Privacy Policy

We collect the following types of information:

• Account information: name, email address, phone number, and password (stored as a secure hash).
• Booking and order data: client names, travel details, package selections, payment records, and order history.
• Usage data: login timestamps, IP addresses (for security and brute-force protection), and session activity.
• Uploaded files: images uploaded for packages, categories, tenant branding, and outreach campaigns. These are stored in our MinIO object storage.
• Gmail OAuth tokens: if you choose to connect a Gmail account for outreach, we store OAuth2 access and refresh tokens. We never store your Gmail password.

• To provide, operate, and maintain the TMS platform.
• To authenticate users and protect accounts from unauthorised access.
• To send outreach emails on your behalf when you use the Outreach module.
• To generate PDF vouchers, calendar invites, and booking confirmations.
• To enforce role-based access control within your organisation.
• To detect and prevent fraud, abuse, or security threats.

If you connect your Gmail account via Google OAuth2, TMS requests the https://mail.google.com/ scope solely to send outreach emails on your behalf. We:

• Store only OAuth2 tokens (not your Gmail password).
• Use your tokens exclusively to send emails you explicitly trigger.
• Do not read, index, or store the contents of your Gmail inbox.
• Allow you to disconnect Gmail at any time from the Settings page, which immediately deletes your stored tokens.

TMS’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

All data is stored on servers under our control. We use industry-standard measures to protect your data:

• Passwords are hashed using bcrypt and never stored in plain text.
• Sessions are managed via encrypted JWT tokens.
• Failed login attempts are tracked and accounts are temporarily locked after repeated failures.
• File uploads are served over HTTPS from our MinIO storage.
• Database access is restricted to the application server only.

We do not sell, trade, or rent your personal information to third parties. We may share information only:

• With service providers necessary to operate TMS (e.g. Google OAuth2 for Gmail integration, SMTP servers for email delivery).
• If required by law, court order, or to protect the rights and safety of our users.

TMS uses a session cookie to keep you authenticated across page visits. This cookie is:

• HTTP-only and secure — it cannot be accessed by JavaScript.
• Deleted when you log out.
• Not used for advertising or cross-site tracking.

We retain your data for as long as your account is active. If your account expires or is deactivated, your data may be retained for a reasonable period for audit and compliance purposes before deletion. You may request deletion of your data by contacting us.

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your account and associated data.
• Disconnect third-party integrations (e.g. Gmail) at any time.

To exercise these rights, contact us at hasan.e7san@gmail.com.

TMS is a business tool not intended for use by individuals under 18 years of age. We do not knowingly collect data from minors.

We may update this Privacy Policy from time to time. We will notify users of significant changes by updating the “Last updated” date at the top of this page. Continued use of TMS after changes constitutes acceptance of the revised policy.

If you have any questions about this Privacy Policy, please contact: