Travel

MakeMyTrip

Ready Score 48/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 17 Feb 2026

MakeMyTrip handles passport numbers, travel destinations, hotel stays, and co-traveler details — creating an intimate travel diary. At 48/100, the platform's lack of ID document protection policies and retention timelines for travel history that reveals lifestyle patterns creates significant DPDP exposure.

⚠️ Compliance Gaps

  • No DPDP Act 2023 reference
  • Passport and ID document data handling terms inadequate
  • Travel history reveals religious/cultural patterns without enhanced consent
  • Hotel booking data shared with accommodation partners in detail
  • No data retention timelines for travel history and documents
  • Data Protection Board not referenced
  • Cross-border data transfer with international hotels/airlines

✅ Strengths

  • Comprehensive data categories listed
  • Security measures including PCI compliance for payments
  • Grievance officer designated
  • Some travel data handling described

Overview

MakeMyTrip (MMT) is India’s largest online travel company. The platform collects uniquely sensitive data: passport numbers, government ID documents, travel destinations (revealing religious pilgrimages, lifestyle choices, relationship patterns), hotel booking details, co-traveler information (revealing relationships), and payment data for high-value transactions.

DPDP Readiness: Section-by-Section Analysis

MMT’s consent is bundled for all travel services. Problematic data includes:

  • Passport numbers and government IDs — shared with airlines and hotels without granular consent
  • Travel destinations — Amarnath/Vaishno Devi bookings reveal religion; Goa party destinations reveal lifestyle
  • Co-traveler details — Booking for a partner reveals relationships
  • Hotel room preferences — Single vs. double, room type preferences

DPDP concern: Travel data reveals religion, relationships, and lifestyle choices. Enhanced consent beyond standard e-commerce is needed.

Section 7 — Certain Legitimate Uses ⚠️

Booking fulfillment requires sharing data with airlines/hotels. But:

  • Post-travel retention for “recommendations” — needs separate consent
  • Travel pattern analytics — overreach
  • Third-party travel insurance data sharing — separate consent needed

Section 8 — Obligations of Data Fiduciary ⚠️

PCI compliance for payments is strong. However:

  • Passport and ID document security needs enhanced encryption
  • Hotel partner access to customer data varies by property
  • Airline data sharing is governed by IATA, not Indian data protection law

Section 9 — Data Retention 🔴

No retention timelines for:

  • Passport numbers and ID documents
  • Travel booking history
  • Hotel stay details
  • Co-traveler information
  • Destination search history

Critical question: Can MMT reconstruct 5 years of your travel history including every hotel you stayed at and every person you traveled with?

Section 11 — Rights of Data Principal 🔴

  • No mechanism to delete passport data while keeping the account
  • No transparency on travel data shared with airline/hotel partners
  • No data portability for travel history
  • No nomination rights

Section 12 — Right of Grievance Redressal ⚠️

Grievance officer exists. No DPB pathway. No mechanism for data complaints about partner hotels/airlines.

Section 16 — Cross-Border Data Transfer 🔴

International travel inherently involves cross-border data:

  • Airline bookings: data sent to international airline systems (GDS)
  • International hotel bookings: data shared with properties abroad
  • Payment processing: international payment gateways

This is one of the most legitimate cross-border use cases but still needs DPDP-compliant safeguards.

Risk Assessment

| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr |
| ID document handling | Critical | Passport data breach = severe |
| Travel pattern inference | High | Religious/lifestyle patterns from destinations |
| Partner data sharing | High | Uncontrolled data flowing to hotels/airlines |
| Data retention | Critical | Complete travel diary with no deletion |

The Travel Data Inference Problem

Travel bookings reveal deeply personal information:

| Booking Type | Inference | Sensitivity |
|---|---|---|
| Amarnath/Vaishno Devi trip | Hindu religious practice | High |
| Haj/Umrah package | Muslim religious practice | High |
| Medical tourism destination | Health condition | Very High |
| Romantic getaway for two | Relationship | High |
| Solo hotel booking | Single status | Personal |
| Business class vs. economy | Income level | Moderate |
| Frequency of travel | Professional pattern | Moderate |

Recommendations

  1. Implement ID document security tier — Passport data encrypted at rest, masked in display, auto-deleted after trip completion
  2. Add destination sensitivity controls — Don’t use religious/medical travel destinations for marketing analytics
  3. Define travel data retention — “Active bookings: until trip completion; historical bookings: 2 years; passport data: deleted 90 days post-trip; search history: 6 months”
  4. Build partner data agreements — Ensure hotels and airlines handle Indian traveler data per DPDP
  5. Separate co-traveler consent — Co-travelers whose data is submitted by a primary booker should be able to control their own data

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
