GDPR Compliance
How BECKO - TRAVEL OS LTD meets its obligations under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR · Last updated: May 20, 2026
Disclaimer
This page summarises how Becko approaches the EU and UK GDPR. It is provided for transparency and general information only, reflects our interpretation of the legislation as of the date above, and does not constitute legal advice. GDPR is highly fact-specific; you should consult qualified counsel to determine how it applies to your organisation, your travellers and your specific use of the Becko platform. BECKO - TRAVEL OS LTD makes no warranties, express or implied, regarding the information on this page.
1. What is the GDPR?
The GDPR is the European Union's data protection framework, applicable since 25 May 2018, and is mirrored in the United Kingdom by the UK GDPR and the Data Protection Act 2018. It gives individuals in the EU/EEA and the UK enforceable rights over their personal data, and places binding obligations on the organisations that collect, store, share or otherwise process it.
Becko is a travel CRM and operations platform. Our clients — tour operators, travel agencies, DMCs and travel brands — use Becko to manage leads, customers, bookings, payments, suppliers and messaging. Much of that data relates to identifiable travellers and prospects, which means GDPR is central to how we build, operate and secure the product.
2. How Becko complies — at a glance
- A GDPR-aligned Data Processing Addendum available to every client.
- Public sub-processor list with notice of material changes.
- EU Standard Contractual Clauses (2021) and the UK IDTA in place for international transfers.
- Encryption in transit (TLS 1.2+) and at rest, with managed key rotation.
- Row-Level Security and application-layer brand isolation across the multi-tenant database.
- Mandatory MFA for administrative access and least-privilege internal roles.
- Automatic PII redaction (names, emails, phone numbers, payment data) before any AI model call.
- Comprehensive audit and activity logs covering authentication, data exports and admin actions.
- Documented incident response with a target controller-notification window of 72 hours.
- Self-serve data deletion and export flows for data subjects.
3. Controller, Processor and Sub-processor – Becko's role
For personal data that our clients upload, capture or generate through the platform (leads, customers, travellers, passengers, conversations, bookings, supplier contacts), the client is the Data Controller and Becko acts as Data Processor. We process that data only on documented instructions from the client, as set out in our DPA.
For data we determine the purposes and means of — such as account, billing and subscription information, security telemetry, service logs and product analytics about how the platform itself is used — Becko acts as an independent Data Controller.
We engage a small number of carefully vetted sub-processors (for example cloud infrastructure, transactional email, AI providers and messaging APIs). All sub-processors are bound by written agreements that impose data protection obligations equivalent to those we accept under the DPA.
4. Lawful bases relevant to a travel CRM
The lawful bases most commonly relied on when Becko is used in a travel context are:
- Contract — to quote, book and deliver travel services a traveller has requested.
- Legitimate interests — for fraud prevention, service security, internal analytics and limited B2B follow-up, balanced against the rights of the individual.
- Consent — for marketing emails, WhatsApp and Messenger broadcasts, non-essential cookies, and any optional profiling.
- Legal obligation — for tax, anti-money-laundering, accounting and travel-industry regulatory record keeping.
The client (Controller) is responsible for selecting and documenting the appropriate lawful basis for each processing activity carried out through Becko.
5. Data subject rights and how to exercise them
Individuals whose data is processed through Becko have the right to:
- Access the personal data held about them.
- Have inaccurate or incomplete data corrected.
- Have their data deleted (the "right to be forgotten") subject to legal retention requirements.
- Restrict or object to certain processing, including direct marketing.
- Receive their data in a portable, machine-readable format (JSON/CSV).
- Not be subject to solely automated decisions producing legal or similarly significant effects.
- Withdraw consent at any time where consent is the lawful basis.
- Lodge a complaint with a supervisory authority (in the UK, the ICO).
Requests can be made through /data-deletion, /do-not-sell, or by emailing privacy@becko.app. Where Becko is the Processor, we will forward the request to the relevant client without undue delay and assist them in responding. We aim to action verified requests within one month, extendable by two further months where Article 12(3) permits it, taking into account the complexity and number of requests.
6. International data transfers
Becko is headquartered in the United Kingdom. Some sub-processors host or process data outside the UK and EEA, including the United States. Where transfers occur, we rely on a recognised transfer mechanism, typically the European Commission's 2021 Standard Contractual Clauses and, for transfers from the UK, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, supplemented by additional technical and organisational measures (encryption, access controls, transfer impact assessments) as appropriate. The current list of sub-processors and the regions in which they operate is published at /subprocessors.
7. Security measures (Article 32)
We implement and maintain layered safeguards proportionate to the risk of the processing, including:
- TLS 1.2+ for all data in transit; encryption at rest for databases, backups and object storage.
- PostgreSQL Row-Level Security plus application-layer brand_id isolation between tenants.
- Mandatory MFA for administrative consoles and rotating secrets for service-to-service calls.
- Role-based access control, granular menu permissions and least-privilege internal access reviews.
- Centralised audit logs covering logins, exports, role changes and sensitive admin actions.
- Daily encrypted backups with documented restore procedures and disaster-recovery objectives.
- Vulnerability management and a public responsible disclosure programme.
8. AI and automated processing
Becko uses AI models (currently OpenAI's GPT family and Google Gemini, via the Lovable AI Gateway for some surfaces) to power features such as content generation, Becko Studio creative tools, travel-card enrichment and assistive replies. Before any prompt is sent to an external model, Becko automatically redacts personally identifiable information — including names, email addresses, phone numbers and payment card details. We do not allow our AI sub-processors to use customer content to train their public foundation models. Materially impactful decisions — pricing, booking confirmation, refunds, supplier commitments — always require human review. See the AI Usage Policy for the full position.
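The redaction step described above is easier to reason about with a concrete pipeline in front of you. The following is an added example written for this page, not Becko's own code: it replaces card numbers, email addresses, phone numbers and the names held on the CRM record with stable placeholders before a prompt leaves the platform, and maps those placeholders back into the model's reply locally. The placeholder format, the regexes, the `Redactor` class and the sample prompt are all assumptions constructed for the example. Two caveats a practitioner should keep in mind: pattern-based redaction over-matches long numeric references and cannot find names it has not been told about, so it complements the contractual no-training terms rather than replacing them; and a card number, once redacted, is deliberately never restored.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for this example; tune them to the data your tenants actually hold.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits with optional single spaces/dashes between them; starts and ends on a digit.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Loose international phone shape: optional "+", then 9+ chars of digits/spaces/punctuation.
# It will also catch long numeric references; over-redaction is the safer failure mode.
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{7,}\d(?!\w)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so booking references and phone numbers are not tagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Redactor:
    """Replaces PII with stable placeholders and remembers how to undo it locally."""
    known_names: list[str]                                   # names from the CRM record in scope
    tokens: dict[str, str] = field(default_factory=dict)     # "KIND:canonical" -> placeholder
    originals: dict[str, str] = field(default_factory=dict)  # placeholder -> original text

    def _token(self, kind: str, canonical: str, original: str) -> str:
        # Same canonical value -> same placeholder, so the model sees consistent references.
        key = f"{kind}:{canonical}"
        if key not in self.tokens:
            n = sum(1 for k in self.tokens if k.startswith(kind + ":")) + 1
            self.tokens[key] = f"[{kind}_{n}]"
            if kind != "CARD":  # never keep a PAN around for re-insertion
                self.originals[self.tokens[key]] = original
        return self.tokens[key]

    def redact(self, text: str) -> str:
        # Cards first: a PAN also matches the phone pattern, and must never reach the model.
        def card(m: re.Match) -> str:
            digits = re.sub(r"\D", "", m.group(0))
            return self._token("CARD", digits, m.group(0)) if luhn_ok(digits) else m.group(0)

        text = CARD_RE.sub(card, text)
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0).lower(), m.group(0)), text)
        text = PHONE_RE.sub(
            lambda m: self._token("PHONE", re.sub(r"\D", "", m.group(0)), m.group(0)), text
        )
        # Regexes cannot find arbitrary names, so use the record's own fields. Longest first,
        # so "Maria Lopez" is replaced before a bare "Maria" could split it.
        for name in sorted(self.known_names, key=len, reverse=True):
            pattern = re.compile(rf"\b{re.escape(name)}\b", re.IGNORECASE)
            text = pattern.sub(lambda m, n=name: self._token("NAME", n.lower(), m.group(0)), text)
        return text

    def rehydrate(self, model_output: str) -> str:
        """Put real values back into the model's reply before it is shown inside the platform."""
        for token, original in self.originals.items():
            model_output = model_output.replace(token, original)
        return model_output


# Constructed sample prompt (not real customer data).
CONSTRUCTED_PROMPT = (
    "Hi Maria Lopez, your booking BK-20260518 is confirmed. Contact maria.lopez@example.com "
    "or +44 7700 900123. Card 4111 1111 1111 1111 was charged; reply to Maria.Lopez@example.com."
)


def demo() -> tuple[str, str]:
    """Redact the sample prompt, then rehydrate a constructed model reply."""
    r = Redactor(known_names=["Maria Lopez"])
    safe = r.redact(CONSTRUCTED_PROMPT)
    reply = r.rehydrate(
        "Thanks [NAME_1], we have emailed [EMAIL_1] and will call [PHONE_1]. Card [CARD_1] is settled."
    )
    return safe, reply


if __name__ == "__main__":
    safe, reply = demo()
    print(safe)
    print(reply)
```

Run stand-alone, `demo()` shows the booking reference surviving (too short for either the card or the phone pattern), both spellings of the email collapsing to one placeholder, and the card placeholder remaining a placeholder in the rehydrated reply.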
9. Messaging, marketing and ePrivacy
Messaging features (email, WhatsApp Cloud API, Messenger, Instagram, SMS) are powerful and tightly regulated. Clients are responsible for obtaining and recording valid consent before sending marketing communications, complying with the WhatsApp Business and Meta platform policies, and honouring opt-out requests immediately. Becko enforces automatic STOP/opt-out handling on supported channels and blocks further outbound messages to opted-out recipients. Detailed rules are set out in the Acceptable Use Policy.
10. Personal data breach notification
If Becko becomes aware of a personal data breach affecting client data, we will notify the impacted client(s) without undue delay (Article 33(2)) and, where feasible, within 72 hours of becoming aware of it. Our notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate possible adverse effects (Article 33(3)). A Controller's own 72-hour deadline to notify its supervisory authority (Article 33(1)) runs from when the Controller becomes aware, so prompt notice from Becko is part of what allows clients to meet it.
11. Records of processing (Article 30)
Becko maintains an internal record of the processing activities carried out on behalf of clients, including categories of data, purposes, sub-processors and applicable transfer mechanisms. A summary relevant to a specific client engagement can be requested by Controllers at privacy@becko.app under the DPA.
12. Children's data
The Becko platform is a B2B tool not directed at children. Where bookings involve travellers under the age of 16 (the Article 8 threshold, which the UK sets at 13), the client (Controller) is responsible for ensuring that any required parental or guardian consent has been obtained before personal data is entered into Becko.
13. Your responsibilities as a Becko client
When you use Becko as a Data Controller you are responsible for:
- Identifying and documenting a lawful basis for each processing activity.
- Providing a transparent privacy notice to your travellers, leads and contacts.
- Collecting and recording valid consent for marketing and non-essential cookies.
- Configuring user roles, brand isolation and menu permissions inside Becko to enforce least-privilege.
- Responding to data subject requests within statutory timeframes and instructing Becko where assistance is required.
- Ensuring that any third-party tools you integrate with (CRMs, supplier APIs, automation tools) are themselves GDPR-compliant.
14. Common questions
Does GDPR require my data to be stored inside the EU?
No. GDPR does not mandate EU-only hosting. It requires that any transfer outside the EEA/UK is protected by an approved mechanism such as Standard Contractual Clauses or the UK IDTA, together with appropriate supplementary measures.
Does GDPR apply to me if I'm based outside the EU?
It can. GDPR applies whenever you process personal data of individuals located in the EU or UK in connection with offering them goods or services or monitoring their behaviour, regardless of where your business is located.
What happens to my data if I close my Becko account?
On termination, customer personal data is deleted or anonymised in accordance with the timelines set out in our DPA and Privacy Policy, except where retention is required by law (for example accounting and tax records).
How do third-party travel integrations (Brightsun, Ratehawk, Meta, payment gateways) fit in?
These integrations are sub-processors when Becko routes data to them on your instruction, and independent controllers when you connect to them directly. Either way, you remain responsible for ensuring the integration is appropriate for the personal data involved.
How do I delete a specific traveller or contact?
Use the deletion controls within the relevant customer, lead, contact or conversation record. Any data also passed to third parties (suppliers, payment providers, marketing tools) must be deleted with those providers directly.
Will Becko sign a custom DPA?
Our standard DPA at /data-processing-addendum is designed to satisfy Article 28 requirements. Enterprise clients with specific requirements can contact legal@becko.app.
15. Resources and contact
Related Becko policies:
- Privacy Policy
- Data Processing Addendum
- Sub-processors
- Acceptable Use Policy
- AI Usage Policy
- Cookie Policy
- Security Vulnerability Disclosure
Data protection enquiries: privacy@becko.app
Controller: BECKO - TRAVEL OS LTD, United Kingdom.