Effective date: 2026-05-20
Last updated: 2026-05-20
This Privacy Policy describes how Tripaay Technologies, operated by DevCommX ("Tripaay", "we", "us", or "our"), collects, uses, stores, discloses, and protects personal data of users of the Tripaay platform available at https://tripaay.com and https://app.tripaay.com (the "Service").
This policy is published in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and applicable provisions of the Information Technology Act, 2000.
1. Who we are
Tripaay is a multi-tenant Software-as-a-Service ("SaaS") platform designed for Indian travel agencies. Our customers are travel agencies ("Customer" or "Customers"), and their end-users are travellers ("Travellers" or "Data Principals") whose data the Customer manages through the Service.
- Data Fiduciary (when collecting account-holder data from agency staff): Tripaay
- Data Processor (when processing Traveller data on behalf of a Customer): Tripaay
- Data Fiduciary (for Traveller data): the Customer (the travel agency)
If you are a Traveller and wish to exercise your rights over your personal data, you should first contact the Customer (the travel agency that holds your record). Tripaay will support the Customer's response.
Grievance Officer (under DPDP Act § 8(9) and IT Rules):
- Name: Sumit Nautiyal
- Email: grievance@tripaay.com
- Address: {{tripaay_registered_address}}
- Response time: within 30 days of receipt
2. What personal data we collect
2.1 From agency staff (account holders)
- Identification: name, email address, password (hashed; never stored or transmitted in plaintext)
- Profile: role within the agency (owner / admin / agent / accountant / viewer)
- Agency information: agency name, slug, agency type, team size, address, phone, WhatsApp number, GSTIN, primary brand color, logo URL
- Usage data: pages viewed, features used, timestamps, IP address, user agent string (collected via standard server logs)
- Communications: any support tickets, emails, or messages you send us
2.2 From Travellers (entered by the Customer)
Travel agencies use Tripaay to record information about their leads and customers. This may include:
- Name, phone number, WhatsApp number, email address
- Destination, package, travel dates, party size, budget
- Trip preferences and notes
- Booking and payment status
- GSTIN and address (if the Traveller is a business)
We process this data strictly on the instructions of the Customer. We do not control what data the Customer chooses to enter.
2.3 Automatic technical data
When you access the Service we automatically collect:
- IP address and approximate geolocation derived from it
- Browser type, version, and operating system
- Pages visited, links clicked, time spent
- Referring URL
- Cookies and similar identifiers (see Section 8)
2.4 Payment data
When you pay for a subscription, payment details (card number, UPI handle, bank account) are handled directly by our payment processor Razorpay (operated by Razorpay Software Private Limited). Tripaay does not store payment instrument data. We only store the transaction reference, amount, and status returned by Razorpay.
2.5 Sensitive personal data
We do not intentionally collect sensitive personal data such as financial account numbers, biometrics, health records, sexual orientation, religious or political views, or government-issued identifiers (Aadhaar, PAN). Customers must not enter such data into freeform fields. If you discover such data has been entered, please contact us at privacy@tripaay.com so we can purge it.
3. How we use personal data
We use personal data for the following purposes, on the legal basis described:
| Purpose | Legal basis under DPDP |
|---|---|
| To create and operate your Tripaay account | Performance of contract |
| To provide the Service (process leads, generate proposals/invoices, send share links) | Performance of contract |
| To send transactional emails (signup verification, password reset, payment receipts) | Performance of contract |
| To bill you and collect subscription fees | Performance of contract / Legal obligation |
| To prevent fraud, abuse, and security incidents | Legitimate interest |
| To comply with Indian tax law (GST records retention) | Legal obligation |
| To respond to your support requests | Performance of contract |
| To send service announcements (downtime, breaking changes) | Legitimate interest |
| To send marketing emails | Consent (you can opt out anytime) |
| To improve the Service (aggregated, anonymized analytics) | Legitimate interest |
We do not use personal data for:
- Profiling for credit scoring or insurance
- Targeted advertising
- Selling to third parties
- Training generative AI models
4. How we share personal data
We share personal data only as described below. We do not sell personal data.
4.1 Service providers (sub-processors)
We use the following third-party services to operate Tripaay. Each is bound by data-protection contracts equivalent to our own commitments.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | ap-south-1 (Mumbai, India) |
| Vercel Inc. | Web hosting, edge functions | Global CDN; bom1 region (Mumbai) preferred |
| Razorpay Software Private Limited | Payment processing | India |
| Cloudflare, Inc. | DNS, CDN | Global |
| Resend / SES | Transactional email delivery | (TBD — to be confirmed before launch) |
| AiSensy | WhatsApp Business API (if you enable the integration) | India |
A current list is maintained at https://tripaay.com/legal/sub-processors (this page is added before launch). We will give at least 30 days' notice before adding a new sub-processor with access to Customer data.
4.2 Legal disclosure
We may disclose personal data when required by a valid Indian legal process (court order, subpoena, regulatory notice). We will notify the affected Customer where lawful and practical to do so.
4.3 Business transfers
If Tripaay is involved in a merger, acquisition, or asset sale, personal data may transfer with the business. We will give 30 days' notice and the option to delete your account before the transfer.
5. Cross-border data transfers
Customer data is primarily stored in India (Supabase's ap-south-1 region in Mumbai). Some service providers (Vercel, Cloudflare) may process data on globally distributed infrastructure for performance and availability.
Where data leaves India, we rely on contractual safeguards (standard data protection clauses) with the receiving party. We will not transfer to any jurisdiction restricted by the Government of India under the DPDP Act.
6. Data retention
| Data category | Retention period |
|---|---|
| Active account data | For the duration of the subscription |
| Data after subscription ends | 30 days for export, then permanent deletion |
| Backups | 90 days rolling, encrypted |
| Tax invoices and supporting records | 8 years (Indian Income Tax Act + GST Act requirements) |
| Authentication & access logs | 12 months |
| Marketing email subscription | Until you unsubscribe |
| Support tickets | 24 months after resolution |
Voided invoices remain in the system permanently for GST audit trail compliance.
7. Your rights
Under the DPDP Act 2023, you (or, if you are a Traveller, the Customer holding your record) have the following rights:
- Right to access your personal data (DPDP § 11)
- Right to correction and erasure of inaccurate or unnecessary data (§ 12)
- Right of grievance redressal (§ 13)
- Right to nominate another individual to exercise your rights on your death or incapacity (§ 14)
- Right to withdraw consent at any time, where consent is the legal basis
To exercise these rights:
- Account-holder data: log in to Tripaay and use the Settings page, or email privacy@tripaay.com
- Traveller data: contact the Customer (travel agency) holding your record. The Customer can edit or delete it directly. If the Customer is unresponsive, contact us and we will assist.
We will respond within 30 days. If we cannot fulfil a request (e.g., legal retention requirement), we will explain why.
You also have the right to lodge a complaint with the Data Protection Board of India.
8. Cookies and similar technologies
We use the following cookies:
| Category | Purpose | Required? |
|---|---|---|
| Essential | Login session, CSRF protection, security headers | Yes |
| Functional | Remember preferences (e.g., last selected org if multi-org) | No |
| Analytics | Aggregated usage statistics — not currently in use; we will add a cookie consent banner before enabling | No |
We do not use third-party advertising cookies. We honour the prefers-reduced-motion and Do Not Track browser settings where applicable.
9. Security
We implement reasonable security practices in line with ISO 27001 principles and the SPDI Rules. Specific measures include:
- All data encrypted in transit (TLS 1.2+)
- All data encrypted at rest (Supabase managed encryption)
- Database-level row-level security (RLS) isolating every customer's data
- Multi-factor authentication available for owner accounts (roll-out in progress)
- Regular vulnerability assessments (most recent: 2026-05-19)
- Service-role database credentials stored only in secure environment variables, never in source control
- HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers on all responses
In the event of a personal-data breach, we will notify the Data Protection Board of India and affected Data Principals as required under DPDP § 8(6), within the prescribed timelines.
10. Children
Tripaay is intended for use by businesses and is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently done so, please contact privacy@tripaay.com.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to active Customers by email and announced on the dashboard at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent change.
12. Contact
- Email (general privacy queries): privacy@tripaay.com
- Email (grievances under DPDP / IT Rules): grievance@tripaay.com
- Grievance Officer: Sumit Nautiyal
- Postal address: {{tripaay_registered_address}}
- Phone: {{tripaay_support_phone}}
This Privacy Policy is provided in English. A Hindi-language version is available on request.