A Project by Meridian Bridge Strategy
Archived analysis

This page is old. Cleartrip was reviewed on 2026-04-07.

This is a historical, policy-only review. Policies, product behavior and source URLs may have changed since this analysis was published.

For current public evidence from website trackers, policy findings and proof samples, go to State of Privacy 2026.

View current public evidence
Travel & Hospitality

Cleartrip

Ready Score 58/100
Functional Gaps vs Industry Avg: 48
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 7 Apr 2026

Discuss this page with an LLM

ChatGPT Claude Gemini Perplexity

Executive Summary

Cleartrip’s privacy policy remains heavily anchored in the pre-DPDP regulatory era. While it provides transparency regarding 'what' is collected, it fails the 'how' and 'why' standards of the DPDP Act 2023. Specifically, the lack of granular consent for non-essential processing (marketing vs. fulfillment) and the omission of new statutory rights like nomination and DPBI escalation represent significant compliance gaps for a major travel intermediary handling sensitive passport and financial data.

How To Read This Analysis

This is an archived policy-only review of the company's public privacy policy. It is not a government certification and it is not legal advice.

For current public evidence from website trackers, policy findings and proof samples, see State of Privacy 2026.

We look for:

  • Notice and consent clarity
  • Purpose limitation
  • Data minimization
  • Retention and deletion language
  • Vendor and processor disclosures
  • Data Principal rights
  • Grievance redressal
  • Breach and security posture

Source Check

  • Source policy was reviewed for this archived analysis, but the old policy URL is not linked because public policy locations may have changed.
  • Date reviewed: 2026-04-07
  • Company: Cleartrip
  • Readiness score: 58/100
  • Policies and product behavior may have changed since review
  • Whether the current source policy still matches this archived policy-only review
  • Whether app, web and product flows match the policy

What To Do With This

If your company has a similar data model, use this analysis as a warning map. Do not copy the score. Map your own data flow.

Ask internally:

  • Do we collect similar categories of personal data?
  • Do we share data with the same number or type of vendors?
  • Can users understand why their data is shared?
  • Can we prove deletion, retention and grievance workflows?
  • What evidence would we show if questioned?

If this analysis resembles your business model, the next step is not a better privacy-policy paragraph. It is a data map and gap analysis.

Book a DPDP readiness call

⚠️ Compliance Gaps

  • Still references IT Act 2000 and SPDI Rules rather than the DPDP Act 2023 framework
  • Consent is largely bundled with the booking process and Terms of Use, lacking granular opt-ins
  • No mention of the Data Principal's right to nominate a representative under Section 14
  • Data retention policy uses 'as long as necessary' language without defined expiry for specific categories
  • Lacks explicit reference to the Data Protection Board of India (DPBI) for grievance escalation
  • Notice requirements under Section 5 are not fully met (missing detailed itemization of data processed for each purpose)

✅ Strengths

  • Clear identification of a Grievance Officer with contact details
  • Transparent list of third-party categories (airlines, hotels, payment gateways) with whom data is shared
  • Robust description of technical security measures (SSL encryption, PCI-DSS compliance)
  • Detailed cookie policy with information on how to manage tracking preferences

Overview

Cleartrip (a subsidiary of Flipkart/Walmart) is a major Online Travel Agency (OTA) in India. It processes high volumes of sensitive personal data, including financial details, government IDs (passports for international travel), and precise location data. Following its acquisition by Flipkart, its data ecosystem is integrated with a larger retail conglomerate, making DPDP Act compliance critical regarding data sharing and purpose limitation.

DPDP Readiness: Section-by-Section Analysis

Section 5 & 6 — Notice and Consent ⚠️

Cleartrip utilizes a “deemed consent” or “bundled consent” approach. By clicking “Pay” or “Register,” users are considered to have accepted the entire privacy policy.

What the policy says: “By using the Website and/or by providing your information, you consent to the collection and use of the information…”

DPDP requirement: Consent must be a “clear affirmative action” that is free, specific, informed, and unconditional. Section 5 requires a notice to be sent at the time of seeking consent, detailing the data collected and the purpose.

Gap: There is no “Consent Manager” integration or layered notice that allows a user to consent to travel booking while opting out of “marketing profiling” or “third-party affiliate sharing.”

Section 8 — Obligations of Data Fiduciary ✅

Cleartrip demonstrates strong compliance regarding security safeguards. They explicitly mention industry-standard protocols for protecting data during the booking lifecycle.

Strength: The policy highlights the use of secure servers and encryption for credit card transactions. Being part of the Flipkart group, they leverage enterprise-grade security infrastructure, which aligns with Section 8(5) of the Act.

Section 9 — Data Retention and Erasure 🔴

Critical Gap. The current policy allows for indefinite retention under the guise of “business purposes.”

What the policy says: “We will retain your Personal Information for as long as it is necessary to fulfill the purposes for which it was collected, or as required by law.”

DPDP requirement: Data must be erased once the specified purpose is fulfilled or consent is withdrawn, unless retention is required by law.

Gap: There is no clear mechanism for a “Right to be Forgotten” or a defined schedule for when a traveler’s passport details are purged from Cleartrip’s active databases after a trip is completed.

Section 11 — Rights of Data Principal ⚠️

The policy acknowledges the right to access and rectify data but ignores the newer rights introduced by the 2023 Act.

  • Right to Erasure: Mentioned vaguely but often contingent on closing the entire account.
  • Right to Nominate (Section 14): Totally absent. There is no provision for a user to nominate an individual to exercise their rights in case of death or incapacity.
  • Right to Withdraw Consent: While users can unsubscribe from emails, there is no clear dashboard to withdraw consent for specific data processing activities (like behavioral tracking) without losing access to the service.

Section 12 — Grievance Redressal ⚠️

Cleartrip provides the name and address of a Grievance Officer, satisfying the basic requirements of the IT Act.

Gap: Under the DPDP Act, the data principal must exhaust the fiduciary’s internal grievance process before approaching the Data Protection Board. Cleartrip’s policy does not define the timelines for resolution (which should be efficient) nor does it provide the mandatory link or information regarding the Data Protection Board of India as the ultimate regulatory authority.

Section 16 — Cross-Border Data Transfer ⚠️

As a travel platform, Cleartrip must share data with international airlines and hotels.

What the policy says: “We may transfer your information to countries other than India…”

DPDP requirement: Data transfer is permitted unless the Central Government restricts it (“Negative List”). However, the Fiduciary remains responsible for the data’s protection regardless of where it is stored.

Gap: The policy does not explicitly state that the recipient third parties are contractually bound to the same data protection standards as mandated by the DPDP Act.

Risk Assessment

CategoryRisk LevelFindings
ConsentHighBundled consent and lack of granular choices violate Section 6.
RetentionHighNo defined “expiry date” for sensitive traveler data.
RightsMediumMissing nomination rights; erasure process is cumbersome.
SecurityLowStrong encryption and Flipkart-backed infrastructure.
RegulatoryMediumNo mention of DPBI; still based on 2011 SPDI Rules.

Final Analyst Note: Cleartrip’s privacy policy requires a structural overhaul to move from “Transparency-based compliance” (old IT Act) to “Accountability-based compliance” (DPDP Act). The immediate priority should be implementing a granular consent notice and a data erasure framework.

📖 Related Compliance Guides

city DPDP Consulting in Lucknow city DPDP Consulting in Noida compare DPDP vs Kenya Data Protection Act Guide

What Should You Do Next?

🔍 Map Your Own Exposure

Book a DPDP readiness call if this analysis resembles your business model.

🎓 Train Your Team

Book a DPDP compliance workshop — available online, onsite, and hybrid.

📰 Stay Updated

Get the daily DPDP news digest. Track enforcement, breaches, and policy changes.

Fix these compliance gaps today.

Book 1:1 Consultation >
Book clarity call