Privacy Notice
1. What this tool is
Andavo Labs Experts is an AI-assisted advisor that helps travel agents and back-office staff answer fare-rule, ticketing, and policy questions. It connects to a curated knowledge base (ATPCO standards, Sabre procedures, internal runbooks) and to large language model providers under contract. It is not a booking system and does not itself ticket, refund, or invoice travel.
2. What information we collect
| Category | Examples | Source |
|---|---|---|
| Authenticated user identity | Corporate email, Microsoft Entra object ID, role assignments | Microsoft Entra External ID at sign-in (OIDC) |
| Conversation content | The questions you type, files or PNR snippets you paste, and the assistant's responses | You, while using the chat or MCP API |
| Traveller PI in support context | Names, frequent-flyer numbers, ticket numbers, PNRs, occasionally addresses, dates of birth, passport / Known Traveller Number, payment fragments | Pasted into a conversation by an agent while researching a case |
| Operational metadata | Timestamps, request IDs, source IP, model + token-count usage, error logs | Automatically generated by the platform |
| Audit trail | Tool invocations, admin actions (key issuance, user role changes) | Application audit log |
3. How PII is scrubbed before leaving the platform
Whenever a message is sent to a third-party AI model, a deterministic
PII scrubber runs first. It detects 22 categories of personal,
payment, and travel data (credit card, SSN, passport, visa, government ID, KTN,
redress number, ticket number, postal address, geolocation, employee ID, frequent-flyer
number, hotel/car/rail loyalty numbers, email, phone, passenger and natural names, PNR,
generic membership IDs, and dates of birth) and replaces each detected value with an
opaque token (for example
[PAX_NAME_1], [ADDRESS_1],
[PNR_1]) before the message reaches the model.
A combinatorial risk check (50 rules) blocks known-dangerous combinations entirely. The mapping between tokens and original values is stored encrypted via HashiCorp Vault's Transit engine (per-conversation derived keys). The plaintext mapping is reattached only when the assistant's response is rendered back to you in the browser; it is never written to the database, model providers, or logs.
This means model providers (Anthropic, Cohere, OpenAI when used) receive tokens and travel jargon, not personally identifying values.
4. How we use the information
- Authenticate and authorise corporate users via Microsoft Entra.
- Serve answers from the curated knowledge base.
- Send tokenised prompts to large language model providers under contract to generate the assistant's responses.
- Generate a conversation history visible only to the authenticated user.
- Record audit events required for security monitoring (CC4.3 / CC7.3).
- Improve the knowledge base when staff submit corrections through the in-product feedback flow (corrections are reviewed by Josh Cameron and stored as plain markdown in the repo).
5. Where the information lives
| System | What it stores | Region / hosting |
|---|---|---|
| Microsoft Entra External ID | Identity, MFA factors, sign-in logs | Microsoft 365 tenant (Christopherson Andavo Travel) |
| Supabase Postgres | Tokenised conversations, knowledge embeddings, audit log | Azure-region-pinned Supabase instance |
| HashiCorp Vault | Encryption keys, PII token-map ciphertext | Self-hosted on a DigitalOcean droplet (no third-party access) |
| Anthropic / Cohere / OpenAI | Tokenised prompts only; no plaintext PI | Vendor-controlled; see vendor contracts |
| Vercel / Azure Container Apps | Application runtime; logs without PI plaintext | US regions |
6. Retention and deletion
- Conversation history — retained while you remain an active user. You can delete an individual conversation from the UI; deletion is propagated to the database within 24 hours.
- PII token maps — encrypted ciphertext is retained for the lifetime of the parent conversation and removed when the conversation is deleted.
- Audit log — retained for 12 months for security monitoring, then aggregated.
- Operational logs — retained per the Azure Monitor / Log Analytics workspace policy (currently 30 days).
- Authentication logs — retained per Microsoft Entra defaults (currently 30 days for sign-ins, 30 days for audit events).
- Detailed retention rules are documented in
docs/compliance/data-retention.md(see SOC 2 control P4.2).
7. Sharing
We do not sell or rent personal information. We disclose information only to:
- Sub-processors under contract (large language model providers, hosting, identity, communication tooling). Each is listed with its data-processing agreement status in
docs/compliance/vendor-agreements.md. - Christopherson Andavo Travel internal teams with a need-to-know.
- Authorities, if compelled by valid legal process and subject to vendor and operator review.
8. Your rights
Because the platform is offered through your employer or contracting relationship with Christopherson Andavo Travel, requests to access, correct, export, or delete your information should be sent to the contact below or raised with the Christopherson Andavo Travel HR contact for staff users. We will acknowledge within 5 business days and respond within 30 calendar days.
9. Security
Controls include: Microsoft Entra MFA-enforced sign-in, OIDC token validation,
role-based authorisation, server-side rate limiting, deterministic PII scrubbing,
Vault Transit-wrapped encryption keys, TLS in transit, encryption at rest,
pre-egress secret scanning in CI, and a backup-restore drill cadence (CC4.5).
Our SOC 2 readiness assessment lives at
docs/compliance/soc2-readiness.md in the codebase. Security incidents
are reported to andavolabs@outlook.com
with a 72-hour acknowledgement target.
10. Children
The platform is not intended for and is not offered to children under 13. We do not knowingly process information about minors except where it appears incidentally as part of a corporate booking record (for example a child traveller's name on a PNR), in which case the data is tokenised and treated under the same controls as adult traveller data.
11. Changes
We will update this notice and the “Last updated” date when the
data flow or sub-processors change materially. The change history lives in
git: see commits touching apps/experts/public/privacy-notice.html.
12. Contact
Privacy questions, access requests, and complaints: andavolabs@outlook.com. Security disclosures follow SECURITY.md.