OnArrival Travel - Privacy Policy
Document Version: v3.0 — GDPR/SOC2/PII COMPLIANT
Last Updated: May 26, 2025
Effective Date: June 1, 2025
Regulatory Compliance: GDPR, DPDP Act 2023, CCPA, SOC 2 Type II, ISO 27001
1. Introduction and Regulatory Commitment
OnArrival Travel Tech Pvt. Ltd. ("OnArrival," "we," "our," or "us") operates as an API-first, modular travel technology platform that aggregates flights, hotels, activities, insurance, visa information, and ancillary services. We provide our technology through cloud-hosted SaaS (multi-tenant), on-premise/VPC deployments for enterprise clients, and white-label web & mobile micro-frontends.
Our Business Model:
- Primary Service: API-first travel technology platform serving fintechs, banks, OTAs, TMCs, marketplaces, and enterprises
- Technology Focus: Modular micro-apps, BYOS (Bring Your Own Supplier) capabilities, and comprehensive integration layer
- Geographic Presence: Primary data clusters in India (Bangalore), EU (Frankfurt), and US (Virginia)
- Role Clarity: Technology intermediary and platform provider, not the merchant of record in most jurisdictions
Dual Data Processing Roles:
We operate with distinct data processing responsibilities:
- Data Controller: For direct relationships through onarrival.com and our platform administration
- Data Processor: For white-label deployments and on-premise installations where our enterprise clients maintain primary customer relationships
This Privacy Policy demonstrates our compliance with:
- EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
- India's Digital Personal Data Protection Act 2023 (DPDP Act)
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Singapore Personal Data Protection Act (PDPA) (on request)
- Brazil Lei Geral de Proteção de Dados (LGPD) (on request)
- SOC 2 Type II security and privacy controls
- ISO 27001:2022 information security management standards
- PCI DSS SAQ-D v4 payment card industry security standards
- IATA NDC Level 4 compliance for airline integrations
Legal Entity: OnArrival Travel Tech Pvt. Ltd.
Registration Number: U72900KA2023PTC174829
Registered Address: 9th Floor, Infinity Tower, Koramangala 4th Block, Bangalore 560095, Karnataka, India
Data Protection Officer: Priya Sharma, CIPP/E, CIPM
DPO Contact: dpo@onarrival.com | +91 80 1234 5678
1.2 EU/UK Representative (GDPR Art. 27)
EU Representative: DataRep Solutions GmbH
Address: Alexanderplatz 7, 10178 Berlin, Germany
Contact: eu-rep@onarrival.com
UK Representative: DataRep UK Ltd.
Address: 15 Bishopsgate, London EC2N 3AR, United Kingdom
Contact: uk-rep@onarrival.com
2. Scope and Application
2.1 Territorial Scope
This Privacy Policy applies to the processing of personal data:
- Within the EU/EEA (GDPR Article 3(1))
- From EU/EEA residents regardless of processing location (GDPR Article 3(2))
- In India (DPDP Act territorial scope)
- California residents (CCPA/CPRA scope)
- Global users of our Services
2.2 Material Scope
This Policy covers personal data processing through our API-first platform ecosystem:
- OnArrival.com direct booking platform and mobile applications
- Developer portal, APIs, SDKs, and webhook integrations
- White-label micro-frontends and embedded travel widgets
- On-premise and VPC deployments for enterprise clients
- BYOS (Bring Your Own Supplier) integration layer
- Multi-cloud infrastructure (India, EU, US data centers)
- Corporate SSO integrations (OAuth/OIDC, SAML)
Special Deployment Considerations:
- Partner-branded deployments hosted on-premise by clients remain subject to specific data processing agreements governing those deployments
- Client-controlled infrastructure inherits the client's regional data residency requirements
- BYOS integrations maintain separate data flows as specified in integration agreements
2.3 Temporal Scope
This Policy applies to all personal data processing from the effective date forward, and retroactively to data collected under previous versions where the lawful basis permits.
3. Legal Definitions and Classifications
3.1 GDPR-Compliant Definitions
Personal Data (GDPR Art. 4(1)): Any information relating to an identified or identifiable natural person ('data subject'), including:
- Direct identifiers: name, passport number, email address
- Indirect identifiers: IP address, device ID, online identifiers
- Location data, behavioral data, and inferred information
Special Categories of Personal Data (GDPR Art. 9):
- Health data (dietary restrictions, medical conditions)
- Biometric data for unique identification
- Data revealing racial/ethnic origin, political opinions, religious beliefs
Processing (GDPR Art. 4(2)): Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
3.2 Data Classification Framework
Sensitivity Level 1 - Public Information:
- Marketing preferences, public reviews
- Retention: As per business requirements
- Access Controls: Standard business need-to-know
Sensitivity Level 2 - Internal Use:
- Contact information, travel preferences
- Retention: 3 years post-relationship end
- Access Controls: Role-based with approval workflows
Sensitivity Level 3 - Confidential:
- Financial information, government IDs
- Retention: 7 years (regulatory requirement)
- Access Controls: Privileged access with MFA
Sensitivity Level 4 - Restricted:
- Special category data, biometric identifiers
- Retention: Minimized periods with regular review
- Access Controls: Executive approval required
3.3 Processing Roles in B2B2C Context
OnArrival as Data Controller:
- Business partner account management and onboarding
- Platform administration and security monitoring
- Developer portal and API usage analytics
- Direct marketing to business partners
- Platform optimization and product development
OnArrival as Data Processor:
- End consumer travel bookings made through partner platforms
- Traveler personal data processed on behalf of business partners
- Payment processing for partner-facilitated transactions
- Customer support services provided to partner's customers
- Analytics and reporting services for business partners
Joint Controller Arrangements:
- Platform-level analytics combining partner and consumer data
- Fraud prevention across partner ecosystem
- Supplier integration requiring shared data responsibilities
- Documented through Joint Controller Agreements per GDPR Art. 26
Partner as Primary Controller:
- Business partners maintain primary controller responsibility for their end customer relationships
- Partners must provide appropriate privacy notices to their customers
- Partners responsible for obtaining necessary consents from end consumers
- OnArrival provides processor services under data processing agreements
4. Lawful Basis Framework (GDPR Art. 6 & 9)
4.1 Primary Lawful Bases
4.1.1 Contract Performance (Art. 6(1)(b))
- Purpose: Travel booking fulfillment, payment processing, customer service
- Data Types: Identity, contact, travel, payment information
- Retention: 7 years post-service completion
- Rights Impact: Limited deletion rights during contract term
4.1.2 Legitimate Interests (Art. 6(1)(f))
- Purpose: Fraud prevention, security, service improvement, direct marketing to customers
- Balancing Test: Documented assessments considering necessity, proportionality, and individual rights
- Data Types: Usage analytics, security logs, marketing profiles
- Safeguards: Pseudonymization, opt-out mechanisms, regular review
4.1.3 Legal Obligation (Art. 6(1)(c))
- Purpose: Regulatory compliance, tax records, AML/KYC requirements
- Legal Sources: DGCA regulations, Income Tax Act, FEMA, PML Act
- Data Types: Identity verification, transaction records, audit trails
- Retention: As mandated by applicable law (typically 7 years)
4.1.4 Explicit Consent (Art. 6(1)(a))
- Purpose: Marketing emails, optional analytics, special category data
- Implementation: Clear, specific, informed, freely given
- Withdrawal: Simple mechanisms, honored within 72 hours
- Record Keeping: Consent proofs retained per GDPR Art. 7(1)
4.2 Special Category Data Processing (GDPR Art. 9)
4.2.1 Explicit Consent (Art. 9(2)(a))
- Dietary restrictions indicating religious/health preferences
- Accessibility requirements and medical conditions
- Biometric data for enhanced security (where offered)
4.2.2 Substantial Public Interest (Art. 9(2)(g))
- Fraud prevention and security measures
- Regulatory compliance and audit requirements
5. Comprehensive Data Collection
Traveler-Provided Data (Controller Role):
- Collection Points: OnArrival.com bookings, mobile app usage, SDK/micro-app checkout forms
- Data Elements: Identity data (full name, gender, nationality, date of birth, passport details), contact information, travel preferences, loyalty program information
- Storage: MongoDB with encryption at rest (AES-256)
- Legal Basis: Contract performance, legitimate interests
- Retention: 7 years for flight booking data (DGCA compliance), other data per business requirements
Payment Information (Tokenized Processing):
- Collection Points: Booking checkout, payment method storage
- Processing Method: Tokenized by PSP partners (Stripe, Adyen, PayU)
- OnArrival Storage: Last 4 digits + payment token only (no CVV or full PAN)
- Security: PCI DSS SAQ-D v4 compliance, end-to-end encryption
- Legal Basis: Contract performance, legal obligation (RBI tokenization rules)
- Retention: 7 years (financial record requirements)
Corporate SSO and Enterprise Data:
- Collection Method: OAuth/OIDC, SAML integrations
- Data Elements: Employee profiles, department codes, authorization levels, audit claims
- Access Control: Audience claims used for data access gating
- Legal Basis: Contract performance (as processor for enterprise clients)
- Special Handling: SSO identities are mapped to internal user objects with role-based access controls
API and Developer Platform Data:
- Collection Points: Developer portal registration, API key generation, SDK integration
- Data Elements: Technical contact information, usage metrics, integration specifications
- Usage Monitoring: API rate limiting, transaction volume tracking
- Legal Basis: Contract performance (Developer Agreement)
- Retention: Duration of developer relationship + 3 years
Support and Communication Data:
- Channels: Email, chat, phone support, survey responses
- Data Elements: Communication content, support ticket history, feedback responses
- Legal Basis: Contract performance, legitimate interests
- Retention: 5 years from case closure
Frontend Monitoring and Analytics:
- Collection Method: Frontend Monitoring SDK, navigation heat-maps, clickstream analysis
- Data Flow: Real-time events → Kafka → ClickHouse (client-side error analytics)
- Data Elements: Page views, user interactions, performance metrics, error logs
- Legal Basis: Legitimate interests, consent (non-essential analytics)
- Pseudonymization: Device IDs pseudonymized after 12 months
- Retention: 24 months for analytics data
System and Infrastructure Logs:
- Sources: API gateway, microservices, cloud infrastructure
- Data Elements: IP addresses, timestamps, request/response metadata, system performance metrics
- Storage: Elasticsearch for real-time data, PostgreSQL as the long-term analytics warehouse
- Legal Basis: Legitimate interests (system security and performance)
- Retention: 12 months for operational logs, 5 years for security incidents
Device and Technical Information:
- Collection Method: HTTP headers, SDK telemetry, browser fingerprinting
- Data Elements: Device identifiers, browser type, OS version, language preferences
- Security Processing: Used for fraud detection and account security
- Legal Basis: Legitimate interests, contract performance (security)
- RBAC Integration: Technical data used for role-based access control decisions
Network and Security Data:
- Sources: CDN logs, security scanning, threat detection systems
- Processing: Real-time security analysis, intrusion detection
- Integration: OFAC/EU sanctions screening via Accuity integration
- Legal Basis: Legal obligation (sanctions compliance), legitimate interests (security)
- Retention: 5 years for security incidents, 12 months for routine monitoring
5.3 Third-Party Sources and Supplier Integration
Global Distribution Systems and NDC Sources:
- Suppliers: Amadeus, Sabre, Travelport, direct airline NDC connections
- Data Elements: PNRs, ticket status, flight schedules, fare rules, seat maps
- Processing: Real-time booking data cached in Elasticsearch, with long-term storage in PostgreSQL
- Legal Basis: Contract performance, legitimate interests
- IATA Compliance: NDC Level 4 certification requirements
Hotel and Accommodation Partners:
- Sources: Hotelbeds, direct hotel connections, property management systems
- Data Elements: Reservation confirmations, guest preferences, property information
- Integration: Real-time availability and booking confirmation APIs
- Legal Basis: Contract performance (booking fulfillment)
- Data Retention: 7 years per hospitality industry requirements
BYOS (Bring Your Own Supplier) Integrations:
- Model: Client-proprietary GDS/NDC or hotel sources connected via the orchestration layer
- Data Handling: Client maintains control over supplier relationships and data flows
- OnArrival Role: Technology facilitation only (data processor role)
- Legal Framework: Separate data processing agreements for each BYOS integration
- Client Responsibility: Supplier terms compliance and data protection obligations
Fraud Prevention and Risk Scoring:
- Vendors: Accuity (sanctions screening), specialized fraud detection services
- Data Elements: Risk scores, identity verification results, sanctions screening outcomes
- Processing Purpose: OFAC, EU sanctions compliance, fraud prevention
- Legal Basis: Legal obligation (sanctions compliance), legitimate interests (fraud prevention)
- Enhanced Security: Real-time screening with automated flagging and manual review procedures
Revenue Management and Pricing Intelligence:
- Sources: Market data providers, competitive intelligence platforms
- Data Elements: Market pricing trends, demand forecasting, competitive analysis
- Usage: Dynamic pricing optimization, inventory management
- Legal Basis: Legitimate interests (business optimization)
- Data Minimization: Aggregated market data without individual traveler profiling
6. Data Processing Purposes and Activities
6.1 Primary Business Functions
Travel Service Delivery:
- Activities: Booking processing, itinerary management, service fulfillment
- Data Used: Identity, travel preferences, payment information
- Legal Basis: Contract performance
- Automated Decision-Making: Dynamic pricing algorithms, availability optimization
- Human Oversight: Customer service escalation procedures
Customer Relationship Management:
- Activities: Account management, customer support, relationship building
- Data Used: Contact information, service history, communication records
- Legal Basis: Contract performance, legitimate interests
- Retention: 5 years post-relationship end
- Cross-Team Access: Role-based with audit logging
Payment and Financial Operations:
- Activities: Transaction processing, refund management, financial reconciliation
- Data Used: Payment details, billing information, transaction history
- Legal Basis: Contract performance, legal obligation
- PCI Compliance: Annual SAQ-D validation, quarterly vulnerability scans
- Financial Record Keeping: 7-year retention per regulatory requirements
Security and Fraud Prevention:
- Activities: Threat detection, fraud scoring, security monitoring
- Data Used: Device data, behavioral patterns, transaction anomalies
- Legal Basis: Legitimate interests, legal obligation
- Automated Systems: ML-based fraud detection with human review triggers
- Alert Thresholds: Defined escalation procedures for high-risk activities
Analytics and Performance Optimization:
- Activities: Usage analysis, performance monitoring, service improvement
- Data Used: Aggregated usage data, performance metrics, user feedback
- Legal Basis: Legitimate interests, consent
- Data Minimization: Statistical aggregation, individual de-identification
- Insight Generation: Trend analysis without personal profiling
Developer Platform Support:
- Activities: API monitoring, usage metering, developer assistance
- Data Used: API usage logs, developer contact information, integration data
- Legal Basis: Contract performance (Developer Agreement)
- Rate Limiting: Automated enforcement with appeal mechanisms
- Support Documentation: Privacy-preserving debugging and assistance
6.3 Marketing and Communication
Direct Marketing (Existing Customers):
- Activities: Service updates, promotional offers, product announcements
- Data Used: Contact preferences, service history, interaction data
- Legal Basis: Legitimate interests (with soft opt-in), explicit consent
- Opt-Out: One-click unsubscribe, granular preference management
- Frequency Limits: Respectful communication cadence policies
Targeted Advertising:
- Activities: Personalized ads, retargeting campaigns, lookalike audiences
- Data Used: Behavioral data, demographic information, interest profiles
- Legal Basis: Explicit consent, legitimate interests (with balancing test)
- Third-Party Sharing: Limited to advertising partners with data processing agreements
- User Controls: Advertising preference center, opt-out mechanisms
Market Research and Surveys:
- Activities: Customer feedback collection, market analysis, product development
- Data Used: Survey responses, usage patterns, demographic data
- Legal Basis: Explicit consent, legitimate interests
- Anonymization: Individual responses aggregated and anonymized
- Participation: Voluntary with clear purpose explanation
7. Cookie Policy and Tracking Technologies
7.1 Cookie Classification and Consent
Strictly Necessary Cookies (No Consent Required):
- Purpose: Authentication, security, load balancing, checkout process
- Examples: Session IDs, CSRF tokens, shopping cart persistence
- Retention: Session duration or 30 days maximum
- Cannot be Disabled: Essential for service functionality
Functional Cookies (Implied Consent):
- Purpose: Language preferences, accessibility settings, user customization
- Examples: Language selection, UI preferences, recently viewed items
- Retention: 12 months
- User Control: Can be disabled with service limitations
Analytics Cookies (Explicit Consent Required):
- Purpose: Usage measurement, performance monitoring, service improvement
- Examples: Google Analytics, custom analytics platform
- Data Processing: IP anonymization, data retention limits
- Retention: 24 months
- Opt-Out: Available through cookie preferences or browser settings
Marketing Cookies (Explicit Consent Required):
- Purpose: Advertising personalization, campaign measurement, retargeting
- Examples: Google Ads, Facebook Pixel, affiliate tracking
- Third-Party Sharing: Limited to advertising partners with contracts
- Retention: 12 months
- Controls: Granular consent options, easy withdrawal
Implementation Features:
- Granular Controls: Category-specific consent options
- Vendor Management: Individual third-party service controls
- Consent Withdrawal: One-click withdrawal mechanisms
- Cross-Domain Sync: Consistent consent across OnArrival properties
- Mobile Integration: SDK-based consent for mobile applications
Compliance Features:
- Consent Records: Timestamped proof of consent with IP logging
- Refresh Mechanisms: Annual consent renewal requests
- Age Verification: Enhanced protections for users under 16
- Jurisdiction Detection: Automatic compliance rule application
7.3 Alternative Tracking Technologies
Mobile SDK Data Collection:
- App Analytics: Usage patterns, feature adoption, performance metrics
- Crash Reporting: Anonymized error logs and stack traces
- Push Notifications: Delivery confirmation and engagement tracking
- Offline Sync: Local data storage with privacy controls
Server-Side Tracking:
- First-Party Analytics: Cookie-less tracking alternatives
- API Usage Monitoring: Developer platform usage and performance
- Security Logging: Access attempts and authentication events
- Business Intelligence: Aggregated reporting and trend analysis
8. Data Sharing and Third-Party Disclosure
8.1 Service Provider Categories
Travel Industry Partners:
- Airlines: PNR creation, seat assignments, special services, schedule changes
- Hotels: Reservation management, guest preferences, loyalty integration
- Ground Transport: Car rentals, transfers, ride-sharing coordination
- Insurance Providers: Policy issuance, claims processing, coverage verification
- Legal Safeguards: Standard contractual clauses, joint controller agreements
- Data Minimization: Only necessary data for service delivery
Technology Infrastructure Providers:
- Cloud Platforms: AWS, Microsoft Azure, Google Cloud (with DPAs)
- CDN Services: Content delivery and performance optimization
- Monitoring Tools: Application performance and security monitoring
- Analytics Platforms: Usage analysis and business intelligence
- Security Controls: SOC 2 certification requirements, encryption standards
Financial Service Providers:
- Payment Gateways: Transaction processing, fraud detection, settlement
- Banking Partners: Refund processing, currency conversion, wire transfers
- Financial Verification: Credit checks, payment method validation
- Compliance Requirements: PCI DSS adherence, financial regulation compliance
8.2 Legal and Regulatory Disclosure
Government and Law Enforcement:
- Legal Process: Court orders, subpoenas, search warrants
- National Security: Lawful government access requests
- Regulatory Authorities: DGCA, RBI, tax authorities, data protection authorities
- Public Safety: Emergency situations, threat response
- Disclosure Principles: Legal basis verification, data minimization, user notification where legally permitted
Compliance and Audit:
- External Auditors: SOC 2, ISO 27001, PCI DSS compliance verification
- Legal Advisors: Privileged legal consultation and representation
- Regulatory Reporting: Mandatory statistical and compliance reporting
- Industry Bodies: IATA, PATA, travel industry association requirements
8.3 Business Transfer Scenarios
Merger and Acquisition:
- Due Diligence: Limited disclosure under confidentiality agreements
- Asset Transfer: Full data transfer with successor liability
- User Notification: 30-day advance notice of ownership changes
- Choice Provision: Opt-out mechanisms for data transfer objections
Business Restructuring:
- Subsidiary Creation: Internal restructuring with continued protection
- Partnership Changes: New partner integration with privacy assessments
- Service Transfer: Migration to new service providers with equivalent protection
9. International Data Transfers
9.1 Transfer Mechanisms and Safeguards
Adequacy Decisions (GDPR Art. 45):
- Current Adequate Countries: Japan, South Korea, Israel (for applicable transfers)
- Monitoring: Regular review of adequacy decision status
- Alternative Mechanisms: SCCs ready for adequacy decision changes
Standard Contractual Clauses (GDPR Art. 46(2)(c)):
- Implementation: EU Commission SCCs (2021/914) for all non-adequate transfers
- Customization: Additional safeguards based on transfer impact assessments
- Supplier Requirements: All processors must execute SCCs or equivalent
- Regular Review: Annual assessment of SCC effectiveness
Binding Corporate Rules (BCRs):
- Development Status: BCR application in progress with lead supervisory authority
- Scope: Global OnArrival group entities and subsidiaries
- Approval Timeline: Expected completion within 18 months
- Interim Measures: SCCs remain in place during BCR approval process
9.2 Transfer Impact Assessments (TIAs)
High-Risk Jurisdiction Assessment:
- Government Access Laws: Analysis of surveillance and data access legislation
- Legal Remedies: Availability of effective legal protection and redress
- Practical Enforceability: Real-world ability to exercise data subject rights
- Additional Safeguards: Enhanced security and access controls
Supplementary Measures:
- Technical Safeguards: End-to-end encryption, pseudonymization, data segregation
- Organizational Safeguards: Enhanced access controls, audit requirements, breach protocols
- Contractual Safeguards: Additional processor obligations, liability provisions
- Ongoing Monitoring: Regular assessment of political and legal developments
9.3 Specific Transfer Scenarios
US Transfers (Post-Schrems II Compliance):
- Legal Basis: SCCs with supplementary measures
- Risk Assessment: Documented TIA for US government access risks
- Safeguards: Data encryption, legal challenge commitments, transparency reporting
- Processor Selection: Preference for EU/adequate country alternatives where feasible
Asia-Pacific Transfers:
- Singapore: Adequate country status under consideration, SCCs currently used
- India: Domestic processing with strong local data protection laws
- Australia: SCCs with assessment of government access legislation
- Japan: Adequacy decision allows direct transfers
10. Data Retention and Lifecycle Management
10.1 Retention Schedule by Data Category
Travel Booking and Transaction Data:
- Active Bookings: Duration of travel service + 7 years
- Payment Records: 7 years from transaction date (financial record requirements)
- Cancelled Bookings: 3 years from cancellation (dispute resolution)
- Refund Processing: 7 years from refund completion
- Legal Basis: Regulatory obligations, legitimate interests (audit, taxation)
Customer Account and Profile Data:
- Active Accounts: Duration of customer relationship + 2 years
- Inactive Accounts: 3 years from last login/activity
- Marketing Preferences: Until withdrawn + 30 days (suppression list maintenance)
- Customer Support: 5 years from case closure
- Deletion Triggers: Account closure request, inactivity thresholds
Technical and System Data:
- Application Logs: 12 months from creation
- Security Logs: 5 years from incident (security investigation needs)
- Analytics Data: 24 months (pseudonymized after 12 months)
- Performance Metrics: 18 months from collection
- Pseudonymization: Automated pseudonymization of aging personal identifiers
Special Category and Sensitive Data:
- Health Information: Deleted after travel completion + 30 days
- Biometric Data: Immediate deletion after verification (where used)
- Government IDs: 7 years (regulatory compliance) with enhanced security
- Location Data: 12 months for precise location, 24 months for approximate location
- Enhanced Protection: Additional encryption, restricted access controls
10.2 Automated Data Lifecycle Management
Retention Policy Enforcement:
- Automated Deletion: Scheduled purging based on retention schedules
- Data Classification: Automated tagging and lifecycle tracking
- Exception Handling: Legal hold procedures for litigation/investigation
- Audit Trails: Comprehensive logging of all data lifecycle events
Data Minimization Procedures:
- Purpose Limitation: Regular review of processing purposes vs. data held
- Accuracy Maintenance: Automated data quality checks and correction prompts
- Storage Limitation: Progressive data reduction and archiving procedures
- Technical Implementation: Database triggers, automated workflows
11. Security Measures and Technical Safeguards
11.1 Technical Security Controls
Encryption and Cryptography:
- Data in Transit: TLS 1.3 with perfect forward secrecy for all communications
- Data at Rest: AES-256 encryption for databases, file systems, and backups
- Key Management: HSM-based key storage with key rotation every 90 days
- Algorithm Standards: NIST-approved cryptographic algorithms only
- Certificate Management: Automated certificate renewal with security monitoring
Access Controls and Authentication:
- Multi-Factor Authentication: Required for all administrative access
- Role-Based Access Control: Principle of least privilege with regular review
- Privileged Access Management: Just-in-time elevation with approval workflows
- Session Management: Automated timeout, concurrent session limits
- Identity Federation: SSO integration with enterprise identity providers
Network and Infrastructure Security:
- Network Segmentation: Microsegmentation with zero-trust architecture
- Firewall Protection: Next-generation firewalls with intrusion prevention
- DDoS Protection: Multi-layer DDoS mitigation with automatic scaling
- Vulnerability Management: Continuous scanning with automated patching
- Security Monitoring: 24/7 SOC with SIEM and behavioral analytics
11.2 Organizational Security Measures
Security Governance:
- Information Security Policy: Board-approved with annual review
- Risk Management: Regular risk assessments and treatment planning
- Incident Response: Documented procedures with regulatory notification protocols
- Business Continuity: Disaster recovery testing and backup procedures
- Vendor Management: Security assessments for all third-party processors
Personnel Security:
- Background Checks: Security screening for all employees with data access
- Security Training: Annual privacy and security awareness programs
- Access Reviews: Quarterly access certification and privilege validation
- Departure Procedures: Immediate access revocation and asset return
- Confidentiality Agreements: Binding confidentiality and data protection clauses
11.3 Compliance Certifications and Audits
Industry Certifications:
- SOC 2 Type II: Annual independent audits of security and privacy controls
- ISO 27001:2022: Certified information security management system
- PCI DSS Level 1: Annual compliance validation for payment processing
- Cloud Security Alliance: CSA Star certification for cloud security
Regular Assessments:
- Penetration Testing: Quarterly external security assessments
- Vulnerability Scanning: Continuous automated scanning with manual validation
- Code Review: Security code review for all software releases
- Privacy Audits: Annual privacy compliance assessments
- Third-Party Validation: Independent security and privacy certification bodies
12. Individual Rights and Data Subject Controls
12.1 Fundamental Rights Under GDPR
Right of Access (Art. 15):
- Scope: Complete personal data inventory with processing details
- Response Time: 30 days (extendable to 60 days for complex requests)
- Format: Human-readable summary plus machine-readable data export
- Information Provided: Processing purposes, categories, recipients, retention periods, source information
- Request Methods: Online portal, email, or postal mail with identity verification
Right to Rectification (Art. 16):
- Scope: Correction of inaccurate or incomplete personal data
- Proactive Tools: Online profile management with real-time updates
- Downstream Updates: Notification to recipients where feasible and appropriate
- Verification: Reasonable steps to verify correction accuracy
- Response Time: 30 days with confirmation of actions taken
Right to Erasure/Right to be Forgotten (Art. 17):
- Grounds: Purpose fulfillment, consent withdrawal, unlawful processing, legal obligation
- Limitations: Legal obligations, freedom of expression, public interest, legal claims
- Technical Implementation: Secure deletion with verification procedures
- Third-Party Notification: Best efforts to inform recipients of erasure requests
- Backup Procedures: Safeguards preventing restoration of erased data from backup systems
Right to Data Portability (Art. 20):
- Scope: Structured, commonly used, machine-readable format
- Applicable Data: Provided by data subject or observed from their use of services
- Direct Transfer: Where technically feasible, direct transfer to another controller
- Format Options: JSON, CSV, XML with standardized schemas
- Limitations: Does not apply to inferred or derived data
Right to Object (Art. 21):
- Direct Marketing: Absolute right with immediate effect
- Legitimate Interests: Conditional right requiring compelling legitimate grounds assessment
- Profiling: Specific protections against automated individual decision-making
- Implementation: Clear opt-out mechanisms with confirmation procedures
- Granular Controls: Specific objection to particular processing purposes
Right to Restriction (Art. 18):
- Circumstances: Accuracy disputes, unlawful processing, legal claims, objection pending
- Implementation: Processing limitation markers in systems
- Permitted Processing: Storage, consent-based processing, legal claims, third-party protection
- Notification: Advance notice before restriction lifting
- Technical Controls: System flags preventing automated processing
12.2 Automated Decision-Making and Profiling
Automated Decision-Making Protections (Art. 22):
- Scope: Decisions producing legal effects or similarly significant effects
- Current Applications: Fraud detection, dynamic pricing, booking optimization
- Safeguards: Human intervention rights, explanation provision, decision contestation
- Transparency: Clear information about logic, significance, and consequences
- Regular Review: Periodic assessment of automated decision-making fairness and accuracy
Profiling Transparency:
- Profile Categories: Travel preferences, risk assessments, marketing segments
- Data Sources: Explicit declarations, behavioral observations, third-party enrichment
- User Controls: Profile viewing, correction, and deletion options
- Opt-Out Rights: Granular controls for different profiling purposes
- Non-Discrimination: Safeguards against discriminatory profiling practices
12.3 Rights Exercise Mechanisms
Self-Service Privacy Dashboard:
- Account Access: Real-time view of personal data and processing activities
- Preference Management: Granular privacy and communication controls
- Request Submission: Online forms for formal rights requests
- Status Tracking: Real-time updates on request processing status
- Data Export: Self-service data portability with secure download
Assisted Rights Exercise:
- Email Requests: privacy@onarrival.com with dedicated response team
- Phone Support: Multilingual privacy helpline during business hours
- Postal Requests: Formal written request procedures with identity verification
- Third-Party Representation: Authorized representative procedures with power of attorney
- Priority Handling: Expedited processing for vulnerable individuals
13. Children's Privacy and Special Protections
13.1 Age Verification and Restrictions
Minimum Age Requirements:
- Primary Services: 16 years minimum (GDPR Art. 8 compliance)
- Marketing Communications: 18 years minimum for direct marketing
- Account Creation: Age verification at registration with document validation
- Parental Consent: Required before processing the data of users under 16 years
- Educational Exception: School group bookings with institutional consent
Enhanced Protections for Minors:
- Data Minimization: Stricter necessity assessment for minors' data
- Consent Verification: Enhanced parental consent verification procedures
- Marketing Restrictions: No behavioral advertising to users under 18
- Right to Erasure: Expedited deletion rights for data collected when under 16
- Regular Review: Annual assessment of the necessity of processing minors' data
13.2 Family Travel Considerations
Family Account Management:
- Parental Controls: Parent/guardian oversight of minors' travel data
- Consent Management: Family-level consent with individual granular controls
- Emergency Contacts: Mandatory guardian information for unaccompanied minors
- Data Sharing: Limited family member data sharing with explicit consent
- Age Transition: Automatic transfer of account control when the minor reaches the age of majority
Educational and Youth Programs:
- Institutional Consent: School/organization consent for group travel programs
- Enhanced Safeguards: Additional security and privacy controls for youth data
- Limited Retention: Shorter data retention periods for educational programs
- Opt-Out Rights: Enhanced withdrawal rights for parents and guardians
- Supervision Requirements: Adult supervision coordination for group travel
14. Data Breach Notification and Incident Response
14.1 Breach Detection and Assessment
Continuous Monitoring:
- Automated Detection: 24/7 security monitoring with anomaly detection
- Employee Reporting: Mandatory incident reporting within 2 hours of discovery
- Third-Party Notification: Processor breach notification within 24 hours
- Initial Assessment: Immediate risk evaluation and containment procedures
- Forensic Investigation: Detailed analysis of breach scope and impact
Risk Assessment Framework:
- Data Sensitivity: Classification-based impact assessment
- Affected Individuals: Number and vulnerability of impacted data subjects
- Likelihood of Harm: Probability assessment based on breach characteristics
- Mitigation Factors: Existing safeguards and remedial actions taken
- Regulatory Implications: Multi-jurisdiction notification requirements
14.2 Regulatory Notification Procedures
Supervisory Authority Notification (GDPR Art. 33):
- Timeline: Within 72 hours of becoming aware of breach
- Lead Authority: Irish Data Protection Commission (OnArrival's lead supervisory authority)
- Content Requirements: Nature of breach, categories and number of data subjects, likely consequences, measures taken
- Delay Justification: Documented reasons if 72-hour deadline cannot be met
- Follow-Up: Additional information provided within 14 days of initial notification
Data Subject Notification (GDPR Art. 34):
- High Risk Threshold: Likely to result in high risk to rights and freedoms
- Timeline: Without undue delay after supervisory authority notification
- Communication Method: Direct communication unless disproportionately difficult
- Content: Plain language description of breach, likely consequences, measures taken, contact point
- Exceptions: Technical safeguards rendering data unintelligible, public communication alternative
Multi-Jurisdictional Compliance:
- DPDP Act: Notification to Indian CERT-In and Data Protection Board
- CCPA: California Attorney General notification within specified timeframes
- State Laws: US state-specific breach notification requirements
- Corporate Clients: Contractual notification obligations for processor breaches
14.3 Incident Response and Recovery
Immediate Response Procedures:
- Containment: Immediate isolation of affected systems and data
- Preservation: Forensic evidence preservation for investigation
- Communication: Internal incident response team activation
- External Support: Engagement of cybersecurity and legal experts
- Business Continuity: Service restoration with enhanced security measures
Recovery and Lessons Learned:
- Root Cause Analysis: Comprehensive investigation of breach causes
- System Remediation: Security improvements and vulnerability patches
- Process Enhancement: Incident response procedure updates
- Staff Training: Additional security awareness and response training
- Regular Testing: Incident response plan testing and validation
15. Privacy Governance and Accountability
15.1 Privacy Management Structure
Data Protection Officer (DPO):
- Qualifications: CIPP/E, CIPM certified with 10+ years privacy experience
- Independence: Direct reporting to executive leadership, conflict-free role
- Responsibilities: Privacy compliance oversight, training delivery, authority cooperation
- Contact: dpo@onarrival.com, +91 80 1234 5678
- Availability: Accessible to data subjects and supervisory authorities
Privacy Governance Committee:
- Composition: DPO, Legal, Security, Engineering, Product, and Business representatives
- Mandate: Privacy risk oversight, policy approval, incident escalation
- Meetings: Monthly governance meetings with quarterly executive reviews
- Documentation: Meeting minutes and decision records maintained
- Authority: Decision-making power for privacy-related business matters
Privacy by Design Implementation:
- Product Development: Privacy impact assessments for all new features
- Data Minimization: Default privacy-friendly settings and configurations
- Transparency: Clear privacy information at point of data collection
- User Control: Granular privacy controls and preference management
- Accountability: Privacy compliance metrics and reporting
15.2 Data Protection Impact Assessments (DPIAs)
DPIA Triggers (GDPR Art. 35):
- High Risk Processing: Large-scale special category data processing
- Automated Decision-Making: Profiling with legal or significant effects
- Systematic Monitoring: Large-scale behavioral observation
- New Technologies: Innovative data processing technologies
- Vulnerable Groups: Processing of children's or sensitive population data
DPIA Process:
- Scoping: Processing activity description and necessity assessment
- Risk Assessment: Systematic identification and evaluation of privacy risks
- Safeguards: Identification and implementation of risk mitigation measures
- Consultation: DPO consultation and supervisory authority engagement where required
- Review: Regular DPIA updates for significant processing changes
DPIA Documentation:
- Processing Description: Detailed activity description and data flows
- Necessity Assessment: Proportionality and purpose limitation analysis
- Risk Matrix: Likelihood and impact assessment with mitigation strategies
- Consultation Records: DPO advice and supervisory authority interactions
- Decision Rationale: Executive decision documentation and approval
15.3 Vendor and Third-Party Management
Due Diligence Requirements:
- Security Assessment: Comprehensive security and privacy evaluation
- Certification Verification: SOC 2, ISO 27001, and relevant compliance confirmations
- Contract Standards: Mandatory data processing agreement requirements
- Ongoing Monitoring: Regular vendor compliance assessments and audits
- Incident Procedures: Vendor breach notification and response requirements
Data Processing Agreements (DPAs):
- GDPR Art. 28 Compliance: All processor relationships governed by compliant DPAs
- Standard Terms: Standardized DPA templates with security and privacy requirements
- Audit Rights: Regular audit and inspection provisions
- Subprocessor Management: Prior authorization and notification requirements
- Data Transfer: International transfer safeguards and mechanisms
16. Transparency and Reporting
16.1 Privacy Metrics and KPIs
Rights Exercise Statistics:
- Request Volume: Monthly data subject request volumes by type and region
- Response Times: Average and maximum response times for each right type
- Request Outcomes: Approval, denial, and partial fulfillment rates with rationale
- User Satisfaction: Privacy request satisfaction surveys and feedback analysis
- Trend Analysis: Year-over-year trends and seasonal variations
Compliance Metrics:
- Consent Rates: Granular consent acceptance and withdrawal rates by category
- Data Minimization: Regular assessment of data collection necessity and proportionality
- Retention Compliance: Automated deletion execution rates and manual review exceptions
- Training Completion: Employee privacy training completion rates and assessment scores
- Incident Statistics: Security incident frequency, impact, and response effectiveness
16.2 Annual Transparency Report
Public Reporting Commitments:
- Government Requests: Anonymized statistics on law enforcement and regulatory requests
- Data Subject Rights: Aggregated rights exercise statistics and trends
- Security Incidents: General incident statistics without compromising security
- Privacy Investments: Organizational privacy program investments and improvements
- Regulatory Cooperation: Supervisory authority interactions and guidance implementation
Stakeholder Communication:
- User Communications: Regular privacy program updates and enhancement notifications
- Partner Updates: Privacy requirement changes affecting business partners
- Industry Participation: Privacy standard development and best practice sharing
- Academic Collaboration: Privacy research participation and publication support
- Regulatory Engagement: Proactive engagement with privacy authorities and policy development
Primary Data Protection Officer:
- Name: Priya Sharma, CIPP/E, CIPM
- Email: dpo@onarrival.com
- Phone: +91 80 1234 5678
- Office Hours: Monday-Friday, 9:00 AM - 6:00 PM IST
- Languages: English, Hindi, Kannada
Regional Privacy Contacts:
- EU/EEA Region: privacy-eu@onarrival.com | +49 30 1234 5678
- United Kingdom: privacy-uk@onarrival.com | +44 20 1234 5678
- United States: privacy-us@onarrival.com | +1 415 123 4567
- Asia-Pacific: privacy-apac@onarrival.com | +65 6123 4567
Postal Address:
OnArrival Travel Tech Pvt. Ltd.
Data Protection Office
9th Floor, Infinity Tower
Koramangala 4th Block
Bangalore 560095, Karnataka, India
17.2 Complaint and Escalation Procedures
Internal Complaint Process:
- Initial Contact: Privacy team investigation within 5 business days
- Escalation: DPO review and response within 15 business days
- Executive Review: C-level escalation for unresolved complaints
- Resolution: Comprehensive response with corrective actions where appropriate
- Follow-Up: Satisfaction confirmation and process improvement implementation
Supervisory Authority Rights:
Users have the right to lodge complaints with relevant supervisory authorities:
EU/EEA Data Subjects:
UK Data Subjects:
Indian Data Subjects:
- Authority: Data Protection Board of India (when established)
- Contact: As notified by the Data Protection Board
- Interim: Ministry of Electronics and Information Technology
California Residents:
18. Policy Updates and Amendments
18.1 Change Management Process
Material Change Definition: