How we treat your data.

Our posture.

reservations.ai operates inside a twenty year old travel commerce business that has processed billions of reservations. The security posture reflects that lineage: established operational rails, mature incident playbooks, and a conservative approach to new claims. We publish what we can verify and do not publish what we cannot.

Enterprise partners going through procurement typically request a formal security package. We deliver one under NDA as part of scoping. The public page describes the approach in plain language. The private package contains the specifics.

Data handling.

Three categories of data flow through the platform: traveler data (names, dates, loyalty numbers), payment data (cards, tokens), and property data (rates, inventory, reservations). Each is handled differently.

Traveler data

Stored in the minimum form required to complete the reservation and fulfill the commercial obligation to the property. Retention windows match industry norms for reservation records. Travelers can request deletion through the partner that originated the reservation, routed to our DPA contact.

Payment data

reservations.ai never stores full primary account numbers. Payments are tokenized at intake through a qualified payment processor. The token is what traverses our infrastructure. For partners using our reservation rails, settlement happens at the processor level and only redacted references persist on our side.

Property data

Rates, inventory, and commercial terms are shared with us under agreements with HotelPlanner and direct property contracts. We treat that data as confidential and do not expose it beyond what partners need to complete searches, reservations, and reconciliation.

Authentication.

Partner authentication uses bearer tokens tied to a tier, a scope, and an expiration. Tokens are scoped at issuance. A search only token cannot create a reservation. Scopes cannot be escalated by the client.

• Tier scoping. Search, Reservation, and Enterprise tiers have distinct token types. Cross tier capability requires a new token issued at signup or upgrade.
• Expiration. Default token lifetime is 90 days. Enterprise tokens follow negotiated terms.
• Rate limiting. Per token and per IP, tier dependent. Breaches soft throttle first, hard revoke on pattern repeats.
• Audit log. Every authenticated call is logged with token ID, source IP, endpoint, and response code. Logs are retained per our retention policy and made available to partners on request.

Keys and rotation.

API keys rotate automatically on a 90 day cycle. Partners receive advance notice and can trigger rotation early through the partner dashboard. Enterprise partners can pin to a specific rotation schedule tied to their own security cadence.

Compromised keys are revoked immediately on notification and a replacement is issued through the same channel. Partners notify us through security@reservations.ai. We notify partners through the primary contact on file within one business hour of detection.

Agent identity.

Autonomous agents registered through POST /agents/register receive tokens bound to a user principal, a spend cap, a scope (hotels, cars, activities), and an expiration. The agent can transact freely within those bounds. Exceeding any bound triggers immediate revocation.

Agent tokens are distinct from partner tokens. An agent token cannot modify partner account settings, view billing, or access other agents' traffic. Agent actions are logged with a traceable link to the issuing partner and the authorizing principal.

Payments.

Two models are supported. Our rails: we tokenize the card through a qualified processor, charge, settle to the property, and wire the partner's share net of revenue share. Partner rails: the partner handles payment end to end and remits revenue share through monthly reconciliation.

Partners using our rails benefit from the processor's certifications. Partners using their own rails maintain their existing posture and pass reservation confirmations to us without card data. Choice of rail is made at onboarding.

Data residency.

Default storage region is United States. Enterprise partners operating in the European Economic Area can request EU region storage for traveler data subject to scoping. Regional inventory pinning is available for Enterprise partners whose use case requires it.

We do not replicate traveler PII across regions without explicit partner configuration. Property data and rate cache may replicate globally for read performance; that data is not considered personal data.

Incident response.

We maintain an on call rotation across three regions covering the platform 24 hours a day. Response time targets match the severity of the incident:

• Sev 1 (platform down, data exposure). On call response inside 15 minutes. Partner notification inside 1 hour of confirmed incident. Public status page updated inside 30 minutes.
• Sev 2 (degraded service, single endpoint down). On call response inside 1 hour. Partner notification as the incident stabilizes.
• Sev 3 (isolated errors, recoverable). Tracked in the standard queue. Posted on the status page if partner facing.

Post incident reviews for Sev 1 and Sev 2 are published to affected partners within 5 business days. Enterprise partners receive the review directly; Reservation partners receive it through the partner dashboard.

Audits and review.

We undergo regular internal review of security practices and commission third party assessment on a cadence appropriate to the business. We do not publish specific certification claims on this page. Partners in formal procurement can request the current attestation package under NDA as part of scoping.

This approach reflects a simple principle: the attestation package is the authoritative answer. Marketing copy is not. If a partner needs to see an auditor's report, they should see the auditor's report, not a badge on a landing page.

Report a vulnerability.

Security researchers who identify vulnerabilities in the platform can report them through the channels below. We respond to reports inside one business day and coordinate disclosure with the reporter.