TripXL Private Limited ("TripXL", "we", "our", "us"), a company incorporated under the Companies Act 2013 with its registered office in Siliguri, West Bengal, India, is committed to protecting your personal data.
This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our website, mobile application, or services (collectively, the "Platform"). It is intended to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology Act, 2000 read with the IT (Reasonable Security Practices and Procedures) Rules, 2011.
โ LEGAL REVIEW: verify the policy is current with the latest DPDP Rules once notified
1. Personal data we collect
We collect the following categories of personal data:
a. Account data
- Name, email, mobile number
- Hashed password (we never store plain-text passwords)
- Profile preferences and settings
b. Booking and traveller data
- Passenger names exactly as on government ID
- Date of birth, gender, nationality
- Passport number, issuing country, expiry (for international travel)
- Contact details for the trip
c. Payment data
- Transaction IDs, payment status, refund history
- Last 4 digits of card / UPI handle (for identification only)
We do not store full card numbers, CVV, or net banking credentials. All payment processing is handled by Razorpay over a PCI-DSS-compliant connection.
d. Usage and technical data
- IP address, device type, browser, operating system
- Search history within the Platform
- Pages visited, time spent, clicks
- Cookies and similar tracking technologies (see our Cookies Policy)
2. How we collect data
- You provide it when you sign up, book, or contact us
- Automatically when you use the Platform (cookies, logs)
- From third parties when you sign in using social login or when an airline returns booking details
3. How we use your data
We use personal data only for these purposes:
- To process bookings: issue tickets, confirm payment, deliver e-tickets
- To provide customer support: respond to your queries, handle cancellations and refunds
- To meet legal obligations: tax records, regulatory filings, fraud prevention
- To improve the Platform: analyse usage patterns, fix bugs, build new features
- To communicate: booking confirmations, schedule changes, policy updates
- To send marketing (only with your consent, and you can opt out anytime)
4. Legal basis for processing
Under the DPDP Act, we process your personal data on the following bases:
- Your consent โ for marketing, optional features, and processing not strictly required
- Performance of contract โ to fulfill your booking
- Legal obligation โ tax records, regulatory compliance
- Legitimate interest โ fraud prevention, security, service improvement
5. Who we share data with
We share personal data only with:
- Airlines โ to issue your ticket and manage your travel
- Payment gateways (Razorpay) โ to process payment
- Aggregators like TBO Group โ to access flight inventory
- Communication providers (e.g., MSG91 for SMS, email services) โ to send transactional messages
- Cloud infrastructure providers โ to host data within India โ LEGAL REVIEW: name specific provider per DPDP transparency
- Government authorities โ when required by law
- Auditors and advisors โ under strict confidentiality
We do not sell your personal data to third parties for advertising or any other purpose.
6. Data storage and security
Your personal data is stored on servers located in India. We implement reasonable security practices including:
- Encryption of data in transit (HTTPS / TLS)
- Encryption of sensitive fields at rest โ LEGAL REVIEW: confirm passport and OTP encryption status
- Role-based access controls within TripXL โ only authorized personnel can access your data
- Regular security audits and vulnerability scans
- Audit logging of all administrative access
Despite our efforts, no system is 100% secure. If you suspect unauthorized access to your account, contact us immediately at security@tripxl.in.
7. Data retention
We retain personal data only as long as necessary for the purposes it was collected, or as required by law:
- Booking records โ retained for at least 8 years to meet tax and regulatory requirements
- Account data โ retained while your account is active, plus 1 year after deletion request
- Audit logs โ retained for at least 7 years
- Marketing data โ retained until you withdraw consent
โ LEGAL REVIEW: confirm retention periods comply with Companies Act, IT Act, and tax law
8. Your rights under DPDP Act
You have the following rights with respect to your personal data:
- Right to access โ request a copy of the personal data we hold about you
- Right to correction โ ask us to correct inaccurate or incomplete data
- Right to erasure โ ask us to delete your data, subject to legal retention requirements
- Right to withdraw consent โ for processing based on consent
- Right to grievance redressal โ escalate concerns to our Data Protection Officer (below) or the Data Protection Board of India
- Right to nominate โ designate someone to exercise rights on your behalf in case of incapacity
To exercise these rights, email privacy@tripxl.in. We will respond within 30 days.
9. Cookies
We use cookies and similar technologies to keep you logged in, remember your preferences, and analyse usage. See our Cookies Policy for details and opt-out options.
10. Children's privacy
The Platform is not directed at children under 18. We do not knowingly collect personal data of children except as part of a booking made by a parent or legal guardian. If you believe we have collected data from a child without consent, please contact us and we will delete it.
11. Cross-border transfers
Personal data is stored on servers in India. In limited cases (e.g., for international flight bookings), data may be shared with airlines or aggregators outside India. Such transfers comply with the DPDP Act and applicable cross-border data transfer rules. โ LEGAL REVIEW: monitor DPDP transfer rules and update when notified
12. Data Protection Officer / Grievance Officer
For privacy concerns, contact our Data Protection Officer:
- Name: โ LEGAL REVIEW: designate DPO per DPDP Act
- Email: privacy@tripxl.in
- Office: TripXL Private Limited, Siliguri, West Bengal, India
If unsatisfied, you may approach the Data Protection Board of India once it is operational.
13. Changes to this policy
We may update this Privacy Policy. Material changes will be notified through the Platform or by email. Continued use after changes means you accept the updated policy.