TripBng

Compliance

DPDP Act 2023 compliance

Last updated · 14 May 2026

The Digital Personal Data Protection Act, 2023 (“DPDP Act”) is India's comprehensive personal data protection law. This page summarises how Tripbng India Private Limited (“TripBng”) complies with the Act and how partners and end users can exercise their rights.

This page is a plain-language overview, not the full legal document. For the contractual terms, see our Terms of Service and Privacy Policy.

In short

  • We are a Data Fiduciary under the DPDP Act for the personal data of partner agencies, sub-agents, and travel customers booked through our platform.
  • We process personal data only for lawful purposes, with consent or under a legitimate use specified by the Act.
  • We notify the Data Protection Board of India and affected principals of any personal-data breach without undue delay.
  • Our Data Protection Officer is reachable at dpo@tripbng.com.

DPDP principles we follow

1. Lawful purpose & consent

We collect personal data only for clearly stated purposes — running your account, processing bookings, complying with regulatory requirements, and providing trade-desk support. Where consent is the legal basis, it is freely given, informed, specific, and revocable.

2. Data minimisation

We collect the minimum data required. We do not aggregate behavioural data into advertising profiles. We do not share booking PII with third parties beyond what the underlying carrier or supplier needs to complete a transaction.

3. Accuracy

Partners can update their KYC, address, and contact information in the dashboard at any time. End-customer corrections (name changes on tickets) are subject to airline rules and forwarded to the underlying carrier.

4. Storage limitation

Personal data is retained only as long as needed for the stated purpose or as legally required. See the retention table in our Privacy Policy.

5. Accountability

Every privileged action on personal data is logged in a tamper-evident audit trail. We review access patterns weekly and rotate credentials on a fixed schedule.

Technical controls

  • TLS 1.3 in transit; AES-256-GCM encryption at rest
  • Field-level encryption (FLE) for PAN, GSTIN, passport, bank details
  • Mandatory two-factor authentication for super-admin and distributor roles
  • Role-based access control with permission strings (resource:action:scope)
  • Daily backups; quarterly recovery drills
  • Cloud workloads pinned to ap-south-1 (Mumbai) by default
  • Annual SOC 2 audit (in flight); ISO 27001 in progress

Your DPDP rights

As a Data Principal under the DPDP Act, you have the right to:

  1. Information. Know what personal data we hold, the purposes of processing, and the identities of any third parties with whom the data is shared.
  2. Correction & erasure. Ask us to correct inaccurate data or erase data that is no longer needed (subject to legal retention obligations).
  3. Grievance redressal. File a complaint with us; if unresolved, escalate to the Data Protection Board of India.
  4. Nominate. Nominate another individual to exercise your rights in the event of death or incapacity.
  5. Withdraw consent. Withdraw consent at any time where consent was the legal basis for processing. We honour withdrawals within 7 working days.

How to file a request

  1. Email dpo@tripbng.com from the address registered on your TripBng account.
  2. Include: your name, account ID (if available), the nature of the request (access / correction / erasure / nomination / consent withdrawal), and any supporting details.
  3. We verify identity within 3 working days and respond substantively within 30 days. If a request requires more time we will explain why.
  4. If you are not satisfied with our response, you may escalate to the Grievance Officer at the same registered office address. Beyond that, the Data Protection Board of India is your next forum.

Breach notification

In the unlikely event of a personal-data breach, we will:

  • Notify the Data Protection Board of India within the timeline specified by the Act and its subordinate rules.
  • Notify each affected Data Principal, describing the nature of the breach, the data involved, the measures taken, and the remedies available.
  • Publish a public post-incident summary on the status page for transparency, redacting only what is necessary to protect ongoing investigations.

Data Protection Officer

Data Protection Officer
Tripbng India Private Limited
WeWork BKC, Bandra Kurla Complex, Mumbai 400051
dpo@tripbng.com · +91 22 6196 4040

For escalations beyond the DPO, write to the Grievance Officer at the same address. The Data Protection Board of India is the statutory authority for unresolved complaints.