20+ trackers. The policy allows SMS and contact access. Chatbot data may train AI.

Executive summary

We visited a travel booking website. Over 20 trackers loaded during the session. The privacy policy allows the company to access SMS, contacts, camera, and location. Partners can combine your booking data with other services. Chatbot conversations may be used to train AI. The grievance response redirected us instead of answering.

Evidence snapshot

What trackers we found

Google Ads, Meta Pixel, and many other advertising and analytics trackers loaded during the session. The platform collects sensitive travel details. The sheer volume means a single booking search sends signals to dozens of outside companies.

What the privacy policy says

The policy allows access to "SMS, contacts, camera, and location." Partners can "combine your booking data with information from other services." Chatbot conversations "may be used to train AI models." Simply visiting the website means you agree to the privacy terms. Your data "may be stored and processed in countries with different privacy laws."

What the product flow showed

Phone number and email requests made it hard to proceed without sharing contact details. Travel searches reveal destination, dates, budget, and group size. That intent data was observable by outside companies during one booking session.

What we asked and what they said

We sent a data-rights request. The response redirected us to other channels rather than directly answering what data was held. The question was not answered clearly.

Why this matters

When a travel site can access your SMS and contacts, shares booking data with partners who combine it with other services, and uses your chatbot conversations to train AI — while simply visiting the site counts as consent — the gap between user expectation and policy reality is significant. Evidence exists. Company name withheld.