Itiner (“we”, “us”, “our”) operates the Itiner platform accessible at itiner.app (“Service”). This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), and the Information Technology Act, 2000.
Note: This policy is a template for informational purposes. Consult a qualified attorney for legal advice specific to your situation.
1. Data Fiduciary
Under the DPDPA, 2023, Itiner is the Data Fiduciary responsible for determining the purposes and means of processing your personal data.
- Entity: Itiner
- Contact Email: thenavital@gmail.com
- Grievance Officer: Daksh Bathla, reachable at thenavital@gmail.com
2. Personal Data We Collect
2.1 Data You Provide
- Account information: name, email address, password (hashed)
- Agency details: agency name, logo, contact information
- Trip content: itineraries, destination details, pricing, notes
- Client data you enter: traveller names, contact details, preferences
- Payment-related information (processed by third-party payment providers; we do not store card numbers)
- Communications: support messages, feedback you send us
2.2 Data Collected Automatically
- Log data: IP address, browser type, pages visited, timestamps
- Device information: operating system, screen resolution
- Analytics: feature usage, session duration (via privacy-respecting analytics)
- Cookies and local storage tokens (see Cookie Policy)
2.3 Sensitive Personal Data (SPDI)
We do not intentionally collect Sensitive Personal Data as defined under the SPDI Rules 2011 (financial information, health records, biometric data, etc.). Do not enter such data into the platform. If you believe sensitive data has been submitted, contact us immediately for deletion.
3. Purpose and Legal Basis for Processing
| Purpose | Legal Basis (DPDPA) |
|---|---|
| Providing and operating the Service | Consent; Legitimate uses under contractual obligation |
| Creating and managing your account | Consent |
| Processing payments and subscriptions | Legitimate use — performance of contract |
| Sending transactional emails (account alerts, invoices) | Legitimate use — contractual necessity |
| Sending product updates and marketing emails | Consent (you may withdraw at any time) |
| Improving the Service through analytics | Legitimate use — business interest |
| Ensuring security and preventing fraud | Legitimate use — legal obligation |
| Responding to support queries | Consent; Legitimate use |
| Complying with legal obligations | Legal obligation under applicable law |
4. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data only in the following circumstances:
- Service Providers: Supabase (database hosting, authentication), Groq (AI processing — trip content only, no personally identifiable data sent), Vercel (hosting infrastructure), Resend (transactional email delivery). These processors are contractually bound to process data only on our instructions.
- Business Transfers: In the event of a merger, acquisition, or sale, personal data may be transferred as a business asset. We will provide notice before such transfer.
- Legal Requirements: We may disclose data to comply with applicable law, court orders, or lawful government requests under the IT Act, 2000 or other Indian law.
- With Your Consent: Any other sharing requires your explicit consent.
5. Cross-Border Data Transfers
Our infrastructure providers (Supabase, Vercel) may store and process data on servers located outside India. Where data is transferred outside India, we ensure adequate safeguards are in place consistent with the DPDPA, 2023 and any applicable government notifications under Section 16 of the Act.
If you have concerns about cross-border transfers, contact our Grievance Officer.
6. Data Retention
- Account data: Retained while your account is active and for 90 days after a deletion request, then permanently deleted.
- Trip content: Retained while your account is active. Deleted upon account deletion.
- Log and analytics data: Retained for up to 12 months, then anonymised or deleted.
- Backup data: Encrypted backups retained for up to 30 days; deleted on a rolling basis.
- Legal hold: Where we are required by law or ongoing legal proceedings to retain data, we will retain it for the mandated period.
7. Your Rights Under DPDPA, 2023
As a Data Principal under the DPDPA, 2023, you have the following rights:
- Right to Information (Section 11): You may request a summary of personal data we hold about you and how it has been processed.
- Right to Correction and Erasure (Section 12): You may request correction of inaccurate data and deletion of data that is no longer necessary for the purpose for which it was collected, subject to legal retention obligations.
- Right to Grievance Redressal (Section 13): You may file a grievance with our Grievance Officer. We will respond within 30 days. If unsatisfied, you may escalate to the Data Protection Board of India once constituted.
- Right to Nominate (Section 14): You may nominate an individual to exercise your rights in the event of your death or incapacity.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect prior processing.
To exercise any of these rights, email thenavital@gmail.com with the subject line “Data Rights Request”. We will respond within 30 days.
8. Data Security
We implement reasonable security practices as required under the SPDI Rules, 2011 (Rule 8) and DPDPA, 2023 (Section 8(5)), including:
- Encryption in transit using TLS 1.2+
- Encryption at rest for all database content
- Row-level security (RLS) policies on all database tables
- Hashed password storage (never stored in plaintext)
- Access controls limiting employee access to personal data
- Daily automated backups
- Security monitoring and intrusion detection via Supabase infrastructure
In the event of a personal data breach, we will notify affected Data Principals and, once constituted, the Data Protection Board of India, in accordance with obligations under the DPDPA.
9. Children's Privacy
The Service is not directed to children under the age of 18. We do not knowingly collect personal data from minors. Processing of personal data of children requires verifiable parental or guardian consent under the DPDPA. If you believe we have inadvertently collected data from a minor, contact us immediately for deletion.
10. Grievance Officer
In accordance with the Information Technology Act, 2000 and Rules thereunder, and the DPDPA, 2023, we have appointed a Grievance Officer:
- Name: Daksh Bathla
- Designation: Founder
- Email: thenavital@gmail.com
- Response Time: Within 30 days of receipt of complaint
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will provide prior notice of material changes via email or in-app notification. Continued use after the effective date constitutes acceptance.