Privacy Policy
Last updated: 1/15/2025
This Privacy Policy explains how TripsMitra ("we", "us", "our") collects, uses, shares, and protects your personal information when you access tripsmitra.com, use our mobile experiences, interact with our customer teams, or engage any service we operate (collectively, the "Services"). We follow applicable Indian laws, including the Digital Personal Data Protection Act, 2023 (DPDP Act), sectoral regulations, and contractual obligations with our travel partners.
Summary of how we handle personal data:
- We only collect the data needed to plan, book, and support your tours.
- Google and Facebook logins share limited profile details and are optional.
- Payments are processed securely by PCI-DSS compliant gateways; we never store card numbers.
- You can request access, corrections, or deletion via our Data Request workflow.
- Security safeguards and vetted vendors protect your information end to end.
1) Personal Data We Collect
- Account data: name, email, phone number, hashed passwords, and customer support history when you create an account or log in via OTP.
- Social login data: basic profile information shared by Google or Facebook (name, verified email, profile identifier). We never receive your social passwords.
- Booking data: traveller details, government ID information you provide, itinerary selections, preferences, special requests, and communications regarding a booking.
- Payment data: transaction tokens, payment success/failure metadata, and invoice records from gateways such as Razorpay. Card and UPI credentials are collected directly by the gateway.
- Device & usage data: IP addresses, device type, browser, session events, referral sources, and cookie-based identifiers for performance, security, and debugging.
- Marketing preferences: opt-ins/opt-outs for email, SMS, or WhatsApp messaging, survey responses, testimonials, and referral programme activity.
- Lead capture context: the name, email, phone, and most recent tour you viewed or enquired about so our support team can follow up with the correct itinerary. This includes lightweight local-storage markers (e.g., last viewed tour slug) plus server-side audit logs when you submit booking contact details or use social login.
2) Why We Use This Data
We process personal data for the following DPDP-recognised purposes and legal bases:
- Performance of a contract: creating itineraries, confirming reservations, issuing invoices, and providing tour support.
- Legitimate interests: fraud prevention, platform security, analytics, customer research, and product improvement.
- Consent: marketing messages, optional cookies, and social login profile data beyond identifiers required to authenticate you.
- Legal compliance: accounting, taxation, Know Your Customer (KYC) obligations, and regulatory reporting.
- Lead fulfilment: providing timely callbacks or WhatsApp follow-ups for the exact tour you just viewed or booked a slot for.
3) Third-Party Processors & Disclosures
We share data with carefully vetted processors who enable our Services: payment gateways, cloud hosting, SMS/email vendors, analytics providers, and travel partners (hotels, transport operators, local guides) who fulfil your bookings. Each processor is bound by confidentiality, data processing agreements, and compliance requirements. We do not sell personal data. Data may be disclosed to authorities or regulators when mandated under applicable law.
4) Social Login Specifics
When you authenticate with Google Identity Services or Facebook Login, we receive only your confirmed email address, public profile name, and an identifier provided by that platform. This data is used solely to:
- Create or link your TripsMitra account so you can sign in without OTPs.
- Detect duplicate accounts and keep booking history together.
- Send essential service communication (e.g., booking confirmations) to your verified email.
You can revoke platform permissions directly in your Google or Facebook account. If you remove access, you can continue using our Services via email OTP, or you can request account deletion.
5) Lead Capture & Follow-ups
When you leave your contact details on the booking page, use guest checkout, or complete social login, we log the same name/email/phone together with the latest tour you were exploring. This helps our support team pick up the conversation with the right itinerary instead of asking you to repeat the details. Locally, we store a lightweight marker (tm:lastViewedTour) so the UI can prefill the correct slug on your next visit; you can clear it by removing site data from your browser. Server-side lead records are retained for up to 12 months (or longer if the conversation converts into a booking) and may be deleted sooner on request via our Data Request workflow.
6) Cookies, Analytics & Similar Technologies
We use first-party cookies and local storage to keep you signed in, remember language preferences, and maintain cart/booking state. We also rely on privacy-aware analytics to monitor usage patterns, detect service incidents, and measure campaign performance. You can adjust cookie settings in your browser; some core functionality may be impacted if essential cookies are disabled.
Lead-specific local storage items (such as tm:lastViewedTour) simply store the last itinerary slug so we can prefill forms. They never include sensitive IDs and you may delete them at any time via your browser settings.
7) Data Retention
Personal data is retained only for as long as needed to deliver the Services and meet legal obligations:
- Booking and billing records: typically 8 years to satisfy tax and regulatory requirements.
- Support conversations: up to 24 months for training, dispute resolution, and audit purposes.
- Inactive accounts: anonymised or deleted 24 months after the last activity unless law requires longer retention.
When deletion is requested, we follow the process outlined on our Data Deletion page while preserving legally mandated records.
8) Security Controls
Security practices include encryption in transit, role-based access, multi-layer monitoring, periodic vulnerability assessments, and least-privilege service accounts. We train staff on privacy hygiene and log system access for investigations.
9) Cross-Border Data Transfers
Some processors store or access data outside India (for example, cloud infrastructure or email providers). We verify that such transfers are supported by contractual safeguards and industry-standard security controls consistent with Indian law and global best practices.
10) Children & Family Bookings
Our Services target adults who are legally competent to contract. For family itineraries, guardians provide child information purely to facilitate travel (e.g., ages for tickets, hotel occupancy). Guardians may update or request deletion of a minor’s data via our Data Request workflow.
11) Your Rights Under the DPDP Act
- Request confirmation whether we process your personal data and obtain a copy.
- Correct or update inaccurate information.
- Request data erasure, subject to statutory retention requirements.
- Nominate another individual to exercise these rights on your behalf.
- Seek grievance redressal if you believe your rights have been infringed.
Submit requests via our Data Deletion & Requests page or contact our Grievance Officer directly.
12) Policy Updates
We review this policy when we introduce new features, change vendors, or when laws evolve. Updates will be posted on this page with a revised effective date. For material changes, we may notify you via email or in-product alerts.
13) Contact & Grievance Redressal
For questions, grievances, or to exercise your rights, contact our designated Grievance Officer:
- Email: contact@tripsmitra.com
- Address: Jolad Enclave, Opposite to Railway Officers Guest House, Keshwapur, Hubli, Karnataka 580020