Legal
Data Protection
Last updated: January 2026
1. Security Measures
All traffic is encrypted in transit with TLS 1.3. Payment data is tokenized and never stored on our servers. Production databases are encrypted at rest (AES-256). Access is restricted via role-based controls and multi-factor authentication, and is audited via SIEM.
2. Storage Locations
Personal data is stored in SOC 2 Type II certified facilities in US-East and US-West regions. Backups are encrypted and retained for 35 days.
3. Personnel Practices
Employees receive annual security and privacy training. Background checks are performed on all staff with access to production systems.
4. Incident Response
In the unlikely event of a data breach affecting personal information, we will notify affected users within 72 hours of confirmation, as required by GDPR Article 33 and applicable US state breach-notification laws.
5. Data Retention & Disposal
Booking records: 7 years. Marketing data: until unsubscribe. Logs: 1 year. Data is securely overwritten upon expiry.
6. Subject Requests
To exercise data subject rights, write to privacy@thecitypair.com. We respond within 30 days.
