Sonic Star Travel
ISO 9001-2015IATA accreditedUMTA member

Privacy Policy

Last updated: 2026-06-28

Pre-launch notice: review with qualified legal counsel for Myanmar PDPA, GDPR (if you serve EU residents), or any other applicable regime.

Introduction

We respect your privacy and only collect what we need to book your travel, process payments, and operate the service. This policy explains what we collect, why, and what rights you have.

Who's responsible

Sonic Star Travel Co., Ltd., Yangon, Myanmar — IATA 05300050, UMTA member, ISO 9001-2015 certified — is the data controller. Email privacy@sonicstartravel.com for privacy questions.

Data we collect

  • Account data: name, email, phone, password hash.
  • Traveller data: name, date of birth, gender, nationality, passport details (only what airlines require).
  • Booking data: routes, dates, fare class, payment status.
  • Payment data: tokenised by UAB Bank — we never receive your full card number or PIN.
  • Device data: IP, user agent, language, timezone (used for security and analytics).
  • Communication data: messages exchanged with our ops team via email, SMS, Viber, WhatsApp, in-app.

How we use it

  • To process bookings and payments, and issue tickets, vouchers, refunds.
  • To verify identity and prevent fraud.
  • To send transactional notifications (booking confirmation, flight status, etc.).
  • To handle support requests, change/cancel/refund requests, and feedback.
  • With your consent, to send marketing about new routes, promotions and travel tips. You can opt out at any time.

Who we share with

  • Airlines, hotels, tour suppliers, visa partners: only what they need to deliver your travel.
  • UAB Bank: payment processing.
  • Notification providers: Twilio (SMS / WhatsApp), Meta (WhatsApp Cloud), Viber, our SMTP provider — only the message body and recipient details.
  • Cloud + infrastructure providers: e.g. our hosting and database provider, under data-processing agreements.
  • Authorities: only when legally required (e.g. lawful disclosure order).

We do not sell your personal data.

How long we keep it

  • Account data: while your account is active, plus 12 months after closure.
  • Booking + payment data: 7 years for tax and accounting obligations.
  • Marketing data: until you withdraw consent.
  • Support messages: 3 years.

Your rights

Subject to applicable law, you have the right to access, correct, delete, restrict processing, port, and object to processing of your personal data. Email privacy@sonicstartravel.com to exercise any of these — we respond within 30 days.

Security

We use industry-standard practices: HTTPS everywhere, bcrypt password hashing, JWT bearer tokens in HTTP-only cookies, PCI-DSS Level 1 payment processing via UAB, signed webhooks, role-based admin access, and audit logging. No system is 100% secure; report suspected breaches to security@sonicstartravel.com.

International transfers

Where data flows outside Myanmar (e.g. to airline systems, payment processors, or cloud regions), we rely on standard contractual safeguards and the supplier's own certifications.

Children

Our services are intended for adults. Minors may travel as passengers on a parent or guardian's booking but cannot create their own account.

Changes

We may update this policy. Material changes will be highlighted in the app and emailed to account holders.

Contact

privacy@sonicstartravel.com or Sonic Star Travel, Yangon, Myanmar.