1. Introduction

This Privacy Policy explains how Serko Limited and its group companies (collectively, Serko, we, us, or our) process personal information in connection with Serko.ai. 

While providing some personal information is optional, failing to provide certain personal information may mean you are unable to use the services. If you do not agree with the terms of this Privacy Policy, please do not provide any personal information to us. 

2. Scope — when does this Privacy Policy apply?

This Privacy Policy applies to the processing of data in connection with your access to and use of the Serko.ai sites (‘Sites’), your use of the related services (‘Services’) set out in the Serko.ai Website and Booking Terms and Conditions, and our related marketing and support activities.

This Privacy Policy does not apply to our other websites, or our other service offerings.

3. Personal information Serko.ai processes

Serko.ai will collect information that varies depending on your use of our services and marketing preferences. Based on your use, Serko.ai may process the following categories of data, which may include personal information:

• Identity data: name, date of birth, gender;
• Contact data: including email address, address, and phone number;
• Profile data: Serko.ai profile information – username, ID, password; 
• Documents (for international travel): passport details, visa details if required;
• Employment data: title, employee ID if relevant, company details;
• Payment data: including card and spend details; 
• Serko.ai use data: including details of products and services you have purchased and information on how you are using the products and services, as well as the prompts that you have entered into the Serko.ai application and outputs that it generates;
• Travel data: including details of your bookings and travel itineraries, frequent flyer details, loyalty details, rental car details, meal preferences, seat preferences, travel dates/times, flight number, ticket number, confirmation number, booking locators (booking ID, passenger name record (PNR), airline locator), origin location, destination location, third party profile ID/code, and travel components,
• Device data: including internet protocol (IP) address, login data, browser type and version, time zone setting including geolocation, operating system and platform, device type, unique device identification numbers, and other information your browser supplies;
• Communications data: including preferences in receiving marketing from us, your communication preferences, and any feedback or survey responses;
• Support data: including screenshots (of error messages, for example), support ID, and support communications

Depending on your use, we may collect special or sensitive personal data - for example, your passport number for international travel bookings and your payment card details for processing payment. Additionally, your preferences may involve processing sensitive data - for instance where you indicate religious or medical travel requirements. We ask that you are mindful of this. These categories of personal information are only for the purposes of providing services to you, and Serko does not sell or share it outside of these purposes.

4. Personal information sources

We collect and receive personal information in different ways depending on the sites and/or services that you use. This might include:

• Direct interactions: when you sign-up to Serko.ai, use the platform, submit travel prompts and book travel, request support, or communicate with Serko about Serko.ai.  
• Customers, suppliers and other third parties: We may receive personal information from other sources such as your employer (if they manage your account), payment suppliers (including card operators and virtual payment suppliers), travel service providers (including accommodation providers, transport providers).
• Cookies and similar technologies: We automatically collect some personal information when you visit, use, and interact with our Sites and Services by using cookies and other similar technologies. We may also receive personal information if you visit other sites employing our cookies and/or from analytics providers (such as Google). You can see our Cookie Policy for further details. For example, we might use these technologies to distinguish you from other users and remember your preferences, to improve our Sites and Services, and/or for web analytics. You can also set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. However, if you disable or refuse cookies used, you may not be able to access or use parts of our sites and services.

Serko processes personal information lawfully. We process your personal information primarily to provide the services you request under the contract we have with you (including via our Website and Booking Terms and Conditions) and with your consent, and also where necessary for our legitimate interests and to comply with legal obligations. 

In certain situations, you may provide us personal information  about other individuals (such as your colleagues, customers, suppliers, directors or shareholders). In doing so, you warrant that you have all necessary notices, permissions, and consents in place to lawfully disclose such personal information to us for use in accordance with this Privacy Policy.

5. How Serko.ai uses your personal information

We collect and use your personal information for different purposes depending on the Sites and/or Services that you use. The main purposes are:

• To provide, host, and maintain Serko.ai – for example, to process purchases (along with our authorised payments processors), manage payments, collect monies owed, process user registrations, to  provide personalised options and recommendations in Serko.ai based on your profile and preferences and use of our Services, to help your organisation apply its travel policies, and to create profiles; 
• To communicate and manage our relationship with you – for example, to provide you with the Services and information you have requested or that we are required to provide to you, inform you of technical notices, updates, security alerts, support and administrative messages, notify you of any changes to our relationship and ask you for feedback or to take part in any research we are conducting;
• To provide customer service and support – for example, to provide booking confirmations, assist with the resolution of technical support issues or other issues relating to the Sites or Services (whether by email, in-app support, or otherwise), and we may record customer calls for monitoring and training purposes;
• To measure and enhance our Sites and Services – for example, to understand how our Sites and Services are being configured and used, to understand how our Sites and Services and user experience can be improved, to make our Services more relevant to you, to develop new services, and to perform internal business processes such as testing, maintenance, and quality assurance, to 
• For protection purposes – for example, to detect, investigate and prevent any fraudulent or malicious activity or transactions, unauthorised access, or other security incidents and other illegal activities, troubleshooting, and to ensure our Sites and Services are being used in accordance with the Serko.ai Website and Booking Terms and Conditions;
• To analyze, aggregate and report – for example, to analyse trends and statistics regarding use of our Sites and Services and the transactions conducted, and to produce aggregated and anonymised analytics and reports;
• Legal purposes - for example to comply with regulatory and/or industry requirements and standards, audits, accounting, tax obligations, and to defend against claims, and enforce our rights. 

6. How we use AI with your personal information. 

When you use Serko.ai, we process your personal information using artificial intelligence (AI) to provide the services you request. This draws on our nearly 20 years of travel expertise to simplify the end-to-end experience of booking and managing travel, by using multiple AI agents to support you. This includes: 

• LLM technology: the Serko.ai interaction is designed to be a single point of intent driven engagement, and this is supported by large-language model (LLM) technology to understand your requests and generate responses.
• Agent technology: we use multiple AI agents to help suggest and book your travel options, apply your preferences, and support the monitoring and management of transactions. 
• Fraud and operational performance: we are committed to keeping you safe - this includes by monitoring our AI, which is partially done by AI, as well as using AI within our fraud detection.

These systems are designed to help provide recommendations, suggestions, and other outputs to assist you and your organisation. It does not make decisions based on automated processing that will have legal consequences or similar impacts on you. Decisions will still be yours to make; you and your organisation still approve the bookings.

We do not use personal information to train general-purpose or ‘foundation’ AI models that are used across customers.

7. Disclosure of Personal Information 

There will be times when we need to share your personal information with third parties for the purposes set out in this Privacy Policy. This might include:

• Serko group companies – who help us provide, host, and maintain our Sites and Services. Some group companies (subject to access controls) may also have access to the Serko group data centres in which we store and process your personal information.
• Customers (i.e. your organisation) – for example, so we can provide our Sites and Services (including processing and/or approving your travel bookings and/or expense claims), for user management and licence administration purposes, and they may be able to access your personal information held in our systems.
• Travel management companies, travel agents, and GDS operators (if any) – who cooperate with us to provide our Services and assist us to book travel.
• Service providers – for example, travel service providers (such as travel wholesalers, tour operators, airlines, hotels, car rental companies), banks, expense management and accounting service providers, and other contracted third party service providers such as credit and virtual card processing, fraud prevention, IT and system administration, business analytics, online advertising delivery, marketing, market research and communication, mail, freight and courier and price comparison services.
• Business partners and third parties you authorize – with whom we may jointly offer products or services, or whose products or services may be offered on and/or integrated with our Sites or Services. You may also give third parties access to your personal information on the Sites and Services.
• Our professional advisers – including our lawyers, bankers, auditors, consultants, and insurers.
• An actual or potential buyer (and its agents and advisors) – in connection with an actual or proposed purchase, merger or acquisition of any part of our business. If a change happens to our business, then the new owner may use your personal information in the same way as set out in this Privacy Policy.
• Regulators, law enforcement bodies, government agencies, courts or other third parties – where we think it is necessary to comply with applicable laws or regulations, or to exercise, enforce, or defend our legal rights.

As a global business, we may transfer and process your personal information in countries other than the country you live in – for example to Australia, New Zealand, the Republic of Ireland, the Netherlands, and Canada, where some of our offices, data centres or sub-processors are located. More information about third parties is available here at Serko.ai Third Party Processors.

8. Security

We have put in place appropriate technical and organisational security measures and procedures to  prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. 

Although we will take such measures to protect your personal information, by virtue of the nature of the internet, we cannot guarantee the security of your information transmitted online, and any transmission is undertaken at your own risk. Help us keep you safe - keep your password secure, don’t share it with anyone.

We have also put in place procedures to deal with breaches of personal information, and we will notify you and any applicable regulator of a breach where we are legally required to do so.

9. Retention

We retain personal information we collect from you where we have an ongoing legitimate business need to do so in accordance with our data retention policies and practices (for example, in connection with the purposes described in this Privacy Policy, legal purposes, and/or for the purposes of satisfying any regulatory, tax, accounting or reporting requirements).

Following that period, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been temporarily stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

10. Your rights

You have rights over your personal information. For example, you may have rights to:

• request access to personal information;
• request correction of inaccurate or incomplete personal information;
• request deletion of personal information;
• object to or restrict certain processing;
• withdraw consent where processing is based on consent;
• request portability of certain personal information; and
• lodge a complaint with an applicable supervisory authority or privacy regulator.

To view, access, or update / correct the information that we hold about you, log into your account and navigate to the ‘profile’ section. Where applicable, you can also ask your administrator to deactivate your account at any time.

Alternatively, you can contact us using the details below. Please provide sufficient detail for us to respond to your request.  We may request specific information to verify your identity and confirm your rights.

11. Contact details

If you have any questions about this Privacy Policy or want to make a privacy request, our best contact is privacy@serko.com. Otherwise, our mailing address is:

Attention: Legal Department
Serko Limited
Unit 14d, 125 The Strand
Auckland
New Zealand

‍

Version and updates 

This Privacy Policy is effective from 13 May 2026. We may update it from time to time so we encourage you to check it regularly for changes. Where updates are significant, we may also notify you by email or via a notice on our home page.

‍—

Addendum 1: Additional information for California residents

If you are a resident of California, the following information also applies to you with respect to your personal information:

A. The personal information we collect, receive, disclose and retain

We will collect, receive, disclose and retain different kinds of personal information depending on the Sites and/or Services that you use. With reference to the categories of personal information set out in the CCPA:

• We collect personal information from the sources set out in section 4, above.
• We disclose it to the categories of third parties set out in section 6 above, for the purposes set out at section 5.
• We retain personal data consistently with section 9, above. We retain your personal information for as long as your account is active or as needed to provide you with the Services. On offboarding, we will anonymise your profile data so that you are no longer identifiable, unless we are required to retain it by your employer. We may retain data in non-identifiable forms, or where required by law - for example, financial transaction records for tax and accounting purposes. 

We do not "sell" your personal information for the purposes of the CCPA.

B. Your rights

You have rights under privacy and data protection laws in relation to your personal information. For example, you may have rights to:

• know what personal information is collected about you, and if any of your personal information is sold or disclosed (and the categories of third parties that purchased or received it);
• access the personal information we process about you;
• request the deletion of your personal information, if applicable;
• opt-out from the sale of your personal information, if applicable; and
• not be discriminated against for exercising any of the rights above.

You can exercise your rights as described in section 9 (‘Your rights’) above. You may also designate an authorised agent to make a request on your behalf, subject to proof of identity and authorisation.

C. Sensitive Personal Information 

In providing the services described above, we may collect and use certain categories of personal information that are defined as sensitive under the CPRA. This includes:

• Government-issued identification numbers (such as passport and driver's licence numbers)
• Payment card details
• Health or medical information may be collected as medical travel requirements you provide.
• Religious beliefs may be collected as dietary or religious travel preferences you provide.

We use sensitive personal information only to provide the Services you have requested and for related purposes as described in this Privacy Policy. We do not use or disclose sensitive personal information for any purposes beyond those permitted under the CPRA. This includes disclosing this data to Serko group companies, the service providers you may select, and our own service providers where necessary — for example, to process payment.

Addendum 2: Additional information for Texas Residents

If you are a resident of Texas, the following information may apply to you with respect to your personal information.

• Right to access, correct, delete: You have the right to access and correct your information. We will delete your personal information consistent with our lawful obligations and our retention needs. You will not be discriminated against for exercising your privacy rights.
• Opting out: You may have the right to opt out of processing of personal information, particularly for marketing purposes and we will endeavour to support this. We will make reasonable efforts to process opt outs for jurisdictions that require them.
• Sale of data: We do not sell personal information to third parties. We are not data brokers nor do we work with data brokers.
• De-identification: Where we de-identify data, we will not re-identify that data.

‍