EaseMyTrip

Ready Score 48/100
Analysis supervised by Sushant Pasumarty
📅 11 Apr 2026

EaseMyTrip does a great job explaining *what* they collect, but falls short on the *how* of the new DPDP law. Their policy still relies on old-school bundled consent and lacks the specific deletion and grievance rights that Indian citizens now possess.

⚠️ Compliance Gaps

  • Bundled consent—using the site implies you agree to everything
  • Vague data retention periods using 'as long as necessary' language
  • No mention of a dedicated Data Protection Officer or DPB escalation
  • Missing the right to nominate a representative under Section 14
  • Generic cross-border transfer clauses without specific country safeguards
  • Lack of clarity on how long 'offline' channel data is kept

✅ Strengths

  • Very clear breakdown of mobile app permissions (GPS, SMS, etc.)
  • Explicitly mentions RBI and LRS compliance for international travel
  • Strong explanation of why specific data (like PAN) is needed
  • Clear warning about third-party partner privacy policies

Overview

EaseMyTrip is one of India’s biggest travel platforms. Think about the sheer amount of info they have on you: your passport details, Aadhaar/PAN numbers, vaccination certificates, and even your live location when you use the app.

When a company handles this much “Sensitive Personal Data,” the new law (the DPDP Act) treats them as a Data Fiduciary — basically, a person or company that decides how and why your data is used. You are the Data Principal — the owner of that data. If you’re a business owner reading this, you’re likely a Fiduciary too, and the rules just got much stricter.

DPDP Readiness: Section-by-Section Analysis

EaseMyTrip uses a classic “Take it or Leave it” approach. If you visit the site, they assume you’ve said yes to everything.

What the policy says: “By using or accessing the Website or other Sales Channels, the User hereby agrees with the terms of this Privacy Policy.”

What the law requires: Under the DPDP Act, consent must be free, specific, informed, and unconditional. You can’t just bundle it into the terms of service.

The problem: If a user wants to book a flight but doesn’t want their email used for “surveys,” they don’t have a choice. It’s all or nothing. For your own business, you’ll need to start offering tick-boxes for different uses of data.

Section 7 — Certain Legitimate Uses ✅

The law allows companies to process data without explicit consent in some cases — like if you voluntarily provide it for a specific reason (booking a flight) or for legal requirements.

What the policy says: “For international bookings, User… may be required to provide details such as their PAN information or passport details… as per the aforesaid requirements only.”

The strength: EaseMyTrip correctly identifies that for things like the RBI’s Liberalized Remittance Scheme, they have to collect your PAN. This aligns well with Section 7’s allowance for “legal obligations.”

Section 8 — Obligations of Data Fiduciary ⚠️

A Data Fiduciary (the company) is responsible for keeping your data safe, even if they share it with a third party like an airline or hotel.

What the policy says: “EaseMyTrip shall not be held liable” for how end service providers (like hotels) use your data once EaseMyTrip passes it to them.

The problem: The DPDP Act says the primary Fiduciary is responsible for any processing done on its behalf. While EaseMyTrip can’t control an airline’s internal leaks, the law expects them to have solid contracts in place to protect the Data Principal (you).

Section 9 — Data Retention 🔴

This is a major sticking point in the new law. You can’t keep data forever just because “it might be useful later.”

What the policy says: “EaseMyTrip will retain User’s Personal Information… for as long as is reasonably necessary.”

What the law requires: Data must be erased as soon as the purpose for collecting it is served.

The problem: “Reasonably necessary” is too vague for the DPDP Act. If I book a one-time flight to Goa in 2022 and never return, should they still have my passport copy in 2026? Probably not.

Section 11 — Rights of Data Principal ⚠️

The law gives you “Superpowers” over your data, including the right to correct it, erase it, or nominate someone else to manage it if you pass away.

What the policy says: Users can access their account to “correct or delete such personal information… except for such mandatory fields.”

The gap:

  • It doesn’t mention the Right to Nominate (Section 14).
  • It doesn’t explain how a user who didn’t create an account (maybe they booked via a call center) can exercise these rights.

Section 12 — Right of Grievance Redressal 🔴

If you’re unhappy with how your data is handled, you need a clear path to complain.

What the policy says: “you may do so by writing to the following email id: care@easemytrip.com.”

What the law requires: You must have a Grievance Officer and a clear process. If the company doesn’t fix the issue, you have the right to take them to the Data Protection Board of India.

The problem: Hiding the privacy complaints in the general “customer care” inbox is a recipe for a fine. The DPDP Act expects a much more professional and dedicated response system.

Section 16 — Cross-Border Data Transfer ⚠️

What the policy says: Data is processed in India and “other jurisdictions where a third party… may process the data.”

The problem: The Indian government will soon release a “Negative List” of countries where data cannot be sent. EaseMyTrip’s policy is a bit too broad here. They need to specify that they follow Government of India restrictions on where your data travels.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Consent Validity | High | Bundled consent (Section 6) is the easiest thing for the Board to penalize. |
| Data Retention | High | Keeping sensitive IDs like Passports indefinitely is a major liability. |
| Grievance Redressal | Medium | Lack of a dedicated DPDP officer makes responding to legal notices harder. |
| Compliance Fines | High | Maximum penalty of ₹250 Crore for failing to protect data. |

Recommendations

If you’re a business owner looking at EaseMyTrip’s policy to learn what to do (or what not to do), here are 3 quick takeaways:

  1. Stop “Bundling”: Don’t make users agree to “Marketing Emails” just to buy a product. Use separate checkboxes.
  2. Define “End Dates”: Instead of saying “as long as necessary,” tell your users “we delete your KYC docs 6 months after your trip is completed.”
  3. Appoint an Officer: Even if you’re a small startup, designate one person as your Grievance Officer and put their direct email in your policy. It shows the government you’re trying.



Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
