Luxury Hospitality Website – “Aurelia Regent”

NT Analyzer testing was conducted on a staging-like production build of aureliaregent.com using a controlled browser environment routed through the NT Analyzer client-side proxy.

2.1 Key User Journeys

The test plan focused on flows that are most likely to generate high-intent or sensitive data, including:

• Homepage exploration & itinerary browsing
  • Viewing suite options, destination pages, pricing grids, and FAQs.
• Quote & lead-generation forms
  • “Request More Information,” “Request a Call,” and “Request a Quote” flows.
• Account-related interactions (non-authenticated)
  • Newsletter sign-up, waitlist interest, loyalty-program page.
• Cookie banner & consent flows
  • “Accept All,” “Reject All,” and “Manage Preferences” interactions.
• “Do Not Sell/Share My Personal Information” / privacy rights interface
  • Where exposed under “Your Privacy Choices.”

2.2 Artifacts Collected

For each flow, NT Analyzer generated and analyzed:

• Overview file – host list per test file / scenario.
• Data Detections file – curated table of potentially sensitive fields.
• Key-Value Dump – detailed cookie, query, header, and payload parameters.
• Host Mapping Layer – AI-enriched mapping: host → company → role.
• Composed Report – unified, narrative report plus structured tables.

4.1 Overview / Third-Party Ecosystem

The Overview file, enriched with host intelligence, showed that Aurelia’s site relied on:

a) Core first-party & infrastructure

• aureliaregent.com and subdomains (main site, assets, booking front-end).
• CDN and asset hosts (e.g., static.aurelia-cdn.com or generic CDN providers).
• First-party analytics endpoints (e.g., Adobe or in-house data-collection servers).

These hosts were expected and necessary to deliver site functionality, including content, images, and booking UX.

b) Advertising & audience vendors

The “Overview – Noteworthy Hosts and Issues” table highlighted a dense cluster of ad-tech and audience partners, including (illustrative):

• Programmatic advertising & retargeting
  • The Trade Desk (adsrvr.org endpoints).
  • Google Ads / DoubleClick (googleads.g.doubleclick.net).
  • Microsoft/Bing Ads and related endpoints.
  • Index Exchange, Magnite, PubMatic, and other exchanges.
• Identity & graph vendors
  • Neustar / Verizon Media (agkn.com).
  • Tapad cross-device ID endpoints.
• Direct-mail / retargeting
  • PebblePost (pbbl.co) providing post-card / direct-mail retargeting based on web visits.

Key Insight: These vendors appeared across high-intent flows, including itinerary browsing, information requests, and quote forms — meaning detailed travel preferences were being shared with advertising partners

c) Analytics, session replay, and UX insights

• Web analytics
  • Google Analytics (including GA4-style payloads).
  • Adobe Analytics, configured through Aurelia’s parent-brand tag manager.
• Session replay & behavioral heatmaps
  • A provider like Crazy Egg or similar monitoring page interactions, scroll, click patterns, and potentially form behavior.
• Performance & error monitoring
  • APM tools or error trackers (e.g., Sentry-style, Site24x7-style monitoring).

d) Personalization & testing

• On-site personalization / decisioning
  • A vendor similar to Salesforce Interaction Studio or other experience platforms.
  • These endpoints received behavioral data about which itineraries and pages were viewed, enabling fine-grained personalization.

e) Media and VR experiences

• Video & media players (e.g., Vimeo-type hosts) for promotional films.
• 360° virtual tour platforms for hotel interiors and suites.

Observed patterns

The overview narrative concluded that Aurelia Regent operates a data-intensive, marketing-optimized environment, where:

• Numerous third parties can observe high-intent travel browsing, including suite search, and quote form launches.
• Advertising and analytics vendors appear before and after consent interactions, raising potential questions about when tracking begins and ends.

4.2 Data Detections – Noteworthy Transmissions

The Data Detections module, using both host intelligence and contextual tagging (hospitality / travel), surfaced a set of noteworthy transmissions of personal and potentially sensitive data.

Types of data observed

Examples included:

• Identifiers and contact data
  • Email address fields from “Request More Information,” “Request a Call,” and “Stay in Touch” forms.
  • Phone number fields associated with call-back requests.
  • Names (first and last) and country/region.
• High-intent behavioral signals
  • Itinerary codes and suite categories in URLs or payloads.
  • Signals like “information requested,” “quote_started,” “quote_submitted.”
• Location & preference indicators
  • Destination region selection
  • Time-frame preferences (e.g., “Summer 2026”).
  • Travel party size and potential spend indicators (“Owner’s Suite”, “Penthouse”).

Example distilled table (in the report)

Detections – Noteworthy Transmissions

4.3 Key-Value Dump – Identifiers, Segments, and Profiles

The Key-Value Dump module (with host enrichment) added nuance around how users are tracked and segmented.

Signals uncovered

• Advertising identifiers
  • Cookies and parameters such as TDID, TDCPM, IDE, and partner IDs.
  • Some values are long, encoded payloads carrying segment membership and partner mappings.
• Audience & segment labels
  • Keys and values such as:
    • segment=aurelia_ultra_luxury_traveler
    • bucket=high_value_suite
    • intent_score=9 (or similar numeric ranking)

Key Insight: These segment labels suggest profiled user intent and potential targeting categories. Depending on jurisdiction, this may raise questions about profiling and automated decision-making around high-value financial decisions.

• Personalization identifiers
  • Pseudonymous user IDs for on-site personalization:
    • anonId, _persistedUserId, site-specific “experience profile” IDs.
  • Often observed across multiple sessions and pages, indicating persistent behavioral tracking.

Example KV table (in the report’s appendix or main section)

KEY–VALUE FINDINGS – NOTABLE ITEMS

4.4 Consent & “Do Not Sell/Share” Behavior

Using the Overview plus filename-based opt-state classification, NT Analyzer compared:

• “Consent given” / “Accept All” flows
  vs.
• “Reject All” / “Do Not Sell/Share” / “No consent” flows

Observations

• Several core ad-tech and analytics vendors appeared in both states, with similar patterns of identifiers being transmitted.
• Certain consent states appeared to suppress cosmetic UI tags but not deeper telemetry from embedded SDKs.
• For some vendors, event volume and parameter richness decreased in “reject” state, but identifiers (e.g., advertising IDs) still flowed.

The report used cautious language:

“Based on observed traffic, some third-party vendors continued to receive identifiers and telemetry in scenarios labeled as ‘reject all’ or ‘do not sell/share.’ This may warrant further review of how the consent and opt-out choices are wired into the underlying tag and SDK configuration.”

4.5 Host Intelligence Layer

The host mapping module was particularly important in this case study:

• It transformed opaque hosts like px0.pbbl.co, aa.agkn.com, insight.adsrvr.org into recognizable vendor names and roles.
• It allowed NT Analyzer to generate tables that are meaningful for lawyers and executives rather than purely technical teams.

This host intelligence is what made tables like “Overview – Noteworthy Hosts and Issues” and “Detections – Noteworthy Transmissions” readable and actionable as client deliverables.