Privacy Policy

This Privacy Policy explains how IKAN Talent Mobility ("IKAN", "we", "us") handles personal data in connection with the I-Tour by IKAN service at itinerary.ikan.com (the "Service").

It applies to three groups: relocation consultants and administrators who use the consultant workspace; Global Mobility leaders and other client representatives who engage IKAN; and relocation assignees (and accompanying household members) whose programmes are built and shared through the Service.

For most assignee data, IKAN acts as a data processor on behalf of the relocation client that engaged us. For our own account, billing, and website data, IKAN acts as a data controller.

We collect the following categories of personal data:

• Account data — consultant and administrator names, work email addresses, organisation, role, and authentication identifiers from our SSO provider.
• Assignee programme data — names, contact details, home and destination cities, travel and accommodation details, household members, schedules, and notes that a consultant enters or imports to build an itinerary.
• Access data — the email addresses an assignee uses to sign in to their Trip Hub, and the secure links issued for that hub.
• Usage and device data — log records, IP address, browser and device type, and basic interaction events used to operate, secure, and improve the Service.
• Communications — messages you send us by email or through in-product support.

We use personal data only for the purposes for which it was provided, including:

• Providing the Service — building, exporting, and publishing relocation programmes and operating the assignee Trip Hub.
• Authentication and access control — verifying consultants via SSO and granting assignees access to their own programme via secure link or allow-listed email.
• Security and abuse prevention — monitoring for unauthorised access, fraud, and service misuse.
• Service communications — sending operational notices, and responding to support requests.
• Improvement and analytics — understanding aggregate usage to maintain reliability and improve features.

Where the GDPR or comparable laws apply, we rely on: performance of a contract (to provide the Service to our clients and their users); legitimate interests (to secure, maintain, and improve the Service, balanced against your rights); legal obligation (to meet record-keeping and compliance duties); and consent where required (for example, certain communications).

Where IKAN processes assignee data on a client’s behalf, the client is responsible for establishing the lawful basis for that processing under its own arrangements with its employees.

We do not sell personal data. We share it only as needed to run the Service and meet our obligations:

• With the relocation client that engaged us, in respect of its own assignees and programmes.
• With sub-processors that operate parts of the platform under contract — currently Supabase (database and storage), Clerk (consultant authentication), and Vercel (application hosting and edge delivery). The current list is maintained on our trust page.
• When required by law, legal process, or to protect the rights, safety, and security of IKAN, our users, or the public.
• In connection with a merger, acquisition, or asset transfer, subject to this policy continuing to apply.

We protect personal data with encryption in transit (TLS 1.3) and at rest (AES-256), database row-level security that scopes records to their owner, and password-less assignee access via secure links or allow-listed email.

Data is hosted in Supabase EU-Central and India regions and can be configured per deployment to meet residency requirements. Our SOC 2 Type I audit is in progress; we share current status and supporting documentation under NDA during a security review. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

We retain personal data for as long as needed to provide the Service and for legitimate business and legal purposes. Secure assignee links expire by default after 30 days. Programme and account data follow a documented lifecycle and are deleted or anonymised when no longer required, or earlier on a valid request from the controlling client.

Subject to applicable law, you may have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent.

If IKAN holds your data on behalf of a relocation client, please direct rights requests to that client; we will support them in responding. For data IKAN controls, contact us using the details below. You also have the right to complain to your local data protection authority.

Where personal data is transferred across borders, we use appropriate safeguards — such as hosting in the configured region and contractual protections with our sub-processors — consistent with applicable data protection law.

We may update this policy from time to time. When we make material changes we will update the “last updated” date above and, where appropriate, provide additional notice. Continued use of the Service after an update constitutes acceptance of the revised policy.