Privacy Policy

This Privacy Policy describes how M/s. Trip Jack Private Limited a company incorporated under the Companies Act, 2013 and having its registered office at Unit No. 001, C wing, Marathon Innova, Ganpatrao Kadam Marg, Lower Parel, Mumbai- 400 013 (“Tripjack”, “we”, “our”, “us”, and their affiliates/subsidiaries including but not necessarily limited to “Trip Jack Limited”, “Trip Jack Tourism LLC”) collects, uses, stores, discloses and otherwise processes personal data in accordance with the Digital Personal Data Protection Act, 2023 and applicable rules thereunder and as modified from time to time.

User (“you” or “your”)

Sales channels (website, mobile app, mobile website)

Effective Date: [02 Apr 2026]

As a registered member of Tripjack, you will be entitled to savings and benefits on airfares, hotel reservations, and car rentals, among other travel services. In addition, look forward to receiving monthly newsletters and exclusive promotions offering exclusive deals. That is why we have provided this Privacy Policy, which sets forth our policies regarding the collection, use, and protection of the personal information of those using our website. Personal information means information that can be linked to a specific individual, including but not limited to name, address, date of birth, passport number, telephone number, e - mail address, frequent flyer number, IP address, credit card number. Further this policy applies to any person, user who has purchased or intends to purchase or inquiries about any product or service made by Tripjack through any of Tripjack’s interface channels including but not limited to website, mobile site, mobile app, or any other sales channel.

Trip Jack may use automated systems, risk scoring models, behavioural analytics, and fraud detection tools to analyse booking patterns, payment behaviour, search activity, and transaction anomalies for the purposes of fraud prevention, platform security, inventory protection, and regulatory compliance.

We encourage you to review our Privacy Policy, and become familiar with it, but you should know that we do not sell or rent our any personal information to third parties. Please note that we review our Privacy Policy from time to time, and we may make periodic changes to the policy in connection with that review. Therefore, you may wish to bookmark this page and/or periodically review this page to make sure you have the latest version. Regardless of later updates, we will abide by the privacy practices described to you in this Privacy Policy at the time you provided us with your personal information.

This Privacy Policy describes how Tripjack collects, uses, discloses, stores, and protects personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDPA”) and its rules thereunder and or any other applicable law. By accessing or using the Tripjack website or services, you agree to the terms described here.

1. Definitions

Personal Data: Any data about an identified or identifiable individual including child data, data of person with disability.

Data Principal: You, the individual whose data is collected or relates to.

Data Fiduciary/Controller: A Data Fiduciary is any entity that decides the purpose (why) and means (how) of processing an individual's personal data. They collect, use, store, and share data based on their own decisions and must ensure privacy and security for the Data Principal (“individual,” “user”, “you”,” your”).

Data Processor: Any person who processes personal data on behalf of the Data Fiduciary.

Consent: means a voluntary, specific, informed, free, unconditional agreement to process personal data, given through clear affirmative action (not silence or pre-ticked boxes), and easily withdrawable, making data collection a trust-based exchange, not a coercive one, with Data Fiduciaries (companies) bearing the burden of proof for valid consent.

Supplier: means airlines, hotels, visa processors, transport operators, forex providers and any third-party fulfilling travel services.

Significant Data Fiduciary (SDF): Tripjack acknowledges that it may be notified by the Central Government as a Significant Data Fiduciary under Section 10 of the DPDPA, 2023, based on the volume and sensitivity of personal data processed, risk to the rights of Data Principals, national security, and public order considerations. Where so notified, Tripjack shall comply with additional obligations including appointment of a Data Protection Officer, engagement of an independent data auditor, and conduct of Data Protection Impact Assessments (DPIAs) as prescribed.

As per the circumstances warrant Tripjack may be the controller or processor of your personal information.

1. Role of Company

Tripjack acts both as Data Fiduciary and Data Controller based on the nature of processing activity.

Tripjack as Data Fiduciary – Personal Data of our Clients, Visitors and other individuals (Data Principal) that is collected and processed directly by us. Tripjack acts as Data Fiduciary while processing such Personal Data.

Tripjack acting as Data Processor – Personal Data that forms part of data that is provided by our clients/ Travel Service Provider or their end-users on the directions of our clients/ Travel Service Provider. Our clients / Travel Service Provider are the Data Fiduciary for such data. Tripjack acts as Data Processor for such processing activities and process the data on the written directions of our client/ Travel Service Provider. If you think that your Personal Data falls under such category, we advise you to connect with your Data Fiduciary and consider the Privacy Notice available on the official website of your Data Fiduciary.

Trip Jack acts as a technology intermediary facilitating transmission of traveller data between Travel Service Providers and Suppliers. Trip Jack does not independently determine the purpose of processing such traveller data where Travel Service Providers or Corporate Customers submit such data. In such cases, the Travel Service Providers or corporate entity shall remain the primary Data Fiduciary. Trip Jack shall rely on personal data as provided by users, Travel Service Providers or corporate customers and shall not be responsible for inaccuracies, outdated information or incomplete submissions.

1. What personal information we collect from you

We collect either directly or indirectly, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this policy.

We do not collect any special categories of personal data about you through our sales channels until and unless it is necessary or needed for any services availed by you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, data on or about children). Nor do we collect any information about criminal convictions and offences until and unless it is needed for any services availed by you.

We collect, use, store and transfer distinct kinds of personal data about you. We have grouped together the following categories of personal data to explain how we use this type of information. These terms are used throughout this Notice:

• “Contact Data”: including your residential address, work address, email address and telephone numbers;
• “Identity Data”: including your first name, last name, username or similar identifier, title;
• “Website User Data”: Usernames, Passwords and other security related information used by you in relation to our services.
• “Transaction Data: Transactional history about your e-commerce activities, buying behavior. Information pertaining any other traveller(s) for whom you made a booking through your registered Travel account. In such case, you must confirm and represent that each of the other travellers(s) for whom a booking has been made, has agreed to have the information shared by you disclosed to us and further be shared by us with the concerned service provider(s).
• “Marketing and Communications Data”: including your marketing and communication preferences. We also track when you receive and read marketing communications from us, which information we use to improve our marketing services, provide you with more relevant information and improve the quality of our marketing materials. Additional information about the personal data we process in connection with marketing is included with the marketing communications we send you;
• “Public Domain or Third Party Data”: Data available in public domain or received from any third party including social media channels, including but not limited to personal or non-personal information from your linked social media channels (like name, email address, friend list, profile pictures or any other information that is permitted to be received as per your account settings) as a part of your account information.
• “Profile Data”: including information collected progressively when you visit our site including your referral website, pages you visit, actions you take, patterns of page visits and information from forms you fill in;
• “Technical Data”: includes information collected when you access our website, mobile site or mobile app your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you are using; and
• “Usage Data”: information about how you use our website or any sales channel.
• “Any other Personal Data”: If you request us to provide visa related services, then copies of your passport, bank statements, originals of the filled in application forms, photographs, and any other information which may be required by the respective embassy to process your visa application. If you request us to provide foreign exchange (Forex) related services then passport copies, A2 form, air tickets or travel authentication document to verify confirmed travel or any other documents required to process your Forex transaction.
• “Credit card”: to help you make purchases on our sales channels and to save your time in typing all the data.
• “Child Data”: to ensure that we have all the information of the travellers travelling and in case of minor we have details of the guardian. This will help us make reservations and necessary travel arrangements. We do not collect any data without the permission/knowledge/consent of the parents/guardians.
• “Data of person with disability”: to ensure that we have all the information of the travellers travelling and in case of person with disability we have details of the guardian. This will help us make reservations and necessary travel arrangements. We do not collect any data without the permission/knowledge/consent of the parents/guardians.

1. Mode of collecting Personal Data

The only way we will get any kind of personal data is if you choose to give it to us in the following circumstances:

1. Direct Interactions

• When you make an enquiry or quotation request or make a reservation or purchase from our ‘Website’ or through our customer service team – by email(s), letter(s), fax, on the phone or in physical store.
• When you register with us, subscribe to our newsletter, enter in lucky draws/competitions/surveys/feedback, send us queries or register for promotions.
• When you engage with us in any online or offline event, promotions, page hosted by us on a third-party platform or location.
• Through cookies on our website or any sales channels as per the Cookie Policy
• We receive Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see cookie policy for further details of the information collected.

1. Third parties or publicly available sources:

• We receive Technical Data from analytics providers such as Google.

1. GROUNDS FOR PROCESSING OF DATA

When you use our website or any sales channel we will use your personal data in the following circumstances:

(a) Processing of Personal Data for certain Legitimate Uses

For certain processing, we may also process the Personal Data for legitimate uses as provided under the Digital Personal Data Protection Act, 2023.

• Processing of Personal Data disclosed Voluntarily by you
• Processing of Personal Data when consent is provided for the performance of State Function
• Processing of Personal Data for the purpose of performance of State Function in the interest of sovereignty and integrity of India
• Processing of Personal Data when there is Regulatory obligation to disclose the information.
• Processing of Personal Data to comply with Court Order
• Processing of personal data is required due to medical emergency.
• Processing of Personal Data during an epidemic
• Processing of Personal Data during any disaster

(b) Processing of Personal Data based on Consent

When we process the Personal Data based on ‘Consent’ we ensure that we have informed you about the type of data personal data being collected and purpose of such data collection. We ensure that such personal data is being used only for the informed and specific purpose. Where you have consented to a particular processing, you have a right to withdraw the consent at any time. You can withdraw your consent by writing to us at privacy@tripjack.com. If you do so, your personal data will be erased, unless there is any legal requirement to retain it.

Tripjack shall maintain a verifiable record of consent in accordance with Section 7 of the DPDPA, 2023.

1. USE OF PERSONAL DATA

We will only process (i.e. use) your personal data when the law allows us to, that is, when we have a legal basis for processing. We use the information to establish and enhance our relationship with our users for the following purposes:

While you make a booking:

We may use your Personal Information available with us to ease your booking process. This information may include all the data provided by you earlier i.e. contact data. We may also use the information of travellers list as available in or linked with your account. This information is presented to the User at the time of making a booking to enable you to complete your bookings expeditiously.

1. We may also use your Personal Information for several reasons including but not limited to:

• keep you informed of the transaction status.
• send booking confirmations either via SMS or WhatsApp or any other messaging service.
• send any updates or changes to your booking(s)
• allow our customer service to contact you, if necessary
• confirm your reservations with respective service providers.
• request for reviews of products or services or any other improvements
• send verification message(s) or email(s)
• validate/authenticate your account and to prevent any misuse or abuse.
• contact you on your birthday/anniversary to offer a special gift or offer.
• send you important notices and communications regarding our products and services availed or changes to the terms and conditions and/or policies.
• send information about products and services offered by us and our affiliates.
• send you payment reminders and/or travel vouchers.
• Newsletters to keep you updated on the travel sector. If you do not wish to receive such intimation, you may unsubscribe this facility in the email message you receive.

1. We may share your personal data to third parties for reasons cited below but not limited to:

• Where it is necessary to process your booking, enquiry or participation.
• To fulfil the service offering and/or to make booking, reservation, blocking and any such activity initiated by user.
• We may share personal data with companies who provide services such as information processing, extending credit, fulfilling customer orders, delivering products to you, managing and enhancing customer data, providing customer service, assessing your interest in our products and services, and conducting customer research or satisfaction surveys. These companies are obligated to protect your information.
• We may use your personal information for Marketing Promotions, Research and other programs.
• As a registered user, you will receive our latest product and service announcements, offers, promotions and event updates. If you wish to unsubscribe, you can choose to do so.
• We may also use the personal data to improve our product offering, develop and deliver products, services, content and advertising. – Personal data may also be used internally for research, analysis and auditing
• We may from time to time launch promotions to give its Users an opportunity to win great travel and travel related prizes. During such activity the personal information collected by us may include contact information and survey questions.
• We will use such information to notify contest winners and survey information to develop promotions and product improvements.
• We may launch travel referral or reward programs from time to time by way of which users would win travel related rewards or other rewards. We may use your personal information to enroll you in the rewards program. Depending on the reward program, each time you win a reward, we may share your personal information with a third party that will be responsible from fulfilling the reward to you. You may however choose to opt out of such reward program if you choose to do so. Here too while rewarding any user we at times may verify information of customers on selective basis for various purposes such as fraud protection or any other purpose.

1. COLLECTION AND USE OF NON-PERSONAL DATA

Non-personal data is data which can never be used to identify an individual. We may collect information regarding customer activities on our various portals. This aggregated information is used in research, analysis, to improve and monitor products and for various promotional schemes. It may be shared in aggregated, non-personal form with third party to enhance customer experience, products offering or services.

1. PROCESSING OF PERSONAL DATA OF CHILDREN

In certain cases, personal data of children (individuals below 18 years of age) may be collected and processed as part of the services we provide to our clients. Such personal data may be collected through our authorised Travel Service Provider or representatives while delivering these services.

Where the personal data of children is processed, we ensure that verifiable consent of the child’s parent or lawful guardian is obtained in accordance with the Digital Personal Data Protection Act, 2023. We process children’s personal data only for the purposes of providing the relevant services and in a manner that safeguards the rights and well-being of the child, and we do not undertake any processing that is likely to cause harm to the child.

Prohibition on Targeted Advertising to Children (Section 9, DPDPA 2023):

Tripjack shall not undertake targeted advertising directed at children on the basis of personal data processed under this section. Tripjack shall not track or behaviourally monitor children, and shall not undertake any processing that is likely to cause harm to the well-being of the child. Where Tripjack becomes aware that a user is below 18 years of age, marketing preferences shall automatically be restricted to prevent delivery of profiled or targeted promotional content.

For any queries regarding the processing of a child’s personal data, parents or lawful guardians may contact us at privacy@tripjack.com.

1. PROCESSING OF PERSONAL DATA OF A PERSON WITH DISABILITY

In certain cases, personal data of person with disability may be collected and processed as part of the services we provide to our clients/Travel Service Providers. Such personal data may be collected through our authorized Travel Service Providers or representatives while delivering these services.

Travel Service Provider ensures that the verifiable consent of the lawful guardian is obtained for the processing of personal data of a person with disability. If you are a lawful guardian of a person with disability, you can contact us at privacy@tripjack.com for any query related Personal Data of the Person with disability.

1. COOKIES AND OTHER TECHNOLOGIES

We use cookies and other technologies to enhance your experience when you use our website or any sales channel. To that effect, we have developed a cookie policy to familiarize you with our practices. You can access the cookie policy on our website.

1. LINKS

For your convenience, our website provides links to other sites. When you click on one of these links, you are leaving our website and entering another site. We are not responsible for such third-party sites. You should carefully review the privacy statements of any other sites you visit, because those privacy statements will apply to your visit to such other sites.

1. WITH WHOM YOUR PERSONAL DATA IS SHARED

• Group Companies (Companies in the same group): In the interests of improving personalization and service efficiency, we may, under controlled and secure circumstances, share your Personal Information with our affiliate or associate entities. If the assets of Tripjack are acquired, our customer information may also be transferred to the acquirer depending upon the nature of such acquisition. In addition, as part of business expansion/development/restructuring or for any other reason whatsoever, if we decide to sell/transfer/assign our business, any part thereof, any of our subsidiaries or any business units, then as part of such restructuring exercise customer information including the Personal Information collected herein shall be transferred accordingly.
• Service Providers and suppliers: Your information shall be shared with the end service providers like airlines, hotels, visa consulates, bus service providers, cab rental, railways or any other suppliers who are responsible for fulfilling your booking. You may note that while making a booking with Tripjack you authorize us and consent to share your information with the said service providers and suppliers. It is pertinent to note that we do not authorize the end service provider to use your information for any other purpose(s) except as for fulfilling their part of service.
• We do not sell or rent individual customer names or other Personal Information of Users to third parties except sharing of such information with our business/alliance partners or vendors who are engaged by us for providing various services and for sharing promotional and other benefits to our customers from time to time basis their booking history with us.
• Third Party Vendors and Business Partners: We may also share certain filtered Personal Information to our corporate affiliates or business partners who may contact the customers to offer certain products or services, which may include free or paid products / services, which will enable the customer to have better travel experience or to avail certain benefits specially made for our customers. Examples of such partners are entities offering savings/EMI on travel, co-branded credit cards, travel insurance, insurance cover against loss of wallet, banking cards or similar sensitive information etc. If you choose to avail any such services offered by our business partners, the services so availed will be governed by the privacy policy of the respective service provider.
• Tripjack may share your Personal Information to third party that we may engage to perform certain tasks on its behalf, including but not limited to payment processing, data hosting, and data processing platforms.
• We may provide non personal data based on this data to suppliers, advertisers, affiliates and other current and potential business partners. We may also use such aggregate data to inform these third parties as to the number of people who have seen and clicked on links to their websites.
• Occasionally, Tripjack will hire a third party for market research, surveys etc. and will provide information to these third parties specifically for use in connection with these projects. The information (including aggregate cookie and tracking information) we provide to such third parties, alliance partners, or vendors are protected by confidentiality agreements and such information is to be used solely for completing the specific project, and in compliance with the applicable regulations.
• Once personal data is shared with independent Suppliers for fulfilment of travel services, such Suppliers process such data under their own privacy practices and Trip Jack shall not be responsible for subsequent processing beyond transmission required for booking fulfilment.

1. DISCLOSURE OF INFORMATION

Where required, we will (subject to our professional obligations and any terms of business which we may enter with you) disclose your personal data to:

• Any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body;
• Our professional advisers or consultants, including lawyers, bankers, auditors, accountants and insurers providing consultancy, legal, banking, audit, accounting or insurance services to us; and
• Service-providers who provide information technology and system administration services to us.

1. CROSS BORDER TRANSFER

Due to the nature of the business, some of the affiliated companies and other recipients may be located outside India that do not provide a level of data protection equivalent to that set forth by the law in your home country.

Tripjack ensures that all third parties are assessed for the identification of appropriate level of organisational and technological measures implemented by the vendor for Confidentiality, Integrity and Availability of personal data.

Tripjack executes a Data Processing Agreement (DPA), to meet the adequacy and security requirements for our clients and other international transfers of Client Data. The DPA is the contractual commitment between parties transferring Personal Data (for example, between Tripjack and its clients, suppliers or Data Processors outside India), binding them to protect the privacy and security of the data.

Restriction on Cross-Border Transfers

Notwithstanding the above, personal data shall not be transferred by Tripjack to a country or territory outside India unless such transfer is to a country or territory notified by the Central Government of India under Section 16 of the Digital Personal Data Protection Act, 2023, as a permitted destination for cross-border data transfer. Until such notification is issued, Tripjack shall apply a risk-based assessment and contractual safeguards (including standard contractual clauses and Data Processing Agreements) to any international transfer of personal data of Indian Data Principals.

Where personal data is transferred to any Supplier or third party located outside India, Tripjack shall ensure that such recipient is contractually bound to maintain data protection standards at least equivalent to those required under the DPDPA, 2023. A copy of our standard Data Processing Agreement template is available on request at privacy@tripjack.com.

1. USER GENERATED CONTENT

Tripjack provides an option to its users to post their experiences by way of reviews, blog articles, ratings and general poll questions. The customers also have an option to give their feedback or ask questions w.r.t a service offered by us or post answers to questions raised by other users. We may also engage a third party to contact you and gather your feedback about your recent booking with us. Though the participation in the feedback process is purely optional, you may still receive emails, notifications (app, SMS, WhatsApp or any other messaging service) for you to share your review(s). These reviews may be written (with or without images) or in video format. The reviews written or posted will be visible on our website or sales channels and may also be visible on other travel or travel related platforms. The User Generated Content that we collect may be of the following kinds:

• Articles for Website or Blog
• Review and Ratings
• Question and Answers
• Crowd Source Data Collection (poll questions).

Each User who posts review or ratings, Q&A, photographs shall have a profile, which other Users will be able to access. Other Users may be able to view the number of trips, reviews written, questions asked and answered and photographs posted Each User shall be diligent and take due care to ensure that the views expressed by you on the social media platform or the website is not derogatory or oppose to law, public policy, morality, religion, caste, creed, colour, sex, race, culture, ethics, customs, traditions, decency, good conscience, third party intellectual property etc. By uploading pictures, views, images, contents, visuals, audios, experiences etc. on the social media platform or website, you consent to us to use, reproduce, copy, upload pictures, views, look and feel, images, contents, visuals, audios, experiences etc. in any manner, as may deem fit by us, without any responsibility, liability, compensation or cost due to you or any third party, on the part of us. Tripjack hereby disclaims all or any disputes, responsibilities, liabilities, litigations, costs, expenses, compensations etc., arising with respect to or in connection with the use, reproduction, copying, uploading of pictures, views, look and feel, images, contents, visuals, audios, experiences etc. contributed, shared, expressed by you, or on your behalf and/or otherwise to any third party.

1. PERMISSIONS REQUIRED FOR USING OUR MOBILE APPLICATIONS

When the app is installed on your phone a list of permissions will appear and are needed for the smooth functioning of the application. The permissions that require and the data that shall be accessed and its use are as below:

Android permissions:

Location: This permission enables us to give you the nearest branch details from your location in case you require any physical assistance with regards to any travel query.

SMS: If you allow us to access your SMS, we can send you SMS related to ‘OTP’ and send holiday package details to your mobile number.

Phone: The app requires access to make phone calls so that you can make phone calls to our customer contact centres directly through the app.

Contacts: If you allow us to access your contacts, it enables us to provide a lot of social features to you such as sharing holiday packages with your friends, etc.

Photo / Media / Files: The libraries in the app use these permissions to save and cache images and document data for your ease and faster use of the app while you browse with us the next time. By saving image and document data locally, your phone does not need to re-download the same every time you use the app.

IOS Permissions:

Notifications: If you opt in for notifications, it enables us to send across exclusive deals, promotional offers, travel related updates, etc. on your device.

1. INFORMATION PROTECTION AND SECURITY

1. Considering the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including:
   • the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
2. We ensure that those who have permanent or regular access to personal data, or participate in the processing of personal data, or in the development of tools used to process personal data, are trained and informed of their rights and responsibilities in when processing personal data.
3. To protect your personal data and prevent unauthorized access, we have put in place appropriate security measures and certifications. We have SSL site and user should use it to protect the information transmission while transacting online.
4. We require any third parties processing your information to do the implement the same levels of protection with respect to your data.
5. While no system is foolproof, including ours, we will continue using internet security procedures to ensure your data remains safe with us. By opening, browsing, using this site for transactions, or storing any data/information, you agree to comply with the latest revised privacy notice in effect at such time. If you use some social networking or other service which maintains your information, it is governed by their terms of use and privacy notice.

1. DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. This includes, for example, the purposes of satisfying any legal, regulatory, accounting, reporting requirements, to carry out legal work, for the establishment or Défense of legal claims.

We will retain your personal data in our databases in accordance with our document management, retention and destruction policy and applicable laws. This period may extend beyond the end of your relationship with us, but it will be only as long as it is necessary for us to have sufficient information to respond to any issues that may arise later. For example, we may need or be required to retain information to allow you to obtain credit for trip you purchased but had to cancel. We may also need the retain certain information to prevent fraudulent activity; to protect ourselves against liability, permit us to pursue available remedies or limit any damages that we may sustain; or if we believe in good faith that a law, regulation, rule, or guideline requires it.

In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Trip Jack may log, monitor, and retain platform access logs, IP records, device identifiers, and usage metadata for security, audit, dispute resolution, and fraud investigation purposes.

1. CHANGES TO THE POLICY

We reserve the right to update or change this Policy at any time, and we will provide you with the updated policy when we make any substantial updates at the earliest either through email or by providing a prominent notice of change on our website. You should check the policy periodically. Your continued use of our website after we post any modifications to the policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified notice.

1. YOUR RIGHTS

We strive to give you ways to access, update/modify your data quickly or to delete it unless we must keep that Personal Data for legal purposes. Rights can be access via contacting us at privacy@tripjack.com. For visitors, these rights can be exercised by contacting us with your specific request.

• The Right of Access: You have the right to access personal data and supplementary information. You can ask us for a copy of your personal information.
• The Right to Correction: You can ask us to change, update, or fix your data in certain cases, particularly if it is inaccurate.
• The Right to Erasure: You can ask us to erase or delete all or some of your personal information (e.g., if it is no longer necessary to provide services to you) without undue delay.
• The Right to file a complaint: You have the right to file a complaint with the Data Protection Board if you are dissatisfied with the way we handle or process your personal data.
• Nomination: the Digital Personal Data Protection Act, 2023 provides data principals with a right to nominate a person on their behalf to exercise their rights and to ensure safeguarding the personal data. The right can be exercised in the event of the data principal’s death or incapacity. To exercise your right to nomination you may contact us at privacy@tripjack.com
• Grievance Redressal: You have a right to grievance redressal under the Digital Personal Data Protection Act, 2023. We wish to resolve your grievances amicably. If you have any grievances regarding the processing of your personal data or your rights regarding the personal information, and in case you have any questions, comments or concerns about this Policy, you may raise your grievances at privacy@tripjack.com.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within a desirable timeframe. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

1. LIMITATION OF LIABILITY

To the extent permitted by law, Trip Jack shall not be liable for indirect or consequential damages arising from unauthorised access, transmission errors, third-party breaches, or circumstances beyond reasonable control.

1. PLATFORM INTERMEDIARY LIABILITY DISCLAIMER

Trip Jack operates as a technology platform and intermediary facilitating booking, data transmission, and travel service coordination between users, Travel Service Providers, and Suppliers. Trip Jack does not independently control or guarantee the performance, data protection practices, or security standards of third-party Suppliers. Users acknowledge that Suppliers may act as independent Data Fiduciaries for the personal data processed by them.

1. INDEMNITY FOR THIRD-PARTY DATA SUBMISSION

Where personal data of travellers or third parties is submitted by Travel Service Providers, corporate customers, or users, such parties represent and warrant that they have obtained valid consent and lawful authority for such submission and shall indemnify and hold harmless Trip Jack from any claims, penalties, or liabilities arising from unlawful data sharing.

1. GOVERNING LAW

This Policy shall be governed by laws of India and courts of Mumbai shall have exclusive jurisdiction.

1. RETENTION SCHEDULE

In accordance with the DPDPA, 2023 and applicable Indian law, Tripjack shall erase personal data as soon as the purpose for which it was collected is no longer being served, unless retention is required by law.

Data retained beyond the primary purpose is anonymised or pseudonymised to the extent practicable. Upon expiry of the applicable retention period, personal data shall be securely erased or destroyed.

1. DATA BREACH

In the event of a personal data breach — meaning any unauthorised processing, accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data — that is likely to cause harm to a Data Principal, Tripjack shall:

(a) Notify the Data Protection Board of India: Tripjack shall notify the Data Protection Board of India of such breach in such form, manner, and within such timeframe as may be prescribed by the Board under the DPDPA, 2023 and its rules. As of the effective date of this Policy, the Board has indicated that notification shall be made promptly without undue delay.

(b) Notify Affected Data Principals: Tripjack shall inform each affected Data Principal of the nature of the breach, the categories of personal data affected, the likely consequences of the breach, the measures taken or proposed to address the breach, and the contact details of the Grievance Officer through whom the Data Principal may seek further information.

(c) Internal Incident Response: Tripjack maintains an internal data breach response procedure, which includes: immediate containment and assessment of the breach; forensic investigation to identify the cause and scope; remediation steps to prevent recurrence; and documentation of the breach and response in a breach register.

Tripjack shall not be liable for data breaches caused by third-party Supplier failures, telecom outages, force majeure cyber incidents, or events beyond reasonable security control, provided that Tripjack has implemented the security measures described in this Policy.

1. COMPLAINTS

If you have any complaint about how we have handled a Subject Access Request, please let us know and we will try to fix it. You can email at privacy@tripjack.com. In the event of any personal data breach likely to cause harm, Trip Jack shall take reasonable steps to notify affected Data Principals and the Data Protection Board of India in accordance with applicable law. Trip Jack shall not be liable for breaches occurring due to third-party platform failures, telecom outages, force majeure cyber incidents, or acts beyond reasonable security control.

If you are dissatisfied with handling of any privacy complaints, if you do not receive timely acknowledgement of your complaint, or your complaint is not satisfactorily addressed please contact our team at privacy@tripjack.com.

1. Contact Our Privacy Officer

If you have any questions regarding the processing of your data or if you want to exercise your rights, you can contact us by privacy@tripjack.com during working business days. The concern will be acknowledged within a reasonable time frame and be resolved at the earliest opportunity. Where the matter requires additional time, you will be informed of the reasons for the delay and an expected resolution date.

If you are not satisfied with the resolution provided by the Privacy Officer, you may escalate your complaint to the Data Protection Board of India, once constituted, at the official portal notified by the Ministry of Electronics and Information Technology (MeitY).