Core principle: We share only the minimum data required to deliver each service, only with contractually bound partners, and never for commercial resale. Your government ID data is never shared with any third party.
1. Overview
Viaje Holidays Private Limited integrates with a range of trusted third parties to deliver the Platform's services. This policy explains who our partners are, what data they receive, on what legal basis, and what protections are contractually required. We comply with the DPDP Act 2023, IT (Intermediary Guidelines) Rules 2021, and GDPR Article 28 for processor relationships.
2. Third-Party Categories
Our third-party relationships fall into five categories: travel supply partners (flight, hotel, tour, and experience providers); payment processors (certified gateways handling transaction execution); technology and infrastructure providers (cloud, CDN, communication, and analytics); identity verification providers (DigiLocker, HyperVerge — government-linked or government-authorised); and legal and regulatory bodies (authorities to whom we have legal disclosure obligations).
3. Travel Supply Partners
Viaje sources flight inventory through TBO and direct airline APIs. Hotel inventory is sourced through major bed banks and direct hotel partnerships. Tour and activity inventory is sourced through Viator, GetYourGuide, and registered agency partners. Visa facilitation and forex information are provided through licensed partners in the relevant jurisdictions. For each booking, the service provider receives the minimum data required to fulfil the reservation: typically your name, travel dates, and contact detail for confirmation. Your ID verification data, wallet balance, payment credentials, and social content are never shared with travel supply partners.
4. Payment Partners
Payment processing is handled by Cashfree, Razorpay, CCAvenue, PayU, and Payoneer. These partners are independent data controllers for payment processing, regulated by the RBI (for Indian gateways) and equivalent international authorities. They receive only tokenised payment data required to execute the transaction. Each is PCI-DSS Level 1 certified. Payoneer handles international creator payouts. Payment partner data handling is governed by their own privacy policies and our Data Processing Agreements.
5. Technology & Infrastructure Partners
Cloud & hosting: Data is stored on Google Cloud (primary), Amazon Web Services, Akamai, and NTT Communications (Japan) — all operated under strict Data Processing Agreements. Email delivery: Transactional communications are delivered through a certified email service provider bound by data minimisation obligations. Analytics: Google Analytics 4 with IP anonymisation; no PII is collected through analytics. AI fallback: Claude AI (Anthropic) is used as a fallback for AI-generated content when Viaje's proprietary model encounters limitations — only de-identified prompt data is transmitted. Weather API: Aggregated location data for weather queries; no user identification is transmitted. Currency API: Anonymised currency conversion queries; no user data is transmitted.
6. What Data Is Shared & With Whom
Name and travel dates → travel service providers (to fulfil bookings). Tokenised payment reference → payment gateways (to process transactions). Encrypted device and session data → infrastructure providers (for hosting and delivery). Anonymised aggregate usage data → analytics provider (for product improvement). Verification status token → identity verification APIs during the verification flow only. Security alert signals → Hawkeye and internal security team (fraud and abuse prevention). No data is shared with advertising networks, data brokers, or commercial third parties for marketing purposes.
7. Processor Obligations
All third parties receiving personal data in a processor capacity are required under written Data Processing Agreements to: process data only on Viaje's documented instructions; implement appropriate technical and organisational security measures meeting or exceeding ISO 27001 standards; not engage sub-processors without Viaje's prior written authorisation; notify Viaje of any data breach within 24 hours of discovery; assist Viaje in responding to data subject rights requests; return or securely delete all data on termination of the agreement; and cooperate with Viaje's security audit rights.
8. IT Act Intermediary Obligations
As an intermediary under the IT Act, 2000 and IT (Intermediary Guidelines) Rules, 2021, Viaje: publishes clear terms prohibiting unlawful content; appoints a Grievance Officer resident in India; acts on valid court orders or government directions to restrict access or share information; and does not host, promote, or derive revenue from unlawful third-party content. Viaje cooperates with the Cyber Crime Cell, ED, CERT-In, NCPCR, and equivalent international authorities in lawful investigations.
9. Limiting Third-Party Data Sharing
To minimise third-party data sharing: decline non-essential cookies via the Cookie Preference Centre; opt out of marketing communications in your account settings; do not enable precise GPS unless required for a specific feature; contact legal@viaje.in to exercise your right to object to processing based on legitimate interests; and for partner-specific data concerns, write to partner@viaje.in.