Privacy Policy | Our Policies

01Scope & applicability

This policy applies to personal data that TraCarta India Private Limited (“TraCarta”, “we”, “us”) collects in the course of operating the website at tracarta.com, the SkyBoard customer portal, and the underlying SkySuite platform. It applies whether the data principal is an individual visitor, a customer’s employee whose information passes through our reconciliation engine, or a partner’s contact in commercial dealings with us.

Where TraCarta acts as a data fiduciary, meaning we determine the purpose and means of processing, this policy describes our commitments to you. Where we act as a data processor on behalf of a customer (for example, when our SkyLedger module reconciles employee booking data on behalf of a corporate customer), the corporate is the fiduciary and our obligations flow from our agreement with them.

02Definitions

We use the terms defined in the Digital Personal Data Protection Act 2023 (“DPDP Act”). The most relevant ones, in plain words:

Data principal

The individual the personal data is about, you, in most cases.

Data fiduciary

The entity that decides why and how personal data is processed.

Data processor

An entity that processes personal data on the fiduciary’s behalf, under their instructions.

Personal data

Any data about a person from which they can be identified, directly or in combination with other information.

Processing

Any operation performed on personal data, collecting, storing, structuring, using, transmitting, deleting.

03What we collect

3.1From visitors to tracarta.com

When you browse the marketing website, we collect technical information necessary to serve the site. IP address (truncated for storage), browser type, pages visited, time of access. We do not maintain a marketing profile of visitors and we do not run third-party advertising trackers.

3.2From people who contact us

If you write to us through the contact form, or directly to contact@tracarta.in, we receive whatever you choose to share, typically your name, work email, company, and the substance of your message. We use this information to reply to you.

3.3From the SkySuite platform in operation

When TraCarta processes data on behalf of a customer, the reconciliation work that is our core service, we receive personal data within airline GST invoices and booking records. This includes passenger names, ticket numbers, and corporate GSTIN linkages. We act as a data processor in this context; the corporate customer is the fiduciary. See our PII Policy for the full handling protocol.

04Why we collect it

We process personal data only for the specific, lawful purposes set out below. We do not process personal data for any purpose other than those listed, and we do not retain it beyond the duration each purpose requires.

To operate and secure the website. Server logs help us detect abuse, debug errors, and understand which pages are visited.
To respond to enquiries. When you contact us, we use your contact information to reply and to follow up on the substance of the conversation.
To deliver our contracted services. When a customer engages SkySuite, we process the personal data within their travel records to extract, reconcile, and journalize airline GST invoices.
To comply with applicable law. We retain certain records under the GST Act 2017, the Income Tax Act 1961, and the Companies Act 2013 for the durations those statutes require.
To enforce our agreements. If a contractual dispute arises, we may use relevant records to defend our position or seek remedy.

05Who we share with

We share personal data only with the following categories of recipient, only to the extent necessary, and only under contractual obligations that bind them to handling it consistently with this policy:

Cloud infrastructure providers hosting TraCarta’s systems within India. Customer data is stored on infrastructure located in India and is not transferred outside the country.
Tax and accounting professionals we engage for our own statutory compliance, bound by confidentiality.
Legal counsel in connection with actual or anticipated proceedings.
Government authorities where compelled by valid legal process, we will challenge requests we consider overbroad and will, where lawfully possible, notify the affected data principal.

What we never do

We do not sell personal data. We do not share customer data with marketing partners. We do not pool data across customer tenants for shared training. We do not retain personal data after our contractual obligation to process it ends, except where statute requires.

06How long we keep it

We retain personal data only for as long as the purpose requires, or for the period law mandates:

Website logs

90 days, then deleted.

Contact correspondence

24 months, unless the conversation matures into a contract (then governed by the contract’s retention terms).

Customer GST records

Six years from the relevant filing year, as required under Section 36 of the GST Act 2017.

Contracts & commercial records

Eight years after termination, per the Companies Act 2013 and the Income Tax Act 1961.

After retention ends

Records are deleted or, where deletion is technically impractical, irreversibly anonymised.

07Your rights as a data principal

Under the DPDP Act, you have the following rights with respect to your personal data. To exercise any of them, write to us at contact@tracarta.in with “DPDP request” in the subject. We will acknowledge within seven days and respond substantively within thirty days.

Right to access. You may request a summary of the personal data we hold about you, the purposes we process it for, and the entities we’ve shared it with.
Right to correction. You may request correction of inaccurate or incomplete personal data, and updating where the data has changed.
Right to erasure. You may request deletion of personal data we no longer need for the purpose it was collected, subject to retention obligations under law.
Right to withdraw consent. Where processing relies on your consent, you may withdraw it at any time. Withdrawal does not affect processing already carried out.
Right to grievance redressal. If you are dissatisfied with our response, you may escalate to the Data Protection Board of India under Section 28 of the DPDP Act.
Right to nominate. You may nominate another individual to exercise your rights in the event of your death or incapacity, by written notice to us.

Where you are a customer’s employee whose data passes through our systems as part of a customer engagement, please direct your request to your employer (the data fiduciary) in the first instance, we will support them in responding to you.

08How we secure it

We maintain technical and organisational measures appropriate to the sensitivity of the data we process:

Encryption in transit (TLS 1.3) for all data exchange, and encryption at rest (AES-256) for stored records.
Tenant isolation, each customer’s data sits in its own logical partition; we do not commingle records across customers.
Principle of least privilege for internal access, with audit logging of every access event involving personal data.
Annual third-party penetration testing of production systems.
Background checks for personnel with access to production data.
Disaster-recovery procedures with documented recovery-time and recovery-point objectives.

No security regime is absolute. Our commitments are to the discipline of the practice, the diligence of the response when something is found, and the honesty of the disclosure if a breach affects you.

09Breach notification

In the event of a personal data breach that is likely to affect a data principal, we will:

Notify the Data Protection Board of India within 72 hours of becoming aware, where notification is required under Section 8(6) of the DPDP Act.
Notify the affected data principals without undue delay, in language that describes what happened, what data was affected, what we are doing about it, and what they can do.
Where the affected data is held by us as a processor on behalf of a customer fiduciary, notify the customer within 24 hours so they may meet their own notification obligations.

10Changes to this policy

We may update this policy from time to time. Material changes, meaning anything that meaningfully changes the purposes we process for, the retention periods, or your rights, will be notified to active customers in writing. Non-material changes (clarifications, contact updates, formatting) will be reflected with a new version number and effective date at the top of this document.

Earlier versions remain available on request to contact@tracarta.in.

11Contact us

For any question, request, or grievance relating to this policy or our handling of your personal data, write to:

Grievance officer

Karan Chander, designated under Section 8(10) of the DPDP Act. Email contact@tracarta.in with “DPDP request” or “Grievance” in the subject.

Registered office

TraCarta India Private Limited, 12th Floor, The Executive Centre, Two Horizon, Golf Course Road, Gurugram, Haryana 122002, India. CIN U63090HR2013PTC051042.

Response timeline

Acknowledgement within seven days; substantive response within thirty days.