Privacy Policy

Tour Matrix AI Pte. Ltd.

Compliant with the Singapore Personal Data Protection Act 2012

Last Updated: April 2026

1. Introduction

1.1 Tour Matrix AI Pte. Ltd. ("Tour Matrix AI", "we", "us", or "our") is committed to protecting the privacy and Personal Data of all individuals who interact with our platform, including registered travel agencies ("Travel Agencies"), destination management companies ("Destination Management Companies"), and end travellers ("Travellers" or "you").

1.2 This Privacy Policy explains how we collect, use, disclose, and protect your Personal Data when you access or use our B2B online platform ("Platform"), including our website, mobile applications, APIs, and related services. This Policy is issued in compliance with the Singapore Personal Data Protection Act 2012 (No. 26 of 2012) ("PDPA") and all subsidiary legislation issued thereunder.

1.3 By registering for an account, accessing, or using the Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your Personal Data as described herein. If you do not agree with this Policy, you must discontinue use of the Platform immediately.

1.4 This Privacy Policy should be read in conjunction with our Platform Terms of Use and any applicable Platform Service Agreement or Destination Operator Agreement. In the event of any inconsistency, the terms of this Privacy Policy shall prevail to the extent of the inconsistency.

2. Definitions

In this Privacy Policy, the following terms shall have the meanings set out below:

• "Business Contact Information" means an individual's name, position name or title, business telephone number, business address, business email address, or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;
• "Data Protection Officer" or "DPO" means the individual appointed by Tour Matrix AI to oversee data protection responsibilities and ensure compliance with the PDPA;
• "Data Intermediary" has the meaning ascribed to it under the PDPA — an organisation that processes Personal Data on behalf of another organisation;
• "Organisation" means any company, body corporate, unincorporated association, or other body of persons, as defined in the PDPA;
• "Personal Data" means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access, as defined in the PDPA;
• "Platform User" means any individual or organisation that registers for and uses the Platform, including Travel Agencies and Destination Management Companies;
• "Processing" means any operation or set of operations which is performed on Personal Data, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, combination, blocking, erasure, or destruction;
• "Traveller Data" means Personal Data of end travellers collected by Travel Agencies and transmitted through the Platform to Destination Management Companies for the purpose of making travel bookings and reservations.

3. Personal Data We Collect

3.1 Platform User Data

When you register for and use the Platform as a Travel Agency or Destination Operator, we may collect the following categories of Personal Data:

• Identity Data: Name, nationality, identification number, passport number, date of birth, and photograph;
• Contact Data: Business address, email address, telephone number, and fax number;
• Account Data: Username, password, account preferences, and login history;
• Corporate Data: Company name, UEN/business registration number, travel licence number, and corporate bank account details;
• Transaction Data: Booking records, payment history, settlement details, and Token purchase records;
• Communications Data: Records of your correspondence with us, including customer support enquiries, complaints, and feedback;
• Technical Data: IP address, browser type and version, device information, operating system, and platform usage data collected through cookies and similar technologies.

3.2 Traveller Data

When Travel Agencies book travel products through the Platform, they may upload Traveller Data required for making reservations. Such Traveller Data may include:

• Full name (as appearing on passport or official travel document);
• Passport number, nationality, and date of birth;
• Gender and dietary or accessibility requirements;
• Emergency contact information;
• Travel insurance details; and
• Such other information as may be required by relevant service providers (e.g., airlines, railway operators, hotels, or attraction operators).

3.3 Data Not Collected

We do not intentionally collect Sensitive Personal Data (as defined in the PDPA), including data about an individual's racial or ethnic origin, political opinions, religious beliefs, health conditions, genetic or biometric data, or criminal records, unless such collection is necessary for the provision of travel services and explicit consent has been obtained. Where health-related information is provided (e.g., dietary restrictions, mobility requirements), it is processed solely for the purpose of accommodating the traveller's needs.

4. How We Collect Personal Data

4.1 Direct Collection

We collect Personal Data directly from you when you:

• Register for a Platform account;
• Complete your company and user profile;
• Make a booking or transaction through the Platform;
• Purchase AI Tokens or other services;
• Contact our customer support; or
• Respond to surveys, promotions, or other communications.

4.2 Indirect Collection

We may collect Personal Data indirectly from:

• Travel Agencies, who provide Traveller Data for booking purposes;
• Destination Management Companies, who may provide traveller feedback or incident reports;
• Third-party service providers who assist in identity verification, payment processing, or fraud prevention; and
• Publicly available sources, such as corporate registries and regulatory databases, for verification purposes.

4.3 Collection through Automated Means

We collect Technical Data automatically when you interact with the Platform through cookies, web beacons, server logs, and similar technologies. For more information, please see Section 12 (Cookies and Similar Technologies).

5. Purposes of Collection, Use and Disclosure

5.1 Primary Purposes

We collect, use, and disclose Personal Data for the following purposes:

• To register and manage your Platform account;
• To facilitate bookings, transactions, and settlements between Travel Agencies and Destination Management Companies;
• To process payments, including collection of platform service fees and AI Token purchases;
• To transmit Traveller Data to Destination Management Companies for the purpose of making travel reservations (hotels, transport, attractions, etc.);
• To provide customer support and respond to enquiries, complaints, or disputes;
• To send administrative notifications, including account updates, security alerts, and policy changes; and
• To comply with applicable laws, regulations, and regulatory requirements.

5.2 Secondary Purposes

Where permitted under the PDPA, we may also use Personal Data for the following purposes:

• To improve the Platform, develop new features, and enhance user experience;
• To train and optimise our AI-powered itinerary planning tools and recommendation algorithms;
• To conduct data analytics, market research, and trend analysis;
• To send marketing communications, newsletters, and promotional offers (subject to your consent, which you may withdraw at any time);
• To monitor and enforce compliance with our Terms of Use and other policies; and
• To prevent fraud, investigate security incidents, and protect the integrity of the Platform.

5.3 Deemed Consent

In certain circumstances, your consent is deemed to have been given under the PDPA, including where:

• The collection, use, or disclosure of Personal Data is necessary for the performance of a contract to which you are a party;
• You voluntarily provide Personal Data for a particular purpose, and it is reasonable in the circumstances to expect that such data would be collected, used, or disclosed for that purpose; or
• The collection, use, or disclosure is necessary for a legitimate interest that is not outweighed by any adverse effect on your interests, rights, or freedoms.

6. Disclosure to Third Parties

6.1 Categories of Recipients

We may disclose Personal Data to the following categories of recipients:

• Destination Management Companies: Traveller Data is disclosed to relevant Destination Management Companies for the sole purpose of fulfilling travel bookings and reservations;
• Travel Agencies: Booking confirmations, itinerary details, and status updates are shared with the booking Travel Agency;
• Service Providers: Third-party vendors who provide services on our behalf, including cloud hosting, payment processing, identity verification, email delivery, and customer support;
• Professional Advisers: Legal advisers, auditors, and insurers, where necessary for the protection of our rights or compliance with legal obligations; and
• Regulatory Authorities: Government agencies, law enforcement, or judicial bodies, where required or permitted by law.

6.2 Data Intermediary Arrangements

Tour Matrix AI acts as a Data Intermediary for the purposes of transmitting Traveller Data between Travel Agencies and Destination Management Companies. When acting as a Data Intermediary, we process Personal Data on behalf of and in accordance with the instructions of the Travel Agencies (as data controllers). We implement appropriate technical and organisational measures to protect such Personal Data and do not use it for our own purposes beyond what is necessary for transmission.

6.3 Sale of Personal Data

We do not sell, rent, or trade your Personal Data to third parties for their marketing purposes without your explicit consent.

7. Cross-Border Data Transfers

7.1 Transfer to China

As a B2B platform facilitating inbound travel to China, Traveller Data may be transferred to Destination Management Companies located in the People's Republic of China for the purpose of making travel bookings and reservations. Such transfers are necessary for the performance of our services and are carried out in accordance with the requirements of the PDPA.

7.2 Safeguards

We implement the following safeguards to protect Personal Data transferred across borders:

• We enter into data processing agreements with Destination Management Companies requiring them to implement data protection measures comparable to those required under the PDPA;
• Personal Data is transmitted through encrypted channels using industry-standard security protocols;
• We limit the categories of Personal Data transferred to what is strictly necessary for booking purposes; and
• We monitor compliance by Destination Management Companies and reserve the right to suspend data transfers to non-compliant operators.

7.3 Transfer to Other Jurisdictions

Personal Data may also be transferred to and stored in Singapore and other jurisdictions where our service providers maintain facilities. We ensure that such transfers are conducted in compliance with the PDPA and that adequate protection standards are maintained.

8. Data Security

8.1 Security Measures

Tour Matrix AI implements reasonable and appropriate technical, administrative, and physical safeguards to protect Personal Data against unauthorised access, disclosure, alteration, or destruction. Such measures include:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256);
• Multi-factor authentication (MFA) for Platform account access;
• Role-based access controls limiting data access to authorised personnel;
• Regular security audits, vulnerability assessments, and penetration testing;
• Secure data centre infrastructure with redundancy and disaster recovery capabilities; and
• Employee training on data protection policies and procedures.

8.2 Data Breach Notification

In the event of a data breach involving your Personal Data, we will:

• Assess the severity of the breach and take immediate steps to contain and mitigate its impact;
• Notify the Personal Data Protection Commission (PDPC) of Singapore as required under the PDPA, where the breach results in, or is likely to result in, significant harm to affected individuals or is of a significant scale;
• Notify affected individuals without undue delay if the breach is likely to result in significant harm to them; and
• Document the breach and our response for accountability and regulatory purposes.

9. Data Retention

9.1 Retention Periods

We retain Personal Data for as long as necessary to fulfil the purposes for which it was collected, or as required or permitted by Applicable Law. Specifically:

• Account Data: Retained for the duration of your account registration and for a period of 2 years after account closure;
• Transaction Data: Retained for 7 years in accordance with tax and accounting requirements;
• Traveller Data: Retained for 90 days after the completion of the relevant travel itinerary, unless a longer retention period is required for dispute resolution, legal proceedings, or regulatory compliance;
• Technical Data and Log Files: Retained for 1 year, unless required for security investigations; and
• Marketing Data: Retained until you withdraw your consent or unsubscribe.

9.2 Destruction

When Personal Data is no longer required, we will securely delete, anonymise, or destroy it in a manner that prevents unauthorised reconstruction or retrieval. Anonymised data that cannot be associated with any individual may be retained indefinitely for analytical and statistical purposes.

10. Your Rights Under the PDPA

10.1 Access and Correction

You have the right to:

• Request access to your Personal Data that is in our possession or under our control;
• Request correction of any inaccurate, incomplete, misleading, or not up-to-date Personal Data; and
• Obtain information about how your Personal Data has been or may have been used or disclosed by us within the past year.

10.2 Withdrawal of Consent

You may withdraw your consent for the collection, use, or disclosure of your Personal Data at any time by giving us reasonable notice. Upon receipt of your withdrawal request, we will inform you of the likely consequences of such withdrawal, which may include the inability to continue providing you with access to the Platform or certain services.

10.3 Do-Not-Call (DNC) Registry

We do not send marketing messages to Singapore telephone numbers registered with the DNC Registry unless we have obtained your clear and unambiguous consent in writing or other recorded form. You may opt out of marketing communications at any time by clicking the "unsubscribe" link in our emails or contacting our DPO.

10.4 Exercising Your Rights

To exercise any of the rights set out in this Section, please contact our Data Protection Officer using the contact details provided in Section 14. We will respond to your request within 30 days of receipt. We may charge a reasonable fee for processing access requests, which we will notify you of before proceeding.

11. Children's Privacy

The Platform is a B2B marketplace intended for use by licensed travel businesses and is not directed at individuals under the age of 18. We do not knowingly collect Personal Data from children. If you believe that we have inadvertently collected Personal Data from a child, please contact us immediately and we will take steps to delete such information promptly.

12. Cookies and Similar Technologies

12.1 What We Use

We use cookies, web beacons, and similar tracking technologies to:

• Authenticate users and maintain session state;
• Remember user preferences and settings;
• Analyse Platform usage and performance;
• Detect and prevent fraud and security threats; and
• Deliver targeted content and advertisements (with your consent).

12.2 Types of Cookies

We use the following categories of cookies:

• Strictly Necessary Cookies: Essential for the operation of the Platform. These cannot be disabled;
• Functional Cookies: Enable enhanced functionality and personalisation;
• Analytics Cookies: Help us understand how users interact with the Platform; and
• Marketing Cookies: Used to deliver relevant advertisements (only placed with your consent).

12.3 Managing Cookies

You can manage your cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform.

13. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, or services that are not operated or controlled by Tour Matrix AI. This Privacy Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access through the Platform. Tour Matrix AI is not responsible for the privacy practices or content of third-party services.

14. Updates to This Privacy Policy

14.1 We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the functionality of the Platform. Material changes will be notified to you via:

• Email to the address associated with your account;
• A prominent notice on the Platform; or
• A notification within your account dashboard.

14.2 The "Last Updated" date at the top of this Policy indicates when it was last revised. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy.

15. Contact Us

15.1 Data Protection Officer

Tour Matrix has appointed a Data Protection Officer (DPO) to oversee compliance with the PDPA and address any data protection concerns. You may contact our DPO at:

• Email: dpo@tourmatrix.ai
• Address: 60 PAYA LEBAR ROAD, #06-28, PAYA LEBAR SQUARE, SINGAPORE 409051

15.2 Complaints

If you are not satisfied with our handling of your Personal Data or our response to your request, you have the right to lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at https://www.pdpc.gov.sg.