SENDERO·ARC
Start free
Legal

Privacy Policy

Effective 2026-04-28

This policy describes what Sendero collects, why, and how we keep it safe. We are a travel-ops platform: travelers, agencies, and corporates use us to plan, book, and settle trips. Our agents run across MCP, WhatsApp, Slack, and the web console.

1. What we collect

1a. Account & workspace data

  • Email, name, organization name, and role — from Clerk, our authentication provider. We don't store your password; Clerk does.
  • API keys you mint via Clerk's <APIKeys /> component. We hold the token hash, not the raw key.
  • Plan tier (Free / Basic / Pro / Enterprise) and billing identity from Clerk Billing.

1b. Trip & agent data

  • Travel records (legs, travelers, holds, bookings, settlements) created when your agent calls Sendero tools. Stored in our Postgres database hosted on Neon, region aws-us-east-1.
  • Agent transcripts and tool-call logs (input/output of every metered call). Used to serve replays, debugging, and Langfuse-based quality tracking.

1c. Payment data

  • On-chain wallet addresses and USDC settlement records from Circle (Arc-Testnet today; Arc-Mainnet at GA). Wallet addresses are public on-chain by design.
  • Card-and-fiat data (subscriptions) is handled entirely by Stripe via Clerk Billing. We never see card numbers.

1d. Telemetry

  • Web traffic logs, server response times, error stack traces.
  • Langfuse traces for agent turns (system prompt → tool calls → response).
  • Vercel Analytics for the marketing + app surfaces.

2. Why we collect it

  • Run the service. We can't book a flight without knowing the route.
  • Bill correctly. Plan tier + per-call meter events drive your invoice.
  • Audit. Every settlement writes an on-chain row + a meter event. Auditors and finance teams need the trail.
  • Improve quality. Langfuse traces let us catch regressions in agent behavior (tool-call success rate, latency).
  • Comply. Anti-fraud, anti-money-laundering, regulatory holds.

3. Sub-processors

Sendero uses the following sub-processors. Each receives only the data they need to perform their function. Your access to your own data is not throttled by them.

  • Clerk — auth + billing UI
  • Stripe — payment processing (via Clerk)
  • Circle — USDC custody + Arc settlement
  • Duffel — flight search + booking
  • Neon (Postgres) — primary database
  • Upstash — Redis cache + rate-limit state
  • Langfuse — agent observability
  • Vercel — hosting (apps/app, apps/docs, apps/marketing)
  • Cloudflare — edge proxy (apps/edge)
  • Resend — transactional email

4. Your rights

You can:

  • Access your data — every workspace surface in the dashboard exposes it.
  • Export trip and settlement data via export_audit_log, export_trip_summary, and the OpenAPI surface.
  • Correct data — open a ticket via the dashboard or email below.
  • Delete your workspace — email privacy@sendero.travel. We honor deletion within 30 days, except where retention is required by law (financial records: 7 years).
  • Withdraw consent for telemetry — set SENDERO_TELEMETRY=off in your CLI env. Server-side telemetry is load-bearing for the service and can't be opted out individually; deleting the workspace is the path.

5. Data retention

  • Active trip + booking data: retained while the workspace is active.
  • Settlement + on-chain audit data: 7 years (regulatory).
  • Telemetry: 90 days rolling.
  • Langfuse traces: 30 days rolling.
  • Deleted workspace: backups purge within 30 days.

6. Security

  • TLS in transit, encryption at rest (Neon + Upstash + Vercel Blob).
  • API keys hashed at rest; we cannot recover a lost raw key.
  • Webhook signatures verified (Circle, Clerk, Slack, WhatsApp, Stripe).
  • Rate limits + bot detection on every public surface.
  • Annual penetration testing + ongoing dependency scanning.

7. Children

Sendero is a B2B platform. We do not knowingly collect data from anyone under 18. If you believe a child has provided us with data, contact privacy@sendero.travel.

8. International transfers

Sendero hosts data primarily in the US (Vercel, Neon). EU-origin data is transferred under Standard Contractual Clauses with our sub-processors. Argentina-, Mexico-, and Brazil- origin traffic is served from the closest available Vercel edge.

9. Changes to this policy

We update this page when sub-processors or practices change. The effective date at the top always reflects the active version. Material changes are emailed to workspace owners 14 days before they take effect.

10. Contact

Privacy: privacy@sendero.travel
Security disclosures: security@sendero.travel
General legal: legal@sendero.travel

Questions? Email legal@sendero.travel or read our Privacy Policy and Terms of Service.