Privacy Policy

1. Introduction

Journey Express LLP ("Company", "we", "us", or "our"), operating under the brand Journey Xpress, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, store, and safeguard your personal information when you visit our website (journeyxpress.com), use our mobile application, or engage with our corporate travel management services.

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our Services immediately.

This Policy is published in compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and applicable provisions of the Digital Personal Data Protection Act, 2023 (DPDP Act).

2. Information We Collect

2.1 Information You Provide Directly

• Full name, designation, employee ID
• Corporate e-mail address and personal e-mail address
• Mobile/telephone number
• Company name, GSTIN, billing address
• Passport number, date of birth, nationality (for international travel bookings)
• Travel preferences, frequent flyer / loyalty programme numbers
• Payment card details (processed via PCI-DSS compliant payment gateways; we do not store raw card numbers)
• Any information submitted via contact forms, demo requests, or support tickets

2.2 Information Collected Automatically

• IP address, browser type and version, operating system
• Pages visited, time spent, referral URL, click-path data
• Device identifiers (for mobile app users)
• Cookies and similar tracking technologies (see Section 8)
• Location data (only with your explicit consent via mobile app)

2.3 Information from Third Parties

• Airlines, hotels, car-rental companies, and ground transport providers (for booking fulfilment)
• Global Distribution Systems (GDS) such as Amadeus, Sabre, Galileo
• Payment gateways and banks for transaction verification
• Your employer / corporate account administrator (where applicable)

3. How We Use Your Information

• To process, confirm, and manage travel bookings and itineraries
• To issue invoices and facilitate payments, refunds, and expense reporting
• To send booking confirmations, e-tickets, and travel alerts via e-mail or SMS
• To provide 24/7 traveller assistance and duty-of-care services
• To create and maintain your corporate travel account
• To personalise your experience and offer relevant travel recommendations
• To comply with legal obligations (DGCA regulations, FEMA, visa requirements, etc.)
• To detect, investigate, and prevent fraudulent transactions and security incidents
• To improve our platform, services, and user experience through anonymised analytics
• To send promotional communications (only with your consent; you may opt out at any time)

4. Legal Basis for Processing

We process your personal data on the following legal grounds:

• Contractual necessity — to fulfil a travel booking or service agreement
• Consent — for marketing communications, cookies, and location data
• Legitimate interest — for fraud prevention, security, and service improvement
• Legal obligation — to comply with applicable Indian laws and regulatory requirements

5. Sharing of Personal Data

We do not sell your personal data. We may share data with:

• Travel Suppliers — airlines, hotels, car rental companies, rail booking systems, visa agencies — solely to fulfil your booking
• Payment Processors — Razorpay, PayU, HDFC Payment Gateway, or equivalent — for secure payment processing (PCI-DSS compliant)
• Corporate Account Administrators — your employer's travel managers who administer the account
• Technology Service Providers — cloud hosting, SMS/e-mail delivery, analytics — under strict data processing agreements
• Legal / Regulatory Authorities — as required by law, court order, or governmental direction
• Business Transfers — in the event of a merger, acquisition, or asset sale (you will be notified in advance)

6. Data Retention

We retain personal data for as long as necessary to provide our Services and comply with legal obligations. Typical retention periods:

• Booking and transaction records — 7 years (Income Tax Act / GST requirements)
• Account information — duration of account + 2 years after closure
• Marketing consent records — until consent is withdrawn + 1 year
• Support interaction logs — 3 years
• Anonymised analytics data — indefinitely

7. Data Security

We implement industry-standard technical and organisational measures to protect your personal data, including:

• SSL/TLS encryption for all data in transit
• Encrypted storage for sensitive personal data at rest
• Role-based access controls and least-privilege principles
• Regular security audits and vulnerability assessments
• PCI-DSS compliant payment processing (we do not store card numbers)

In the unlikely event of a data breach that risks your rights, we will notify affected individuals and, where required, the relevant regulatory authority within the timelines prescribed by the DPDP Act, 2023.

8. Cookies Policy

We use cookies and similar tracking technologies. For full details, please refer to our Cookie Policy. You may manage your cookie preferences at any time via your browser settings.

9. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us personal data, please contact us immediately and we will delete such data.

10. Your Rights

Under the DPDP Act, 2023 and applicable law, you have the right to:

• Access — obtain a summary of personal data we hold about you
• Correction — request correction of inaccurate or incomplete data
• Erasure — request deletion of your personal data (subject to legal retention obligations)
• Grievance Redressal — raise a complaint with our Data Protection Officer
• Nominate — nominate another individual to exercise rights on your behalf in case of death or incapacity

To exercise any right, write to us at privacy@journeyxpress.com. We will respond within 30 days.

11. Cross-Border Data Transfers

Some travel bookings (especially international itineraries) may require transfer of your personal data to foreign airlines, hotels, or GDS providers in countries outside India. Such transfers are made solely for booking fulfilment and are governed by appropriate contractual safeguards.

12. Links to Third-Party Sites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their respective privacy policies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via e-mail (if you have an account) and/or a prominent notice on our website at least 7 days before they take effect. Continued use of our Services after the effective date constitutes acceptance of the revised Policy.

14. Grievance Officer

In accordance with the Information Technology Act, 2000, and the DPDP Act, 2023, the details of the Grievance Officer are:

15. Governing Law

This Privacy Policy is governed by the laws of the Republic of India. Any disputes shall be subject to the exclusive jurisdiction of the courts of Hyderabad, Telangana, India.