PRIVACY POLICY
Travonex - Travel & Experiences Marketplace
1. LEGAL STATUS, SCOPE & APPLICABILITY
1.1 Legal Framework
This Privacy Policy ("Policy") is an electronic record in terms of the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act").
1.2 Scope
This Policy governs the collection, use, processing, storage, disclosure, retention, and protection of personal data of individuals ("Users", "you", "your") who access or use the Travonex platform, including through:
- the website,
- mobile or web interfaces,
- email,
- SMS,
- WhatsApp and other electronic communication channels (collectively, the "Platform").
1.3 Electronic Record
This electronic record is generated by a computer system and does not require physical or digital signatures.
1.4 Acceptance
By accessing or using the Platform, you acknowledge that you have read, understood, and agreed to the terms of this Policy.
2. DEFINITIONS & STATUTORY INTERPRETATION
2.1 "Personal Data" means any data about an identifiable individual, as defined under Section 2(t) of the DPDP Act.
2.2 "Sensitive Personal Data" or "SPDI" shall have the meaning assigned under Rule 3 of the IT Rules and includes financial information, health data, passwords, and authentication credentials.
2.3 "Processing" includes collection, recording, organisation, structuring, storage, use, sharing, disclosure, retention, anonymisation, and erasure of personal data.
2.4 "Data Principal" means the individual to whom the personal data relates.
2.5 "Data Fiduciary" means Wanderlynx Labs LLP, which determines the purpose and means of processing personal data.
2.6 "Organizer" means an independent third-party service provider listing and conducting travel experiences on the Platform.
2.7 "Consent" means any freely given, specific, informed and unambiguous indication of the Data Principal's wishes by which they, by a clear affirmative action, signify agreement to the processing of personal data, in accordance with Section 6 of the DPDP Act, 2023.
2.8 "Withdrawal of Consent" means the right of the Data Principal to withdraw consent at any time, in accordance with Section 6(2) of the DPDP Act, without affecting the lawfulness of processing carried out prior to such withdrawal.
3. PLATFORM OWNERSHIP & CONTACT DETAILS
The Platform is owned and operated by:
Wanderlynx Labs LLP
UNIT 101, Oxford Towers
139, HAL Old Airport Road
Hulsur Bazaar
Bengaluru - 560008, Karnataka, India
Email: contact@travonex.com
4. ROLE OF TRAVONEX AS DATA FIDUCIARY
4.1 Travonex operates as a technology-based travel marketplace and digital intermediary.
4.2 Travonex does not own, operate, manage, or control the travel experiences listed on the Platform.
4.3 Organizers are independent service providers and are responsible for their own data processing practices once User data is shared with them for experience fulfillment.
4.4 Travonex acts as a Data Fiduciary under the DPDP Act for personal data processed for platform operations, payments, security, compliance, and customer support.
SPECIAL DISCLOSURE: AI & ANALYTICS
AI Planner & LLM Training: When you use our "AI Planner" or conversational interfaces, you expressly consent to the processing of your inputs and interactions to train and refine our Large Language Models (LLMs). This helps us improve travel recommendations, response accuracy, and personalization for the entire Travonex community.
Interest-Based Ads & Social Media: We use Meta Pixels and similar tracking technologies to serve interest-based advertisements to you on social media platforms. This ensures the ads you see are relevant to your travel interests.
Google Analytics: We use Google Analytics to understand platform performance, user journeys, and technical health through pseudonymised data.
5. CATEGORIES OF PERSONAL DATA COLLECTED
5.1 Identity & Contact Information
- Full legal name
- Email address
- Mobile number
Purpose: Account creation, authentication, booking confirmations, customer support, legal communication.
Legal Basis: Consent + contractual necessity.
5.2 Booking, Travel & Transaction Data
- Booking IDs and references
- Experience details
- Travel dates and participant details
- Cancellation, refund, and dispute records
Purpose: Experience fulfillment, accounting, audits, dispute resolution, and compliance.
5.3 Payment-Related Information
Travonex does not store or process full payment credentials.
5.3.1 Payment Gateway Data Flow
What Travonex Receives: Transaction ID, status (success/failure), payment mode (generic), timestamp, and masked card info (first 6 and last 4 digits only).
What Travonex Does NOT Receive: Full card numbers, CVV, UPI PINs, Net banking credentials, or OTPs.
PCI-DSS Compliance: Payment gateways like Razorpay, PhonePe, or Cashfree are PCI-DSS Level 1 compliant and act as independent Data Fiduciaries.
5.4 Emergency, Health & Special Requirement Data (Sensitive Personal Data)
Users may voluntarily provide emergency contacts, medical declarations, or dietary restrictions. This is shared only with the relevant Organizer for safety and fulfillment.
Retention: Deleted within 90 days of trip completion unless required for legal/insurance reasons.
6. PURPOSE & LEGAL BASIS OF PROCESSING
6.1 Legal Basis for Processing (Section 7, DPDP Act)
Travonex processes personal data based on: (a) Consent, (b) Contractual Necessity, (c) Legal Obligations, (d) Legitimate Interest (fraud prevention), and (e) Vital Interest (user safety during emergencies).
6.2 Data Minimization
Travonex collects only personal data that is adequate, relevant, and limited to what is necessary for stated purposes, in accordance with Section 4 of the DPDP Act.
7. DATA SHARING & DISCLOSURE
7.1 Sharing with Experience Organizers
Data Shared: Booking details, User contact information, Special requirements (if provided), Payment status.
Organizer Obligations: Use data solely for experience delivery, delete data within 180 days post-experience (excluding tax/legal records), and comply with the DPDP Act.
7.2 Sharing with Service Providers (Data Processors)
- Cloud Hosting: AWS (Mumbai Region) for secure hosting and backups.
- Payment Gateways: Razorpay, PhonePe, Cashfree for secure transactions.
- Communication: SMS/Email/WhatsApp providers for transactional messages.
- Analytics: Google Analytics for platform health (pseudonymised data).
8. COOKIES & TRACKING
Travonex uses essential, functional, and analytics cookies. This includes Meta Pixels for serving relevant travel ads based on your platform behavior. Users may manage cookie preferences via browser settings.
For full details on cookies, tracking tools, and consent management, see Sections 8A, 8B, and 8C below.
8A. COOKIES, TRACKING & CONSENT MANAGEMENT
8A.1 Types of Cookies Used
Essential Cookies
Required for core platform functionality including login sessions, booking flow, and payment processing. These cannot be disabled and do not require consent.
Analytics Cookies
Travonex uses Google Analytics to understand how travelers discover and use the platform. Data collected is aggregated and anonymised. No personally identifiable information is shared with Google Analytics.
Opt out: tools.google.com/dlpage/gaoptout
Marketing & Retargeting Cookies
Travonex uses Meta Pixel (ID: 1220726809673027) to measure advertising effectiveness and to show relevant travel content to users who have previously visited the platform. This is only activated after explicit cookie consent is provided.
Manage preferences: facebook.com/ads/preferences
AI Personalisation
Anonymised search queries entered into the Travonex AI Trip Planner are stored and used to improve trip recommendations on the platform. No personally identifiable information is stored from AI Planner searches. See Section 8B for full details.
8A.2 Cookie Consent Banner
Travonex displays a cookie consent banner to all first-time visitors. Users may:
- Accept all cookies.
- Manage individual preferences by category (Essential, Analytics, Marketing, AI Personalisation).
- Withdraw consent at any time by clearing browser cookies or using the preference manager.
8A.3 Conditional Loading
Analytics and Marketing cookies are only loaded after a user provides explicit consent via the banner. Essential cookies load by default as they are required for platform functionality.
8A.4 Consent Records
Consent preferences are stored locally for 365 days. Users may update their preferences at any time.
8B. AI TRIP PLANNER - DATA COLLECTION & USAGE
8B.1 What We Collect
When you use the Travonex AI Trip Planner at travonex.com/ai-planner, your search queries are collected in anonymised form.
8B.2 How We Use It
Anonymised query data is used to:
- Improve the relevance and quality of trip recommendations shown on Travonex.
- Understand travel trends, popular destinations, and traveler intent patterns across our user base.
- Improve the AI Planner's ability to match traveler preferences with verified trip listings.
- Support internal analytics and platform development decisions.
8B.3 What We Do NOT Do
- We do not store personally identifiable information from AI Planner searches.
- Queries are anonymised before storage and are never linked back to individual user accounts or profiles.
- This data is never sold to third parties or shared with advertisers.
8B.4 Disclaimer on Planner Page
A disclosure is shown below the AI Planner search input informing users that anonymised queries are used to improve recommendations.
8C. THIRD PARTY ANALYTICS & ADVERTISING TOOLS
8C.1 Google Analytics
Provider: Google LLC
Purpose: Platform usage analysis, traffic measurement, user behaviour insights (aggregated and anonymised).
Data location: Google servers (subject to Google's privacy policy)
Data shared: Anonymised, aggregated usage data only. Travonex does not share personally identifiable information with Google Analytics.
Opt out: tools.google.com/dlpage/gaoptout
Google Privacy Policy: policies.google.com/privacy
8C.2 Meta Pixel
Provider: Meta Platforms Inc.
Pixel ID: 1220726809673027
Purpose: Advertising effectiveness measurement and delivery of relevant travel content to users who have visited Travonex.
Activation: Only after explicit cookie consent is provided.
Data shared: Anonymised event data (page views, button clicks) only. Travonex does not share personal booking data or payment data with Meta.
Manage preferences: facebook.com/ads/preferences
Meta Privacy Policy: facebook.com/privacy/policy
8C.3 Firebase & Google Cloud
Provider: Google LLC
Purpose: Platform hosting, database, authentication, and cloud functions.
Region: Asia East (Google Cloud)
Safeguards: ISO 27001, SOC 2 compliant.
8C.4 Cashfree Payments
Provider: Cashfree Payments India Pvt Ltd
Purpose: Payment processing, escrow, and automatic settlement via Easy Split.
Data shared: Booking amount, transaction reference, and settlement details only. Travonex does not store card numbers, UPI PINs, CVV, or any payment credentials. Cashfree is RBI regulated and PCI-DSS compliant.
Cashfree Privacy Policy: cashfree.com/privacy-policy
9. DATA RETENTION
9.1 Data is retained only as long as necessary for stated purposes or legal compliance.
9.2 Aggregated or anonymised data may be retained indefinitely.
9.3 Specific retention periods:
- Account data: Duration of account plus 3 years.
- Transaction records: 8 years for tax and audit purposes.
- Emergency/health data: Deleted within 90 days of trip completion.
- Dispute records: Duration of dispute plus applicable limitation period.
10. DATA SECURITY & BREACH RESPONSE
10.1 Travonex implements reasonable technical and organisational safeguards including encryption, access controls, and security audits.
10.2 In the event of a data breach likely to cause harm, Travonex shall notify affected Users and authorities as required by applicable law.
11. USER RIGHTS
11.1 Users may exercise the following rights by writing to contact@travonex.com:
- Right to Access personal data held.
- Right to Correction of inaccurate data.
- Right to Deletion subject to legal retention requirements.
- Right to Withdrawal of Consent.
- Right to Data Portability.
11.2 Requests will be processed within statutory timelines under the DPDP Act.
12. ACCOUNT DELETION
Upon verified request, personal data will be deleted or anonymised except where retention is legally required.
13. CHILDREN'S PRIVACY
The Platform is not intended for use by individuals under 18 without guardian involvement.
14. MARKETING COMMUNICATIONS
Promotional communications are optional, and you may opt out of them at any time.
15. THIRD PARTY LINKS
Travonex is not responsible for third-party privacy practices.
16. GRIEVANCE REDRESSAL
Grievance Officer: Akash
Email: contact@travonex.com