Privacy Policy

1. Who We Are

Vivley is operated by Odinkor Pty Ltd, registered in Australia. For the purposes of applicable data protection legislation (including the Australian Privacy Act 1988 (Cth) and the EU General Data Protection Regulation), Odinkor Pty Ltd is the data controller.

2. Information We Collect

We collect the following categories of personal information:

• Waitlist information — if you join our waitlist before creating an account, we collect your email address to send launch updates and any promotional offers. You can unsubscribe at any time via the link in any email we send.
• Account information — name, email address, password (hashed), profile address, profile preferences.
• Booking information — travel dates, lead guest and traveller details, child guest ages where required by accommodation suppliers, special requests, billing contact details, billing address, and payment card details (processed and stored by our payment processor; we do not store full card numbers).
• Conversation and search data — natural-language queries, search filters, saved properties, itineraries.
• Device and usage data — IP address, browser type, operating system, referral URLs, pages visited, session duration.
• Cookies and similar technologies — see our Cookie Policy for details.

3. How We Use Your Information

We process your information for the following purposes and lawful bases (under GDPR, where applicable):

• To provide the Service (contract performance) — process bookings, manage your account, deliver search results, and send required booking information to accommodation suppliers.
• To personalise your experience (legitimate interest) — tailor recommendations based on preferences and history.
• To communicate with you (contract / legitimate interest) — booking confirmations, service updates, support responses.
• To improve and develop (legitimate interest) — analyse usage patterns, fix bugs, develop new features.
• To process payments and protect against fraud (contract / legitimate interest) — provide billing name, billing address, email address, and phone number to our payment processor for payment authorisation, card verification, fraud prevention, receipts, dispute handling, and related security checks.
• To comply with legal obligations (legal obligation) — tax records, accounting records, fraud prevention, law enforcement requests.
• Marketing (consent) — promotional emails, only with your opt-in consent. You can unsubscribe at any time.

4. AI and Large Language Model (LLM) Data Disclosure

Vivley uses third-party AI providers to power our conversational search and recommendation features. When you interact with the AI assistant, the following data may be sent to these providers:

• Your natural-language search queries and messages within a conversation
• Contextual information such as travel dates, destinations, and preferences you have shared in the conversation
• Search results metadata used to generate recommendations

What is not sent: your name, email address, payment details, or any other directly identifying personal information is not transmitted to LLM providers.

We use AI observability tools to monitor AI quality and performance. Conversation data processed through these tools is stored securely and used solely for service improvement. Our AI providers process data in accordance with their respective privacy policies and data processing agreements. We do not permit AI providers to use your data for training their models.

5. Data Sharing

We share your information only with the following categories of third parties, and only to the extent necessary:

• Hotel suppliers — lead guest details, traveller names, child ages where required, special requests, stay dates, room/rate details, and booking identifiers needed to fulfil reservations.
• Payment processor (Stripe) — payment card details, billing name, billing address, email address, phone number, payment amount, currency, and booking/payment identifiers to process transactions securely, run fraud and card verification checks, issue receipts, support disputes, and meet payment compliance obligations. Stripe sets functional cookies during the payment flow for fraud prevention purposes (__stripe_mid and __stripe_sid).
• AI providers — conversation content as described in section 4.
• Analytics (Cloudflare Web Analytics and Real User Monitoring) — we use these services to measure site performance. No cookies are set and no personal data is collected.
• Error monitoring — technical error data that may include anonymised session information.
• Email delivery provider — email addresses to deliver booking confirmations, account notifications, and waitlist updates.
• Infrastructure providers — data hosting and delivery.

We do not sell, rent, or trade your personal data to any third party.

6. International Data Transfers

Your data may be transferred to and processed in countries outside Australia, including the United States (where our AI and payment providers operate). Where data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) for transfers from the EEA/UK, or reliance on the provider’s compliance with applicable data protection frameworks.

7. Data Retention

• Account data — retained while your account is active and for 30 days after deletion request, except where longer retention is required by law.
• Booking, billing, and payment records — retained for 7 years to comply with Australian tax, accounting, and consumer law obligations.
• Conversation history — retained while your account is active; deleted within 30 days of account deletion.
• Analytics data — anonymised and aggregated; retained indefinitely.
• Server logs — retained for up to 90 days for security and debugging purposes.

8. Your Rights

Depending on your location, you may have some or all of the following rights regarding your personal data:

Australian Privacy Principles (APPs)

• Access your personal information held by us
• Request correction of inaccurate or incomplete information
• Complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached

GDPR Rights (EU/EEA/UK residents)

• Right of access — obtain a copy of your data
• Right to rectification — correct inaccurate data
• Right to erasure — request deletion of your data (see our Data Deletion page)
• Right to restrict processing — limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format
• Right to object — object to processing based on legitimate interests
• Right to withdraw consent — where processing is based on consent, withdraw at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or sooner where required by law).

9. Children’s Privacy

The Service is intended for users aged 18 and over. Only adults may create accounts and make bookings. We may collect the ages of children included as guests in a booking, as this information is required by accommodation suppliers to determine availability and pricing. This data is used solely for booking fulfilment and is not used for marketing or profiling purposes. If you believe a child has independently provided us with personal information beyond what is necessary for a booking, please contact us and we will delete it promptly.

10. Cookies

We use cookies and similar technologies to maintain your session, remember preferences, and analyse usage patterns. For full details on the types of cookies we use, their purposes, and how to manage your preferences, see our Cookie Policy.

11. Data Security

We use industry-standard encryption (TLS in transit, encryption at rest), secure authentication, and access controls to protect your information. Access to personal data is restricted to authorised personnel on a need-to-know basis. We regularly review our security practices and conduct vulnerability assessments.

12. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will notify affected individuals and the relevant authorities (including the OAIC in Australia and supervisory authorities in the EU/UK where applicable) within 72 hours of becoming aware of the breach, in accordance with the Notifiable Data Breaches scheme and GDPR Article 33.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The “Effective” date at the top indicates the latest version. Material changes will be communicated via email or in-app notice.

14. Contact

For privacy-related inquiries, email [email protected] or visit our help page.