COWBOY TRAVEL LIMITED
PRIVACY POLICY
Effective Date: 17th April 2026
Last Updated: 17th April 2026
Cowboy Travel Limited, an Irish company registered at Bricana, Gowran, Kilkenny, Ireland ("Cowboy," "we," "us," or "our"), operates the Cowboy mobile application, website, and related services (together, the "Platform"). The Platform is a travel technology product incorporating Firebase Authentication, Google Maps integration, GPS-based route planning and polyline storage, accommodation booking via Stripe, activities and transport via external links, and Firebase Analytics instrumentation.
This Privacy Policy explains how we collect, use, store, disclose, transfer, and otherwise process personal data when you use the Platform. It is intended to comply with the EU General Data Protection Regulation (EU 2016/679) ("GDPR"), which applies to Cowboy as an Irish-incorporated entity, and, where applicable, Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA").
Please read this Privacy Policy carefully before using the Platform.
1. Identity and Contact Details of the Data Controller
The data controller responsible for personal data processed through the Platform is:
Cowboy Travel Limited
Bricana, Gowran, Kilkenny, Ireland
Privacy contact: support@cowboytravelapp.com
Support contact: support@cowboytravelapp.com
Where you make a booking with a partner hostel or accommodation provider ("Partner"), that Partner may independently process your personal data as an autonomous controller for its own guest management, on-property operations, and legal compliance purposes. This Privacy Policy does not govern those independent processing activities.
Where payment processing is carried out through Stripe, Inc. ("Stripe"), Stripe may act as processor and/or independent controller. Stripe's own privacy terms govern its independent processing.
2. Scope
This Privacy Policy applies to personal data collected through the Cowboy mobile application and website; account registration and authentication via Firebase Authentication; route planning, GPS data, saved polylines, and trip preferences; accommodation browsing and booking; in-app communications and customer support; Firebase Analytics instrumentation; Google Maps and location features; and links to and integrations with third-party services offered via the Platform.
This Privacy Policy does not apply to third-party websites, partner booking systems, Stripe's payment pages, external activity or transport providers, or any other service that Cowboy does not own or control.
3. Personal Data We Collect
We collect personal data that is adequate, relevant, and limited to what is necessary for the purposes set out in this Privacy Policy.
3.1 Account and Registration Data
We collect your full name, email address, phone number, login credentials, and account profile information when you register for and use your account.
3.2 Authentication Data
The Platform uses Firebase Authentication (provided by Google LLC) to manage user identity via email and password. Authentication credentials and session tokens are processed by Firebase and validated server-side through JWT middleware in Cowboy's NestJS backend. Firebase processes authentication data subject to Google's terms of service and privacy policy.
3.3 Booking and Reservation Data
We collect and process information relating to bookings made through the Platform, including selected accommodation, dates of stay, number of guests, reservation identifiers, booking and payment status, cancellation and refund details, and special requests or notes you provide.
3.4 Payment-Related Data
Payments are processed through Stripe. We receive and retain limited payment metadata necessary to operate the booking service, including payment status, transaction identifiers, amounts and currency, and refund or dispute status. Cowboy does not collect or store full payment card numbers or card security codes. Those values are processed exclusively by Stripe.
3.5 Location and Route Data
The Platform features an interactive map powered by Google Maps, GPS positioning, route polyline generation, and layer toggles. If you grant location permissions, we collect approximate and/or precise device location to enable these features. Route polylines and associated metadata that you create or save are stored in Cowboy's PostgreSQL database via Prisma ORM and associated with your account. You may withdraw location permissions through your device settings at any time, which will disable location-dependent Platform features.
3.6 Device and Technical Data
We automatically collect device identifiers, IP address, device type and model, operating system and application version, browser type, language and region settings, crash reports, diagnostic data, and performance metrics. This data is used to operate, secure, and improve the Platform.
3.7 Usage and Analytics Data
The Platform uses Firebase Analytics (provided by Google LLC) to instrument user behaviour. Firebase Analytics collects information about screens viewed, in-app events, session duration, feature usage, and booking funnel activity. Google's data practices for Firebase Analytics are described at https://firebase.google.com/support/privacy. Firebase Analytics data practices are accurately disclosed in the App Store and Google Play Data Safety disclosures for the application.
3.8 Communications Data
We collect and store messages between you and Cowboy support, communications relating to bookings facilitated through the Platform, email records, push notification delivery data, and notification preferences.
3.9 Third-Party Data Sources
We may receive personal data from Partners in connection with confirmed bookings; from Stripe relating to payment processing; from Firebase and Google relating to authentication and analytics; and from cloud infrastructure, security, and hosting vendors in the ordinary course of platform operations.
3.10 Sensitive Personal Data
Cowboy does not intentionally collect special category personal data — including health data, biometric data, or government identification — unless specifically required for a booking, legal compliance, fraud prevention, or support scenario and lawfully provided by you or an authorised third party.
3.11 Data Not Collected or Sold
Cowboy does not collect or store full payment card numbers or card security codes. Cowboy does not sell personal data to third parties.
4. Purposes of Processing and Legal Bases
We process personal data only where we have a lawful basis under GDPR Article 6 and a specific, legitimate purpose. The table below summarises the primary purposes and the bases on which we rely.
Account creation, authentication, and session management — Legal basis: Contract (Article 6(1)(b)).
Route planning, GPS features, polyline storage, and map functionality — Legal basis: Contract and Legitimate Interests (Articles 6(1)(b) and 6(1)(f)).
Accommodation booking, payment processing, and booking management — Legal basis: Contract (Article 6(1)(b)).
Customer support and communications — Legal basis: Contract and Legitimate Interests (Articles 6(1)(b) and 6(1)(f)).
Firebase Analytics and platform improvement — Legal basis: Consent and Legitimate Interests (Articles 6(1)(a) and 6(1)(f)).
Security, fraud prevention, and abuse detection — Legal basis: Legitimate Interests (Article 6(1)(f)).
Marketing communications — Legal basis: Consent (Article 6(1)(a)).
Tax, accounting, legal compliance, and regulatory obligations — Legal basis: Legal Obligation (Article 6(1)(c)).
Where we rely on legitimate interests, we balance those interests against your rights and freedoms. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
5. Payments and Stripe
Cowboy uses Stripe, Inc. to process all payments on the Platform. Cowboy operates a single Stripe account and acts as payment intermediary, collecting the booking amount from the user and settling amounts with Partners. By making a payment through the Platform, you agree to Stripe's Terms of Service and Privacy Policy.
Stripe may process personal data as Cowboy's processor and/or as an independent controller, depending on the activity. Cowboy retains from Stripe only the payment metadata necessary to manage bookings, reconcile transactions, support refunds and disputes, and maintain financial records. Cowboy does not store full card numbers or CVV/CVC codes.
6. How We Share Personal Data
6.1 Partner Hostels and Accommodation Providers
We share booking-related data with the relevant Partner to fulfil confirmed reservations. This includes your name, booking dates, reservation details, guest information, and special requests. Partners are independent data controllers for the personal data they process for their own purposes.
6.2 Payment Service Providers
We share personal data with Stripe and connected payment participants to process transactions, manage refunds and disputes, conduct fraud screening, and reconcile payments.
6.3 Infrastructure and Technology Providers
We share personal data with Google LLC in connection with Firebase Authentication and Firebase Analytics; with Google Maps Platform in connection with mapping and location features; and with cloud infrastructure, security, communications, customer support, and content delivery vendors. These providers process data only as necessary to deliver services to Cowboy and under appropriate contractual terms.
6.4 External Activity and Transport Providers
The Platform links to external activity and transport providers for user convenience. Where you follow such a link, data sharing with that provider is governed by its own privacy policy. Cowboy has no control over and is not responsible for external providers' data practices.
6.5 Legal, Regulatory, and Safety Disclosures
We may disclose personal data where necessary to comply with a legal obligation, court order, or regulatory requirement; to enforce our Terms of Service; to investigate fraud, abuse, or security incidents; or to protect the rights, safety, or property of Cowboy, our users, our Partners, or the public.
6.6 Business Transfers
If Cowboy undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction, subject to appropriate protections and notice to users where required.
7. International Data Transfers
Cowboy is incorporated in Ireland and processes data internationally, including in Thailand and in the United States, where Google (Firebase and Maps) and Stripe are headquartered.
Under GDPR, transfers of personal data outside the EEA to countries not covered by a European Commission adequacy decision require appropriate safeguards under GDPR Chapter V. Thailand is not currently on the Commission's adequacy list. Transfers to the United States are covered by Standard Contractual Clauses (SCCs) or equivalent mechanisms adopted by Google and Stripe respectively.
Where personal data is transferred to countries other than those covered by SCC-based mechanisms, Cowboy will rely on Standard Contractual Clauses, binding corporate rules, or other lawful GDPR Chapter V mechanisms as applicable.
Where Thailand's PDPA applies, cross-border transfers are managed in compliance with Thai requirements, including ensuring an adequate level of protection or equivalent safeguards in the destination country.
8. Data Retention
We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, or as required by applicable law.
Account and profile data is retained while your account is active and for a reasonable period following closure. Booking and transaction data is retained for the period required by applicable tax, accounting, and consumer protection law, typically a minimum of seven years. Route and GPS data is retained for the duration your account is active and deleted on account deletion subject to legal requirements. Firebase Analytics data is subject to Google's own retention settings. Support and communications data is retained as necessary to manage open issues and disputes. Crash and diagnostic data is retained for the period required for debugging and stability improvement.
Data no longer required for any lawful purpose will be deleted or anonymised.
9. Account and Data Deletion
You can delete your Cowboy Travel account at any time. You may request deletion of your account and associated personal data in either of the following ways:
From the app:
1. Open Cowboy Travel and sign in
2. Go to the Account tab
3. Tap "Delete Account"
4. Confirm
By email:
Send a request to support@cowboytravelapp.com from your account email with the subject "Delete my account". We process requests within 30 days.
What gets deleted:
- Your profile (name, email, travel preferences)
- Saved routes and journey history
- Login credentials
What we retain (for legal/tax compliance, up to 7 years):
- Booking transaction records
- Payment records (handled by Stripe)
Email support@cowboytravelapp.com for more information.
On receipt of a valid deletion request, Cowboy will delete or anonymise your personal data subject to any mandatory retention obligations. Retained data will be used only for the lawful purpose justifying retention. Account deletion permanently removes saved routes, trip preferences, booking history, and all account-linked content. This action is irreversible.
10. Your Rights
Subject to applicable law, you have the following rights under GDPR in relation to your personal data:
Right of access (Article 15): to obtain a copy of the personal data we hold about you and information about how it is processed.
Right to rectification (Article 16): to have inaccurate or incomplete data corrected.
Right to erasure (Article 17): to have your personal data deleted in certain circumstances.
Right to restriction of processing (Article 18): to limit how we process your data in certain circumstances.
Right to object (Article 21): to object to processing based on legitimate interests or for direct marketing.
Right to data portability (Article 20): to receive certain personal data in a structured, machine-readable format.
Right to withdraw consent: to withdraw consent at any time where processing is consent-based.
Right to lodge a complaint: with the Irish Data Protection Commission (www.dataprotection.ie) or another competent supervisory authority.
To exercise any right, contact us at support@cowboytravelapp.com. We may verify your identity before responding. Response timeframes comply with applicable law. Where Thailand's PDPA applies, you may additionally exercise rights under that legislation.
11. Cookies, SDKs, and Tracking Technologies
The Platform integrates Firebase Authentication and Firebase Analytics SDKs (Google LLC) and Google Maps SDK (Google LLC). These SDKs collect device identifiers, usage events, location data, and technical information for authentication, analytics, mapping, and fraud prevention purposes, as further described in this Privacy Policy and in the App Store and Google Play Data Safety disclosures.
Cowboy does not use advertising networks or advertising cookies. Session tokens and local storage mechanisms are used strictly for authentication and Platform functionality.
App Store and Google Play Data Safety disclosures accurately reflect the data collection practices of Cowboy and its integrated third-party SDKs, as required by Apple's App Store Review Guidelines and Google Play's Data Safety policy.
12. Push Notifications and Marketing
Cowboy sends service notifications relating to booking confirmations, booking status updates, trip reminders, security alerts, and account management events. These communications are integral to the Platform and cannot be opted out of while your account is active.
Cowboy sends marketing communications only where you have given consent or where otherwise permitted by applicable law. You may withdraw marketing consent at any time via the unsubscribe link in any marketing communication or by contacting support@cowboytravelapp.com. Withdrawal does not affect the lawfulness of prior processing.
Push notification permissions are managed through your device's notification settings. You may disable push notifications at any time.
13. Security
Cowboy implements appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include TLS-encrypted data transmission; Firebase Authentication and JWT-based access control; role-based permissions in the NestJS backend; PostgreSQL database access controls; payment data segregation via Stripe; secure cloud hosting infrastructure; logging, monitoring, and intrusion detection; vendor due diligence and contractual security obligations; and documented incident response procedures.
No technical system is completely immune from attack or failure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, Cowboy will comply with applicable breach notification obligations under GDPR — including notifying the Irish Data Protection Commission within 72 hours where feasible and notifying affected individuals without undue delay where required — and, where applicable, under Thailand's PDPA.
14. Children
The Platform is intended for users aged 18 and over. Cowboy does not knowingly collect personal data from persons under 18. If we become aware that a child has provided personal data, we will promptly delete it, subject to any mandatory legal retention. To report such a situation, contact support@cowboytravelapp.com.
15. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes to our data practices, the Platform, or applicable law. Material changes will be communicated by updating the Last Updated date above and, where appropriate, by notice through the Platform or by email. Continued use of the Platform following an update constitutes acknowledgement of the revised policy.
16. Contact
Cowboy Travel Limited, Bricana, Gowran, Kilkenny, Ireland
Privacy: support@cowboytravelapp.com | Support: support@cowboytravelapp.com
END OF PRIVACY POLICY