Privacy Policy
for the use of the B2B software Lambus for Business
Version: 17.03.2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Lambus GmbH
Albert-Einstein-Straße 1, 49076 Osnabrück
Germany
E-Mail: privacy@lambus.com
2. Scope of this Privacy Policy
This Privacy Policy provides information about the processing of personal data when using the software Lambus for Business, a cloud-based B2B solution for the digitization, structuring, and presentation of travel and booking information.
The policy applies to both:
- the use of the website (lambus.ai) and
- the use of the software Lambus for Business (app.lambus.ai, including registration and product data).
3. Allocation of Roles under the GDPR
3.1 Customer as Controller
Our customers (e.g. tour operators, travel agencies, OTAs) are controllers within the meaning of data protection law pursuant to Art. 4 No. 7 GDPR with respect to the personal data of their end customers.
3.2 Provider as Processor
We process personal data exclusively on behalf of and in accordance with the instructions of our customers pursuant to Art. 28 GDPR.
A corresponding Data Processing Agreement (DPA) is concluded as part of the self-onboarding process or separately.
3.3 Collection of Data Not Directly from the Data Subject
Personal data of end customers is not collected directly from the data subject, but is transmitted by the respective customer in the context of data processing.
The customer, as controller, is obligated to inform the data subjects about the data processing in accordance with Art. 13 or Art. 14 GDPR.
3.3 Provider's Own Responsibility
Insofar as personal data is processed in connection with the marketing website, the initiation and performance of the contract with the B2B customer, or in the context of web analytics and tracking measures, this is done under the provider's own data protection responsibility pursuant to Art. 4 No. 7 GDPR.
4. Categories of Data Processed
Depending on the use of the software, the following personal data may be processed in particular:
4.1 End Customer Data (Travelers)
- First and last name
- Contact details (e.g. email address, phone number)
- Travel data (travel dates, locations, accommodations, means of transport)
- Booking and reference numbers
- Other travel-related information from booking documents
4.2 Customer Data (B2B Users)
- Name
- Business address
- Phone number
- Business email address
- Company affiliation
- Company type and website
- Product interests and estimated travel volume
- Login and usage data
The provision of the data mentioned in Section 4.2 is required for the establishment and performance of the contractual relationship. Without this data, the software cannot be provided.
5. Purposes of Data Processing
Personal data is processed exclusively for the following purposes:
- Provision and operation of the software
- Needs assessment and product recommendation during onboarding
- Automated extraction and structuring of travel data
- Digital presentation of travel itineraries
- Support, error analysis, and product improvement
- Billing and usage analysis (B2B)
- Processing of contact requests
Processing for other purposes does not take place.
6. Legal Bases for Processing
Processing is based on the following legal bases:
- Art. 6(1)(b) GDPR (performance of a contract with the customer, in particular provision of the software, support, and billing, as well as implementation of pre-contractual measures upon request, e.g. in the case of contact inquiries via the website)
- Art. 28 GDPR (processing on behalf of customers with regard to end customer data)
- Art. 6(1)(f) GDPR (legitimate interest in IT security, system stability, error analysis, and abuse prevention)
- Art. 6(1)(a) GDPR (consent, if required in individual cases)
7. Self-Onboarding
During self-onboarding, customers may test the software with real booking documents.
The customer ensures that:
- they are authorized to process the data,
- the necessary consents of the end customers are in place,
- no unlawful or illegal data is processed.
The provider accepts no responsibility for the lawfulness of the content provided by the customer.
8. Recipients & Sub-processors
To provide and operate the software, the provider engages carefully selected sub-processors in the context of data processing pursuant to Art. 28 GDPR. These are contractually obligated to comply with applicable data protection regulations.
The following service providers are currently used in particular:
- Amazon Web Services (AWS): Receipt of emails, cloud infrastructure, and document storage
- Supabase, Inc.: Provision of database infrastructure
- Fly.io, Inc.: Hosting and operation of the application environment
- Plus Five Five, Inc. (Resend): Sending system-related emails
- Google Cloud EMEA Limited: Processing of document contents for structured analysis using AI models
- Braintrust Data, Inc.: Logging and monitoring of AI agents
- Inngest, Inc.: Control and processing of background jobs (job queue)
- BunnyWay d.o.o. (bunny.net): Content delivery network and image delivery
Processing generally takes place within the European Union or the European Economic Area. Insofar as individual service providers process data outside the EU/EEA or access from a third country cannot be excluded, this is done exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR, in particular on the basis of EU Standard Contractual Clauses or an adequacy decision of the European Commission.
9. Third-Country Transfers
In the context of providing the software, personal data may be processed by engaged sub-processors in countries outside the European Union (EU) or the European Economic Area (EEA), in particular in the United States of America.
Such transfer is made exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR.
If no adequacy decision of the European Commission exists for the relevant third country, the transfer is made on the basis of appropriate safeguards within the meaning of Art. 46 GDPR, in particular by concluding EU Standard Contractual Clauses (SCCs).
Insofar as a service provider is certified under the EU-US Data Privacy Framework, data transfer is made on the basis of the corresponding adequacy decision of the European Commission.
The provider ensures that an adequate level of data protection is guaranteed for all third-country transfers.
10. Data Security
We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to protect personal data, in particular:
- Encryption during transmission (TLS)
- Access restrictions and role models
- Client separation
- Regular backups
- Logging and monitoring
Details are described in the TOMs document.
11. Retention Period & Deletion
Personal data is stored only for as long as necessary for the fulfillment of the contractual purposes.
After termination of the contractual relationship, productive customer data is deleted within 30 days, unless statutory retention obligations exist.
Data from contact inquiries via the website (e.g. via a contact or inquiry form) is used exclusively for processing the inquiry and deleted after the inquiry has been fully processed, unless statutory retention obligations exist.
Statutory retention obligations (e.g. requirements under commercial or tax law) remain unaffected.
12. Rights of Data Subjects
Data subjects have the following rights under the GDPR:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint (Art. 77 in conjunction with Art. 13(2)(d))
The exercise of data subject rights is generally directed at the respective controller (customer).
The provider supports the controller in fulfilling data subject rights within the framework of the existing data processing relationship pursuant to Art. 28(3)(e) GDPR.
Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority is in particular the
State Commissioner for Data Protection of Lower Saxony:
Prinzenstraße 5, 30159 Hannover
Phone: 0511 120-4500, E-Mail: poststelle@lfd.niedersachsen.de
Website: https://www.lfd.niedersachsen.de
Insofar as processing is based on consent, it may be withdrawn at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.
13. Cookies & Tracking
13.1 General
On the website (lambus.ai) we use cookies and similar technologies. The storage of and access to information on your device is based exclusively on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You may withdraw your consent at any time (see Section 13.4).
13.2 Google Analytics 4
- Provider: Google LLC, Mountain View, CA 94043, USA
- Purpose: Analysis of website usage (page views, dwell time, interactions)
- Data processed: IP address (anonymized), device and browser information, page interactions
- Retention period of analysis data: 14 months
- Third-country transfer: Transfer to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
13.3 Microsoft Clarity
- Provider: Microsoft Corporation, Redmond, WA 98052, USA
- Purpose: Analysis of user behavior using heatmaps and session recordings
- Data processed: Mouse movements, clicks, scroll behavior, device and browser information
- Retention period of analysis data: 13 months
- Third-country transfer: Transfer to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
13.4 Withdrawal of Consent
You may withdraw your consent at any time with effect for the future by clicking the "Cookie Settings" link in the footer of the website (lambus.ai). After withdrawal, the cookies set will be deleted and the analytics services deactivated.
14. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy to adapt it to legal or technical changes.
In the event of material changes affecting the processing of personal data, we will notify registered users in an appropriate manner (e.g. by email or in-app notification).
The current version is available on the website at any time.
15. Contact
For questions about data protection, please contact:
E-Mail: privacy@lambus.com
Note: This Privacy Policy is addressed to business customers and forms the basis for GDPR-compliant operation of the software.