At Trama Inc. (hereinafter "Trama", "we", or "our") we take the privacy and protection of personal data seriously. This Privacy Policy explains what information we collect, how we use it, with whom we share it, how we protect it, and what rights you have over your data.
This policy applies to all individuals who interact with our services: clients who contract Trama for their business, authorized users who access the Platform on behalf of a client, end users who interact with an AI agent operated by a Trama client, and visitors to our website trama.so.
By using our services or visiting our website, you accept the practices described in this policy. We recommend reading it alongside our Terms and Conditions, available at trama.so/tc.
1. Who we are
Trama Inc. is a company headquartered in Córdoba, Argentina, that develops and provides artificial intelligence agents for service companies, with an initial focus on the tourism industry. Our agents operate on communication channels such as WhatsApp, Instagram, email, and others, assisting companies in their commercial and operational processes.
Contact for privacy matters:
Email: privacy@trama.so
General email: hello@trama.so
Web: trama.so
Location: Córdoba, Argentina
2. Our privacy principles
Data processing at Trama is governed by the following principles, which we apply from the design of our products and in all our operations:
Privacy by design and by default. We incorporate data protection from the design stage of every feature and product. By default, our systems collect and process only the minimum data necessary for each purpose.
Data minimization. We only collect the personal data that is strictly necessary for the specific purpose of processing. We don't ask for more information than we need nor retain it longer than necessary.
Purpose limitation. We use personal data exclusively for the purposes disclosed in this policy. We don't repurpose it for incompatible ends without informing you and, where applicable, without obtaining your consent.
Accuracy. We make reasonable efforts to keep personal data accurate and up to date. We enable data subjects to correct inaccurate data.
Transparency. We provide clear, accessible information, in understandable language, about our data processing practices.
Security and integrity. We protect personal data with technical and organizational measures appropriate to the risk of the processing.
Demonstrable accountability. We document our data protection decisions and practices, and can demonstrate our compliance to competent authorities.
3. Roles in data processing
It is important to understand the different roles in data processing through our service:
Trama as data controller. When we collect data directly from our clients, website visitors, and Platform users (registration, billing, navigation data, cookies, support communications), Trama acts as data controller and decides the purposes and means of processing.
Trama as data processor. When we process data from our clients' end users (people who write to the AI agent via WhatsApp or other channels), Trama acts as data processor, processing that data on behalf of and under the documented instructions of the client. In this case, the client is the data controller and is responsible for having the legal basis to collect and process that personal data.
The client as controller. Each client using Trama is responsible for complying with applicable data protection legislation in their jurisdiction regarding the personal data of their end users. This includes obtaining the necessary consents, informing their end users about data processing (including the use of artificial intelligence), ensuring that the use of the agent complies with applicable rules, and handling data rights requests from their end users.
Data Processing Agreement (DPA). For clients who require it (especially those subject to GDPR, LGPD, or other regulations requiring a formal processing agreement), Trama offers to sign a Data Processing Agreement (DPA) that formalizes Trama's obligations as data processor, including: the client's documented instructions, applicable security measures, obligations regarding sub-processors, cooperation in exercising data subjects' rights, security breach notification, and data deletion or return at the end of the relationship. Clients can request the DPA at privacy@trama.so.
4. What information we collect
We collect different types of information depending on how you interact with our services:
4.1 Information you provide directly
Registration and account data. When a client registers with Trama, we collect: full name or company name, email address, phone number, business name, business address, country and jurisdiction, tax ID (for billing), role within the organization (for the registering user), and any other information the client provides during registration or account setup.
Billing and payment data. To process payments we collect: payment method information (card type, last 4 digits, expiration date), billing address, tax details and VAT status, and transaction and invoice history. Complete credit or debit card data is processed and stored directly by our payment processors (such as Stripe or Mercado Pago). Trama does not store full card numbers, CVVs, or equivalent data on its own servers.
Client content. Clients upload information about their business to the Platform to configure and operate the agent: product and service catalogs, price lists and rates, commercial policies (cancellation, refunds, conditions), destination information, itineraries and packages, business rules and service flows, operating hours, team contact details (for handoffs), promotional material and images, and credentials for access to external systems (when applicable for integrations, stored in encrypted form).
Direct communications. When you contact us by email, support, web forms, chat, or any other means, we collect: the content of those communications, associated contact details, the date and time of the interaction, and any files you share.
4.2 Conversation data (end users)
When an end user interacts with a Trama client's AI agent, conversation data is generated that may include:
Data provided by the channel. End user's profile name (as it appears on WhatsApp or other channel), phone number or user identifier in the channel, and profile photo (if the channel provides it; Trama generally does not store it).
Conversation content. Text messages sent and received, responses generated by the AI agent, shared attachments (images, documents, audio, video), and stickers, reactions, or other interactive elements.
Voluntarily shared information. End users may share additional information during the conversation, such as: travel destinations, dates and duration, number of passengers and group composition, budget and preferences, additional contact details (email, another phone), identity or passport documents (if shared for a booking), and payment data (if shared in the conversation; Trama recommends its clients not collect payment data through this channel).
Metadata. Date, time, and duration of each interaction, channel used, conversation status (active, handed off, closed), contact qualification result, and detected language.
Important: Trama processes this data as a data processor on behalf of the client. We do not use identifiable end user data from one client to benefit other clients or for our own purposes beyond providing the service.
4.3 Usage and navigation data
When you visit our website or use the Platform, we automatically collect:
Technical data. IP address (may be anonymized depending on configuration), browser type and version, operating system and version, device type (desktop, mobile, tablet), screen resolution, and time zone and language settings.
Interaction data. Pages visited and navigation order, time spent on each page, elements you interact with (buttons, forms, links), referral URL (where you came from), search terms that brought you to the site (if available), and date, time, and frequency of visits.
Identifiers. Session identifiers, cookies (see section 13), and authentication tokens (for logged-in users).
4.4 Integration data
When a client connects Trama with external systems (GDS like Amadeus, ERPs, CRMs, inventory systems, wholesaler APIs, or others), Trama may access data from those systems exclusively to the extent necessary for the agent's operation, in accordance with the client's instructions and granted permissions. The data accessed depends on each integration and is defined during project configuration. Trama does not access more data than necessary for the contracted functionality.
5. How we use information
Below we detail each processing purpose and the legal basis that supports it:
5.1 Service delivery
What we do: Operate, maintain, and improve our AI agents and the Platform. This includes processing conversations, generating responses, qualifying contacts, producing quotes, searching availability in integrated systems, and executing the functions contracted by the client.
Legal basis: Performance of the contract with the client. Legitimate interest of the client (for end user data processed as processor).
5.2 Account administration
What we do: Manage registration, authentication, service configuration, billing, collection, issuance of fiscal receipts, technical support, and operational communications related to the service.
Legal basis: Performance of contract. Compliance with legal obligations (billing and tax records).
5.3 Service improvement
What we do: Analyze Platform usage patterns, agent performance, resolution rates, response times, quality metrics, and feedback to improve our products and services.
Legal basis: Trama's legitimate interest in improving its products.
5.4 Anonymized data for research and development
What we do: We use irreversibly anonymized data to: train and evaluate proprietary AI models, generate aggregate statistics and industry benchmarks, develop new features and products, and conduct research on commercial interaction patterns in the industry.
Legal basis: Trama's legitimate interest. Anonymized data does not constitute personal data under applicable legislation.
Anonymization process: Our anonymization process includes: removal of all direct identifiers (names, phones, emails, identity documents), removal or generalization of indirect identifiers (specific locations, exact dates, exact amounts), aggregation of data from multiple conversations and clients, verification that the resulting data does not allow re-identification through reasonable techniques, and irreversible separation between anonymized and original data. Once anonymized, data cannot be linked to any specific person or company, and no reversal keys are retained.
5.5 Communications
What we do: Send you relevant information about your account and service (operational notifications, security alerts, service changes, policy updates). With your authorization, send marketing communications, product updates, educational content, and offers.
Legal basis: Performance of contract (operational communications). Consent (marketing communications).
You can opt out of marketing communications at any time by clicking "unsubscribe" in any email, or by contacting hello@trama.so.
5.6 Legal compliance and fraud prevention
What we do: Comply with legal, tax, and regulatory obligations. Respond to requests from competent authorities. Protect our legal rights. Prevent, detect, and investigate fraud, abuse, or illegal activities. Enforce our Terms and Conditions.
Legal basis: Compliance with legal obligation. Trama's legitimate interest in protecting its rights and preventing abuse.
5.7 Security
What we do: Protect the security and integrity of our systems, networks, and infrastructure. Detect and prevent unauthorized access, cyberattacks, and malicious activities. Monitor service availability and performance. Maintain audit logs for traceability.
Legal basis: Trama's legitimate interest in the security of its systems and the protection of its clients.
6. Artificial intelligence and data processing
Since our service is based on artificial intelligence, it is important that you understand how we process data in this context:
Processing by AI models. End user conversations with the agent are processed by artificial intelligence models to generate responses. This processing means that message content is sent to the servers of the AI model providers that Trama uses. Trama selects providers that offer security and privacy guarantees, and contracts their services under agreements that restrict the use of our clients' data. In particular, conversation data sent to the model provider is not used to train or improve the provider's general models.
We don't train general models with your data. Trama does not use identifiable conversation data from a client to train general-purpose AI models that are shared with other clients or third parties. When we use data for service improvement, it is first irreversibly anonymized according to the process described in section 5.4.
Conversational memory. The agent can maintain memory of the context of an active conversation and, depending on the configuration, of the history of previous interactions with the same end user, to provide a coherent and personalized experience. This memory is specific to each client and is logically isolated. It is not shared between clients. The client can configure the duration and scope of conversational memory.
Automated decisions and profiling. The agent may perform the following automated processing activities: contact qualification (determining whether a contact is a qualified lead, an informational inquiry, spam, etc.), priority assignment (determining the urgency or potential value of an inquiry), quote generation (calculating prices and building budgets based on the client's rules), human handoffs (deciding when a conversation requires human intervention), and product or service suggestions (recommending options based on expressed preferences).
These decisions are based on the business rules configured by the client and on analysis of the conversation context. They do not produce legal effects on their own (they do not conclude contracts, assume binding commitments, or deny services). The client is responsible for supervising these decisions, configuring human handoff thresholds, and verifying that generated quotes and recommendations are correct before a transaction is formalized.
If you are an end user and believe that an automated decision has negatively affected you, you can request human review of that decision by directly contacting the business you interacted with (the Trama client).
Transparency about AI use. Trama recommends that its clients inform their end users that they are interacting with an artificial intelligence agent, and facilitates this disclosure. The agent includes, by default, an identification as an AI assistant in the first interactions, unless the client configures otherwise. In jurisdictions where legislation requires it (such as the European Union under the EU AI Act, Article 50), this disclosure is mandatory and the client is responsible for complying with it.
7. WhatsApp and Meta
Trama accesses WhatsApp conversations through the WhatsApp Cloud API from Meta Platforms, Inc. This section details how this access works:
Access via official API. Trama uses the official WhatsApp Business API (Cloud API), which is the mechanism approved by Meta for technology providers to process messages on behalf of businesses. We do not access WhatsApp in an unauthorized manner or use personal apps or the standard WhatsApp Business app for data processing.
Data we receive from WhatsApp. Through the API we receive: the content of messages sent and received (text, images, documents, audio, video, stickers, shared locations), the end user's profile name and phone number, message metadata (timestamp, message type, delivery and read status), and conversation context information (if it's a reply to a template, a message in a flow, etc.).
Data we do NOT access. Trama does not access: the phone contact list of the client or end user, private conversations of the client or end user outside the agent's channel, real-time location data of the end user (unless they explicitly share a location in the conversation), WhatsApp conversation history prior to the Trama agent's activation, WhatsApp statuses (stories) of the client or end user, information from WhatsApp groups not linked to the agent, or Meta/Facebook/Instagram account data of the end user.
Encryption. Messages in transit between the end user and WhatsApp servers are protected by WhatsApp's encryption protocol. Once the message reaches Meta's servers through the Cloud API and is forwarded to Trama via webhook, Trama protects the data using encryption in transit (TLS) and encryption at rest in its own systems.
Meta policies. The use of the WhatsApp Cloud API is subject to Meta's policies, including the WhatsApp Business Platform Data Policy, the Business Messaging Policy, the WhatsApp Commerce Policy, and the Platform Terms. Meta may access certain conversation metadata in accordance with its own privacy policies. Trama has no control over Meta's data processing practices. We recommend that clients and end users review WhatsApp's privacy policy at whatsapp.com/legal/privacy-policy.
WhatsApp service provider (BSP). Trama may use a Business Solution Provider (BSP) authorized by Meta to manage the connection to the WhatsApp API. In that case, the BSP acts as a sub-processor and is subject to confidentiality and data protection contractual obligations equivalent to those of Trama.
WhatsApp AI Policy 2026. Trama operates in compliance with Meta's current policy regarding the use of artificial intelligence in WhatsApp Business. Our agents are designed as purpose-specific tools (commercial service, contact qualification, quotes) and not as general-purpose conversational assistants, in accordance with Meta's guidelines.
8. Data of your agency's end users
If you are a Trama client, this section explains how we process the data of the people who contact your agent (your travelers, potential customers, suppliers, contacts):
Ownership. Your end users' data belongs to you as the client. Trama processes it exclusively as a data processor, to provide you with the contracted service.
Isolation. Your end users' data is logically isolated and segregated from other Trama clients' data. Each client operates in their own data space (tenant), with dedicated access controls. No other client can access your data, and you cannot access other clients' data.
No use for own purposes. Trama does not use identifiable data from your end users for: Trama marketing, directly contacting your end users on behalf of Trama, selling or sharing with third parties, feeding other clients' agents, or profiling for Trama's benefit. The exception is the use of irreversibly anonymized data, in accordance with the process described in section 5.4.
No data sale. Trama does not sell, rent, license, or commercialize personal data of any kind, under any circumstances. This applies to data from clients, end users, and visitors.
Data export. You can request the export of your end users' data at any time during the term of your subscription and during the 30 calendar days following cancellation. Data will be delivered in a structured, commonly used, machine-readable format (JSON or CSV).
Your responsibility. As a client, you are responsible for: informing your end users that they may be interacting with an AI agent and that their data will be processed in accordance with your own privacy policy, having the appropriate legal basis to collect and process their personal data (consent, contractual relationship, legitimate interest, or other valid basis in your jurisdiction), publishing your own privacy policy describing how you process your customers' data, including the use of Trama as data processor, complying with applicable data protection legislation in your jurisdiction, handling data rights requests directed to you by your end users, and not collecting sensitive data or special categories of data through the agent unless you have a reinforced legal basis for doing so. Trama will reasonably assist you in fulfilling these obligations in accordance with the terms of the DPA, if signed.
9. With whom we share information
Trama does not sell, rent, or commercialize personal data. We share information only in the following cases and with the following categories of recipients:
Cloud infrastructure providers. For data storage, processing, and hosting. These providers operate under strict confidentiality and data protection agreements, and process data exclusively in accordance with our instructions.
Artificial intelligence model providers. For conversation processing and response generation by the agent. Conversation data is sent to the model provider for real-time processing. Trama contracts providers that do not use this data to train general models.
Payment processors. For managing payments, subscriptions, and billing. Payment processors receive only the data strictly necessary to process the transaction and are subject to payment industry security standards (PCI DSS).
WhatsApp service providers (BSP). For connection to the WhatsApp Business API and message management.
Email and communications providers. For sending operational notifications, transactional emails, and, when authorized by the client, marketing communications.
Analytics and monitoring providers. To measure website, Platform, and service performance, detect errors, and improve the experience. Data sent to these tools may include anonymized or pseudonymized browsing data.
Sub-processor management. Trama maintains an internal record of its main sub-processors. Clients who request it can obtain the updated list of sub-processors by contacting privacy@trama.so. Before incorporating a new sub-processor that processes client data, Trama will evaluate the provider's security and privacy guarantees. Trama will notify clients who have signed a DPA about significant changes to the list of sub-processors, with at least 15 days' notice, giving the client the opportunity to object in accordance with the terms of the DPA.
Legal requirements. We may disclose information when necessary to comply with a legal obligation, respond to a court order, subpoena, or request from a competent administrative authority, protect the rights, property, or safety of Trama, our clients, or third parties, or investigate and prevent fraud, abuse, or illegal activities. When legally possible, we will notify the client before disclosing their data in response to a legal requirement.
Corporate transfer. In the event of a merger, acquisition, corporate reorganization, asset sale, financing, or change of control of Trama, personal data could be transferred as part of the transaction. In that case, the acquirer will be subject to the obligations of this policy. We will notify those affected before their data becomes subject to a substantially different privacy policy.
With your consent. In any other case, we will only share your data with your prior, specific, and informed consent.
10. International data transfers
Personal data collected through our services may be transferred to and processed in countries other than the country where it was collected.
Processing location. Our infrastructure and AI model providers may process data in the United States, Europe, and other regions where they maintain data centers. Trama has no direct control over the specific location of its providers' servers, but selects providers that offer adequate guarantees.
Transfer safeguards. When we transfer personal data outside the data subject's jurisdiction, we adopt one or more of the following safeguards: verification that the destination country offers an adequate level of protection recognized by the competent authority of the country of origin, implementation of standard contractual clauses approved by data protection authorities, inclusion of confidentiality, security, and use restriction contractual obligations equivalent to those in this policy, and application of complementary technical measures (encryption, pseudonymization, access controls) to strengthen the protection of transferred data.
For clients in Argentina. International transfers are made in accordance with Article 12 and related provisions of Law 25.326 and its Regulatory Decree 1558/2001, which allow transfers to countries with adequate protection or when the data subject has given consent, among other grounds.
For clients in the European Union / EEA. Transfers outside the EEA are made in accordance with the mechanisms provided in Chapter V of the GDPR (Articles 44 to 49), including adequacy decisions by the European Commission, standard contractual clauses (SCCs) approved by the Commission, or other valid mechanisms. When SCCs are used, Trama implements the supplementary measures necessary in accordance with EDPB recommendations.
For clients in Brazil. International transfers are made in accordance with the mechanisms provided in Article 33 of the LGPD, including countries with adequate protection, standard contractual clauses, or other mechanisms recognized by the ANPD.
11. Data retention and deletion
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected. Below are the retention periods by data type:
Account and registration data. Retained while the client's account is active. After cancellation, retained for 30 calendar days to allow reactivation or export, then deleted from active systems. Certain basic data (name, email, billing history) may be retained for legal periods.
Billing and tax data. Retained for the period required by applicable tax legislation. In Argentina, tax documentation must be kept for 10 years under Law 11.683 and ARCA (formerly AFIP) regulations. In other jurisdictions, the local legal period applies.
Conversation data (end users). Retained while the client's subscription is active. After cancellation, retained for 30 calendar days for export. Then deleted from active systems. Data may persist in encrypted backups for an additional period of up to 90 days in accordance with the backup rotation cycle.
Client content (catalogs, business rules). Retained while the subscription is active and during the 30 calendar days following cancellation.
Navigation and analytics data. Retained for a maximum period of 26 months from collection, unless anonymized earlier.
Cookies. Depending on type: session cookies are deleted when the browser is closed; persistent cookies are retained for the periods indicated in section 13.
Anonymized data. Retained indefinitely, as it does not constitute personal data.
Security and audit logs. Retained for a period of 12 months for security, traceability, and incident investigation purposes.
Support communications. Retained for a period of 24 months from the last interaction, unless part of an active dispute.
Early deletion request. You can request deletion of your personal data at any time by contacting privacy@trama.so. We will handle your request in accordance with applicable legislation. Note that certain data may require retention due to legal obligations, and that data deletion may mean we are unable to continue providing the service to you.
12. Data security
We implement technical and organizational measures appropriate to the risk of processing to protect personal data:
Technical measures
Encryption. Data in transit protected by TLS 1.2 or higher (HTTPS). Data at rest encrypted in our databases and storage systems. Encrypted backups.
Access control. Role-based access controls (RBAC) with least privilege principle. Secure authentication for access to internal systems. Periodic review of access permissions. Environment segregation (development, staging, production).
Isolation. Multi-tenancy with strict logical isolation between clients. Each client operates in a segregated data space. Queries and operations are limited to the scope of the authenticated client.
Monitoring. Continuous activity monitoring and anomaly detection. Audit logs for traceability of access and operations. Automated alerts for security events.
Resilience. Regular backups with documented recovery procedures. Distributed infrastructure for high availability.
Organizational measures
Staff. Contractual confidentiality obligations for all staff with data access. Access to client data limited to the minimum necessary staff.
Vendors. Security evaluation of providers before contracting. Contractual security and confidentiality obligations in all vendor agreements.
Processes. Documented internal information security policies. Security incident response procedures. Periodic security reviews.
Security breach notification
In the event of a security breach affecting personal data:
Client notification. Trama will notify affected clients without undue delay and, in any case, within 72 hours of becoming aware of the incident. The notification will include: description of the nature of the incident, categories and approximate volume of affected data and data subjects, description of the likely consequences of the incident, measures taken and planned to remedy the incident and mitigate its effects, contact details for more information, and recommendations for the client to protect their end users.
Authority notification. When the breach poses a risk to individuals' rights and freedoms, Trama will notify the competent data protection authority in accordance with the timelines and requirements of applicable legislation (72 hours for the GDPR, AAIP timelines for Argentina).
Incident log. Trama maintains an internal log of all security incidents, including those not notified externally because they did not reach notification thresholds.
Limitation. Despite our efforts, no data storage or transmission system is completely invulnerable. We cannot guarantee the absolute security of data, but we commit to acting diligently, continuously improving our security practices, and responding transparently and promptly to any incident.
13. Cookies and tracking technologies
Our website (trama.so) and the Platform use cookies and similar technologies (local storage, pixels, beacons).
Strictly necessary cookies. Essential for the functioning of the website and the Platform. They include session, authentication, security (CSRF), and critical preference cookies. They cannot be disabled without affecting basic functionality. Duration: session or up to 12 months depending on the cookie.
Performance and analytics cookies. Allow us to understand how visitors use our website. Trama uses analytics tools (such as PostHog or others) that may set cookies to collect usage data in aggregate or pseudonymized form. Duration: up to 26 months.
Functionality cookies. Allow remembering user preferences (language, time zone, Platform configuration) to provide a personalized experience. Duration: up to 12 months.
Marketing cookies. At the time of publication of this policy, Trama does not use advertising, remarketing, or third-party advertising tracking cookies. If we implement such cookies in the future, we will update this policy and request your prior consent before activating them, in accordance with applicable legislation.
Do Not Track (DNT) signals. Currently, there is no uniform standard for interpreting "Do Not Track" browser signals. Trama does not modify its behavior in response to DNT signals. If a standard is established in the future, we will evaluate its implementation.
Cookie management. You can configure your browser to reject all or certain cookies, to notify you before accepting them, or to delete existing cookies. Note that disabling certain cookies may affect the functionality of the website or the Platform. Most browsers offer these options in their privacy settings section.
14. Data subjects' rights
Depending on the applicable legislation in your jurisdiction, you may have the following rights regarding your personal data:
Right of access. Request information about what personal data we hold about you, the purposes of processing, the categories of data processed, the recipients or categories of recipients, the retention periods, and the source of the data (if not collected directly from you).
Right of rectification. Request correction of personal data that is inaccurate, incomplete, or outdated.
Right of erasure (deletion). Request deletion of your personal data when: it is no longer necessary for the purposes for which it was collected, you withdraw consent and there is no other legal basis, you object to processing and there are no overriding legitimate grounds, the data has been unlawfully processed, or deletion is required by applicable legislation. This right may be subject to legitimate exceptions: legal retention obligations, exercise or defense of legal rights, or archiving in the public interest.
Right to object. Object to the processing of your personal data when: processing is based on legitimate interest (including profiling based on legitimate interest), data is processed for direct marketing purposes, or in any other case provided for by applicable legislation.
Right to restriction of processing. Request that we restrict the processing of your personal data while: we verify the accuracy of data following a rectification request, we assess an objection request, processing is unlawful but you prefer restriction to erasure, or data is no longer needed but you need it for the exercise of legal rights.
Right to portability. Request to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV), and to transmit it to another controller without Trama preventing it. This right applies to data you provided directly to us and that was processed automatically based on consent or the performance of a contract.
Right not to be subject to automated decisions. Request that a decision that significantly affects you not be based solely on automated processing, including profiling, and to obtain human intervention, express your point of view, and contest the decision. If you are an end user of a Trama agent, this right must be exercised with the client that operates the agent, who is the data controller.
Right to withdraw consent. Withdraw your consent at any time, when processing is based on it, without affecting the lawfulness of processing prior to withdrawal.
How to exercise your rights
If you are a client or Platform user: Contact us at privacy@trama.so with the subject "Exercise of rights", stating: your full name, account email, the specific right you want to exercise, and a description of your request. We will respond within the applicable legal periods:
- Argentina (Law 25.326): 10 calendar days for access, 5 business days for rectification/deletion/objection.
- European Union (GDPR): 30 days, extendable by 60 additional days in complex cases.
- Brazil (LGPD): 15 days.
- Other jurisdictions: in accordance with the applicable legal period.
If you are an end user of a Trama agent: Your direct relationship is with the Trama client that operates the agent (the travel agency, tour operator, or other company). You must send your request directly to that company, which is the data controller for your data. If you do not receive a response from the controller within the legal periods, you can contact us at privacy@trama.so and we will make reasonable efforts to facilitate the handling of your request, informing the client and cooperating to the extent applicable to us as data processors.
Identity verification. To protect your data against unauthorized access, we may ask you to verify your identity before processing your request. This may include confirming account data or providing identity documentation.
No cost. Exercising these rights is free. In the case of manifestly unfounded or excessive requests (due to their repetitive nature), Trama may charge a reasonable administrative fee or reject the request, informing you of the reasons, in accordance with applicable legislation.
Right to complain. If you believe your rights have been violated, you can file a complaint with the competent data protection authority:
- Argentina: Agencia de Acceso a la Información Pública (AAIP), www.argentina.gob.ar/aaip.
- European Union: supervisory authority of the Member State of your habitual residence, place of work, or place of the alleged infringement.
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD), www.gov.br/anpd.
15. Client audit rights
Clients who have signed a DPA with Trama have the right to verify Trama's compliance with its obligations as data processor, in accordance with the terms of the DPA.
Method. Audits may be conducted through: security and compliance questionnaires that Trama will complete within a reasonable timeframe, review of certifications, third-party audit reports, or security assessments that Trama makes available, and on-site or remote audits conducted by the client or an independent auditor designated by the client, subject to prior agreement on date, scope, and confidentiality conditions.
Frequency. On-site or remote audits are limited to once per year, unless a security breach or relevant incident justifies an additional audit.
Costs. The client bears the audit costs. Trama will cooperate in good faith and make available the information and access reasonably necessary, to the extent that it does not compromise the security of other clients or reveal confidential information of third parties.
16. Jurisdiction-specific provisions
16.1 Argentina (Law 25.326)
Database registration. Trama complies with registration obligations with the National Database Registry of the Agencia de Acceso a la Información Pública (AAIP), in accordance with Law 25.326, its Regulatory Decree 1558/2001, and Provision 11/2006, where applicable.
Sensitive data. Trama does not intentionally collect sensitive data (racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health data, sexual orientation, criminal records) through its services. If an end user spontaneously shares information of this nature in a conversation with the agent, this data is treated with the reinforced security measures required by law, not used for purposes other than providing the service, and deleted when no longer necessary for that purpose.
Consent. In accordance with Law 25.326, the data subject's consent must be free, express, and informed, and must be in writing or by another equivalent means.
Response deadlines. Access: 10 calendar days from the request. Rectification, deletion, or objection: 5 business days from receipt of the request. If the request is not satisfied within these periods, the data subject may initiate the habeas data action provided for in Article 33 of Law 25.326.
Supervisory authority. Agencia de Acceso a la Información Pública (AAIP), www.argentina.gob.ar/aaip.
16.2 European Union and European Economic Area (GDPR)
Legal bases for processing. The legal bases for each processing activity are detailed in section 5 of this policy.
EU representative. If Trama reaches the thresholds requiring designation of an EU representative under Article 27 of the GDPR, we will publish the representative's contact details in this policy. At the time of this publication, Trama does not operate at a scale requiring such designation.
Data Protection Officer (DPO). At the time of this publication, Trama has not formally designated a DPO in accordance with Article 37 of the GDPR. Data protection inquiries can be directed to privacy@trama.so. If a DPO is designated in the future, their details will be published in this policy.
Impact assessment. Trama conducts Data Protection Impact Assessments (DPIAs) when processing may involve a high risk to individuals' rights and freedoms, in accordance with Article 35 of the GDPR.
Record of processing activities. Trama maintains a record of processing activities in accordance with Article 30 of the GDPR, available to the supervisory authority upon request.
16.3 Brazil (LGPD)
For clients or end users in Brazil, personal data processing is carried out in accordance with the Lei Geral de Proteção de Dados (LGPD, Law 13.709/2018). Applicable legal bases include: performance of contract, consent, legitimate interest, and compliance with legal obligation. Data subjects in Brazil have the right to request confirmation of the existence of processing, access to data, correction, anonymization, blocking or deletion of unnecessary or excessive data, portability, deletion of data processed with consent, information about entities with whom data was shared, and information about the possibility of not giving consent and the consequences. Supervisory authority: Autoridade Nacional de Proteção de Dados (ANPD), www.gov.br/anpd.
16.4 Other jurisdictions
If you are in a jurisdiction not specifically covered in this section (such as the United States under CCPA/CPRA, Canada under PIPEDA, or any other), Trama commits to processing your personal data with the protection standards described in this policy, which are aligned with international best practices. If the legislation of your jurisdiction grants additional rights beyond those described here, those rights also apply to you, and you can exercise them by contacting privacy@trama.so.
For clients in California (USA), Trama clarifies that: it does not sell consumers' personal information, as "sale" is defined under CCPA/CPRA, it does not share personal information for cross-context behavioral advertising, and California consumers have the right to know, delete, and opt out of the sale of their personal information.
17. Children's privacy
Our services are not directed to individuals under 18 years of age (or the age of majority in the applicable jurisdiction). Trama does not intentionally collect personal data from minors.
If an underage end user interacts with a Trama agent, the responsibility for verifying age, implementing access controls, and obtaining parental or guardian consent where required under applicable legislation falls on the client operating the agent.
If we become aware that we have collected personal data from a minor without appropriate consent, we will take reasonable steps to delete that information from our systems in a timely manner. If you believe a minor has provided personal data through our service, contact us at privacy@trama.so.
18. Links to third-party sites and services
Our website, the Platform, or the AI agent may contain links to third-party websites, services, applications, or platforms. This Privacy Policy applies exclusively to Trama's services and does not extend to third-party sites or services.
We recommend reviewing the privacy policies of each third-party site or service you use or visit. Trama is not responsible for the privacy practices, content, or security of third-party sites or services, including those of Meta/WhatsApp, AI model providers, payment processors, and any other third party mentioned in this policy.
19. Changes to this policy
Trama may update this Privacy Policy periodically to reflect changes in our data processing practices, applicable legislation, our services, or our corporate structure.
Substantial changes. Substantial changes will be notified with at least 30 calendar days' notice through: email to the address registered in the client's account, prominent notice on our website (visible banner or notification), and notification within the Platform. Changes considered substantial are those that: modify the purposes of processing, expand the categories of data collected, incorporate new categories of recipients, modify data subjects' rights, or substantially alter security measures.
Minor changes. Minor changes (format corrections, contact detail updates, clarifications that do not modify the meaning) may be made without prior notice and will be reflected in the "Last updated" date.
Update date. The "Last updated" date at the beginning of this policy indicates when the most recent revision was made.
Acceptance. Continued use of our services after the changes take effect constitutes acceptance of the updated policy. If you disagree with substantial changes, you can cancel your account before they take effect, without penalty, in accordance with the Terms and Conditions.
Previous versions. We will maintain an archive of previous versions of this policy. You can request access to previous versions by contacting privacy@trama.so.
20. Contact
If you have questions, comments, or requests related to this Privacy Policy or the processing of your personal data:
For privacy inquiries and exercise of rights: Email: privacy@trama.so
For general inquiries: Email: hello@trama.so
To report security incidents: Email: security@trama.so
Address: Córdoba, Argentina
Website: trama.so
We commit to responding to all inquiries within the applicable legal periods and, in any case, within no more than 30 calendar days from receipt.
Trama Inc. is committed to protecting your privacy and processing your personal data responsibly, transparently, and with respect for your rights.