Privacy Policy

Effective April 26, 2026 · Plain-English summary at the top, full policy below.

1. Who we are

AskTAD ("AskTAD," "we," "us," "our") is operated by Josh Weiss Travel LLC, located at 35 Marquette Road, Montclair, NJ 07043. References to "you" or "your" mean the travel advisor using the service. This policy applies to the AskTAD web application at asktad.app and any associated subdomains, plus our marketing site at the same root.

2. What we collect

We collect the following categories of personal data:

Account data

• Your name and email address (from the OAuth provider you sign in with: Google or Microsoft. Sign in with Apple is on the roadmap).
• An OAuth refresh token that lets us re-authenticate you when your session expires.
• Optional: a recovery email you set in Settings.

Workspace data (the data you put into AskTAD)

• Contact records you add, scan, import, or sync (name, title, email, phone, company, notes, photo).
• Property records (hotel name, location, brand, your visit notes, photos, tags).
• Activity logs (site visits, industry meals, fam trips, conferences, virtual meetings, client feedback, your "my places" list).
• Company records (rep firms, DMCs, hotel brands, tour operators).
• Knowledge-base documents you upload (PDFs, DOCX, plain text).
• Photos you scan or upload.

Usage data

• The questions you ask TAD and the timestamps of those queries.
• The features you use and how often (for service quality).
• Standard server logs: IP address, browser type, request paths.

Connection data

• OAuth tokens for any external services you connect (Google Workspace for Drive storage and/or Contacts sync; Microsoft 365 for Outlook Contacts sync). We store the refresh tokens encrypted on our servers.

What we do NOT collect

• Payment card numbers. Beta is free. When billing turns on, payments will be processed by a PCI-compliant third party and we will never see card data.
• Government IDs, SSNs, passport numbers (we have no reason to ask).
• Health information.
• Browsing activity outside AskTAD.
• Behavioral tracking data for advertising. We do not advertise.

3. How we use your data

We use your personal data to:

• Authenticate you and authorize access to your workspace.
• Store and retrieve the records you create, edit, or import.
• Generate answers to your questions by sending your query and relevant excerpts of your stored data to our AI provider (see Section 4).
• Process imports (PDFs, CSVs, business-card photos, hotel website pulls) into structured records.
• Sync contacts from (and optionally to) your Google or Microsoft address book if you've connected those services. The exact direction (one-time import, going-forward only, or full bidirectional) is set by the sync mode you pick during onboarding.
• Store your workspace photos, scans, and documents in your own Google Drive folder, with nightly snapshots of your structured data kept in AskTAD/Backups/ so previous states are recoverable.
• Detect duplicates, surface "needs attention" items, and run the housekeeping flows you can see in Settings.
• Diagnose bugs and improve service reliability.
• Comply with legal obligations and enforce our Terms.

4. AI providers & your data

To answer your questions and parse documents (cards, PDFs, hotel websites), we send your query plus relevant excerpts of your data to a third-party AI provider. Currently:

• Anthropic, Inc. (Claude API): for natural language understanding, debrief synthesis, document parsing, and question answering.

Anthropic's API terms prohibit using your data to train Anthropic's models. We rely on those terms; we do not have an independent ability to enforce that promise. Anthropic's Commercial Terms of Service apply.

We may, in the future, add other AI providers (e.g. OpenAI, Google) for specific features. We will update this policy and notify you in-app before any new provider receives your data.

What gets sent to the AI provider: your question, the system prompt that frames TAD's role, and the records and notes that the question is about (e.g. your notes on the property you're asking about, contacts at that property, etc.). We do not send your entire workspace on every query. We do not send your authentication credentials or recovery email.

What you can do: if you do not want any of your data sent to an AI provider, do not use the Ask TAD feature, Smart Debrief, or any feature labeled "Let TAD do the work." Manual logging, browsing, and viewing your records do not call the AI provider.

5. Other third-party services

In addition to the AI provider above, we use:

• Google OAuth, Google Drive API, Google Contacts API, Google Places API: for sign-in (if you choose Google), storage of your AskTAD photos, scans, and documents in your Drive, contact sync from your Google address book, and property auto-match against Google Places. Data sent to Google is governed by Google's privacy terms.
• Microsoft OAuth, Outlook Contacts API: for sign-in (if you choose Microsoft) and contact sync to/from your Outlook address book. OneDrive file storage for AskTAD media is not yet supported; Microsoft 365 advisors who want photo/scan storage need to also connect a Google Drive account during this period.
• Vercel, Inc.: hosts the AskTAD web application and the working index. Vercel processes IP addresses and request metadata in the course of serving requests.
• Postmark (Wildbit, LLC): processes inbound email forwarded to your per-workspace import address (<slug>@import.asktad.app) so AskTAD can extract structured logs, contacts, and properties from confirmation emails you forward in. Postmark also delivers outbound transactional email (waitlist confirmations, contact-form replies). Postmark does not retain message bodies past the standard delivery window.
• OpenStreetMap / OpenFreeMap: serves the base map tiles when you view the Map. Your IP address is visible to the tile server when tiles load.

Each of these services has its own privacy policy that governs their handling of your data. We choose providers with reasonable data-protection commitments, but we cannot control or guarantee their practices.

6. Where your data lives

AskTAD's storage model is split, by design, to keep our hosting costs from scaling with your media library:

• Your photos, scanned business cards, and uploaded documents (KB imports, booking-confirmation PDFs, anything with a binary file) live in your own Google Drive folder, inside AskTAD/Photos/, AskTAD/Scans/, and AskTAD/Documents/. We store a reference (a Drive file id) and stream the file through to the browser when needed. We never keep a copy on our servers. If you disconnect your Drive or delete the folder, those files are gone from AskTAD.
• Your structured text (property names, contact records, log titles + notes, ratings, tags, summaries) lives in AskTAD's database. This is the searchable, query-able working set: text only, no media, typically under a megabyte per workspace. It's hosted on Vercel's managed Postgres infrastructure in the United States and encrypted at rest and in transit.

A regular snapshot of the structured text is written to AskTAD/Backups/ in your own cloud storage. The standard deployment schedules this daily; the exact cadence is set by your deployment's cron configuration. Together with the live media in AskTAD/Photos/ + AskTAD/Scans/ + AskTAD/Documents/, you have an advisor-owned copy of everything in your account that you can download and keep indefinitely.

If you close your account or revoke Drive access, AskTAD's database is purged of your workspace within 30 days; your files in AskTAD/ stay in your Google Drive for you to keep, download, or delete on your own schedule.

The AskTAD/ folder lives in your Google account, not ours, and is governed by Google's Drive terms. If you disconnect Drive or delete the folder yourself, AskTAD loses access immediately and we cannot retrieve it.

You can export any subset of your data at any time from Settings (CSV, JSON, vCard formats). You can also request a full export by emailing us; we will deliver it within the timelines required by applicable law.

7. Security & encryption

We take reasonable measures to protect your data, including:

• HTTPS/TLS for all data in transit between your browser and our servers.
• Encryption at rest for our index storage on Vercel's managed Postgres infrastructure.
• OAuth refresh tokens stored encrypted; we never see or store your Google or Microsoft account password.
• Access controls limiting who on our team can see workspace data (currently only the founders).
• Regular dependency updates and an internal security audit before each public release.

8. Retention & deletion

Live records (contacts, properties, logs) live in your workspace until you delete them.

Deleted records are soft-deleted: they leave your views immediately, can be recovered from Settings → Housekeeping → Recently Deleted for 30 days, and are permanently purged on day 30 by an automated job. You can also force-delete a row immediately from the same Recently Deleted screen ("Delete forever").

Server logs and usage analytics are retained for up to 12 months for service quality and abuse prevention.

Account closure: if you close your AskTAD account, we will (a) purge your workspace database within 30 days, (b) revoke any OAuth tokens we hold for your Google or Microsoft account, and (c) leave your Google Drive AskTAD/ folder intact for you to keep, download, or delete on your own schedule. Server logs may persist up to 12 months for legal-defense and abuse-prevention reasons.

9. Your privacy rights

Regardless of where you live, you can:

• Access the personal data we hold about you. Most of it is visible in-app; for the rest, email us.
• Correct inaccurate data. Most fields are user-editable in-app.
• Delete your account and have your workspace data removed (subject to 30-day soft-delete window described above).
• Export your data in a portable format.
• Restrict or object to certain processing.
• Withdraw consent at any time (note: this means you cannot use the service, since the service requires processing your data to function).

10. GDPR (EU/UK residents)

If you are located in the European Union or United Kingdom, you have the rights listed above plus:

• The right to lodge a complaint with your data-protection authority.
• The right to know our lawful basis for processing your data: this is contractual necessity (we cannot provide AskTAD without processing your data) plus, in some cases, your consent (e.g. when you connect Google or Microsoft).
• The right to restrict transfers of your data outside the EEA. Note: AskTAD currently processes data in the United States, which is your legal transfer destination. If this is a deal-breaker for you, please do not sign up.

Our data controller for GDPR purposes is Josh Weiss Travel LLC, contactable at contact@asktad.app. We do not currently designate an EU representative under Article 27; if our EU user base grows, we will appoint one.

11. CCPA / CPRA (California residents)

California residents have the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing, and to not be discriminated against for exercising these rights. AskTAD does not sell your personal information and does not "share" it for cross-context behavioral advertising as those terms are defined in the CCPA/CPRA. We do not have a "Do Not Sell or Share My Personal Information" link because we have nothing to sell or share.

To exercise your rights, email contact@asktad.app.

12. Cookies

AskTAD uses a small number of strictly-necessary cookies for authentication and workspace selection. We do not use tracking cookies, advertising cookies, or third-party analytics that profile you. Disabling cookies in your browser will prevent AskTAD from working.

13. Children

AskTAD is built for adult travel advisors. We do not knowingly collect personal data from children under 16. If you believe a child has provided data to us, contact us at contact@asktad.app and we will delete it.

14. International data transfers

AskTAD is operated from the United States. By using AskTAD, you understand that your personal data will be transferred to, stored in, and processed in the United States, which may not provide the same level of data protection as your country of residence. If you do not consent to this, please do not use AskTAD.

15. Changes to this policy

We may update this policy from time to time. The "Effective Date" at the top reflects the most recent version. Material changes (changes that materially expand the data we collect or how we use it) will be communicated to you in-app at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.

16. Contact us

For privacy-related questions, requests, or complaints:

Email: contact@asktad.app (use subject line "[Privacy]")
Or: contact@asktad.app if set up
Mail: Josh Weiss Travel LLC / 35 Marquette Road, Montclair, NJ 07043

We respond to verifiable requests within 30 days, or sooner if your law requires.