Core principle: Viaje does not store your government ID number, document image, or biometric data. Verification is performed by authorised government-linked systems (DigiLocker, HyperVerge). We receive only a cryptographic success signal. Nothing more.
1. Purpose & Scope
Viaje Holidays Private Limited operates a Govt ID-verified travel community — one of the first platforms in India to mandate real-identity verification for every user. This policy governs how we handle the identity verification process specifically. For general personal data, refer to our Privacy Policy. We comply with India's Digital Personal Data Protection Act, 2023, the IT (Reasonable Security Practices) Rules, 2011, CERT-In guidelines, KYC norms under the PMLA 2002, and RBI guidelines for payment-linked identity verification.
2. Digital Verification — No Document Upload Required
Viaje's identity verification is fully digital and paperless. You are not required to photograph, scan, or upload any physical document. The process works entirely through government-authorised digital identity infrastructure:
Supported identity frameworks include DigiLocker (India's official digital document repository under MeitY), HyperVerge (an MeitY-empanelled AI verification provider), and equivalent authorised APIs in other countries. For international users, equivalent government-linked digital identity systems are used where available.
3. How Verification Works
You select your ID type from the supported list (Aadhaar, Passport, Driving Licence, Voter ID, or international equivalent), enter your ID number, and consent to the OTP-based verification. An OTP is sent by the issuing authority directly to your registered mobile number. Once you enter the OTP, the government or authorised verification system confirms your identity to Viaje via a secure API response. At no point does your physical ID image or full ID number pass through or get stored in Viaje's systems. We receive only a verification status token and the minimal data fields authorised by you (typically name and date of birth for account creation purposes).
4. What Viaje Does Not Store
Viaje does not store, process, or retain: raw government ID images, full Aadhaar numbers or equivalent national ID numbers, biometric templates of any kind, face images collected during verification, document scan data, or any data beyond what the user explicitly consents to share via the DigiLocker or HyperVerge authorisation flow. Your ID number — if used as a reference — is stored only as a one-way cryptographic hash (SHA-3 with unique salt), ensuring it cannot be reconstructed or read by anyone.
5. Legal Basis for Processing
Verification is processed on the legal bases of contract performance (verification is a contractual condition of Platform use), legal obligation (KYC requirements under PMLA 2002 and RBI guidelines for financial transactions), and legitimate interest (fraud prevention, duplicate account elimination, and platform safety). For users in the European Economic Area, the applicable legal bases under GDPR Article 6 are contract necessity and compliance with legal obligations.
6. Security of Verification Data
All verification API communications occur over TLS 1.3 with certificate pinning. The verification token and minimal authorised data fields are stored on ISO 27001:2022 certified cloud infrastructure hosted in India, with replication to geographically distributed servers including Google Cloud, Amazon Web Services (AWS), Akamai, and NTT Communications (Japan) for redundancy and resilience. Access to verification records is restricted by role-based access controls and multi-factor authentication, with all access events logged and audited.
7. Retention Schedule
The verification status token and consent record are retained for the lifetime of your account and deleted within 90 days of account closure. The minimal data fields (name, date of birth) authorised during verification are retained for the lifetime of your account as part of your verified identity record. The ID number hash, if stored, is retained for the lifetime of your account for duplicate-account prevention and deleted on account closure. All verification logs are retained for 7 years for regulatory audit compliance. No raw ID images or biometric data are ever stored — these are not received by Viaje's systems.
8. Who Sees Your Verification Data
Your verification data is shared only with: the authorised government or licensed verification infrastructure (DigiLocker, HyperVerge) as part of the verification flow; infrastructure security teams in the event of a security investigation under a valid legal order; and regulatory or law enforcement authorities on receipt of a valid court order, CERT-In directive, CBI, ED, or equivalent government process. We challenge overbroad or unlawful data requests and notify you where permitted by law.
Your identity verification data is never shared with other Viaje users, travel partners, advertisers, data brokers, analytics providers, or any commercial third party for any purpose.
9. Your Rights
Under the DPDP Act 2023 and applicable law, you have the right to access confirmation of your verification status, request correction if your verified name or DOB is recorded incorrectly (requires re-verification), request erasure of your verification record on account closure, receive your authorised data fields in portable format, withdraw consent for any optional verification-linked feature, and raise a grievance with our Data Protection Officer. Exercise any right at legal@viaje.in. We respond within 30 days. EEA users may also contact their national Data Protection Authority.
10. Minors
Users under 18 years of age are prohibited from using the Platform. The OTP-based digital verification process enforces this by requiring a valid adult government ID. If you believe a minor has accessed the Platform, contact report@viaje.in immediately — we will act within 24 hours.
11. Policy Changes
Material changes to this policy will be communicated via email and in-app notification at least 14 days before taking effect.