email, phone); booking and transaction details; optional traveller attributes (accessibility, dietary, special requests); identification documents where the Operator's product requires them; payment proxies (no full card numbers held by JetSetGo); communications history.
- Sensitive data: where collected by the Operator's product — passport/ID details; accessibility/health-related fields; biometric data on a small set of products. Handled per Section 6.
- Frequency of transfer: continuous, for the duration of the Services.
- Nature of processing: hosting, processing, transmission, display, backup, aggregation.
- Purpose of the transfer and further processing: provision of the Services to the Operator, as described in this Schedule and the Master Services Agreement.
- Retention period: as set out in Section 8 of the body of the Privacy Policy and Section 11 of this Schedule.
- Sub-processors: as published at jetsetgo.world/sub-processors and reproduced in Section 5 of the body of the Privacy Policy; categories and locations identified there.
C. Competent Supervisory Authority
The competent Supervisory Authority is determined by the Data Exporter's place of main establishment in accordance with GDPR Article 4(23). Where Article 4(23) does not identify a single Supervisory Authority, the Irish Data Protection Commission acts as the supervising authority for the purposes of the EU SCCs in this Schedule.
For UK transfers, the competent authority is the Information Commissioner's Office (ICO).
Annex II — Technical and organisational measures
JetSetGo applies the following measures to ensure the security of Personal Data:
- Encryption in transit — TLS 1.2 or higher on all public endpoints.
- Encryption at rest — for production databases, backups, and object storage (AES-256 or equivalent).
- Access control — role-based access with least-privilege defaults; multi-factor authentication for production access; quarterly access reviews.
- Logging and monitoring — audit logging of access to Personal Data retained for 12 months; security event monitoring.
- Network security — firewall and intrusion-detection controls within AWS; DDoS protection via Cloudflare.
- Personnel — confidentiality obligations; security and privacy training at onboarding and annually; background checks where appropriate; immediate revocation of access on departure.
- Sub-processor management — due diligence at onboarding and annually; contractual flow-down of obligations.
- Vulnerability management — periodic penetration testing; continuous dependency scanning; patch management.
- Incident response — documented procedure with 24-hour notification SLA to Operators; quarterly review of process.
- Resilience and backup — daily backups; cross-region disaster-recovery copy in AWS Singapore; recovery time and recovery point objectives documented internally and available on request to Operators under NDA.
- Data minimisation — platform design choices that collect only the information needed for the booking; configurable retention windows at the Operator level.
- Pseudonymisation and anonymisation — for aggregated analytics use, k-anonymity ≥10 standard with re-identification risk assessment.
- Physical security — handled by AWS and Oracle Cloud Infrastructure for the underlying infrastructure (each operates under SOC 2 / ISO 27001 / equivalent frameworks); no JetSetGo-operated physical data centres.
JetSetGo aligns its controls with the SOC 2 and ISO 27001 frameworks. Formal certification is on the roadmap; JetSetGo does not currently claim either certification.
Annex III — List of Sub-processors
The list is published and maintained at jetsetgo.world/sub-processors and reproduced in Section 5 of the body of the Privacy Policy. Operators are notified of changes per Section 5 of this Schedule.
10. Breach notification
10.1 24-hour SLA. JetSetGo will notify the Operator without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach affecting the Operator's Personal Data.
10.2 Content of notification. The notification will include, to the extent known:
(a) the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) the likely consequences of the breach;
(c) the measures taken or proposed to address the breach and mitigate its possible adverse effects;
(d) the name and contact details of JetSetGo's incident-response lead.
Where some of this information is not yet known, JetSetGo will provide it in subsequent updates without undue delay as it becomes available.
10.3 Joint allocation:
(a) Platform-caused breach affecting multiple Operators — JetSetGo leads regulator notification where it is the holder; coordinates with affected Operators on individual notifications.
(b) Operator-caused breach (admin error, weak credentials, staff misuse on the Operator side) — the Operator leads; JetSetGo provides forensics, evidence and assistance; JetSetGo parallel-notifies its own regulators where required as the holder.
(c) Operator Account Data only (no Traveller Personal Data) — JetSetGo notifies and leads.
10.4 Cost. JetSetGo bears the cost of notification for platform-caused breaches. The Operator bears the cost of notification for Operator-caused breaches.
10.5 Cooperation. JetSetGo will cooperate with the Operator's regulator notifications (GDPR 72-hour clock to a Supervisory Authority; OAIC NDB scheme; ICO; CAI; OPCC; NZ Privacy Commissioner; SA Information Regulator) and provide technical information as needed.
11. Return and deletion
11.1 During the term — the Operator can self-serve a full export of its Personal Data 24/7 via the admin console, in CSV per table and a JSON schema document. SQL dump is available on request within 14 days. No fee.
11.2 On termination:
(a) 90-day wind-down period. The 90-day post-termination period is the wind-down period described in the Master Services Agreement. During that period, in addition to read-only export via the admin console and API, the Operator may continue to fulfil in-flight bookings, use the POS and check-in apps, and process refunds on pre-termination bookings, all on the same fee terms.
(b) 30-day production deletion. After the 90-day window closes, JetSetGo deletes Personal Data from production systems within 30 days.
(c) Backup aging. Personal Data may persist in encrypted, immutable backups for up to 12 months from the production deletion date, after which it is aged out. JetSetGo does not access backups other than for the limited disaster-recovery and legal-hold purposes set out in this Schedule.
(d) Deletion certificate. JetSetGo provides a written deletion certificate on request after the production-deletion step is complete.
11.3 Legal hold. JetSetGo may retain Personal Data for longer where required by law (tax, regulatory, litigation), in which case it will limit the retention to what is required and continue to apply the security measures in Annex II.
11.4 No ransom. JetSetGo will not withhold export pending payment of arrears. Outstanding invoices are pursued separately.
12. Operator obligations
12.1 The Operator warrants that it has a lawful basis for the collection and use of Traveller Personal Data through the Services, and that it has provided Travellers with a privacy notice that meets the requirements of Applicable Data Protection Law in each jurisdiction it operates in. The Operator's privacy notice must disclose that JetSetGo acts as a sub-processor / service provider / operator (POPIA) for the Operator.
12.2 The Operator is responsible for honouring Traveller rights requests within the time-frames required by Applicable Data Protection Law, with JetSetGo's assistance under Section 7.
12.3 The Operator will not use the Services to process Personal Data in breach of Applicable Data Protection Law, the Acceptable Use clauses of the Master Services Agreement, or the prohibitions in Section 9 of the body of the Privacy Policy. The Operator acknowledges that the Privacy Act 1988 (Cth) statutory tort of serious invasions of privacy (introduced by the Privacy and Other Legislation Amendment Act 2024) is a separate cause of action available to individuals, and that the Operator's indemnity to JetSetGo under the Master Services Agreement covers third-party claims arising from the Operator's unlawful use of the Services.
12.4 The Operator will obtain any required consent for children's data collected through the Services and comply with COPPA, GDPR Article 8, Quebec Law 25 children provisions, POPIA section 34, and analogous laws.
12.5 Breach of any of the Operator obligations in this Section 12 triggers the indemnity in the Master Services Agreement.
13. Audits
13.1 Information and documentation. JetSetGo will, on the Operator's reasonable request, make available information reasonably necessary to demonstrate compliance with this Schedule.
13.2 Third-party reports. Where available, JetSetGo will provide third-party audit reports (SOC 2 Type II when achieved; ISO 27001 certificate when achieved) under confidentiality.
13.3 Questionnaire response. JetSetGo will respond to a reasonable security / privacy questionnaire from the Operator.
13.4 Remote audit. The Operator may conduct a remote audit at its own cost, once per calendar year, with at least 30 days' written notice, of reasonable scope and duration, subject to written confidentiality obligations and no on-site access to JetSetGo's premises or sub-processor facilities. The Operator and JetSetGo will agree on a mutually convenient time and on the auditor (who must not be a competitor of JetSetGo).
13.5 Suspected-breach audit. Where there is a documented, reasonable suspicion that JetSetGo has materially breached this Schedule and the suspicion relates to a breach affecting the Operator's Personal Data, the audit may be conducted with shorter notice and at JetSetGo's cost, with scope agreed between the parties.
13.6 Regulator audits. Where a Supervisory Authority requires an audit of JetSetGo's processing of the Operator's Personal Data, JetSetGo will cooperate and the cost allocation will follow the regulator's determination.
14. Liability
14.1 The liability cap and carve-outs in the Master Services Agreement apply to claims arising under this Schedule, including claims arising under the EU SCCs and UK Addendum, to the maximum extent permitted by Applicable Data Protection Law.
14.2 Where Applicable Data Protection Law or the EU SCCs provide that the parties cannot limit their liability to Data Subjects, this Schedule does not purport to do so. Statutory penalties imposed by a regulator on either party are not subject to the inter-party liability cap.
15. Order of precedence
Where there is a conflict between documents, the order of precedence is:
- The EU SCCs and UK Addendum (incorporated under Section 9), to the extent of any conflict and subject to applicable law.
- This Schedule.
- The body of the Privacy Policy.
- The Master Services Agreement signed by the Operator and JetSetGo.
16. Governing law of this Schedule
This Schedule is governed by the law of the State of New Mexico, United States of America, with non-exclusive jurisdiction in the state and federal courts located in New Mexico. The exception is the EU Standard Contractual Clauses (Section 9): per Clause 17 of the SCCs, those Clauses themselves are governed by the law of the Republic of Ireland for the purposes of data-subject claims under them. The UK IDTA Addendum is governed by the law of England and Wales for the equivalent purposes. These are the standard SCC and UK IDTA elections.
End of Schedule 1.
End of Privacy Policy.
