TL;DR: We collect only what we need, use it only to run our services, never sell it, store it on trusted global servers (Google Cloud, AWS, Akamai, NTT), and give you full control at any time. Your government ID is verified digitally — we receive only a success signal, not your ID data.
1. Overview & Who We Are
Viaje Holidays Private Limited ("Viaje", "we", "us"), CIN: U79110UP2026PTC243597, registered at 261, Kartora, Akbarpur, Ambedkar Nagar, Uttar Pradesh 224146, India, operates an AI-powered travel platform available globally. This Privacy Policy explains how we collect, use, store, and protect the personal data of users across all countries, including India, Japan, South Korea, Russia, China, the UAE, the USA, the UK, France, and beyond.
We comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000 and associated Rules, the Sensitive Personal Data Rules, 2011, and — for users in the EEA and UK — the General Data Protection Regulation (GDPR) and UK GDPR. We also align with the APEC Privacy Framework for Asia-Pacific users, Japan's Act on Protection of Personal Information (APPI), South Korea's Personal Information Protection Act (PIPA), Russia's Federal Law No. 152-FZ, China's Personal Information Protection Law (PIPL), UAE's PDPL, and the US state privacy laws applicable to our users including the CCPA/CPRA.
2. Data We Collect
Account data: name, email address, mobile number, date of birth, profile photo (optional), and language/currency preferences.
Verification data: verification status token and minimal identity fields (name, DOB) authorised via DigiLocker or HyperVerge — no raw ID images or full ID numbers are collected or stored.
Travel & activity data: itineraries generated by the AI Planner, bookings for flights, hotels, tours, and experiences, published posts, photos and videos, searches and destination views, messages and call metadata (content is end-to-end encrypted and inaccessible to us), and wallet transactions.
Device & technical data: device type, operating system, app version, IP address, approximate geolocation (city-level, unless precise GPS is granted for location-dependent features), crash diagnostics, and session identifiers.
3. How We Use Your Data
We process your data strictly for: account creation and authentication (contract performance); digital ID verification (legal obligation + contract); delivery of travel planning, booking, and creator services (contract); payment processing and wallet management (contract); fraud prevention and platform safety (legitimate interest); customer support (contract); anonymised product analytics — no PII, no cross-site tracking (legitimate interest); legal compliance with Indian and applicable international law (legal obligation); and, where you have consented, marketing communications about new features.
We do not use your data for advertising targeting by third parties, do not sell or rent your data, and do not share it with any advertising network.
4. Identity Verification
Verification is performed entirely via authorised government-linked APIs (DigiLocker, HyperVerge). Viaje receives only a verification success token and the minimal data fields you consent to share. No document images or raw ID numbers are stored by Viaje. See our dedicated ID & Data Protection Policy for full technical details.
5. Travel Service Data
When you book flights, hotels, tours, or other travel services through Viaje, relevant booking data (name, travel dates, passenger details) is shared with the service provider required to fulfil your booking — including airlines, hotels, tour operators, and aggregators such as TBO, Viator, and GetYourGuide. For forex and visa services, minimum required data is shared with the relevant licensed provider. We only share what is operationally necessary and all providers are bound by contractual data protection obligations.
6. Data Sharing
We share your data only in the following circumstances: with service providers to fulfil your bookings (name and trip details only — never ID data); with payment processors (Cashfree, Razorpay, CCAvenue, PayU, Payoneer) for transaction processing, who receive only tokenised payment data; with infrastructure providers (Google Cloud, AWS, Akamai, NTT Communications) who process encrypted data as contracted processors; with authorised government or licensed verification APIs during the verification flow; and with law enforcement or regulatory authorities on receipt of a valid legal order. We never sell, rent, or trade your personal data.
7. International Data Transfers
Your data is processed on servers distributed across India, the USA, Japan, and Europe. India-stored data is primary; international servers provide redundancy and performance optimisation. All cross-border transfers are protected by appropriate safeguards: Standard Contractual Clauses (SCCs) for EEA transfers, Data Processing Agreements binding all processors, Transfer Impact Assessments where required, and compliance with the specific data localisation requirements of applicable jurisdictions (including India's DPDP Act critical data provisions). Users in countries with data localisation requirements (China, Russia) should note that some data may be replicated to servers in those jurisdictions to comply with local law.
8. Retention
Active account data is retained for the lifetime of your account. On account closure, personal data is purged within 90 days except where legal retention is required: financial records are kept for 7 years under the Companies Act, 2013; tax records as required by the Income Tax Act; KYC verification logs for 7 years under PMLA 2002. End-to-end encrypted message content is inaccessible to us. Message metadata is retained for 12 months. Security logs are retained for 12 months for forensic capability.
9. Your Data Rights
You have the right to access a copy of your personal data; correct inaccurate or incomplete data; request erasure (subject to legal retention requirements); receive your data in portable JSON/CSV format; withdraw consent for optional processing at any time without affecting prior lawful processing; object to processing based on legitimate interests; nominate another person to exercise rights on your behalf (DPDP Act); and raise a grievance with our Data Protection Officer. EEA/UK users may also lodge complaints with their national supervisory authority. Submit any request to legal@viaje.in — we respond within 30 days.
10. Platform Tools & Third-Party APIs
Weather information is provided via a third-party meteorological API — data accuracy and real-time availability depend on the provider. Currency conversion rates are sourced from a third-party financial data provider — rates are indicative and actual bank rates may differ. Language translations use Viaje's internal localisation system; translations are not generated by a third-party translation API. Minor translation inaccuracies may occur — report them to report@viaje.in. Viaje's AI model is proprietary and actively being improved; for AI fallback scenarios, Claude AI (Anthropic) is used. Google Analytics 4 is used for aggregated product analytics with IP anonymisation enabled.
11. Safety Monitoring — Hawkeye
Viaje's proprietary Hawkeye system monitors platform-level signals for fraud, account security, and abuse prevention. Hawkeye does not track individual user behaviour, location, or content in real time. Monitoring is triggered only by algorithmic anomaly detection — for example, unusual login patterns, payment velocity, or flagged content — or when a user activates the SOS/emergency feature. Hawkeye alerts are reviewed by our safety team. No individual is actively monitored unless a specific security trigger or emergency signal is detected.
12. Children's Privacy
The Platform is not intended for users under 18. Our digital ID verification process enforces the minimum age requirement. We do not knowingly collect data from minors. Report suspected underage accounts to report@viaje.in for immediate action.
13. Disputes & Escalation
For privacy complaints, contact our Data Protection Officer at legal@viaje.in. We acknowledge within 48 hours and resolve within 30 days. Unresolved complaints may be escalated to the Data Protection Board of India (DPDP Act 2023) or your national supervisory authority (EEA/UK users). For service disputes, refer to our Dispute Resolution Policy.