A1
1. Who We Are
Trivoyager India Private Limited (hereinafter ‘Trivoyager’, ‘we’, ‘us’, or ‘our’) is the Data Controller responsible for your personal data collected through this website and our travel services.
Registered Name: Trivoyager India Private Limited
Website: www.trivoyager.com
Email: info@trivoyager.com
Phone: +91-9599769001
Registered Address: 306, Uday Plaza, Uday Park, Delhi, 110049
CIN: U52291HR2026PTC140685
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at the email or phone number above.
A2
2. What Personal Data We Collect and Why
We collect and process personal data for specific, legitimate purposes. The table below sets out the categories of personal data we collect, the purpose of processing, and the lawful basis under GDPR Article 6.
2.1 Tour Bookings & Travel Services
- Data collected: Name, date of birth, nationality, passport number, travel dates, co-travellers’ details, dietary and accessibility requirements, accommodation preferences.
- Purpose: To arrange and fulfil your travel booking, including hotels, flights, transfers, and guided tours.
- Lawful basis: Performance of a contract (GDPR Art. 6(1)(b)) — processing is necessary to deliver the travel services you have booked.
2.2 Enquiry Forms & Pre-Booking Enquiries
- Data collected: Name, email address, phone number, destination of interest, travel dates, group size, budget range.
- Purpose: To respond to your enquiry and provide travel quotations.
- Lawful basis: Legitimate interests (GDPR Art. 6(1)(f)) — it is in our mutual interest to respond to your travel enquiry; consent where you have specifically opted in.
2.3 Website Analytics & Cookies
- Data collected: IP address, browser type, pages visited, time on site, referring URL, device information (via Google Tag Manager and analytics tools).
- Purpose: To understand how visitors use our website, improve user experience, and measure the effectiveness of our content.
- Lawful basis: Consent (GDPR Art. 6(1)(a)) — we only activate analytics and tracking cookies after you have given your explicit consent via our Cookie Consent tool.
2.4 Newsletter & Marketing Communications
- Data collected: Name, email address.
- Purpose: To send you travel inspiration, promotional offers, and destination guides.
- Lawful basis: Consent (GDPR Art. 6(1)(a)) — you must actively opt in to receive marketing. You may withdraw consent at any time.
2.5 Payment Processing
- Data collected: Payment card details, billing address, transaction reference (note: full card numbers are processed by our payment gateway and are not stored by Trivoyager).
- Purpose: To process payment for booked travel services.
- Lawful basis: Performance of a contract (GDPR Art. 6(1)(b)); legal obligation for record-keeping (Art. 6(1)(c)).
2.6 Website Comments
- Data collected: Name, email address, website URL (optional), comment content, IP address, browser user agent.
- Purpose: To display and moderate comments on our blog and website content.
- Lawful basis: Consent (GDPR Art. 6(1)(a)) — by submitting a comment, you consent to it being published.
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
A3
3. Medical and Health Data (Medical Value Tourism)
As part of our Medical Value Tourism services, we may collect and process health and medical information about you. This is classified as ‘special category’ data under GDPR and ‘sensitive personal data’ under the Digital Personal Data Protection Act 2023 and is subject to additional legal protections.
What medical data we collect: includes medical history relevant to the trip, treatment requirements, hospital or clinic preferences, dietary needs arising from medical conditions, mobility or accessibility requirements, and travel insurance medical declarations.
Why we collect it: to arrange appropriate medical travel packages, coordinate with hospitals and clinics in the destination, ensure your safety and comfort during the trip, and fulfil your specific healthcare-related travel requirements.
Lawful basis: We process medical data only with your explicit, written consent (GDPR Art. 9(2)(a)). A separate Medical Data Consent Form will be provided to you before any medical data is collected or shared. You may withdraw this consent at any time; however, withdrawal may affect our ability to arrange your medical travel.
Who we share it with: Medical data is shared only with the specific hospitals, clinics, specialist consultants, or medical travel facilitators necessary to fulfil your booking. Data is shared under strict confidentiality agreements.
Retention: Medical data is retained for the duration of your travel arrangement and for 2 years thereafter for follow-up support, unless a longer period is required by law. After this period, it is securely and permanently deleted.
We never use your health data for marketing purposes, and we never share it with insurers, employers, or any third party without your explicit, separate consent.
A4
4. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies. We only activate non-essential cookies and tracking tools after you have given your explicit consent through our Cookie Consent tool, which appears on your first visit to our website.
4.1 What Cookies We Use
- Essential Cookies: Necessary for the website to function (e.g., session management, security). These cannot be disabled and do not require consent.
- Analytics Cookies (with consent): We use Google Analytics (via Google Tag Manager) to understand how visitors interact with our website. Data collected includes pages visited, time spent, device type, and geographic location (at city level). This data is anonymised and aggregated.
- Marketing Cookies (with consent): Used to deliver relevant advertisements and measure campaign effectiveness. These may be placed by third-party advertising partners.
- Preference Cookies (with consent): Remember your settings and preferences for a better experience on return visits.
4.2 Google Tag Manager
We use Google Tag Manager (GTM), a Google service, to manage and deploy tracking scripts on our website. GTM itself does not collect personal data, but it may activate other tools (such as Google Analytics) once you have given your consent. You can review Google’s privacy policy at www.google.com/policies/privacy.
4.3 How to Manage Cookies
You may change your cookie preferences at any time by clicking the ‘Cookie Settings’ link in the footer of our website. You can also control cookies through your browser settings — note that disabling all cookies may affect website functionality. Most browsers allow you to refuse cookies; please refer to your browser’s help documentation.
4.4 Cookie Retention
- Session cookies: Deleted when you close your browser.
- Persistent cookies: Retained for the period shown in your Cookie Consent dashboard — typically between 30 days and 2 years depending on the cookie type.
A5
5. How Long We Keep Your Data
We retain your personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law. The following schedule sets out our standard retention periods:
- Tour booking and travel data: 7 years from the date of travel, as required for financial and tax record-keeping purposes under applicable law.
- Medical / health data: 2 years from the conclusion of your medical travel arrangement, unless a longer retention period is required by healthcare regulations.
- Enquiry and pre-booking data (where booking did not proceed): 2 years from the date of the last communication.
- Marketing and newsletter data: Until you withdraw your consent, unsubscribe, or request deletion — whichever occurs first.
- Website comments: 1 year from the date of publication; deleted sooner upon your request.
- Payment transaction records: 7 years, as required by Indian financial regulations.
- Website analytics data: 26 months (Google Analytics default); aggregated data may be retained longer.
- Cookie consent records: 3 years, as evidence of the consent you gave.
When the applicable retention period expires, your personal data is securely and permanently deleted or anonymised so that it can no longer be linked to you. You may request early deletion of your data — see Section 8 (Your Rights) below.
A6
6. Who We Share Your Data With
We do not sell your personal data. We share your data only where necessary to deliver our services or as required by law, and only with recipients who maintain appropriate data protection standards.
6.1 Categories of Recipients
- Travel Suppliers: Hotels, airlines, car rental companies, cruise lines, tour operators, and local ground handlers in your destination country — to fulfil your booking.
- Medical Facilitators (Medical Value Tourism only): Hospitals, specialist clinics, and medical coordinators — only with your explicit separate consent.
- Payment Processors: VISA, Master Card, Wise, PhonePe Business— to securely process your payments. They process card data under PCI-DSS standards.
- Technology Providers: Cloud hosting, email delivery platforms Hostinger, Mailchimp, GoDaddy, Zoho, customer relationship management systems — who process data on our behalf under data processing agreements.
- Regulatory Authorities: Government bodies (e.g., Ministry of Tourism, immigration authorities) where required by law.
- Insurance Partners: Where you purchase travel insurance through us, relevant details are shared with the insurer named in your policy document.
6.2 International Transfers
When you book international travel, your personal data is necessarily shared with suppliers located in the destination country, which may be outside India or the European Economic Area (EEA).
- For EU/UK residents: Transfers to countries without an EU adequacy decision (including India) are made using Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate safeguards under GDPR Art. 46.
- For Indian residents: International transfers of personal data are made only to countries permitted under applicable rules issued by the Government of India under the Digital Personal Data Protection Act 2023, or where permitted by law. We will update this policy when the Government of India publishes its list of permitted transfer countries.
All third-party suppliers and service providers are contractually required to: (a) use your data only for the specified purpose; (b) implement appropriate security measures; and (c) not share your data further without our written authorisation.
A7
7. Your Rights Under GDPR (EU/UK Residents)
If you are an EU or UK resident, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at privacy@trivoyager.com or info@trivoyager.com. We will respond within one calendar month of receiving your request.
- Right to Access (Art. 15): You may request a copy of all personal data we hold about you and information about how it is processed.
- Right to Rectification (Art. 16): You may ask us to correct inaccurate personal data or complete incomplete data without undue delay.
- Right to Erasure — ‘Right to be Forgotten’ (Art. 17): You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, you withdraw consent, or you object and there are no overriding legitimate grounds.
- Right to Restriction of Processing (Art. 18): You may ask us to restrict processing of your data — for example, while we verify the accuracy of data you have contested.
- Right to Data Portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): You may object at any time to processing based on legitimate interests or for direct marketing purposes. If you object to direct marketing, we will stop immediately.
- Rights in Relation to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions made solely by automated processing — including profiling — that produce legal or similarly significant effects. We do not currently carry out such processing.
- Right to Withdraw Consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint: If you are an EU resident and believe we have not handled your personal data lawfully, you have the right to lodge a complaint with your national Data Protection Authority — for example, the Information Commissioner’s Office (ICO) in the UK (www.ico.org.uk), or the relevant supervisory authority in your EU Member State. We would, however, appreciate the opportunity to address your concerns directly before you approach a regulator.
A8
8. How We Protect Your Data
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- Encryption: Data transmitted between your browser and our website is encrypted using SSL/TLS technology (HTTPS).
- Access Controls: Personal data is accessible only to authorised Trivoyager staff and contractors who need it to perform their job functions.
- Staff Training: All staff who handle personal data receive regular training on data protection obligations and best practices.
- Third-Party Security: All third-party suppliers and technology providers who process data on our behalf are vetted for security compliance and bound by data processing agreements.
- Payment Security: Card payment data is processed by a PCI-DSS certified payment gateway. Trivoyager does not store full card numbers.
- Incident Response: We maintain a data breach response procedure. In the event of a breach affecting your personal data, we will notify you and the relevant authorities within the timescales required by law.
No method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
A9
9. Children’s Privacy
Our website and travel services may be used by families including children. We take special care to protect the privacy of children.
For EU/UK residents (GDPR): We do not knowingly collect personal data from children under the age of 16 without verified parental or guardian consent. If you are under 16, please do not submit personal data to us without the consent and involvement of a parent or guardian.
For Indian residents (DPDP Act 2023): We do not knowingly collect or process the personal data of children under the age of 18 without obtaining verifiable consent from the parent or lawful guardian. We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.
When booking travel for minors, the parent or guardian making the booking provides consent for the collection and use of the child’s personal data (such as name, date of birth, and passport details) solely for the purpose of fulfilling the travel booking.
If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact us immediately at info@trivoyager.com and we will delete the data without delay.
B1
10. Notice Under the Digital Personal Data Protection Act 2023 (India)
In accordance with Section 5 of the Digital Personal Data Protection Act 2023, we provide you this notice before collecting your personal data.
10.1 Personal Data Collected
We collect the personal data described in Section 2 of this policy — including identity information, contact details, travel preferences, passport details, and (for Medical Value Tourism) health information. Sensitive personal data (health information) is collected only with your explicit consent.
10.2 Purpose of Processing
Your personal data is processed for the purposes set out in Section 2 of this policy — primarily to arrange and deliver travel services you have requested, respond to your enquiries, process payments, send marketing communications (with your consent), and improve our website.
10.3 Your Rights as a Data Principal
Under the DPDP Act 2023, you have the following rights. To exercise any of these rights, contact our Grievance Officer (see Section 12 below):
- Right to Access Information (S. 11): You may obtain a summary of your personal data being processed and the processing activities being undertaken.
- Right to Correction and Erasure (S. 12): You may request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer needed for the purpose for which it was collected, or where you have withdrawn consent.
- Right to Grievance Redressal (S. 13): You may register a complaint with our Grievance Officer if you believe your data rights have been violated. If dissatisfied with our response, you may approach the Data Protection Board of India.
- Right to Nominate (S. 14): You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity. Please contact our Grievance Officer to submit a nomination.
10.4 How to Complain to the Data Protection Board
If you are not satisfied with the resolution provided by our Grievance Officer, you may lodge a complaint with the Data Protection Board of India. Details of the Board and the complaint procedure will be published at the official government portal once available. We will update this section with the link as soon as it is published.
B2
11. Consent and How to Withdraw It
Where we rely on your consent to process personal data, we obtain that consent through a clear, affirmative action — such as ticking a checkbox, clicking an ‘I Agree’ button, or signing a consent form. We do not use pre-ticked boxes or treat your silence as consent.
How we obtain consent: A separate, clearly worded consent request is presented at each point where consent is required — for example, when you submit an enquiry form, sign up for our newsletter, or allow cookies on our website.
Consent records: We maintain records of the consent you gave, including what you consented to and when, as required by law.
Withdrawing consent: You may withdraw your consent at any time and it is as easy to withdraw as it was to give:
- Marketing emails: Click the ‘Unsubscribe’ link in any marketing email.
- Cookie consent: Click ‘Cookie Settings’ in the website footer and update your preferences.
- General consent: Email us at info@trivoyager.com with the subject line ‘Withdraw Consent’.
- Medical data consent: Contact our Grievance Officer (see Section 12).
Withdrawal of consent does not affect the lawfulness of any processing carried out before you withdrew it. Please note that withdrawing consent for certain processing (e.g., processing of booking data) may affect our ability to fulfil your travel arrangements.
B3
12. Grievance Officer (DPDP Act 2023)
In accordance with Section 13 of the Digital Personal Data Protection Act 2023, Trivoyager India Private Limited has appointed a Grievance Officer to address any concerns or complaints regarding the processing of your personal data.
Grievance Officer Details:
Name: Vikram Rathore
Designation: VP Operations
Email: vikram@trivoyager.com
Phone: +91 – 9599769001
Working Hours: Monday to Friday, 10:00 AM – 6:00 PM
How to submit a grievance:
You may submit your grievance by email or in writing to the Grievance Officer at the contact details above. Please include: (a) your full name and contact details; (b) a description of the concern or complaint; and (c) the personal data involved.
Response timelines:
We will acknowledge your grievance within 48 hours of receipt. We aim to resolve all grievances within 30 days, or within such period as may be prescribed by the Rules under the DPDP Act 2023. If we require additional time, we will inform you of the reason and the expected resolution date.
Escalation:
If you are not satisfied with the outcome of your grievance, you may approach the Data Protection Board of India as provided under Section 28 of the DPDP Act 2023.
B4
13. Right to Nominate (DPDP Act 2023)
Under Section 14 of the Digital Personal Data Protection Act 2023, you have the right to nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.
To register a nominee, please write to our Grievance Officer (see Section 12 above) providing: (a) your full name and contact details; (b) the full name and contact details of your nominated person; and (c) a signed declaration of nomination.
We will maintain a record of your nomination and honour requests made by your nominee in the event of your death or incapacity, subject to verification of identity and the circumstances of the request.
B5
14. Data Breach Notification
In the unfortunate event of a personal data breach — meaning any accidental or unlawful access, disclosure, alteration, or loss of your personal data — Trivoyager will take immediate steps to contain the breach and assess its impact.
- For EU/UK residents (GDPR): We will notify the relevant supervisory authority (e.g., the ICO) within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
- For Indian residents (DPDP Act 2023): We will notify the Data Protection Board of India and each affected Data Principal in the manner prescribed by the Rules under the DPDP Act 2023.
Breach notifications will describe: (a) the nature of the breach; (b) the categories and approximate number of individuals and records affected; (c) the steps taken to address the breach; and (d) recommendations for steps you can take to protect yourself.
Â
B6
15. Keeping Your Data Accurate
We take reasonable steps to ensure that the personal data we hold about you is accurate, complete, and up to date — particularly when it is used to make decisions that affect you, such as arranging travel documentation or medical travel plans.
You can help us maintain accurate records by:
- Notifying us promptly of any change to your contact details, passport information, or other data we hold.
- Reviewing your booking confirmations and informing us of any errors.
- Requesting correction of inaccurate data by contacting info@trivoyager.com or our Grievance Officer (see Section 12).
We will correct inaccurate data without undue delay and at no cost to you.
B7
16. Processing Without Consent in Limited Circumstances
In very limited circumstances, we may process your personal data without your consent, as permitted under Section 7 of the DPDP Act 2023 (deemed consent). These circumstances include:
- Medical Emergency: In the event of a medical emergency during your travel that poses a threat to your life or health, we may share your personal data (including health information previously collected) with emergency medical providers, hospitals, or local authorities, to the extent necessary to address the emergency.
- Legal Compliance: Where we are required by law, court order, or a government or regulatory authority to disclose your personal data, we will do so to the extent legally required.
- Vital Interests: Where processing is necessary to protect your vital interests or those of another person and consent cannot reasonably be obtained.
In all such cases, processing is limited strictly to what is necessary for the specified purpose and is carried out in accordance with applicable law.
B8
17. Marketing & Newsletter Communications
We send marketing communications only to individuals who have explicitly opted in to receive them. We will never add you to a marketing list without your prior consent.
What we send: Travel inspiration, destination guides, exclusive offers, new tour packages, and company news.
How we send it: Via email through Mailchimp / Brevo. Your email address and name are stored on this platform under a data processing agreement.
Unsubscribing: You may unsubscribe at any time by clicking the ‘Unsubscribe’ link in any marketing email, or by emailing info@trivoyager.com with the subject ‘Unsubscribe’. We will action your request within 7 business days.
Retention: Your data is retained on our marketing list until you unsubscribe or request deletion, whichever occurs first. We perform annual list hygiene to remove inactive subscribers.
C1
18. How to Contact Us
If you have any questions about this Privacy Policy, wish to exercise any of your rights, or have concerns about how your personal data is handled, please contact us through any of the following channels:
- Email: info@trivoyager.com
- Phone: +91-9599769001
- Website: www.trivoyager.com/contact
For data protection-specific enquiries and to exercise your rights under the DPDP Act or GDPR, please contact our Grievance Officer directly (see Section 12).
We aim to respond to all enquiries within 5 business days.
C2
19. Embedded Content and Third-Party Websites
Our website may include embedded content from third-party providers (such as YouTube videos, Instagram feeds, or Google Maps). This embedded content behaves as if the visitor has visited the third-party website directly. These providers may collect data about you, use cookies, embed additional tracking, and monitor your interaction with the embedded content — particularly if you have an account with them and are logged in.
Our website also contains links to third-party websites. These links are provided for your convenience only. We are not responsible for the privacy practices of those websites and recommend you review their privacy policies independently.
We will only embed content from third parties where we have assessed their data practices and believe them to be appropriate. Where embedded content activates tracking technologies, it will be subject to your Cookie Consent preferences.
C3
20. Changes to This Privacy Policy
We review and update this Privacy Policy at least once a year, or whenever there is a significant change to our data processing activities, applicable law, or our business operations.
When we make material changes to this policy, we will notify you by:
- Posting the updated policy on this page with the revised ‘Last Updated’ date;
- Sending an email notification to registered users or newsletter subscribers; and/or
- Displaying a prominent notice on our website homepage.
Your continued use of our website and services after notification of changes constitutes acceptance of the updated policy, where permitted by law. Where we require fresh consent, we will ask for it explicitly.