Lambus For Business

Privacy Policy

for the use of the B2B software Lambus for Business

Version: 2026-04-24

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Lambus GmbH
Albert-Einstein-Straße 1, 49076 Osnabrück
Germany
E-Mail: privacy@lambus.com

2. Scope of this Privacy Policy

This Privacy Policy provides information about the processing of personal data when using the software Lambus for Business, a cloud-based B2B solution for the digitization, structuring, and presentation of travel and booking information.

The policy applies to both:

  • the use of the website (lambus.ai) and
  • the use of the software Lambus for Business (app.lambus.ai, including registration and product data).

3. Allocation of Roles under the GDPR

3.1 Customer as Controller

Our customers (e.g. tour operators, travel agencies, OTAs) are controllers within the meaning of data protection law pursuant to Art. 4 No. 7 GDPR with respect to the personal data of their end customers.

3.2 Provider as Processor

We process personal data exclusively on behalf of and in accordance with the instructions of our customers pursuant to Art. 28 GDPR.

A corresponding Data Processing Agreement (DPA) is concluded as part of the self-onboarding process or separately.

3.3 Collection of Data Not Directly from the Data Subject

Personal data of end customers is not collected directly from the data subject, but is transmitted by the respective customer in the context of data processing.

The customer, as controller, is obligated to inform the data subjects about the data processing in accordance with Art. 13 or Art. 14 GDPR.

3.3 Provider's Own Responsibility

Insofar as personal data is processed in connection with the marketing website, the initiation and performance of the contract with the B2B customer, or in the context of web analytics and tracking measures, this is done under the provider's own data protection responsibility pursuant to Art. 4 No. 7 GDPR.

4. Categories of Data Processed

Depending on the use of the software, the following personal data may be processed in particular:

4.1 End Customer Data (Travelers)

  • First and last name
  • Contact details (e.g. email address, phone number)
  • Travel data (travel dates, locations, accommodations, means of transport)
  • Booking and reference numbers
  • Other travel-related information from booking documents

4.2 Customer Data (B2B Users)

  • Name
  • Business address
  • Phone number
  • Business email address
  • Company affiliation
  • Company type and website
  • Product interests and estimated travel volume
  • Login and usage data

The provision of the data mentioned in Section 4.2 is required for the establishment and performance of the contractual relationship. Without this data, the software cannot be provided.

5. Purposes of Data Processing

Personal data is processed exclusively for the following purposes:

  • Provision and operation of the software
  • Needs assessment and product recommendation during onboarding
  • Automated extraction and structuring of travel data
  • Digital presentation of travel itineraries
  • Support, error analysis, and product improvement
  • Billing and usage analysis (B2B)
  • Processing of contact requests

Processing for other purposes does not take place.

6. Legal Bases for Processing

Processing is based on the following legal bases:

  • Art. 6(1)(b) GDPR (performance of a contract with the customer, in particular provision of the software, support, and billing, as well as implementation of pre-contractual measures upon request, e.g. in the case of contact inquiries via the website)
  • Art. 28 GDPR (processing on behalf of customers with regard to end customer data)
  • Art. 6(1)(f) GDPR (legitimate interest in IT security, system stability, error analysis, and abuse prevention)
  • Art. 6(1)(a) GDPR (consent, if required in individual cases)

7. Self-Onboarding

During self-onboarding, customers may test the software with real booking documents.

The customer ensures that:

  • they are authorized to process the data,
  • the necessary consents of the end customers are in place,
  • no unlawful or illegal data is processed.

The provider accepts no responsibility for the lawfulness of the content provided by the customer.

8. Recipients & Sub-processors

To provide and operate the software, the provider engages carefully selected sub-processors in the context of data processing pursuant to Art. 28 GDPR. These are contractually obligated to comply with applicable data protection regulations.

The following service providers are currently used in particular:

  • Amazon Web Services (AWS): Receipt of emails, cloud infrastructure, and document storage
  • Supabase, Inc.: Provision of database infrastructure
  • Fly.io, Inc.: Hosting and operation of the application environment
  • Plus Five Five, Inc. (Resend): Sending system-related emails
  • Google Cloud EMEA Limited: Processing of document contents for structured analysis using AI models
  • Braintrust Data, Inc.: Logging and monitoring of AI agents
  • Inngest, Inc.: Control and processing of background jobs (job queue)
  • BunnyWay d.o.o. (bunny.net): Content delivery network and image delivery
  • Functional Software, Inc. (Sentry): Error and performance monitoring

Processing generally takes place within the European Union or the European Economic Area. Insofar as individual service providers process data outside the EU/EEA or access from a third country cannot be excluded, this is done exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR, in particular on the basis of EU Standard Contractual Clauses or an adequacy decision of the European Commission.

9. Third-Country Transfers

In the context of providing the software, personal data may be processed by engaged sub-processors in countries outside the European Union (EU) or the European Economic Area (EEA), in particular in the United States of America.

Such transfer is made exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR.

If no adequacy decision of the European Commission exists for the relevant third country, the transfer is made on the basis of appropriate safeguards within the meaning of Art. 46 GDPR, in particular by concluding EU Standard Contractual Clauses (SCCs).

Insofar as a service provider is certified under the EU-US Data Privacy Framework, data transfer is made on the basis of the corresponding adequacy decision of the European Commission.

The provider ensures that an adequate level of data protection is guaranteed for all third-country transfers.

10. Data Security

We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to protect personal data, in particular:

  • Encryption during transmission (TLS)
  • Access restrictions and role models
  • Client separation
  • Regular backups
  • Logging and monitoring

Details are described in the TOMs document.

11. Retention Period & Deletion

Personal data is stored only for as long as necessary for the fulfillment of the contractual purposes.

After termination of the contractual relationship, productive customer data is deleted within 30 days, unless statutory retention obligations exist.

Data from contact inquiries via the website (e.g. via a contact or inquiry form) is used exclusively for processing the inquiry and deleted after the inquiry has been fully processed, unless statutory retention obligations exist.

Statutory retention obligations (e.g. requirements under commercial or tax law) remain unaffected.

12. Rights of Data Subjects

Data subjects have the following rights under the GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object (Art. 21 GDPR)
  • Right to lodge a complaint (Art. 77 in conjunction with Art. 13(2)(d))

The exercise of data subject rights is generally directed at the respective controller (customer).

The provider supports the controller in fulfilling data subject rights within the framework of the existing data processing relationship pursuant to Art. 28(3)(e) GDPR.

Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority is in particular the

State Commissioner for Data Protection of Lower Saxony:
Prinzenstraße 5, 30159 Hannover
Phone: 0511 120-4500, E-Mail: poststelle@lfd.niedersachsen.de
Website: https://www.lfd.niedersachsen.de

Insofar as processing is based on consent, it may be withdrawn at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

13. Cookies & Tracking

13.1 General

On our website (lambus.ai) and in the B2B software (app.lambus.ai) we use cookies and similar technologies. The storage of and access to information on your device is based exclusively on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You may withdraw your consent at any time (see Section 13.5).

13.2 Google Analytics 4

We use Google Analytics 4 to analyze the usage of our services, both on the website (lambus.ai) and in the B2B app (app.lambus.ai).

  • Provider: Google LLC, Mountain View, CA 94043, USA
  • Purpose: Analysis of usage (page views, dwell time, interactions)
  • Data processed: IP address (anonymized), device and browser information, page interactions
  • Retention period of analysis data: 14 months
  • Third-country transfer: Transfer to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

13.3 Microsoft Clarity (lambus.ai only)

We use Microsoft Clarity to analyze user behavior on our website (lambus.ai).

  • Provider: Microsoft Corporation, Redmond, WA 98052, USA
  • Purpose: Analysis of user behavior using heatmaps and session recordings
  • Data processed: Mouse movements, clicks, scroll behavior, device and browser information
  • Retention period of analysis data: 13 months
  • Third-country transfer: Transfer to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

13.4 Technically Necessary Cookies

To store your cookie consent decision, we set the following technically necessary cookie:

CookiePurposeDomainDuration
lambus_consentStores your cookie consent decisionvisited domain1 year

The cookie contains no personal data and does not require consent.

13.5 Withdrawal of Consent

You may withdraw or change your consent at any time with effect for the future. Consent is stored separately per domain. You must therefore perform the withdrawal or change on each domain individually where you previously granted consent:

  • For the website (lambus.ai): Open lambus.ai and click the "Cookie Settings" link in the footer.
  • For the B2B app (app.lambus.ai): Open app.lambus.ai and click "Change Cookie Settings" at the bottom of this Privacy Policy.

After withdrawal, the cookies set on the respective domain will be deleted and the analytics services deactivated.

14. Error and Performance Monitoring (Sentry)

To ensure the stability, security, and functionality of our services, we use Sentry, a service provided by Functional Software, Inc., USA, on our website (lambus.ai) and in the B2B software (app.lambus.ai).

  • Purpose: Automated detection and analysis of technical errors as well as performance and stability monitoring
  • Data processed: Technical error and usage data (in particular timestamp, error type, stack trace, requested URL)
  • Legal basis: Art. 6(1)(f) GDPR. Our legitimate interest consists in the secure, stable, and uninterrupted operation of our services. Appropriate technical safeguards for data minimization are implemented.
  • Retention period: Maximum of 90 days
  • Third-country transfer: Any transfer of personal data to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.
  • Right to object: Pursuant to Art. 21 GDPR, you have the right to object to this processing at any time (privacy@lambus.com).

15. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to adapt it to legal or technical changes.

In the event of material changes affecting the processing of personal data, we will notify registered users in an appropriate manner (e.g. by email or in-app notification).

The current version is available on the website at any time.

16. Contact

For questions about data protection, please contact:

E-Mail: privacy@lambus.com

Note: This Privacy Policy is addressed to business customers and forms the basis for GDPR-compliant operation of the software.

Cookie Settings

Adjust your consent for cookies at any time.