This Data Processing Agreement (“DPA”) is entered into between the travel agency or individual using the Itiner platform (“Data Fiduciary” or “Controller”) and Itiner (“Data Processor” or “Processor”).
This DPA governs the processing of personal data of the Data Fiduciary's clients (“Travellers”) that is submitted to the Itiner platform by the Data Fiduciary, in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA), the SPDI Rules, 2011, and the Information Technology Act, 2000.
Note: This is a template for informational purposes. Consult a qualified attorney for legal advice specific to your situation. Enterprises requiring a signed DPA should contact us.
1. Definitions
- “Data Fiduciary” (DPDPA term) / “Controller”: The travel agency or advisor who determines the purpose and means of processing Traveller data.
- “Data Processor”: Itiner, which processes Traveller data on behalf of the Data Fiduciary.
- “Data Principal”: The individual Traveller whose personal data is processed.
- “Personal Data”: Any data about an individual that can identify them directly or indirectly.
- “Processing”: Any operation performed on personal data, including storage, retrieval, display, and deletion.
- “Sub-processor”: A third party engaged by Itiner to process personal data in connection with the Service.
2. Scope and Purpose of Processing
Subject Matter
Processing of personal data submitted by the Data Fiduciary to the Itiner platform in connection with creating and sharing trip itineraries for Travellers.
Duration
For the duration of the Data Fiduciary's active subscription and for a deletion period of 90 days thereafter.
Nature of Processing
Storage, retrieval, display (via client portal), AI-assisted generation of itinerary content, and deletion upon request.
Categories of Data Principals
Travellers (clients of the Data Fiduciary) who may be adults or minors (where parental consent has been obtained by the Data Fiduciary).
Categories of Personal Data
- Name, email address, phone number
- Travel preferences and special requests
- Passport/identification details (if entered by the Data Fiduciary)
- Dietary requirements or accessibility needs (if entered)
3. Obligations of the Data Processor (Itiner)
Itiner shall:
- Process personal data only on documented instructions from the Data Fiduciary, as described in this DPA and the Terms of Service.
- Implement and maintain appropriate technical and organisational security measures as described in our Privacy Policy.
- Ensure that persons authorised to process personal data are bound by confidentiality obligations.
- Assist the Data Fiduciary in fulfilling obligations to respond to Data Principal rights requests (correction, erasure, access) within a reasonable timeframe.
- Notify the Data Fiduciary without undue delay upon becoming aware of a personal data breach affecting Traveller data.
- Not sell, rent, or disclose Traveller personal data to third parties except as set out in this DPA.
- Delete or return all Traveller personal data to the Data Fiduciary upon termination of services, except where retention is required by applicable law.
- Make available information reasonably necessary to demonstrate compliance with this DPA upon written request.
4. Obligations of the Data Fiduciary (You)
As the Data Fiduciary, you are responsible for:
- Ensuring you have a valid legal basis (typically consent) to collect and submit Traveller personal data to Itiner.
- Providing Travellers with appropriate privacy notices explaining that their data will be processed by Itiner.
- Ensuring that any Traveller data relating to children (under 18) has been collected with verifiable parental or guardian consent, as required by DPDPA Section 9.
- Not submitting Sensitive Personal Data (as defined under SPDI Rules) unless strictly necessary for the travel service provided.
- Responding to Data Principal rights requests from your Travellers.
- Complying with all applicable data protection laws in your jurisdiction.
5. Sub-processors
By accepting these Terms, you provide general authorisation for Itiner to engage sub-processors. Our current sub-processors are:
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, storage | AWS (configurable region) |
| Vercel, Inc. | Application hosting, CDN, edge functions | Global CDN |
| Groq, Inc. | AI inference for itinerary content generation (trip content only; no PII sent) | USA |
| Resend, Inc. | Transactional email delivery | USA |
We will notify you of any changes to sub-processors with at least 14 days' notice. If you object to a new sub-processor, you may terminate the Service in accordance with our Terms of Service.
6. Cross-Border Data Transfers
Traveller personal data may be transferred to and stored in countries outside India by our sub-processors. We ensure such transfers are made subject to appropriate safeguards, including contractual obligations with sub-processors that meet the standards required by the DPDPA and any government notifications issued thereunder.
Groq processes only trip itinerary content (destination names, activity descriptions) — no personally identifiable Traveller information is transmitted to Groq's systems.
7. Security Measures
Itiner implements the following technical and organisational measures:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Row-level security (RLS) ensuring agencies can only access their own Traveller data
- Token-secured unique URLs for client portals (no account needed to access)
- Regular automated backups with point-in-time recovery
- Strict access controls; no Itiner employee has routine access to Traveller data
- Incident response procedures with breach notification protocols
8. Data Breach Notification
In the event of a personal data breach affecting Traveller data, Itiner will notify the affected Data Fiduciary within 72 hours of becoming aware. The notification will include the nature of the breach, categories and approximate volume of data affected, likely consequences, and measures taken or proposed to address it.
9. Termination and Data Deletion
Upon termination of the Service:
- You may export your data (including Traveller data) within 30 days of account termination.
- After 30 days, all Traveller personal data will be permanently deleted from active systems.
- Encrypted backup copies are purged on a rolling 30-day cycle.
- We will provide a deletion confirmation upon written request.
10. Signed DPA
Enterprise customers requiring a countersigned DPA for their compliance records may request one by emailing thenavital@gmail.com with subject line “DPA Request”.
11. Governing Law
This DPA is governed by the laws of India. Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution process set out in our Terms of Service.