How personally identifiable information inside engagement data, traveller names, PNRs, GSTINs, is handled, minimised, retained and destroyed. The narrowest document in this register, on purpose.
This policy of TraCarta India Private Limited ("TraCarta") governs personally identifiable information ("PII") that enters TraCarta's systems through client engagements. It supplements our Privacy Policy with the operational rules our own team works to. It applies to every person at TraCarta and every system inside our engagement perimeter.
In airline GST reconciliation, PII typically comprises:
We do not require, request or knowingly hold passport numbers, payment card data, health data, or any special category of personal data. If such data arrives embedded in client documents, it is treated as out-of-scope PII and handled under Section 5.
Inside the perimeter, PII is encrypted in transit and at rest, accessed only by personnel assigned to the engagement, and never moved to personal devices, personal email, or unmanaged storage. Exports and reports carry the minimum PII the deliverable requires, gap registers and audit trails reference documents by identifier wherever a name is not needed.
Where documents arrive containing PII beyond what the work needs, we do not use it, do not index it, and, where separation is practical, delete or redact it. Clients are notified of recurring over-supply so it can be stopped at source.
Engagement PII is retained for the life of the engagement plus the period Indian tax and audit law requires of the underlying records, and is then securely destroyed, or returned and then destroyed, as the engagement agreement directs. Destruction covers primary stores, working copies and backups on their cycle.
Suspected compromise of PII triggers our incident procedure: contain, assess, notify. Affected clients are informed without undue delay, and notifications required under the DPDP Act and other applicable law are made within prescribed timelines. Post-incident, the failure that permitted the event is corrected before normal processing resumes.
Everyone at TraCarta is bound to this policy by their engagement terms, trained on it, and re-trained when it changes. Access rights are reviewed on a fixed cycle and withdrawn the day a person's assignment, or association, ends.
Questions, requests or grievances under this policy may be addressed to our Grievance Officer at legal@tracarta.in or by post to our registered office in Gurugram, Haryana. We acknowledge grievances promptly and aim to resolve them within the timelines prescribed under applicable law.