Privacy Policy
Your Privacy. Our Responsibility.
Effective Date: April 30, 2026 | Version 1.0
Governed by the Digital Personal Data Protection Act, 2023 (India)
Quick Summary — What You Need to Know
What We Collect
Name, email, phone, travel preferences, booking history, payment info, device data, location (with consent).
How We Use It
To provide travel services, process bookings, personalize your experience, send communications, and improve the platform.
Your Rights
Access, correct, delete, withdraw consent, opt out of marketing, data portability — all upon request.
We never sell your personal data to third parties for advertising or marketing. Contact our Data Protection Officer at privacy@tripgullak.com for any privacy concern.
1. About This Privacy Policy
TripGullak ("we," "us," or "our") operates the travel planning and booking platform accessible at www.tripgullak.com and through our mobile applications (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, share, protect, and process your personal data when you interact with our Platform.
This Policy applies to all users of the Platform, including visitors, registered users, paying customers, and anyone who contacts us for support or information. It forms part of our Terms of Service and End User License Agreement (EULA).
Governing Law:
This Privacy Policy is governed by the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and other applicable Indian laws and regulations.
2. Data Controller / Fiduciary
| Field | Details |
|---|---|
| Company Name | TripGullak |
| Website | |
| Role under DPDPA | Data Fiduciary |
| Jurisdiction | Nagpur, Maharashtra, India |
| Data Protection Officer (DPO) | |
| Grievance Officer | |
| DPO Response SLA | Within 30 days of receiving a request |
3. Personal Data We Collect
3.1 Data You Provide Directly
| Data Category | Examples |
|---|---|
| Identity & Contact Data | Full name, email address, mobile number, date of birth, nationality, gender. |
| Account Credentials | Username, password (stored in encrypted/hashed form), security questions. |
| Travel Profile Data | Passport details, visa information, travel preferences, dietary restrictions, seat preferences. |
| Booking & Transaction Data | Flight/hotel/package bookings, co-traveller details, billing address, trip itineraries. |
| Payment Data | Card type, masked card number, UPI ID, bank account details (handled via PCI-DSS compliant gateways; full card numbers are NOT stored by TripGullak). |
| Communications Data | Messages sent to our support team, feedback forms, survey responses, community forum posts. |
| User-Generated Content | Trip reviews, photos, travel stories, itinerary shares, ratings and comments. |
3.2 Data Collected Automatically
| Data Category | Examples |
|---|---|
| Device & Technical Data | IP address, browser type and version, operating system, device identifiers, screen resolution. |
| Usage & Behavioural Data | Pages visited, search queries, click patterns, time spent on pages, features used, error logs. |
| Location Data | Approximate location (from IP), precise GPS location (only if you grant permission in the mobile app). |
| Cookies & Tracking Data | Session cookies, persistent cookies, pixel tags, local storage. |
| Log Data | Server logs including request timestamps, referrer URLs, and access records. |
3.3 Data Received from Third Parties
- Travel suppliers (airlines, hotels, cab services) sharing booking confirmation data.
- Payment gateway providers (Razorpay, PayU) sharing transaction status and reference IDs.
- Social login providers (Google, Facebook) sharing your public profile data if you choose to log in via these platforms.
- Analytics partners sharing aggregated platform performance data.
- Government and regulatory databases (for identity verification, where required).
Sensitive Personal Data (SPDI)
TripGullak may collect Sensitive Personal Data or Information (SPDI) as defined under Indian law, including: passport and travel document details, financial information (payment data), and health-related data (medical requirements for travel). This data is collected only with your explicit consent and is protected with enhanced security measures.
4. How We Use Your Personal Data
We use your personal data for the following lawful purposes under the DPDPA 2023:
| Purpose of Processing | Legal Basis | Data Used |
|---|---|---|
| Creating and managing your TripGullak account | Contract performance / Consent | Identity, contact, credentials |
| Processing travel bookings and transactions | Contract performance | Booking, payment, travel profile |
| Personalising your travel recommendations and experience | Legitimate interest / Consent | Usage data, preferences, history |
| Sending booking confirmations, e-tickets, and itineraries | Contract performance | Contact data, booking data |
| Sending marketing emails, offers, and newsletters | Consent (opt-in required) | Email, travel preferences |
| Providing customer support and resolving disputes | Legitimate interest / Contract | Communications, booking data |
| Platform security, fraud detection, and abuse prevention | Legitimate interest / Legal obligation | Device, usage, payment data |
| Compliance with legal and regulatory obligations | Legal obligation | As required by applicable law |
We Do NOT:
- Sell your personal data to advertisers or data brokers.
- Use your data for automated profiling that produces legal or similarly significant effects without human review.
- Process children's data without verified parental consent (users must be 18+).
7. Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable Indian law, you have the following rights with respect to your personal data:
Right to Access
Request a copy of the personal data we hold about you. We will respond within 30 days.
Right to Correction
Request that inaccurate or incomplete data be corrected or updated.
Right to Erasure
Request deletion of your personal data, subject to legal retention obligations.
Right to Withdraw Consent
Withdraw consent for any processing based on consent (e.g., marketing emails). Withdrawal does not affect prior lawful processing.
Right to Data Portability
Request your data in a structured, machine-readable format where technically feasible.
Right to Complain to DPB
File a complaint with the Data Protection Board of India if you are not satisfied with our response.
How to Exercise Your Rights:
Email our Data Protection Officer at privacy@tripgullak.com with the subject line "Privacy Request – [Your Right]". Include your registered email address and a brief description of your request. We will acknowledge your request within 3 business days and respond fully within 30 days.
8. Data Security
TripGullak implements appropriate technical and organizational security measures to protect your personal data against unauthorized access, loss, alteration, disclosure, or destruction.
Technical Measures:
- End-to-end encryption (TLS 1.2+) for all data transmitted between your device and our servers.
- AES-256 encryption for sensitive data stored at rest.
- PCI-DSS compliant payment processing — full card details never stored on TripGullak servers.
- Multi-factor authentication (MFA) for all administrative access to production systems.
- Regular penetration testing, vulnerability assessments, and security audits.
- Web Application Firewall (WAF) and DDoS protection on all public-facing infrastructure.
Organizational Measures:
- Privacy-by-design and privacy-by-default principles embedded in product development.
- Mandatory annual data privacy and cybersecurity training for all employees.
- Data Processing Agreements (DPAs) with all third-party processors.
- Incident Response Plan with defined procedures for data breach detection and notification.
13. Marketing Communications
Opt-In
TripGullak sends marketing emails, SMS, push notifications, and WhatsApp messages only to users who have explicitly opted in.
Opt-Out
You may withdraw your consent to marketing communications at any time by:
- Clicking the "Unsubscribe" link in any marketing email.
- Updating your communication preferences in your Account Settings.
- Sending an opt-out request to privacy@tripgullak.com.
- Replying "STOP" to any marketing SMS.
11. Children's Privacy
TripGullak is not directed at individuals under the age of 18.
We do not knowingly collect personal data from minors. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact privacy@tripgullak.com immediately and we will delete such data promptly. Bookings for minors must be made by and under the account of a parent or guardian aged 18 or above.
16. Grievance Redressal
If you have any questions, concerns, or complaints regarding this Privacy Policy or the processing of your personal data, please contact:
Data Protection Officer (DPO)
privacy@tripgullak.com
Grievance Officer
grievance@tripgullak.com
Response Timeframe
Acknowledgement within 3 business days; resolution within 30 days.
Mailing Address
TripGullak, Nagpur, Maharashtra, India — 400001
15. Changes to This Privacy Policy
TripGullak reserves the right to update or modify this Privacy Policy at any time to reflect changes in law, technology, or our business practices. When we make material changes, we will update the "Effective Date" at the top of this Policy and notify registered users via email and/or a prominent notice on the Platform at least 15 days before the changes take effect. Your continued use of the Platform after the updated Policy takes effect constitutes your acceptance of the changes.
TripGullak — Committed to Your Privacy
We will never sell your data. We will always be transparent about how we use it.
Document Owner: Data Protection Officer, TripGullak
Next Scheduled Review: April 30, 2027