Privacy Policy

We collect information in three ways: data you provide directly, data collected automatically as you use the Platform, and data received from third-party services such as authentication providers.

Information you give us

• Account registration: Full name, email address, phone number, and an optional profile picture.
• Booking details: Check-in and check-out dates, number of guests, room preferences, and any special requests submitted to a property.
• Vendor applications: For hotel-owner applications we may request additional documents such as a government-issued ID or business registration certificate to verify your authority over the property. We also collect information about your property listings, including images, descriptions, and compliance documents. Property limit checks and onboarding status are recorded for compliance and platform management.
• Support communications: Messages, submitted reviews, or any other correspondence you send to our team.
• Account status: If your account is suspended or banned, we retain relevant records including the reason, supporting evidence, and communications regarding the action. This is necessary for compliance, fraud prevention, and appeals.

Information collected automatically

• Usage data: Pages you visit, searches you perform (including hotel name search), rooms and hotels you view, time spent on each section, and button interactions.
• Device & technical data: IP address, browser type and version, operating system, and device identifiers used to detect fraud and improve compatibility.
• Approximate location: Inferred from your IP address to show relevant properties. Precise GPS-level location is only requested if you explicitly enable the “Near Me” search feature.

Your data is used only for purposes necessary to provide and improve the Platform. We do not use your personal information for advertising profiling or sell it to any third party.

• Processing bookings: Creating, confirming, and managing your reservations, and communicating confirmation, modification, and cancellation updates.
• Payment processing: Transmitting the minimum details required to complete transactions through our authorised payment processors.
• Account management: Authenticating your identity, enabling role-based access (Guest, Vendor, Admin), and keeping your profile current.
• Customer support: Responding to enquiries, resolving disputes, and sending service-related notifications.
• Platform improvement: Analysing aggregated, anonymous usage patterns to fix bugs, optimise performance, and develop new features.
• Legal compliance: Fulfilling tax reporting and accounting obligations, and responding to lawful requests from regulatory authorities.
• Fraud prevention: Detecting and blocking suspicious activity to protect guests, vendors, and the integrity of the Platform.

We do not sell, rent, or trade your personal information to any third party for marketing purposes. We share your data only in the following limited circumstances, and only to the extent necessary:

• Hotel partners: Guest name, contact details, reservation dates, and special requests are shared with the relevant property to fulfil your booking.
• Payment processors: We pass the minimum information required to securely complete your transaction — see Section 4 for details.
• Authentication provider: We use Clerk for identity management. Clerk processes your email and authentication credentials under their own privacy policy.
• Infrastructure providers: Hosting, database, email delivery, and image storage services (e.g., Cloudinary) operate under strict data-processing agreements and may process your data solely on our behalf.
• Legal obligations: We may disclose data to comply with a court order, government directive, or applicable law, or to protect the rights and safety of our users and the public.

Khan Familia Travels supports multiple payment methods to accommodate guests across different regions. All payment processing is handled by certified third-party providers; we do not store raw card numbers or mobile-wallet credentials on our servers.

• Stripe: International card payments (Visa, Mastercard, American Express) are processed by Stripe, Inc., which is PCI DSS Level 1 certified. Stripe collects your card number, expiry, CVV, and billing address directly; we never see or store these details.
• EasyPaisa: Guests paying via EasyPaisa mobile wallet interact with the EasyPaisa payment interface operated by Telenor Microfinance Bank (TMB). We receive only your registered mobile number and a transaction reference to confirm payment status; we do not access your EasyPaisa PIN, account balance, or transaction history.
• JazzCash: JazzCash payments are facilitated through the JazzCash gateway operated by Mobile Commerce (Pvt.) Ltd., a subsidiary of Jazz Telecom. We receive only a transaction confirmation reference; we do not access your JazzCash MPIN, mobile account balance, or linked bank details.

Each processor maintains its own privacy and security standards. We recommend reviewing their respective policies before completing a transaction.

We use a minimal set of cookies required to operate the Platform securely and remember your preferences. We do not serve third-party advertising cookies.

• Essential cookies: Session tokens, CSRF protection tokens, and authentication state cookies set by Clerk. These are strictly necessary and cannot be disabled without breaking site functionality.
• Preference storage: Lightweight cookies or local browser storage that remember interface settings such as your most recent searches, guest count preferences, and last searched city for featured recommendations.
• Analytics (aggregated): We may collect anonymous, aggregated metrics — such as page view counts and popular search cities — to understand how the Platform is used. No personally identifiable information is included in these statistics.

You can configure or delete cookies via your browser settings. Disabling essential cookies may prevent you from signing in or completing a booking.

We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law.

• Active accounts: Account data is retained for the lifetime of your account. Upon account deletion requests, personal data is permanently removed within 30 days, except where retention is legally mandated.
• Booking records: Reservation history and associated transaction records are retained for seven (7) years from the booking date for tax, accounting, and dispute-resolution purposes.
• Support correspondence: Tickets and messages are kept for two (2) years to handle follow-up enquiries and quality assurance.
• Application logs: Server-side access and error logs are retained for a maximum of 90 days and then automatically purged.

Depending on your jurisdiction, you may have the following rights with respect to your personal data. Email support@khanfamiliatravels.com with your request and sufficient information to verify your identity. We will respond within 30 days.

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your account and personal data, subject to legal retention obligations.
• Right to data portability: Receive your personal data in a structured, machine-readable format.
• Right to restriction: Ask us to limit processing while a dispute or complaint is being resolved.
• Right to object: Object to certain types of processing, including any use of your data for profiling.

We implement industry-standard technical and organisational measures to protect your personal data from unauthorised access, loss, or disclosure.

• All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS enforced).
• Passwords are never stored in plain text. We use cryptographically strong bcrypt hashing with per-user salts.
• Payment data is handled exclusively by PCI DSS-compliant processors. No card numbers or wallet credentials are stored in our databases.
• Database access is restricted to authorised internal services managed behind network-level firewall rules.
• Administrative access to production systems requires multi-factor authentication (MFA).

Despite these safeguards, no method of internet transmission is completely secure. If you believe your account has been compromised, please contact us immediately.

If you have questions, concerns, or complaints about this Privacy Policy or the way we handle your personal data, please contact us:

• Email: support@khanfamiliatravels.com
• Response time: We aim to acknowledge all privacy-related requests within 48 hours and resolve them within 30 calendar days.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.