Privacy Policy

Trans Bharat Aviation
Effective Date: November 21, 2025
Last Updated: November 21, 2025
DPDP ACT 2023 COMPLIANCE NOTICE

This Privacy Policy complies with the Digital Personal Data Protection (DPDP) Act, 2023. We are a Data Fiduciary. You are a Data Principal. Your rights are protected under Indian law. Read Section 1A below for your rights and how to exercise them.

Trans Bharat Aviation (“TBA”, “we”, “our”, or “us”) is committed to protecting your privacy and ensuring that your personal information is handled securely, transparently, and in line with the Digital Personal Data Protection (DPDP) Act, 2023, India IT Act 2000, SPDI Rules 2011, DGCA Civil Aviation Requirements, and international best practices (GDPR, UK-GDPR, CCPA).

This Privacy Policy explains how we, as a Data Fiduciary, collect, use, retain, and share your personal data when you interact with our aviation services, website, applications, and customer support. It also outlines your rights as a Data Principal and how to exercise them.

Our data handling is governed by the India IT Act 2000, SPDI Rules 2011, DGCA Civil Aviation Requirements, Aircraft Act 1934, Dangerous Goods Rules 2003, GDPR, UK-GDPR, CCPA, and ePrivacy regulations.

1. Scope

This Policy applies to all passengers, website visitors, and charter customers using any Trans Bharat Aviation service, as well as anyone whose data is provided for booking or operational purposes.

1A. DPDP ACT 2023: KEY DEFINITIONS & YOUR RIGHTS

As a Data Principal (a person to whom personal data relates), you have specific rights under the Digital Personal Data Protection (DPDP) Act, 2023:

1A.1 Key Definitions (DPDP Act 2023)

  • Data Principal: You — any person to whom personal data relates (passengers, website visitors, customers).
  • Data Fiduciary: Trans Bharat Aviation — we decide the purposes and means of processing your data.
  • Personal Data: Any information relating to an identified or identifiable person (name, email, ID, health data, etc.).
  • Sensitive Personal Data: Health data, official identity numbers (Aadhaar, PAN), genetic data, biometrics, etc.
  • Processing: Any operation on personal data (collection, use, storage, sharing, deletion, etc.).
  • Consent: Your freely given, specific, informed, and unambiguous agreement to processing for a specific purpose.

1A.2 Your Rights as a Data Principal (DPDP Sections 10-11)

1. Right to Confirm & Retrieve Data

You can request confirmation of whether we hold your personal data and request a copy of your data in a structured, commonly used, machine-readable format.

How to request: Email infotransbharat@gmail.com with “DATA RETRIEVAL REQUEST” in the subject.

2. Right to Correct/Update Data

You can request correction of inaccurate, incomplete, or out-of-date data. Example: Update phone number, change address, correct spelling of name.

How to request: Email infotransbharat@gmail.com with details of data to correct.

3. Right to Erase Data

You can request deletion of your data. Note: Some data (tax records, DGCA manifests) must be retained by law; we will inform you.

How to request: Email infotransbharat@gmail.com with “RIGHT TO ERASE REQUEST”.

4. Right to Restrict Processing

You can request we stop processing your data for specific purposes. Example: Stop processing for marketing (but not for flight operations).

How to request: Email infotransbharat@gmail.com with purposes to restrict.

5. Right to Withdraw Consent

You can withdraw consent given for data processing at any time. Withdrawal affects only future processing, not past processing.

How to withdraw: Email infotransbharat@gmail.com or unsubscribe from emails.

6. Right to Grievance Redressal

If you believe we’re misusing your data, you can lodge a formal grievance. We will respond within 30 days.

How to lodge: Email infotransbharat@gmail.com with details.

7. Right to Know Automated Decision-Making

If we make decisions about you using automated means (AI, algorithms), you have the right to know and request human review. Currently, we do NOT use automated decision-making for booking approvals or offloading decisions.

1A.3 Response Timeline (DPDP Section 11)

  • Data Requests/Grievances: We will respond within 30 calendar days.
  • Extension: We may extend by 30 additional days if the request is complex.
  • Cost: All requests are processed free of cost (unless requests are manifestly unfounded or repetitive).

2. What Data We Collect

We collect and process:

A. Personal Data Categories (DPDP Section 3(b))

1. Identity & Contact Data
  • Full name, email address, phone number, nationality
  • Date of birth, gender
  • Home/business address
  • Emergency contact details

Mandatory for: Booking, identity verification, regulatory compliance.

2. Official Identity Documents
  • Aadhaar number, Voter ID, Passport, Driving License, PAN
  • Digital or scanned copies of identity documents

Mandatory for: DGCA compliance, KYP, safety.

Retention: As per Aircraft Act 1934 and Income Tax Act (min 3-7 years).

3. Booking & Operational Data
  • Flight route, date, time, PNR
  • Passenger list (names of accompanying travelers)
  • Seat assignments, weight category
  • Special requests (wheelchair, meal, etc.)

Retention: 3 years per DGCA requirements.

4. Sensitive Personal Data

Health & Medical: Medical fitness declarations, pregnancy status, allergies, disability needs.

Biometric Data: Passenger weight (measured at check-in for load & balance).

Legal Basis: Explicit Consent + Legal Obligation (DGCA).

Retention: Medical (3 years), Weight (Deleted post-flight).

5. Payment & Financial Data

Payment method, Transaction ID, Billing address.

IMPORTANT: TBA does NOT store full card numbers. Payments are processed via PCI-DSS compliant gateways (Razorpay, PhonePe, PayPal).

Retention: 7 years for tax/audit compliance.

6. Technical & Usage Data

IP address, device type, OS, browser version, pages visited, search queries.

Collection: Automatic via server logs/Google Analytics.

Retention: Aggregated analytics (12 months), IP logs (90 days).

7. Communication Data

Emails, SMS, WhatsApp, Support chat transcripts, Feedback forms.

Retention: 2 years from last interaction.

8. Marketing Data

Email subscription status, browsing history (for ads), survey responses.

Consent Required: YES – Separate, explicit opt-in.

Retention: Until you unsubscribe.

B. Data Collection Methods

  • Personal & Contact Data: Online booking form (WP-Travel Engine)
  • Health Data: Medical declaration form / Custom form
  • Payment Data: Payment gateway (Razorpay/PhonePe/PayPal)
  • Identity Documents: Passenger info form / Check-in
  • Technical Data: Server logs, Google Analytics, Cookies
  • Communication Data: Contact Form 7, Hustle, Emails
  • Weight/Biometric: Check-in counter (Manual weighing)

C. Mandatory vs. Optional Data

  • MANDATORY (Cannot book without): Full name, Email, Phone, Country, No. of adults, ID document number. (Before flight: Weight, Health declaration, Valid ID).
  • OPTIONAL: Secondary contact number, special requests, marketing consent.

3. How and Why Data Is Used (Purposes)

We use your data for the following purposes (DPDP Section 6):

A. Essential Purposes (Required to provide service)

  • Flight Booking & Reservation: Create booking, issue ticket, PNR, manage refunds. (Basis: Consent + Contract)
  • Payment Processing: Verify payment, issue receipts. (Basis: Consent + Contract)
  • Identity Verification: Check DGCA passenger fitness, age, and weight. (Basis: Consent + Legal Obligation)
  • Regulatory Compliance: DGCA manifests, dangerous goods reports, tax filing. (Basis: Legal Obligation)

B. Service Improvement Purposes

  • Website Personalization: Remember preferences, fix bugs. (Basis: Consent via Cookie)
  • Analytics: Analyze booking patterns and website performance via Google Analytics. (Basis: Consent via Cookie)

C. Communication Purposes

  • Customer Support: Respond to inquiries, provide flight info. (Basis: Consent + Legitimate Interest)
  • Promotional Marketing: Send emails/SMS about offers. Consent Required: YES (Explicit Opt-in).

D. Safety & Security Purposes

  • Fraud Prevention: Detect fraudulent bookings/payments. (Basis: Legitimate Interest)
  • Medical & Health: Ensure safe flight operations based on medical fitness. (Basis: Explicit Consent + Legal Obligation)

4. Lawful Bases for Processing (DPDP Act Sections 4-5)

Processing Activity | Legal Basis (DPDP) | Consent Required?
Flight Booking | Consent + Contract (Sec 4(b)) | YES
Payment Processing | Consent + Contract (Sec 4(b)) | YES
DGCA Reporting | Legal Obligation (Sec 4(c)) | NO (Mandatory)
Medical Fitness | Explicit Consent (Sec 5(1)) | YES
Security/Fraud | Legitimate Interest (Sec 4(f)) | NO
Marketing | Explicit Consent (Sec 5(1)) | YES

5. Data Sharing and Disclosure

IMPORTANT: We do NOT sell, rent, or trade your personal data for commercial purposes.

A. Mandatory Government & Regulatory Disclosures

We share data with:

  • DGCA: Passenger manifest, name, DOB, ID details (For safety/compliance).
  • Law Enforcement: Identity/booking details (If legally requested).
  • Income Tax Dept: Transaction details (For tax compliance).
  • RBI/Regulators: Payment data (For AML/KYC).

B. Third-Party Service Providers (Data Processors)

We share data with the following processors under signed Data Processing Agreements:

Razorpay (Payment)

Purpose: Card payment processing.

Data Shared: Name, email, phone, payment method, amount.

Location: India (PCI-DSS).

PhonePe (Payment)

Purpose: UPI & wallet payments.

Data Shared: Phone number, amount, transaction ID.

Location: India (NPCI regulated).

PayPal (International)

Purpose: International payments.

Data Shared: Name, email, PayPal details.

Location: USA (with SCCs).

Hostinger (Hosting)

Purpose: Server hosting.

Data Hosted: All website data, logs, accounts.

Location: India/EU.

SSL (Let’s Encrypt/Cloudflare)

Purpose: Website encryption and security.

Data Shared: Domain info, SSL certificate details.

Location: USA/EU.

Zoho Mail (Email)

Purpose: Business email hosting.

Data Shared: Email content, addresses.

Location: India/USA.

Gmail (Email)

Purpose: Email communication.

Data Shared: Email addresses, message content.

Location: USA (with SCCs).

Google Analytics

Purpose: Traffic analysis.

Data Shared: IP (anonymized), usage data.

Location: USA (with SCCs).

Other Tools (Self-Hosted): Contact Form 7, WP-Travel Engine, Hustle (Data remains on our Hostinger server).

C. International Data Transfers (DPDP Section 4(e))

For data transfers outside India (e.g., USA, EU), we use Standard Contractual Clauses (SCCs) and encryption to ensure safeguards equivalent to DPDP requirements.

D. Data Sub-Processors

If any primary processor (e.g., Google Analytics) uses sub-processors, you will be notified. You have the right to object to new sub-processors within 30 days of notification.

6. Cookies, Analytics, and Tracking Tools

We use cookies for authentication, analytics, and personalization.

  • Cookie Consent: You can manage preferences via our banner.
  • Analytics: Aggregated data—never used to identify you individually.
  • Automated Decision-Making: We do not use automated profiling that produces legal effects.

See our Cookie Policy for details.

7. Children’s Privacy (DPDP Section 9)

We do not knowingly collect information from children under 18 without verifiable parental consent.

  • Parental Consent: A parent/guardian must provide explicit consent for any passenger under 18.
  • Booking: The adult making the booking is responsible for obtaining this consent.
  • Rights: Children have the same rights as adults, exercised through their parent/guardian.
  • Removal: If data was collected without consent, email infotransbharat@gmail.com for immediate deletion.

8. Data Retention

Your data is kept for the minimum period required by DGCA aviation laws and tax regulations. After legal retention periods expire, data is securely deleted.

9. Data Security

We use industry-standard measures (encryption, access controls, PCI-DSS) to protect your data. In the event of a breach impacting your rights, we will notify you and authorities as required by law.

10. Your Rights (Summary)

You have the right to Access, Correct, Delete, Restrict, and Withdraw Consent. See Section 1A for details. To exercise these rights, email infotransbharat@gmail.com.

11. Comments and Embedded Content

If you leave comments, you may opt-in to saving details in cookies. Our site may embed content (videos, maps) from external sites which function as if you visited those sites directly.

12. Accessibility

This policy is designed to be accessible. If you need it in an alternative format, contact infotransbharat@gmail.com.

13. Internal Links

14. Policy Updates

We may update this Privacy Policy. Significant changes will be posted here and notified where required.

15. Contact & Data Protection (DPDP Sections 11-12)

15.1 Data Requests & Rights Exercising

For Data Retrieval, Correction, Deletion, or Restriction Requests:

  • Email: infotransbharat@gmail.com
  • Subject Line: “DATA PRINCIPAL REQUEST – [Type]”
  • Response Timeline: Within 30 calendar days
  • Cost: Free of charge

15.2 Grievance Redressal

If you believe TBA has violated your data protection rights:

  • Email: infotransbharat@gmail.com
  • Subject Line: “DPDP GRIEVANCE – [Brief Description]”
  • Response Timeline: Within 30 calendar days

15.3 General Contact

Phone: +91 9205222031 or +91 6395256470

Postal Address: Room No. 501-503, G+5, T1, IGI Airport, ND-110037

15.4 DPDP Compliance Officer

While not currently designated as a “Significant Data Fiduciary,” Trans Bharat Aviation has assigned data protection responsibilities to:

Data Protection Contact: infotransbharat@gmail.com

Response SLA & Commitments:

  • Data Access/Correction: Respond within 30 days.
  • Erasure: Respond within 30 days (deleted unless retention applies).
  • Complex Requests: May take up to 60 days (we will notify you within 30 days if extension needed).
  • Confidentiality: All requests handled confidentially.

15.5 Regulatory Authorities

If not satisfied with our response, you may lodge a complaint with:

  • Data Protection Board of India
  • Office of the National Cyber Security Coordinator (www.ncsc.gov.in)
  • Central Consumer Protection Authority (CCPA)

Jurisdiction: Disputes fall under the exclusive jurisdiction of Delhi courts.