DPDP Compliance for Travel & Hospitality
Travel platforms process passport data, travel patterns, hotel stays, and location history. Book a DPDP clarity call.
Discuss this page with an LLM
Now replace the sandwich shop with your Travel company. Where does personal data enter? Where does it sit? Who else touches it?
Travel DPDP Self-Check
Start here to understand why DPDP is relevant to Travel. Before any other task, first understand how personal data moves through the business.
What is Travel?
In this context, Travel means the websites, apps, operations, support teams, customer records, employee systems, vendor tools and data workflows that collect or use personal data.
Children's data
- Do you collect age, class, school, parent details or learning progress?
- Can you separate child, parent and guardian data?
- Do you know which users are under 18?
Consent
- Can you prove where consent came from?
- Is consent collected before data is used for the stated purpose?
- Can consent be withdrawn without breaking the entire account flow?
Tracking and profiling
- Do you track usage, performance, attention, behavior or drop-offs?
- Is any of this used for ads, recommendations or nudges?
- Are analytics tools collecting user identifiers?
Vendors and SDKs
- Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
- Do contracts say they process data only on your instructions?
- Can you delete or export data from each vendor?
Retention
- What happens when the service ends?
- What happens when a user leaves?
- What data is kept for certificates, invoices, disputes or regulatory records?
First action
- Map one user journey from sign-up to completion.
- Mark where data is collected, stored, shared, used for communication and deleted.
If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.
Book a DPDP clarity callTravel Company Analyses
MakeMyTrip
MakeMyTrip's privacy policy, while detailed, is not aligned with the DPDP Act 2023 for Indian users. Significant gaps exist in consent mechanisms, data retention clarity, and Data Principal rights. This poses substantial compliance risks given the highly sensitive personal and financial data they handle for millions of travelers.
OYO Rooms
OYO processes some of the most personally revealing hospitality data: ID documents, stay patterns, co-guest information, and room preferences — all shared with individual hotel owners. At 40/100, the platform's franchise model creates a data governance vacuum where guest PII flows to thousands of independent hotel operators with minimal oversight.
Goibibo
Goibibo’s policy relies on outdated 'implied consent' models and lacks the specific transparency required by the DPDP Act. While they are clear about what they collect, their claim to sell user data and their vague deletion timelines pose significant compliance risks.
EaseMyTrip
EaseMyTrip does a great job explaining *what* they collect, but falls short on the *how* of the new DPDP law. Their policy still relies on old-school bundled consent and lacks the specific deletion and grievance rights that Indian citizens now possess.
Frequently asked questions
Do we need separate consent to share passport data with airlines?
No, if the data is strictly necessary to fulfill the booking the customer requested. However, you must still provide a notice explaining that this data is being shared with the specific airline for ticketing purposes.
How do we handle data shared with individual local tour guides?
You must have a written agreement with every local vendor or freelancer who handles your customers' names or contact details. These agreements must state that the vendor will delete the data immediately after the tour is completed.
Can we keep guest history to offer "Welcome Back" discounts?
Only if the customer gives specific consent for "marketing and loyalty purposes" during their initial booking. If they only consented to a one-time booking, you must delete their profile after the trip ends.