tripdeal Privacy Policy

TripDeal AI Booking Assistant — Privacy Policy

Effective Date: March 18, 2026
Last Updated: March 18, 2026

TripDeal ("we," "us," or "our") operates an AI-powered hotel booking assistant available as a ChatGPT app (MCP connector). This privacy policy describes the categories of user data that our app collects, processes, stores, and returns through tool responses, and explains why each category is required.

1. Data We Collect and Why

1.1 Guest Session Identifiers

Field: user_id — Example: guest-a1b2c3d4-... — Unique session identifier linking your searches, room lookups, and bookings within a single session or across returning sessions.

When collected: Automatically, the first time you interact with the assistant (via get_guest_session_tool).
Retention: Stored in our database so a returning user can resume their session without re-authenticating.
Returned in tool responses: Yes — the session ID is returned once at session start so the assistant can pass it to subsequent tools. It is not personally identifiable on its own.

1.2 Personal Information (Booking Guest Details)

firstName — Required by hotel suppliers to create a reservation
lastName — Required by hotel suppliers to create a reservation
email — Booking confirmation delivery; required by hotel suppliers
mobile — Contact number for the hotel or in case of booking issues
countryMobileCode — Country dialing prefix for the mobile number (e.g. "965")
nationality — ISO-2 country code (e.g. "KW"); required by hotel suppliers for visa/entry compliance

When collected: Only when you initiate a hotel booking and voluntarily provide these details in the chat conversation.
How used: Sent to the TripDeal booking API to create your hotel reservation. Never used for marketing or shared with unrelated third parties.
Returned in tool responses: The booking tool returns only a bookingId and status ("pending"). Your personal details are not echoed back in any tool response.
Server-side storage: If you submit details via the legacy web form endpoint (/submit-booking-details), they are held in server memory only for the duration of the booking flow and are not persisted to disk.

1.3 Search and Travel Preferences

Destination query (city/hotel name) — Find matching hotels via the TripDeal search API
Check-in / check-out dates — Filter available hotels and rooms for your travel dates
Number of adults and children ages — Determine room occupancy and pricing
Applied filters (star rating, price range, etc.) — Refine search results to your preferences

When collected: When you ask the assistant to search for hotels.
Returned in tool responses: Yes — search results (hotel names, images, prices, ratings, map links) and a search_token (opaque API cursor) are returned so the assistant can display the carousel and continue the workflow.

1.4 Booking and Reservation Data

bookingId — Identifies your pending or confirmed reservation
Booking status (pending, confirmed, cancelled) — Lets the assistant inform you of your booking state
Hotel name, room type, dates, price, currency — Displays booking summary to you
Cancellation policy / refundability — Informs you of cancellation terms before and after booking
Confirmation/reference number — Your hotel confirmation code
Special request IDs and free-text requests — Optional amenity or room preferences you select

When collected: When you create, view, or manage a booking.
Returned in tool responses: Yes — but personal identifiers (name, email, phone, nationality) are stripped from all booking-list, booking-detail, and booking-confirmation responses before they reach the assistant. Only the booking/hotel fields listed above are returned.

1.5 Payment Information

Payment method selection (ApplePay, CreditCard, Knet) — Determines which payment gateway to use
Payment link (URL) — One-time link to the external payment processor

When collected: When you choose a payment method after creating a booking.
Returned in tool responses: The assistant receives a paymentLink URL and displays it as a "Pay now" button. We do not collect, see, or store your credit card number, CVV, bank credentials, or any payment instrument details. All payment processing occurs on the third-party payment gateway's secure page.

1.6 Language and Locale Preference

locale / accept_language ("en" or "ar") — Controls the language of UI widgets and API responses.
When collected: Inferred from the language you write in.
Returned in tool responses: Yes — passed through so widgets render in the correct language and text direction (LTR/RTL).

1.7 Authentication Tokens (Server-Side Only)

access_token — Authenticates API calls to TripDeal's backend on your behalf
refresh_token — Refreshes the access token when it expires

When collected: Automatically during guest session creation or email OTP login.
Storage: Stored in our MongoDB database, associated with your user_id.
Returned in tool responses: Never. Tokens are used exclusively server-side and are never exposed to the assistant or any tool response.

2. Data We Do NOT Collect

Payment card details — handled entirely by the external payment processor.
Precise device location — we do not request or access your GPS or IP-based location.
Browsing history or third-party tracking — we do not use cookies, pixels, or cross-site trackers.
Biometric data — not collected.
Chat message content — the assistant (ChatGPT) processes your messages; our MCP server only receives the structured tool-call parameters, not your free-text conversation.

3. How Data Is Shared

TripDeal Backend API — Session ID, search parameters, guest details (for booking), booking IDs — Core service delivery: searching hotels, creating reservations, generating payment links.
Hotel Suppliers (via TripDeal API) — Guest name, email, phone, nationality — Required to confirm hotel reservations.
Payment Gateway (external) — Booking ID, payment method — To generate a secure payment page; card details go directly to the gateway.
OpenAI / ChatGPT — Tool responses (search results, booking status, payment link, locale) — Displayed to you in the chat interface.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any unrelated third parties.

4. Data Storage and Retention

Guest session records (user_id, tokens) — MongoDB (agent_history.users) — Retained for session continuity; no automatic expiration currently set.
In-memory booking form submissions — Server RAM — Cleared when the server process restarts; not persisted to disk.
Search parameters and results — Not stored server-side — Transient; exist only during the API call.

5. Data Protection Measures

Token isolation: Authentication tokens are stored server-side only and never returned in tool responses.
PII stripping: Booking management responses are filtered through an allowlist (_strip_pii) that removes personal fields before data reaches the assistant.
Minimal returns: The booking creation tool returns only bookingId and status, not the guest details that were submitted.
HTTPS: All communication with the TripDeal API and payment gateways occurs over TLS-encrypted connections.
CORS restrictions: The form submission endpoint only accepts requests from trusted OpenAI/ChatGPT origins.

6. Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal data we hold about you.
Correct inaccurate personal data.
Delete your personal data and session records.
Withdraw consent to data processing at any time.

To exercise any of these rights, contact us at the address below.

7. Children's Privacy

Our service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us for removal.

8. Changes to This Policy

We may update this policy to reflect changes in our data practices or legal requirements. The "Last Updated" date at the top will be revised accordingly. Continued use of the assistant after changes constitutes acceptance of the revised policy.

9. Contact

For privacy inquiries, data access/deletion requests, or complaints:

TripDeal
Email: [email protected]
Website: https://tripdeal.co

----

Welcome to tripdeal, your trusted online travel agency. This Privacy Policy outlines how we collect, use, and safeguard your personal information when you use our website and services to book travel arrangements.

We may collect personal information such as name, contact details, payment information, travel preferences, and any other information necessary to fulfill your travel bookings.

We use the collected information to facilitate travel bookings, communicate with you regarding your bookings, provide customer support, and improve our services.

Your personal information may be shared with airlines, hotels, car rental companies, and other service providers solely for the purpose of fulfilling your travel bookings.

Data Security:

We employ industry-standard security measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

We'll utilize the gathered personal information to handle transactions and payments, including those for accommodation bookings. Additionally, we'll employ it to retrieve owed funds, both as part of fulfilling our contractual commitments and safeguarding our legitimate interest in debt recovery.

User Rights:

You have the right to access, correct, or delete your personal information. Please contact us if you need assistance with this.

Cookies and Tracking:

We use cookies and similar tracking technologies to enhance your browsing experience, analyze website traffic, and personalize content and advertisements. By using our website, you consent to the use of cookies as described in our Cookie Policy.

Policy Changes:

We reserve the right to update this Privacy Policy as needed. Any changes will be effective immediately upon posting on our website.

Contact Information:

If you have any questions or concerns about our Privacy Policy, please contact us on [email protected]