Privacy Policy
Utazzo Services Limited
1. Who we are
Utazzo Services Limited
("Utazzo", "we", "us", "our") is a
travel company incorporated in India, with its registered office at [Registered
Office Address, New Delhi]. We design and operate group departures, private
customised holidays, honeymoons, cruises, corporate and MICE travel, and visa
advisory services across India and overseas.
• CIN: U63040DL2012PTC232652
• GSTIN: 07AAGCP5566K1ZX
• Website: www.utazzo.com
• Email: Sales@utazzo.com
• Phone: +91 9811916164
For the purposes of the Digital
Personal Data Protection Act, 2023 ("DPDP Act") and the Digital
Personal Data Protection Rules, 2025 ("DPDP Rules"), Utazzo is the Data
Fiduciary for the personal data described in this policy. For the EU GDPR,
we are the Data Controller in respect of clients to whom we offer goods
or services in the European Union or the United Kingdom.
This policy explains what
personal data we collect from you, why we collect it, how long we keep it, who
we share it with, and the rights you have over your data. It applies to our
website (utazzo.com), our booking and enquiry processes, our group departure
programmes, and any communication we have with you over email, telephone,
WhatsApp, or in person.
2. Our commitments to you
Before we get into the detail,
here is the substance of how we treat your data:
• We do not sell your personal data. We have never
sold data, and we do not share it with any third party for that party's
independent commercial or marketing purposes.
• We use your data only for the purposes set out in
this policy. Those purposes are limited to planning and delivering your travel,
running our business, complying with the law, and — if you have separately
consented — staying in touch with you about our services. We do not use your
data for any unrelated commercial exploitation.
• We share your data only where it is necessary to deliver
your trip or where the law requires it. Travel cannot be delivered in a
vacuum: airlines, hotels, cruise lines, ground operators, embassies, insurers,
and payment processors will receive what they need from us to do their part.
Section 5 of this policy lists who they are. They are bound by contract or by
law to handle your data confidentially.
• Marketing is opt-in, and opt-out is one click.
We will send you marketing communications — about new departures, group
holidays, offers, and travel content — only if you have given us consent for
that. You can withdraw your consent at any time, by clicking
"unsubscribe" in any email, replying STOP to any WhatsApp message, or
writing to our Grievance Officer. Withdrawing marketing consent will not affect
the booking and service communications we send you (such as itinerary updates,
voucher dispatches, payment reminders, travel advisories, and visa-related
notifications) — those are essential to delivering the service you booked, and
we will continue to send them as long as you are a client.
• You stay in control. You can ask us at any time
what data we hold about you, ask us to correct it, ask us to delete it (where
the law permits), or raise a grievance. Section 10 explains how.
3. The data we collect
We collect only the data we
genuinely need to plan, book, and deliver your travel. We organise this into
three buckets: data you give us, data we collect automatically, and data we
receive from others.
3.1 Data you give us directly
When you make an enquiry,
request a quote, or confirm a booking:
• Full name (as it appears on your passport)
• Date of birth, gender, nationality
• Passport number, passport issue and expiry dates, place
of issue
• PAN, Aadhaar (only where required for GST invoicing or
specific bookings — we do not collect or store the full Aadhaar number; we
collect a masked Aadhaar / VID where the law permits)
• Residential address, billing address
• Email address, mobile number, alternate contact number
• Emergency contact details
• Marital status (only for honeymoon bookings or where
required by visa authorities)
• Photographs (for visa applications, where required)
• Travel preferences — meal preferences, room
preferences, accessibility requirements, frequent-flyer numbers, hotel loyalty
numbers
• Health information you choose to share — dietary
restrictions, allergies, mobility limitations, pregnancy, medical conditions
relevant to insurance or to the safe conduct of the trip
• Payment instrument details (we do not store full card
numbers; payments are processed by PCI-DSS-compliant payment gateways)
• Bank account details (only where you request a refund
directly to bank)
• Billing GSTIN (for corporate bookings)
3.2 Sensitive Personal Information
Some of the data above falls
into the category of "Sensitive Personal Information" — a category
recognised under the IT (Reasonable Security Practices) Rules, 2011, the EU
GDPR, and equivalent privacy laws. For the purposes of this policy, Sensitive
Personal Information includes:
• Passwords
• Financial information (bank account details, card
details, payment instrument details)
• Health information and medical records
• Official identifiers (passport number, Aadhaar, PAN,
driver's licence, biometric data)
• Information about sexual life or sexual orientation
• Race, ethnicity, religious belief, caste, political
affiliation
We collect Sensitive Personal
Information only where it is genuinely needed to deliver your booking, comply
with the law, or where you have specifically consented. We apply heightened
security measures to this category — including restricted access, encryption at
rest where applicable, and additional logging.
The DPDP Act, 2023 does not
formally distinguish between "personal" and "sensitive
personal" data — but our internal practice treats the categories above as
sensitive regardless, because the consequence of a breach is materially
greater.
3.3 If you are booking on behalf of others — please read this
If you are making a booking,
enquiry, or visa application that includes other travellers — your spouse,
family, friends, colleagues, or members of a corporate group — you are sharing
their personal data with us, including potentially their passport details and
health information.
By doing so, you confirm that
(a) you have their authority to share that data with us, (b) you have informed
them that their data will be processed by Utazzo for the purpose of the
booking, and (c) you have shared a link to this Privacy Policy with them.
Where the booking is on behalf
of children under 18 or persons under lawful guardianship, you confirm you are
the parent or lawful guardian, or that you have their consent. We may ask you
to evidence this.
This is important to us because,
under the DPDP Act and GDPR, the data principal (the individual the data is
about) has rights regardless of who shared the data. If a co-traveller later
contacts us to exercise their rights, we will engage with them directly.
3.4 Data we collect automatically when you visit our website or apps
Whether or not you end up making
a booking, when you use utazzo.com or any of our digital channels, we
automatically collect:
• IP address and approximate location (city level)
• Device type, hardware information, operating system,
browser type and version
• Date and time of access, pages visited, time spent on
each page, referring URL, exit page
• Language and locale settings
• Cookies and similar tracking technologies (see Section
9 for the full breakdown)
3.5 Data we receive from others
• Corporate clients may share their employees'
details to make MICE or group bookings.
• Travel partners (airlines, hotels, cruise lines,
DMCs, GDS systems) may share booking confirmations, changes, and traveller
information back to us as part of fulfilling your reservation.
• Public and professional sources (such as your
LinkedIn profile or your company website, where you have shared it as part of a
corporate enquiry).
• Referrers — if an existing client refers you to
us, we receive the contact details they share.
3.6 Children
We do not knowingly collect
personal data from children under 18 years of age except as part of a family or
group booking, and only with verifiable consent from a parent or lawful
guardian, in line with Section 9 of the DPDP Act. We do not use children's data
for behavioural advertising, profiling, or any tracking other than what is
strictly necessary to deliver the booked service.
4. How we use your data, and on what legal basis
Under the DPDP Act, we process
your personal data on one of two grounds: (a) your consent, or (b)
certain legitimate uses specified in the Act. Under GDPR (where
applicable), we additionally rely on contract performance, legal obligation,
and legitimate interests.
| What we do | Why we do it | Legal basis |
|---|---|---|
| Respond to your enquiry, send a quote, plan your itinerary | To take steps at your request before entering a contract | Consent / contract performance |
| Make bookings with airlines, hotels, cruises, DMCs, visa offices on your behalf | To deliver the holiday you booked | Contract performance |
| Process payments, issue invoices, refund money | To deliver the service and meet tax/financial reporting obligations | Contract / legal obligation |
| Share traveller details with embassies, consulates, immigration authorities | Required for visa processing and travel | Legal obligation / contract |
| Issue insurance, where requested | To procure the policy for you | Contract |
| Send you transactional communications (booking confirmations, vouchers, itinerary updates, travel advisories, payment reminders, visa-related notifications) | Necessary to deliver the service you have booked | Contract performance — these are not marketing and do not require separate consent |
| Send you marketing communications about new departures, offers, group holidays, and travel content (over email, WhatsApp, or phone) | To stay in touch about services you may be interested in | Your separate, opt-in consent — withdrawable any time, with no effect on the booking and service communications above |
| Operate Friday review processes, sales reviews, internal audits, and quality control | To run our business and improve service | Legitimate use / legitimate interests |
| Comply with statutory obligations — GST, Income Tax, Companies Act, anti-money-laundering | To meet legal requirements | Legal obligation |
| Deal with complaints, disputes, refunds, chargebacks, and litigation | To establish, exercise, or defend legal claims | Legal obligation / legitimate interests |
| Improve our website, analyse usage, run advertising campaigns | To understand what works and reach the right audience | Consent (for non-essential cookies and ads) |
Where we rely on your consent,
you have the right to withdraw it at any time, and the withdrawal will be as
easy as the giving of it (Section 6(4), DPDP Act). Withdrawing consent does not
affect the lawfulness of processing carried out before the withdrawal.
5. Who we share your data with
Travel cannot be delivered
without sharing data. We share only what is necessary, and only with parties
who are bound to handle it confidentially.
Travel suppliers —
airlines, hotels, cruise lines, ground operators (DMCs), restaurants where
reservations are made on your behalf, transfer companies, tour leaders, guides.
These suppliers are independent businesses and process your data under their
own privacy policies.
Visa and immigration
authorities — embassies, consulates, VFS Global, BLS International, and
equivalent visa service centres. We share what they require for visa decisions.
Insurers — when you have
requested travel insurance.
Payment processors and banks
— Razorpay, [other gateways used], and our banking partners, who process card
and account payments on our behalf.
Technology providers —
our customer-relationship-management system, email and calendar provider, cloud
storage provider, telephony provider, WhatsApp Business API provider,
accounting software provider, and analytics providers. These are bound by Data
Processor agreements requiring them to process your data only on our
instructions and to keep it secure.
Professional advisers —
lawyers, chartered accountants, auditors, and insurers, where engagement
requires it.
Regulators and authorities
— tax authorities, the Reserve Bank of India, the Ministry of Tourism, the Data
Protection Board of India, courts and law-enforcement bodies, where the law
requires disclosure or where a valid order is served on us.
Corporate clients — where
you are travelling as part of a corporate or MICE booking, we share booking and
itinerary details with the booking corporate.
We do not sell your
personal data to anyone. We do not share your data with any third party for
that party's independent marketing purposes.
6. Sending your data outside India
Your personal data is primarily
processed in India, on our systems and on the systems of vendors we engage in
India. However, travel is by nature cross-border, and to deliver your holiday
your data will also be processed outside India in two specific situations:
• Country of travel. Airlines, hotels, cruise
lines, DMCs, embassies, and other travel suppliers in the country you are
visiting (and any transit country) will receive whatever they need from us to
deliver their part of the trip.
• Cloud and SaaS vendors. Some of our technology
vendors store or process data on servers outside India — typically in the
European Union, the United Kingdom, the United States, or Singapore. These
include our cloud hosting provider, email and calendar provider, CRM,
accounting software, and analytics providers.
The DPDP Act permits transfers
of personal data outside India, except to specific countries notified by the
Central Government as restricted (no such restrictions are in force as of the date
of this policy). Where the EU GDPR applies to your data, we rely on Standard
Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.
Every vendor outside India is
bound by a written agreement requiring them to apply equivalent or better
levels of data protection than we apply ourselves.
7. How long we keep your data
We do not keep personal data
longer than we need it. Indicative retention periods:
• Booking files (invoices, vouchers, itineraries,
communication): 8 years from the end of the financial year of the trip — to
meet Income Tax Act and GST record-keeping obligations.
• GST and accounting records: 6 years (GST) and 8
years (Income Tax) from the relevant financial year.
• Marketing contact lists: until you withdraw
consent or are inactive for 24 months, whichever is earlier.
• Website enquiry data (where no booking is made):
24 months from the last contact.
• Server access logs and processing logs: at least
12 months from the date of processing, as required by the DPDP Rules.
• CCTV footage at our office: 30 days, then
overwritten.
• Records relating to legal disputes, complaints, or
chargebacks: until the matter is fully resolved and the limitation period
under the relevant law has expired.
When the retention period ends,
we securely erase your personal data or anonymise it so it can no longer
identify you.
8. Security
We protect your personal data
with administrative, technical, and physical safeguards proportionate to the
sensitivity of the data and the risk of harm if it were compromised:
• Access to client data is restricted to staff who need
it to do their jobs, on a role-based basis.
• All staff sign confidentiality undertakings as part of
their employment contract.
• Devices are password-protected; sensitive folders are
encrypted.
• Our website uses SSL/TLS encryption.
• Payment data is handled only by PCI-DSS-compliant
gateways; we do not store card details on our systems.
• We maintain logs of access and processing and review
them on a periodic basis.
• We have a personal-data-breach response procedure
aligned with the DPDP Rules, 2025.
No system is perfectly secure.
If we ever discover a personal data breach affecting you, we will notify you
and the Data Protection Board of India in accordance with the DPDP Rules,
including the nature of the breach, the data affected, and the steps we are
taking to address it.
9. Cookies and tracking
Our website uses cookies and
similar technologies to make the site work, to remember your preferences, to
understand how visitors use the site, and to deliver advertising on partner
platforms.
• Strictly necessary cookies — required for the
site to function (session, security, load balancing). These are always on.
• Analytics cookies — Google Analytics 4, used to
understand site usage in aggregate. These run only with your consent.
• Advertising and remarketing cookies — Meta
(Facebook/Instagram) Pixel, Google Ads, LinkedIn Insight Tag — used to show you
relevant ads on those platforms. These run only with your consent.
You can accept, reject, or
change your cookie preferences at any time through the cookie banner on our
website or your browser settings. Rejecting non-essential cookies will not
affect your ability to enquire or book.
10. Your rights
Under the DPDP Act and DPDP
Rules, you have the following rights in respect of personal data we hold about
you:
• Right to information — to know what personal
data we hold about you and how we are using it.
• Right to correction and erasure — to ask us to
correct inaccurate data, complete incomplete data, update outdated data, or
erase data that is no longer needed for the purpose for which it was collected.
• Right to grievance redressal — to raise a
grievance with our Grievance Officer (see Section 12). We will respond within
90 days, as required by the DPDP Rules, and usually much sooner.
• Right to nominate — to nominate another person
to exercise your rights in the event of your death or incapacity.
• Right to withdraw consent — to withdraw consent
for any processing based on consent, with the withdrawal being as easy as the
giving of consent.
If GDPR applies to you
(typically because you are in the EU/UK), you additionally have the rights of
access, rectification, erasure, restriction, portability, and objection, and
the right to lodge a complaint with your local supervisory authority.
To exercise any right, please
write to our Grievance Officer at the contact details in Section 12. We may
need to verify your identity before acting on a request.
11. How we handle Sensitive Personal Information in practice
Section 3.2 sets out what we
treat as Sensitive Personal Information. Here is how we actually handle each
category in our day-to-day operations:
Health information — we
ask about dietary restrictions, allergies, mobility limitations, pregnancy, and
medical conditions only where it is needed for a specific booking (special
meals on a flight, accessible rooms, suitability of a shore excursion, travel
insurance underwriting, emergency response on a group departure). You decide
what to share. We share what you share only with the supplier or insurer who
needs it for that purpose, and we do not retain it once the trip is concluded
except in your booking file for the statutory retention period.
Passport and identity data
— we collect this only for the booking and visa process. It is shared with
airlines, embassies, hotels (where required by local law), and cruise lines.
Internally, access is restricted to the team handling your booking.
Children's data — for any
traveller below 18, we obtain verifiable consent from a parent or lawful
guardian, captured in writing (email is acceptable) at the time of booking. We
do not use children's data for behavioural advertising, profiling, or any
tracking other than what is strictly necessary to deliver the booked service.
Persons with disability under
lawful guardianship — we obtain consent from the lawful guardian. Where you
ask us to make accessibility arrangements, we share the relevant information
with the supplier providing the service.
12. Grievance Officer and contact
If you have any question about
this policy, want to exercise any right, or want to make a complaint, please
contact:
Grievance Officer
• Name: Shambhu
• Designation: Grievance Manager
• Utazzo Services Limited
• Email: Shambhu@utazzo.com
• Phone: 83682-83306
We will acknowledge your
communication promptly and respond within 90 days, in line with Rule 13 of the
DPDP Rules. If you are not satisfied with our response, you may approach the
Data Protection Board of India under Section 27 of the DPDP Act.
13. Changes to this policy
We will update this policy from
time to time — for example, when the law changes, when we introduce new
services, or when we work with new vendors. The "Last updated" date
at the top will tell you when. If a change is material, we will tell you by
email or a prominent notice on our website before it takes effect.
14. Business transfers, restructuring, and corporate changes
In the event that Utazzo
undergoes a corporate change — including a merger, acquisition, sale or
transfer of all or part of the business, restructuring, change of control, or
transfer of assets — your personal data may be transferred to the acquiring or successor
entity, or to advisers and counterparties involved in the transaction, as part
of the relevant due-diligence and completion process.
In any such case, we will ensure
that the recipient is bound to handle your data in line with this policy and
applicable law. We will notify you by email or a prominent notice on our
website if your data has been transferred to a new controller and your rights
are materially affected.
This section does not authorise
the sale of personal data as a standalone asset.
15. Governing law and jurisdiction
This policy is governed by the
laws of India. The courts at New Delhi shall have exclusive jurisdiction in
respect of any disputes arising out of or in connection with this policy,
subject to any contrary mandatory provision of the DPDP Act or DPDP Rules.
This policy was last reviewed by Utazzo
on 28/04/026.