Travel & Hospitality

Cleartrip

Ready Score 58/100
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 7 Apr 2026

Cleartrip’s privacy policy remains heavily anchored in the pre-DPDP regulatory era. While it provides transparency regarding 'what' is collected, it fails the 'how' and 'why' standards of the DPDP Act 2023. Specifically, the lack of granular consent for non-essential processing (marketing vs. fulfillment) and the omission of new statutory rights like nomination and DPBI escalation represent significant compliance gaps for a major travel intermediary handling sensitive passport and financial data.

⚠️ Compliance Gaps

  • Still references IT Act 2000 and SPDI Rules rather than the DPDP Act 2023 framework
  • Consent is largely bundled with the booking process and Terms of Use, lacking granular opt-ins
  • No mention of the Data Principal's right to nominate a representative under Section 14
  • Data retention policy uses 'as long as necessary' language without defined expiry for specific categories
  • Lacks explicit reference to the Data Protection Board of India (DPBI) for grievance escalation
  • Notice requirements under Section 5 are not fully met (missing detailed itemization of data processed for each purpose)

✅ Strengths

  • Clear identification of a Grievance Officer with contact details
  • Transparent list of third-party categories (airlines, hotels, payment gateways) with whom data is shared
  • Robust description of technical security measures (SSL encryption, PCI-DSS compliance)
  • Detailed cookie policy with information on how to manage tracking preferences

Overview

Cleartrip (a subsidiary of Flipkart/Walmart) is a major Online Travel Agency (OTA) in India. It processes high volumes of sensitive personal data, including financial details, government IDs (passports for international travel), and precise location data. Following its acquisition by Flipkart, its data ecosystem is integrated with a larger retail conglomerate, making DPDP Act compliance critical regarding data sharing and purpose limitation.

DPDP Readiness: Section-by-Section Analysis

Cleartrip utilizes a “deemed consent” or “bundled consent” approach. By clicking “Pay” or “Register,” users are considered to have accepted the entire privacy policy.

What the policy says: “By using the Website and/or by providing your information, you consent to the collection and use of the information…”

DPDP requirement: Consent must be a “clear affirmative action” that is free, specific, informed, and unconditional. Section 5 requires a notice to be sent at the time of seeking consent, detailing the data collected and the purpose.

Gap: There is no “Consent Manager” integration or layered notice that allows a user to consent to travel booking while opting out of “marketing profiling” or “third-party affiliate sharing.”

Section 8 — Obligations of Data Fiduciary ✅

Cleartrip demonstrates strong compliance regarding security safeguards. They explicitly mention industry-standard protocols for protecting data during the booking lifecycle.

Strength: The policy highlights the use of secure servers and encryption for credit card transactions. Being part of the Flipkart group, they leverage enterprise-grade security infrastructure, which aligns with Section 8(5) of the Act.

Section 9 — Data Retention and Erasure 🔴

Critical Gap. The current policy allows for indefinite retention under the guise of “business purposes.”

What the policy says: “We will retain your Personal Information for as long as it is necessary to fulfill the purposes for which it was collected, or as required by law.”

DPDP requirement: Data must be erased once the specified purpose is fulfilled or consent is withdrawn, unless retention is required by law.

Gap: There is no clear mechanism for a “Right to be Forgotten” or a defined schedule for when a traveler’s passport details are purged from Cleartrip’s active databases after a trip is completed.

Section 11 — Rights of Data Principal ⚠️

The policy acknowledges the right to access and rectify data but ignores the newer rights introduced by the 2023 Act.

  • Right to Erasure: Mentioned vaguely but often contingent on closing the entire account.
  • Right to Nominate (Section 14): Totally absent. There is no provision for a user to nominate an individual to exercise their rights in case of death or incapacity.
  • Right to Withdraw Consent: While users can unsubscribe from emails, there is no clear dashboard to withdraw consent for specific data processing activities (like behavioral tracking) without losing access to the service.

Section 12 — Grievance Redressal ⚠️

Cleartrip provides the name and address of a Grievance Officer, satisfying the basic requirements of the IT Act.

Gap: Under the DPDP Act, the data principal must exhaust the fiduciary’s internal grievance process before approaching the Data Protection Board. Cleartrip’s policy does not define the timelines for resolution (which should be efficient) nor does it provide the mandatory link or information regarding the Data Protection Board of India as the ultimate regulatory authority.

Section 16 — Cross-Border Data Transfer ⚠️

As a travel platform, Cleartrip must share data with international airlines and hotels.

What the policy says: “We may transfer your information to countries other than India…”

DPDP requirement: Data transfer is permitted unless the Central Government restricts it (“Negative List”). However, the Fiduciary remains responsible for the data’s protection regardless of where it is stored.

Gap: The policy does not explicitly state that the recipient third parties are contractually bound to the same data protection standards as mandated by the DPDP Act.

Risk Assessment

| Category | Risk Level | Findings |
|---|---|---|
| Consent | High | Bundled consent and lack of granular choices violate Section 6. |
| Retention | High | No defined “expiry date” for sensitive traveler data. |
| Rights | Medium | Missing nomination rights; erasure process is cumbersome. |
| Security | Low | Strong encryption and Flipkart-backed infrastructure. |
| Regulatory | Medium | No mention of DPBI; still based on 2011 SPDI Rules. |

Final Analyst Note: Cleartrip’s privacy policy requires a structural overhaul to move from “Transparency-based compliance” (old IT Act) to “Accountability-based compliance” (DPDP Act). The immediate priority should be implementing a granular consent notice and a data erasure framework.
