Papazau ("we", "us", or "our") operates the Papazau MCP server — an AI-native travel booking service exposed through the Model Context Protocol. This Privacy Policy explains what personal data we collect when AI agents call our tools on your behalf, how we use it, and the rights you have over your data.
This policy applies to data processed by the Papazau MCP server, available at papazau.ai and via the Anthropic MCP Directory.
1. Data we collect
We only collect the data needed to fulfill the specific booking action you (or your AI agent on your behalf) ask us to perform. Different tools collect different fields:
| Tool | Data collected | Purpose |
|---|---|---|
search_hotels, get_hotel_details, check_availability | None (search parameters only — city, dates, budget) | Return matching inventory |
create_booking (hotel) | Guest name, email, party size, dates | Hotel reservation record |
search_flights, get_flight_details | None (route and date only) | Quote flight offers |
book_flight | Full passenger name (as on passport), date of birth, gender, email, phone, passport details | Required by airlines and the IATA ticketing system via Duffel |
get_transfer_quote | Pickup / dropoff addresses, datetime, party size | Quote a transfer price |
create_transfer_booking | Passenger name, phone, email, pickup / dropoff addresses, flight number (optional) | Driver dispatch and payment link generation |
Search-only tools do not collect personal data. We never collect payment card numbers — payments are handled by ECPay through a hosted checkout URL, and card data never reaches Papazau servers.
2. How we use your data
- Fulfilling bookings. Passing data to airlines (via Duffel), drivers, and hotels so they can prepare your reservation.
- Customer support. Looking up your booking when you contact [email protected].
- Compliance. Retaining booking records as required by Taiwanese tax law (see retention below).
We do not use your data for advertising, profiling, or training AI models. We do not sell your data.
3. Third-party processors
The following third parties receive personal data when you book through Papazau:
- Duffel (flight orders) — passenger and contact details required by the airline. See Duffel's privacy notice.
- ECPay 綠界 (Taiwan payment gateway) — name and email for transfer-payment processing. See ECPay's privacy notice.
- Hotels and drivers — your name and contact information are shared with the specific property or driver fulfilling your reservation.
We do not share personal data with any other third party.
4. Data retention
| Category | Retention period |
|---|---|
| Booking records (hotel, flight, transfer) | 7 years, as required by Taiwanese tax law (Article 23 of the Tax Collection Act). |
| Payment links and statuses | 90 days after expiration or cancellation |
| Search queries and quotes | Not persisted; processed in-memory only |
| Server logs | 30 days, then automatically deleted |
5. Your rights
Subject to applicable law (Taiwan Personal Data Protection Act, EU GDPR, California CCPA where applicable), you have the right to:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix incorrect data.
- Deletion — ask us to delete your data (subject to legal retention obligations above).
- Portability — receive your data in a machine-readable format.
- Objection — object to specific processing activities.
To exercise these rights, email [email protected]. We respond within 30 days.
6. International data transfers
Papazau is operated from Taiwan. When you book a flight, your data is transferred to Duffel (UK) and the operating airline (which may be anywhere in the world). When you book a Taiwan transfer, data stays in Taiwan. We rely on standard contractual clauses and the destination country's adequacy decision where applicable.
7. Security
We protect your data with industry-standard measures:
- TLS 1.2+ for all data in transit
- API tokens rotated quarterly, never logged
- Booking data encrypted at rest
- Access limited to authorized engineers on a need-to-know basis
To report a security vulnerability, see our Security Policy or email [email protected].
8. Children
Papazau is not directed at children under 14, and we do not knowingly collect data from them. If you believe we have inadvertently done so, contact [email protected] and we will delete the record.
9. Changes to this policy
We will update this page when our practices change. Material changes will be announced via the Papazau homepage and (where you have an active booking) by email at least 30 days in advance.
10. Contact
Data protection inquiries — [email protected]
General support — [email protected]
Security reports — [email protected]
Papazau · Taipei, Taiwan