DPDP Compliance for Travel & Hospitality
Travel platforms process passport data, travel patterns, hotel stays, and location history. DPDP compliance requires careful handling of some of the most revealing personal data categories.
Travel Data: A Window Into Personal Lives
Travel and hospitality platforms — MakeMyTrip, OYO, Ixigo, and others — collect data that reveals intimate life details. Where someone travels, with whom, how often, and the type of accommodation they choose paints a comprehensive personal picture.
The Booking Data Trail
A single hotel booking generates:
- Full legal name and phone number
- Government ID or passport data
- Co-traveler names and relationships
- Travel dates revealing work patterns and personal vacations
- Location data showing cities visited
- Payment data linked to the specific trip
Under DPDP, each of these data points has consent, retention, and purpose limitation requirements. Most travel platforms process all of this under a single, broad consent at booking time.
Guest Data: Hotels as Sub-Processors
When you book through MakeMyTrip, your personal data flows to the hotel property. The hotel:
- Checks you in using your government ID
- May photograph your ID for security
- Records room preferences and special requests
- Stores your data in their own PMS (Property Management System)
Under DPDP, the booking platform must ensure that hotel partners maintain adequate data protection. But most hotels — especially smaller properties — have minimal data governance. This creates a significant accountability gap.
The Passport Problem
International travel bookings require passport data. Under DPDP:
- Passport data must be stored with the highest security classification
- Retention should be limited to the booking/travel period plus regulatory minimum
- In practice, most platforms retain passport data indefinitely “for faster rebooking”
- This indefinite retention violates DPDP’s data minimization principles
Loyalty Program Data Accumulation
Travel loyalty programs accumulate years of travel history, creating one of the most comprehensive lifestyle profiles available. A member’s Platinum status on a hotel chain reveals income level, travel frequency, business patterns, and personal preferences — all personal data under DPDP requiring proper consent and purpose limitation.
Travel Company Analyses
MakeMyTrip
MakeMyTrip's privacy policy, while detailed, is not aligned with the DPDP Act 2023 for Indian users. Significant gaps exist in consent mechanisms, data retention clarity, and Data Principal rights. This poses substantial compliance risks given the highly sensitive personal and financial data they handle for millions of travelers.
OYO Rooms
OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences — all shared with individual hotel owners. The platform scores 40/100: its franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.
Goibibo
Goibibo’s policy relies on outdated 'implied consent' models and lacks the specific transparency required by the DPDP Act. While they are clear about what they collect, their claim to sell user data and their vague deletion timelines pose significant compliance risks.
EaseMyTrip
EaseMyTrip does a great job explaining *what* they collect, but falls short on the *how* of the new DPDP law. Their policy still relies on old-school bundled consent and lacks the specific deletion and grievance rights that Indian citizens now possess.