Platform
Policy & Approvals Integrations Reporting & Visibility TMC Operations Performance & Scale
API About Contact
Sign in Reach Out

Privacy Policy

Last updated: 2026-03-09

This Privacy Policy explains how personal information is collected, used, disclosed, stored, and protected when you interact with Cinturon360 and related services operated by RePass Cloud Pty Ltd.

Cinturon360 is an enterprise travel governance, approvals, integrations, and reporting platform developed and operated by RePass Cloud Pty Ltd. This policy applies to Cinturon360 and other RePass Cloud-operated services that link to this Privacy Policy.

If you do not agree with this Privacy Policy, do not use the Services.

1. Who We Are

This Privacy Policy applies to RePass Cloud Pty Ltd.

RePass Cloud Pty Ltd
PO BOX 262
Bondi Junction NSW 1355
Australia

Email: hello@repasscloud.com

If you need to raise a privacy or security issue urgently, email hello@repasscloud.com and include Privacy or Security in the subject line.

2. Roles: Controller and Processor

Depending on the context, RePass Cloud may act as either:

  • Data controller, such as when operating our websites, managing accounts, handling billing, or running marketing and business administration activities.
  • Data processor / service provider, such as when processing personal information on behalf of a business customer using Cinturon360.

Where a customer uses Cinturon360 as part of its own travel program or enterprise operations, that customer will generally determine what customer content is submitted to the platform and is usually the controller for that content. RePass Cloud processes that content in order to provide the Services, subject to customer instructions, applicable agreements, and applicable law.

3. Information We Collect

We may collect information:

  • directly from you
  • from your organisation
  • from your device or browser
  • from service providers that help us operate the Services

Depending on how Cinturon360 is used, we may collect the following categories of information.

Identity and account data

This may include:

  • name
  • email address
  • organisation name
  • identifiers associated with your account
  • user roles and permissions
  • authentication identifiers issued by identity providers

Authentication and access data

Where authentication is used, we may process:

  • sign-in events and timestamps
  • authentication logs
  • session identifiers
  • access tokens, where needed for security
  • multi-factor authentication status, where supplied by an identity provider

Customer content and business data

Customers using Cinturon360 may submit business and operational content into the platform. Depending on configuration and usage, that may include:

  • traveller, employee, or user profile details
  • business contact details
  • booking or operational data
  • approval and workflow data
  • communications or support context entered into the platform

Operational, audit, and security logs

To operate and secure the Services, we may collect:

  • IP addresses
  • authentication logs
  • application and API access logs
  • audit logs
  • error logs
  • diagnostic traces
  • performance and availability telemetry

Device and technical data

This may include:

  • browser type and version
  • device type
  • operating system
  • approximate location derived from IP address
  • session metadata
  • performance metrics

Billing and payment data

If Services are purchased, we may process:

  • billing contact details
  • transaction metadata

Payment processing may be handled by third-party providers. We do not store full payment card numbers.

Support and communications

If you contact us, we may collect:

  • the content of your request
  • contact details
  • records of communications
  • relevant diagnostic information needed to investigate or resolve the issue

These categories are all reflected in the current RePass Cloud policy.

4. How We Use Information

We may use personal information to:

  • provide and operate Cinturon360 and related services
  • authenticate users and manage access
  • deliver customer support and respond to enquiries
  • maintain security, detect abuse, prevent fraud, and investigate incidents
  • monitor performance, reliability, and availability
  • manage billing, accounting, procurement, and business administration
  • comply with legal obligations
  • enforce our terms and protect our rights
  • improve products and services
  • communicate with you about products, updates, or marketing where permitted by law and your preferences

RePass Cloud states that it does not sell personal information. The policy also states it may use analytics, behavioural metrics, and advertising technologies where permitted by law.

Where applicable law requires a legal basis for processing, we may rely on one or more of the following:

  • Contract, to provide the Services requested by you or your organisation
  • Legitimate interests, including securing and improving the Services, preventing fraud, and protecting our business and users
  • Consent, where required for certain marketing, cookie, analytics, advertising, or optional activities
  • Legal obligation, where processing is required by law
  • Vital interests, where necessary to protect safety

Where RePass Cloud acts as a processor, the customer is generally responsible for determining the legal basis for customer content they provide to the platform.

6. Cookies and Similar Technologies

We may use cookies and similar technologies for:

  • authentication and session management
  • security controls
  • preferences and settings
  • performance and reliability
  • analytics, optimisation, and, where permitted, advertising and marketing activities

The current RePass Cloud privacy policy states that Microsoft Clarity and Microsoft Advertising may be used for behavioural metrics, heatmaps, session replay, optimisation, fraud/security purposes, and advertising. It also states that non-essential cookies will be subject to consent where required by law.

You can control cookies through your browser settings, although some features may not function correctly if certain cookies are disabled.

7. Disclosure of Information

We may disclose personal information only where reasonably necessary to operate the Services, provide requested functionality, protect rights and safety, or comply with law.

We may disclose information to:

  • cloud hosting and infrastructure providers
  • identity providers
  • payment processors
  • security and operational vendors
  • analytics, advertising, and marketing vendors, subject to applicable law
  • professional advisers such as lawyers, auditors, and insurers
  • regulators, courts, law enforcement, or other authorities where required
  • business transferees in connection with a merger, acquisition, restructure, or sale

RePass Cloud states that it does not sell personal information.

8. Hosting, Data Residency, and International Transfers

RePass Cloud’s current policy states that customer data may be hosted using cloud infrastructure providers and that hosting may vary based on configuration, region, and commercial terms. It currently describes Australia and New Zealand customers as hosted in Microsoft Azure Australia regions by default, with expansion plans including Australia, the United States, and the European Union.

Where personal information is transferred across borders, we may use appropriate safeguards, including:

  • contractual protections
  • encryption and access controls
  • vendor due diligence and security requirements

9. Security

We maintain an information security program designed to protect personal information.

Security measures may include:

  • encryption in transit
  • encryption at rest
  • role-based access control
  • least-privilege access
  • multi-factor authentication
  • audit logging and monitoring
  • environment and network segmentation
  • secure development and change management practices
  • vulnerability management
  • incident response procedures

No method of transmission or storage is completely secure, but we take reasonable steps to protect personal information and continuously improve our safeguards. These measures are all described in the RePass Cloud privacy policy.

10. Data Retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Privacy Policy, including legal, tax, accounting, contractual, and security requirements.

According to RePass Cloud’s current policy:

  • security and telemetry logs are generally retained for 90 to 100 days
  • customer content is retained according to customer instructions and contract terms
  • backups may retain data for limited periods as part of backup lifecycle management

Where deletion is requested, reasonable steps will be taken to delete or de-identify information unless an exception applies, such as legal hold, security investigation, or legal obligation.

11. Data Breach and Incident Notification

If we become aware of a data breach affecting personal information, we may:

  • investigate and contain the incident
  • take remediation steps
  • notify affected customers or users where required by law or contract
  • provide relevant information needed for customers to meet their own obligations

This is consistent with the current RePass Cloud privacy policy.

12. Your Rights

Your rights depend on where you live and how you use the Services.

Australia and New Zealand

You may request access to, or correction of, personal information held about you, and you may make a complaint.

EEA, United Kingdom, and Switzerland

Where applicable law applies, you may have rights to:

  • access
  • rectification
  • erasure
  • restriction
  • objection
  • data portability
  • withdraw consent where processing is based on consent

United States

Where applicable state privacy laws apply, you may have rights such as:

  • access
  • correction
  • deletion
  • opt-out rights relating to certain processing activities as defined by law

RePass Cloud’s policy also states that it does not sell personal information and notes that some analytics or cookie-based advertising activities may be treated as “sharing” or targeted advertising under certain U.S. laws.

13. Exercising Rights

To request access, correction, deletion, or other privacy-related rights, contact:

hello@repasscloud.com

If you use Cinturon360 through your organisation, your organisation’s administrator may need to submit certain requests on your behalf. We may need to verify identity before acting on a request.

RePass Cloud states that it aims to respond within timeframes required by applicable law.

14. Children’s Privacy

Cinturon360 and related Services are not intended for children under 18, and we do not knowingly collect personal information from children. This matches the current RePass Cloud privacy policy.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top of this page indicates when this Privacy Policy was last revised.

Material changes may be communicated through the Services or by other appropriate means, consistent with the RePass Cloud policy.

16. Contact Us

If you have questions about this Privacy Policy or want to make a privacy-related request, contact:

RePass Cloud Pty Ltd
PO BOX 262
Bondi Junction NSW 1355
Australia

Email: hello@repasscloud.com