Privacy Policy

1. Introduction

Oyster Holidays India ("we," "our," or "us") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services or visit our website.

This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India and other applicable data protection regulations. By using our services, you consent to the data practices described in this policy.

Data Fiduciary: Oyster Holidays India, Bangalore, Karnataka, India

2. Information We Collect

2.1 Personal Data You Provide

We collect personal data that you voluntarily provide when:

• Making travel bookings or inquiries
• Creating an account on our website
• Subscribing to our newsletter
• Contacting us via phone, email, or contact forms
• Participating in surveys or promotions

This data may include:

• Identity Data: Full name, date of birth, gender, passport details, visa information
• Contact Data: Email address, phone number, postal address
• Financial Data: Payment card details, bank account information (processed securely through payment gateways)
• Travel Preferences: Dietary requirements, accessibility needs, accommodation preferences
• Emergency Contact: Name and contact details of your emergency contact person

2.2 Automatically Collected Data

When you visit our website, we may automatically collect:

• Technical Data: IP address, browser type and version, device information, operating system
• Usage Data: Pages visited, time spent on pages, click patterns, referral source
• Location Data: General geographic location based on IP address

3. Lawful Basis for Processing (DPDP Act Compliance)

Under the Digital Personal Data Protection Act, 2023, we process your personal data based on the following lawful grounds:

3.1 Consent

We obtain your explicit, free, specific, informed, and unambiguous consent before collecting and processing your personal data. You have the right to withdraw consent at any time by contacting us.

3.2 Contractual Necessity

Processing necessary to fulfill our contractual obligations to you, such as booking travel arrangements, processing payments, and providing customer support.

3.3 Legal Obligation

Processing required to comply with applicable laws, regulations, or legal proceedings.

3.4 Legitimate Interests

Processing necessary for our legitimate business interests, such as fraud prevention, network security, and service improvement, provided such interests do not override your fundamental rights.

4. How We Use Your Personal Data

We use your personal data for the following purposes:

• Service Delivery: Processing bookings, arranging travel services, issuing tickets and vouchers
• Communication: Sending booking confirmations, travel updates, itinerary changes, and responding to inquiries
• Payment Processing: Processing transactions securely through authorized payment gateways
• Customer Support: Providing assistance before, during, and after your travel
• Marketing: Sending promotional offers and newsletters (only with your explicit consent)
• Service Improvement: Analyzing usage patterns to improve our website and services
• Legal Compliance: Meeting regulatory requirements, tax obligations, and legal processes
• Fraud Prevention: Detecting and preventing fraudulent transactions

5. Data Sharing and Disclosure

We may share your personal data with the following categories of recipients:

5.1 Service Providers

• Airlines, hotels, and accommodation providers
• Ground transportation and tour operators
• Travel insurance providers
• Visa processing agencies
• Payment processors and financial institutions

5.2 Government Authorities

Immigration authorities, customs officials, and other government bodies as required by law or for your travel documentation.

5.3 Third-Party Data Processors

• IT service providers and cloud hosting services
• Analytics providers (e.g., Google Analytics)
• Marketing and communication platforms

6. Cross-Border Data Transfers

As a travel agency, your personal data may be transferred to and processed in countries outside India where your travel destinations are located, or where our service providers operate.

When transferring data internationally, we ensure:

• Compliance with the DPDP Act requirements for cross-border data transfers
• Appropriate safeguards are in place with data recipients
• Data is only transferred to countries or entities that provide adequate data protection
• Contractual clauses with third parties to protect your data

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

• Booking Records: 7 years from the date of travel completion (for tax and legal compliance)
• Marketing Communications: Until you unsubscribe or withdraw consent
• Website Analytics: 26 months (anonymized after this period)
• Customer Inquiries: 3 years from last communication

After the retention period, your data will be securely deleted or anonymized.

8. Your Rights Under DPDP Act 2023

As a Data Principal under the DPDP Act, you have the following rights:

To exercise any of these rights, please contact our Grievance Officer using the details provided below.

9. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance your browsing experience:

Types of Cookies We Use:

• Essential Cookies: Necessary for website functionality (e.g., session management)
• Analytics Cookies: Help us understand how visitors interact with our website (Google Analytics)
• Marketing Cookies: Used to deliver relevant advertisements (only with consent)

You can manage cookie preferences through your browser settings. Note that disabling certain cookies may affect website functionality.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

• SSL/TLS encryption for data transmission
• Secure payment processing through PCI-DSS compliant gateways
• Access controls and authentication mechanisms
• Regular security assessments and updates
• Employee training on data protection practices

While we strive to protect your data, no method of transmission over the internet is 100% secure. We encourage you to use strong passwords and protect your account credentials.

11. Children's Privacy

Our services are not directed to children under the age of 18. We do not knowingly collect personal data from children without verifiable parental consent. If we become aware that we have collected personal data from a child without proper consent, we will take steps to delete such information.

For family travel bookings, parents or legal guardians must provide consent for the processing of their children's personal data.

12. Grievance Officer

In accordance with the DPDP Act 2023, we have appointed a Grievance Officer to address your concerns regarding data protection:

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India as established under the DPDP Act 2023.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

• Posting the updated policy on our website
• Updating the "Last Updated" date at the top of this page
• Sending an email notification for significant changes (if you have provided your email)

We encourage you to review this policy periodically.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: