This policy explains how TraCarta India Private Limited collects, processes, stores, and safeguards personal data when you engage with our platform, our websites, or our services. It is drafted in line with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules).
TraCarta India Private Limited ("TraCarta," "we," "our," "us") is a company incorporated under the Companies Act, 2013, with its registered office at Registered Office Address. We build and operate the TraCarta platform, which helps enterprises reconcile corporate travel spend and recover Input Tax Credit on airline GST.
This PII Policy applies to all personal data we process when you visit our websites, request a demonstration, enter into a commercial relationship with us, or when your employer or travel provider shares your data with us as part of a reconciliation engagement. It applies to personal data collected on or after the effective date set out above.
For the purposes of the DPDP Act, TraCarta acts as a Data Fiduciary in respect of personal data we collect directly from visitors and prospective customers, and as a Data Processor in respect of personal data shared with us by our enterprise customers for reconciliation purposes.
Capitalised terms used in this policy have the meanings given below. Where a term is defined in the DPDP Act or the DPDP Rules, we use it in the same sense unless otherwise stated.
We collect only the personal data we need to deliver our services, operate our platform, and meet our legal obligations. The categories of personal data we process depend on how you interact with us.
When you request a demonstration, sign up for a newsletter, apply for a role, or otherwise contact us, we may collect your name, work email address, phone number, job title, company name, and any information you choose to include in your enquiry.
When your employer or a travel provider engages TraCarta for reconciliation services, we may process personal data appearing within airline invoices, travel agent statements, expense filings, and related financial records. This typically includes traveller names, employee identifiers, GSTIN numbers, itinerary details, booking references, and associated expense amounts.
In this context, your employer is the Data Fiduciary and TraCarta is the Data Processor. We process such data strictly on documented instructions from our customer, under a written processing agreement.
When you visit our websites, we collect limited technical information such as your IP address, device and browser type, referring URL, pages visited, and timestamps. We use cookies and similar technologies for these purposes; see our Cookies Policy for details.
Where permitted by law, we may receive business contact data from commercial data providers or publicly available professional sources (for example, a corporate directory or a business social network) to support our outreach activities.
We process personal data for the following purposes, and only to the extent necessary for each purpose:
We do not use personal data for automated decisions that produce legal or similarly significant effects on you without human oversight.
Under the DPDP Act, we process personal data on the following bases:
Where we rely on consent, you have the right to withdraw that consent at any time, without prejudice to the lawfulness of processing carried out before withdrawal. See Your Rights below.
We do not sell personal data. We share personal data only in the following limited circumstances:
A current list of our material sub-processors is available on request at legal@tracarta.in. Confirm with counsel
Our primary data processing operations are in India. In limited circumstances, we may transfer personal data outside India — for example, where a cloud service provider operates infrastructure in multiple regions, or where a group company or advisor is located in another jurisdiction.
We only transfer personal data outside India to jurisdictions that are not restricted under applicable notifications issued by the Central Government under the DPDP Act, and in all cases we apply contractual and technical safeguards designed to preserve the level of protection you are entitled to under Indian law. Confirm with counsel
We retain personal data only for as long as necessary for the purposes for which it was collected, or for such longer period as is required to meet legal, regulatory, accounting, or tax obligations.
Our default retention periods are as follows: Confirm with counsel
When the retention period ends, we securely delete, erase, or irreversibly anonymise the personal data, unless continued retention is required by law.
We apply reasonable technical and organisational safeguards designed to prevent unauthorised access, alteration, disclosure, or destruction of personal data, in line with the standards expected of a Data Fiduciary and Data Processor under the DPDP Act and Rules.
These safeguards include encryption of data in transit and at rest, role-based access controls, segregation of environments, logging and monitoring, vulnerability management, personnel training, and incident response procedures. A fuller description of our security programme is set out in our Security Policy.
In the event of a personal data breach that is likely to affect you, we will notify the Data Protection Board of India and, where required, affected Data Principals, in accordance with the timelines and form prescribed under the DPDP Rules.
Subject to the conditions and exceptions set out in the DPDP Act, you have the following rights in respect of personal data we process about you as a Data Fiduciary:
To exercise any of these rights, please write to us at legal@tracarta.in. We may need to verify your identity before acting on a request and will respond within the timelines prescribed under the DPDP Rules.
Where we process personal data as a Data Processor on behalf of an enterprise customer, requests relating to that data should be addressed to the customer as the Data Fiduciary. We will assist our customers in responding to such requests.
We take your concerns seriously. If you have a grievance about how your personal data has been processed, you can contact our grievance officer:
We will acknowledge your grievance promptly and aim to respond substantively within the timelines prescribed under the DPDP Rules. If you are not satisfied with our response, you may escalate your grievance to the Data Protection Board of India in accordance with procedures published by the Board.
Our platform and services are intended for enterprise users and business decision-makers. They are not directed at children. We do not knowingly collect personal data of any individual under the age of eighteen, and we do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.
If you believe we have inadvertently collected personal data of a child, please contact us at legal@tracarta.in and we will take appropriate steps to delete it.
We may update this policy from time to time to reflect changes in our practices, our services, or the law. When we make a material change, we will update the "Last Updated" date at the top of this page and, where required by law, notify you through the contact information we hold for you or through a prominent notice on our website.
We encourage you to review this policy periodically to stay informed about how we protect your personal data.
If you have any questions about this policy or about how we process your personal data, please contact us:
We are the Data Fiduciary responsible for the personal data processed under this policy unless specifically identified as a Data Processor role.