Trust and Security at Sayyad
At Sayyad (sayyad.travel) the trust of travelers and commercial partners is foundational to our business. This page describes the technical and operational controls currently in place to protect user data, preserve the integrity of search results, and uphold our contractual relationships with global travel partners. The content is maintained by the Sayyad team and is updated as the product evolves; it is not a third-party certification.
Access and identity
- Sign-in via a secure magic link (OTP) or Google account. We do not store passwords on our servers.
- Each user has an isolated profile; no account can read another account's data.
- Administrative privileges are stored in a dedicated roles table and verified server-side via security-definer functions.
- Admin sessions are protected by an additional auth gate and logged for audit purposes.
Data we collect
- Account data voluntarily provided by the user (name, email, avatar).
- Search parameters (destinations, dates, traveler count) used to produce accurate results.
- Anonymized technical data (device, browser, partner-link click events) used for performance analytics.
- Error logs to improve reliability. We never collect card numbers or banking credentials.
Data protection and infrastructure
- All traffic between the user and the platform is encrypted using modern TLS/HTTPS certificates.
- The database enforces row-level security (RLS) policies that prevent cross-account access.
- Commercial partner keys and identifiers are stored in server-side secret vaults and are never exposed to the browser.
- Daily backups and point-in-time recovery are enabled through our cloud infrastructure provider.
Cookies and analytics
We use browser local storage to remember language and session, and lightweight analytics events to measure partner-link performance and improve search quality. We do not currently deploy third-party advertising trackers, and we do not sell user data to any party.
Our relationship with travel partners
Sayyad is a metasearch and comparison engine only; we are not a travel agency and we do not complete bookings ourselves. When a user selects a partner offer (flights, hotels, cars, travel extras) they are redirected to the partner's official site, where booking and payment are completed under that partner's terms. Affiliate identifiers are appended server-side to preserve attribution integrity, and our partnerships are managed through established networks including Travelpayouts and Awin.
Privacy requests and account deletion
To request a copy of your data, delete your account, or raise any privacy question, please contact the privacy team athello@sayyad.travel. We respond within 7 business days.
Responsible vulnerability disclosure
We welcome responsible disclosure of security vulnerabilities. Please do not publish details publicly and contact our security team athello@sayyad.travel. All reports are handled in strict confidence.