Privacy Policy

for the use of the B2B software Lambus for Business

Version: 17.03.2026

1. Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

Lambus GmbH
Albert-Einstein-Straße 1, 49076 Osnabrück
Germany
E-Mail: privacy@lambus.com

2. Scope of this Privacy Policy

This Privacy Policy provides information about the processing of personal data when using the software Lambus for Business, a cloud-based B2B solution for the digitization, structuring, and presentation of travel and booking information.

The policy applies to both:

the use of the website (lambus.ai) and
the use of the software Lambus for Business (app.lambus.ai, including registration and product data).

3.1 Customer as Controller

Our customers (e.g. tour operators, travel agencies, OTAs) are controllers within the meaning of data protection law pursuant to Art. 4 No. 7 GDPR with respect to the personal data of their end customers.

3.2 Provider as Processor

We process personal data exclusively on behalf of and in accordance with the instructions of our customers pursuant to Art. 28 GDPR.

A corresponding Data Processing Agreement (DPA) is concluded as part of the self-onboarding process or separately.

3.3 Collection of Data Not Directly from the Data Subject

Personal data of end customers is not collected directly from the data subject, but is transmitted by the respective customer in the context of data processing.

The customer, as controller, is obligated to inform the data subjects about the data processing in accordance with Art. 13 or Art. 14 GDPR.

3.3 Provider's Own Responsibility

Insofar as personal data is processed in connection with the marketing website, the initiation and performance of the contract with the B2B customer, or in the context of web analytics and tracking measures, this is done under the provider's own data protection responsibility pursuant to Art. 4 No. 7 GDPR.

4. Categories of Data Processed

Depending on the use of the software, the following personal data may be processed in particular:

4.1 End Customer Data (Travelers)

First and last name
Contact details (e.g. email address, phone number)
Travel data (travel dates, locations, accommodations, means of transport)
Booking and reference numbers
Other travel-related information from booking documents

4.2 Customer Data (B2B Users)

Name
Business address
Phone number
Business email address
Company affiliation
Company type and website
Product interests and estimated travel volume
Login and usage data

The provision of the data mentioned in Section 4.2 is required for the establishment and performance of the contractual relationship. Without this data, the software cannot be provided.

5. Purposes of Data Processing

Personal data is processed exclusively for the following purposes:

Provision and operation of the software
Needs assessment and product recommendation during onboarding
Automated extraction and structuring of travel data
Digital presentation of travel itineraries
Support, error analysis, and product improvement
Billing and usage analysis (B2B)
Processing of contact requests

Processing for other purposes does not take place.

6. Legal Bases for Processing

Processing is based on the following legal bases:

Art. 6(1)(b) GDPR (performance of a contract with the customer, in particular provision of the software, support, and billing, as well as implementation of pre-contractual measures upon request, e.g. in the case of contact inquiries via the website)
Art. 28 GDPR (processing on behalf of customers with regard to end customer data)
Art. 6(1)(f) GDPR (legitimate interest in IT security, system stability, error analysis, and abuse prevention)
Art. 6(1)(a) GDPR (consent, if required in individual cases)

7. Self-Onboarding

During self-onboarding, customers may test the software with real booking documents.

The customer ensures that:

they are authorized to process the data,
the necessary consents of the end customers are in place,
no unlawful or illegal data is processed.

The provider accepts no responsibility for the lawfulness of the content provided by the customer.

8. Recipients & Sub-processors

To provide and operate the software, the provider engages carefully selected sub-processors in the context of data processing pursuant to Art. 28 GDPR. These are contractually obligated to comply with applicable data protection regulations.

The following service providers are currently used in particular:

Amazon Web Services (AWS): Receipt of emails, cloud infrastructure, and document storage
Supabase, Inc.: Provision of database infrastructure
Fly.io, Inc.: Hosting and operation of the application environment
Plus Five Five, Inc. (Resend): Sending system-related emails
Google Cloud EMEA Limited: Processing of document contents for structured analysis using AI models
Braintrust Data, Inc.: Logging and monitoring of AI agents
Inngest, Inc.: Control and processing of background jobs (job queue)
BunnyWay d.o.o. (bunny.net): Content delivery network and image delivery

Processing generally takes place within the European Union or the European Economic Area. Insofar as individual service providers process data outside the EU/EEA or access from a third country cannot be excluded, this is done exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR, in particular on the basis of EU Standard Contractual Clauses or an adequacy decision of the European Commission.

9. Third-Country Transfers

In the context of providing the software, personal data may be processed by engaged sub-processors in countries outside the European Union (EU) or the European Economic Area (EEA), in particular in the United States of America.

Such transfer is made exclusively in compliance with the statutory requirements pursuant to Art. 44 et seq. GDPR.

If no adequacy decision of the European Commission exists for the relevant third country, the transfer is made on the basis of appropriate safeguards within the meaning of Art. 46 GDPR, in particular by concluding EU Standard Contractual Clauses (SCCs).

Insofar as a service provider is certified under the EU-US Data Privacy Framework, data transfer is made on the basis of the corresponding adequacy decision of the European Commission.

The provider ensures that an adequate level of data protection is guaranteed for all third-country transfers.

10. Data Security

We implement appropriate technical and organizational measures (TOMs) pursuant to Art. 32 GDPR to protect personal data, in particular:

Encryption during transmission (TLS)
Access restrictions and role models
Client separation
Regular backups
Logging and monitoring

Details are described in the TOMs document.

11. Retention Period & Deletion

Personal data is stored only for as long as necessary for the fulfillment of the contractual purposes.

After termination of the contractual relationship, productive customer data is deleted within 30 days, unless statutory retention obligations exist.

Data from contact inquiries via the website (e.g. via a contact or inquiry form) is used exclusively for processing the inquiry and deleted after the inquiry has been fully processed, unless statutory retention obligations exist.

Statutory retention obligations (e.g. requirements under commercial or tax law) remain unaffected.

12. Rights of Data Subjects

Data subjects have the following rights under the GDPR:

Right of access (Art. 15 GDPR)
Right to rectification (Art. 16 GDPR)
Right to erasure (Art. 17 GDPR)
Right to restriction of processing (Art. 18 GDPR)
Right to data portability (Art. 20 GDPR)
Right to object (Art. 21 GDPR)
Right to lodge a complaint (Art. 77 in conjunction with Art. 13(2)(d))

The exercise of data subject rights is generally directed at the respective controller (customer).

The provider supports the controller in fulfilling data subject rights within the framework of the existing data processing relationship pursuant to Art. 28(3)(e) GDPR.

Data subjects have the right to lodge a complaint with a data protection supervisory authority. The competent supervisory authority is in particular the

State Commissioner for Data Protection of Lower Saxony:
Prinzenstraße 5, 30159 Hannover
Phone: 0511 120-4500, E-Mail: poststelle@lfd.niedersachsen.de
Website: https://www.lfd.niedersachsen.de

Insofar as processing is based on consent, it may be withdrawn at any time with effect for the future. The lawfulness of processing carried out prior to the withdrawal remains unaffected.

13. Cookies & Tracking

13.1 General

On the website (lambus.ai) we use cookies and similar technologies. The storage of and access to information on your device is based exclusively on your consent pursuant to Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG. You may withdraw your consent at any time (see Section 13.4).

13.2 Google Analytics 4

Provider: Google LLC, Mountain View, CA 94043, USA
Purpose: Analysis of website usage (page views, dwell time, interactions)
Data processed: IP address (anonymized), device and browser information, page interactions
Retention period of analysis data: 14 months
Third-country transfer: Transfer to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

13.3 Microsoft Clarity

Provider: Microsoft Corporation, Redmond, WA 98052, USA
Purpose: Analysis of user behavior using heatmaps and session recordings
Data processed: Mouse movements, clicks, scroll behavior, device and browser information
Retention period of analysis data: 13 months
Third-country transfer: Transfer to the USA is made on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework, provided the provider is certified accordingly. Otherwise, the transfer is made on the basis of EU Standard Contractual Clauses pursuant to Art. 46 GDPR.

You may withdraw your consent at any time with effect for the future by clicking the "Cookie Settings" link in the footer of the website (lambus.ai). After withdrawal, the cookies set will be deleted and the analytics services deactivated.

14. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to adapt it to legal or technical changes.

In the event of material changes affecting the processing of personal data, we will notify registered users in an appropriate manner (e.g. by email or in-app notification).

The current version is available on the website at any time.

15. Contact

For questions about data protection, please contact:

E-Mail: privacy@lambus.com

Note: This Privacy Policy is addressed to business customers and forms the basis for GDPR-compliant operation of the software.