Privacy Policy

TADR Platform — Travel Agency Digital Resource

Effective Date: April 4, 2026  ·  Last Updated: April 4, 2026  ·  Version: 1.0

Contents 1. Who We Are 2. Data We Collect 3. How We Use Your Data 4. Legal Basis for Processing 5. Who We Share Data With 6. International Data Transfers 7. How Long We Keep Your Data 8. Your Privacy Rights 9. Cookies & Tracking 10. Children's Privacy 11. Security 12. Dominican Republic — Ley 172-13 13. European Union — GDPR 14. California — CCPA / CPRA 15. Changes to This Policy 16. Contact & Data Requests
Plain-language summary: TADR Platform is a software service for travel agencies in the Dominican Republic. We collect data to operate the platform, process payments, and enable agencies to serve their clients. We do not sell personal data. We store data on secure servers in the United States. You have the right to access, correct, and delete your information.

1. Who We Are

TADR Platform ("TADR," "we," "our," or "us") is operated by Dren Group LLC / Eleven Society Global, a company organized under the laws of the United States, operating in the Dominican Republic.

For purposes of applicable data protection law, Dren Group LLC is the data controller with respect to personal data collected through the TADR Platform at travelagencydr.com.

Travel agencies using the TADR Platform are data processors with respect to the personal data of their own clients. Each agency is independently responsible for its compliance obligations concerning the personal data of travelers it manages.

Contact:
Dren Group LLC · info@dren.group · travelagencydr.com

2. Data We Collect

2.1 Travel Agency Account Data

When a travel agency subscribes to TADR, we collect:

  • Business name, agency slug, and contact information
  • Email addresses and names of agency users
  • Logo, brand colors, and other branding assets you upload
  • Subscription tier, billing history, and payment method metadata (card type and last four digits, stored by Stripe — we never store full card numbers)
  • Google Business Profile information (Place ID) if provided

2.2 Traveler & Guest Data (collected by agencies, processed by TADR)

Agencies using TADR may collect and store the following data about their clients through the platform:

  • Full name, email address, phone number
  • Date of birth, nationality, country of residence
  • Booking details: travel dates, adventures, group size, special requirements
  • Signed digital waivers, including any health or medical disclosures made therein
  • Visa application data: passport information, travel history, supporting documents
  • DGII fiscal records: RNC (tax identification numbers), invoice data
  • Guest portal interactions: messages, review submissions

TADR processes this data on behalf of the agency (as a processor). The agency is responsible for obtaining any required consents from travelers and for providing travelers with notice of data use.

2.3 Platform Usage Data

We automatically collect:

  • Login timestamps, session identifiers, and IP addresses
  • Browser type, operating system, and device information
  • Pages visited, features used, and interaction logs
  • Error reports (through Sentry error monitoring)
  • Content Security Policy violation reports

3. How We Use Your Data

  • Providing the platform: authentication, booking management, waiver generation, invoice creation, fiscal compliance
  • Billing and payments: processing subscription payments through Stripe, sending invoices, managing plan upgrades and downgrades
  • Communications: sending transactional emails (billing reminders, payment receipts, guest portal notifications, magic links)
  • Support and security: diagnosing errors, detecting fraudulent activity, enforcing our Terms of Service
  • Improving the platform: analyzing aggregate usage patterns to improve features
  • Legal compliance: maintaining records required by Dominican tax law (DGII), responding to lawful government requests

We do not use personal data for advertising, sell data to third parties, or use traveler data for any purpose other than providing services to the agency that collected it.

Where applicable (including for processing of EU residents' data under GDPR), our legal bases are:

  • Contract performance: processing necessary to deliver the TADR Platform service to subscribing agencies
  • Legitimate interests: platform security, fraud prevention, service improvement (always balanced against your rights)
  • Legal obligation: DGII fiscal record retention, waiver document retention, and other legally mandated data retention
  • Consent: marketing emails (you may withdraw consent at any time by unsubscribing), guest portal communications where consent is obtained by the agency

5. Who We Share Data With

We share personal data only with the following categories of recipients, strictly for the purposes described in this Policy:

5.1 Infrastructure and Service Providers

  • Supabase Inc. (US) — database hosting and authentication
  • Netlify Inc. (US) — web hosting and serverless functions
  • Cloudflare Inc. (US) — content delivery network and security
  • Resend Inc. (US) — transactional email delivery
  • Stripe Inc. (US) — payment processing (subject to Stripe's own Privacy Policy)
  • Sentry (Functional Software Inc., US) — error monitoring
  • Google LLC (US) — Google Analytics (aggregated usage data only); Google Places API (for business profile lookup)

All service providers are bound by data processing agreements and may not use your data for their own purposes.

5.2 Legal Authorities

We may disclose data to government authorities (including the Dominican DGII or law enforcement) when required by law, court order, or to protect rights and safety.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same privacy protections.

6. International Data Transfers

TADR Platform stores and processes data on servers located in the United States. If you are located outside the United States — including in the European Economic Area (EEA), United Kingdom, or Switzerland — your data will be transferred to and processed in the US.

For transfers of EU/EEA personal data, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with service providers.

You may request a copy of the applicable transfer mechanisms by contacting us at info@dren.group.

7. How Long We Keep Your Data

  • Agency account data: retained for the duration of the active subscription, plus 6 months after termination (to allow for reactivation and dispute resolution)
  • Booking and fiscal records: 7 years from creation (required by Dominican Republic tax law — Art. 50, Código Tributario)
  • Signed waivers: 5 years from the date of the activity (liability documentation)
  • Visa application data: 2 years from the date of application or until deletion is requested, whichever comes first
  • Guest communications: 1 year from the date of the last message
  • Platform logs and error reports: 90 days
  • Payment records: 7 years (tax compliance)

After retention periods expire, data is permanently deleted or irreversibly anonymized.

8. Your Privacy Rights

Depending on your jurisdiction, you have the following rights with respect to your personal data:

Right of Access Request a copy of the personal data we hold about you.
Right to Rectification Request correction of inaccurate or incomplete data.
Right to Erasure Request deletion of your personal data, subject to legal retention obligations.
Right to Restriction Request that we limit processing of your data in certain circumstances.
Right to Portability Receive your data in a structured, machine-readable format.
Right to Object Object to processing based on legitimate interests.
Right to Withdraw Consent Withdraw consent for consent-based processing at any time.
Non-Discrimination You will not be discriminated against for exercising your rights.

To exercise any of these rights, contact us at info@dren.group with the subject line "Privacy Request." We will respond within 30 days. We may require identity verification before processing requests.

If you are an EU/EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.

9. Cookies & Tracking

TADR Platform uses the following types of cookies and local storage:

  • Strictly necessary: session tokens stored in browser localStorage for authentication. Required for the platform to function. Cannot be disabled.
  • Analytics: Google Analytics (aggregated, anonymized usage statistics). You may opt out via your browser's "Do Not Track" setting or a browser extension.

We do not use advertising cookies, cross-site tracking, or behavioral profiling cookies.

10. Children's Privacy

TADR Platform is intended for use by businesses (travel agencies) and their adult staff members. The platform is not directed at children under the age of 18.

Travelers who are minors may appear in booking records collected by agencies. Agencies are responsible for obtaining parental or guardian consent when collecting data about minors, consistent with applicable law.

If you believe a child's data has been submitted to our platform without appropriate consent, contact us immediately at info@dren.group.

11. Security

We implement and maintain industry-standard technical and organizational security measures, including:

  • HTTPS/TLS encryption in transit on all connections
  • Row-Level Security (RLS) enforcing strict tenant isolation in our database
  • Authenticated API endpoints — no public access to any data without a valid session token
  • Cloudflare Web Application Firewall (WAF) filtering malicious requests
  • Content Security Policy (CSP) protecting against script injection attacks
  • HTTP Strict Transport Security (HSTS) preventing downgrade attacks
  • Supabase point-in-time database backups
  • Rate limiting on all API endpoints

No system is perfectly secure. In the event of a data breach that poses a risk to your rights, we will notify affected parties as required by applicable law.

12. Dominican Republic — Ley 172-13

TADR Platform operates in the Dominican Republic and complies with Ley No. 172-13 on the protection of personal data in the Dominican Republic.

As a data controller under this law, we:

  • Register and maintain personal data only for lawful, specified purposes
  • Ensure data accuracy and keep it updated
  • Implement appropriate security measures
  • Do not transfer personal data to countries that do not provide an adequate level of protection without appropriate safeguards
  • Honor the rights of data subjects established under Articles 31–38 of Ley 172-13, including the right to access (habeas data), correction (rectificación), suppression (cancelación), and objection (oposición)

Requests under Ley 172-13 may be submitted to info@dren.group.

13. European Union — GDPR

If you are a resident of the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply under the General Data Protection Regulation (GDPR) and applicable national laws.

Our legal bases for processing personal data of EU residents are set out in Section 4 above. In addition:

  • Where we rely on legitimate interests, you may object to such processing at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or for legal claims.
  • You have the right to lodge a complaint with your national data protection authority (Supervisory Authority). A list of EU Supervisory Authorities is available at edpb.europa.eu.
  • We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

For GDPR inquiries, contact our data protection contact at info@dren.group.

14. California — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights:

  • Right to Know: Request disclosure of the categories of personal information we have collected, the purposes for which it is used, and the categories of third parties with whom it is shared.
  • Right to Delete: Request deletion of your personal information, subject to exceptions.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out is required.
  • Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information (such as passport data or health information) beyond what is necessary to provide the contracted service.
  • Right to Non-Discrimination: You will not be denied services, charged different prices, or given a different quality of service for exercising your CCPA rights.

To exercise California rights, contact us at info@dren.group with the subject "California Privacy Request." We will respond within 45 days.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify agency account holders of material changes via email at least 30 days before they take effect
  • Display an in-platform notice for significant changes

Your continued use of TADR Platform after a revised Privacy Policy becomes effective constitutes your acceptance of the changes.

16. Contact & Data Requests

For any privacy-related questions, requests to exercise your rights, or to report a concern:

© 2026 Dren Group LLC · TADR Platform · Terms & Conditions · Privacy Policy · Billing Policy