Scope & Applicability: This policy applies to anyone who visits www.firguntravels.com, uses our mobile apps, or books travel services (flights, hotels, tours, etc.) with Firgun Travels (“Firgun”, “we”, “us”, “our”). It covers all personal and travel-related data collected during inquiries, bookings, inquiries and any Firgun-managed tours. It does not cover websites or services of third parties (airlines, hotels, payment gateways) linked from our site.

We operate primarily in India; your data will be stored and processed in India (and abroad with consent if needed for travel services). By using Firgun’s services, you consent to this policy. If you do not agree, please do not use our services.

Executive Summary

Firgun Travels values your privacy and handles your information with care and transparency. We collect personal and travel-related data (name, contact, IDs, payment, itinerary, etc.) only to deliver travel services, comply with laws, and improve your experience. We rely on your consent and the need to fulfill our bookings (contract), as well as legal obligations, as lawful bases for processing. We share information only with trusted partners (hotels, airlines, payment processors, permit authorities, analytics, etc.) under confidentiality.

We use cookies for site functionality, analytics, and optional personalization – you can opt out via your browser. We retain data only as long as necessary (e.g. bookings: ~7 years for tax/legal reasons; marketing data: until you unsubscribe; cookies: session or up to 1 year). We protect your data with industry-standard security (encryption, access controls) and comply with India’s IT Act and privacy rules (DPDP Act phases in by 2027). You have rights to access, correct, delete, port, or restrict your data; you can withdraw consent anytime or lodge complaints. Please read on for details, and contact us for any questions.

Data Collected

We collect various categories of information from you:

Personal Data: Identifiers and contact (name, email, phone, postal address, age/DOB, gender, nationality).

Government/Travel IDs: Passport, visa details, Aadhaar/ID proofs, driver’s license (for visa or bookings).

Payment Data: Credit/debit card or bank account details, billing address (collected via PCI-compliant gateway; CVV is not stored).

Travel & Booking Data: Itinerary details, PNR/PNRs, booking history, co-traveler info (with their consent), loyalty program numbers, travel preferences (meal, seat, etc.), special requests, ticketing or visa documents.

Communication Data: Any messages or correspondence you send us (emails, chats, feedback), call recordings (if support calls are recorded).

Technical/Automatic Data: IP address, browser type, device model, OS, location data (if app permissions granted), web session data, cookies, and log data (pages visited, search terms, etc.).

Sensitive Data: Health or disability details (for special assistance or regulatory compliance), dietary needs (for meal preferences); Covid-19 vaccination status or certificates (if required by carriers); we do not collect sensitive traits like race, religion, or biometric data.

We collect data you provide directly (e.g. account registration, booking forms, profiles, documents for visa or hotel check-in) and indirectly (e.g. analytics providers, social media login info). We encourage you to keep data accurate and up-to-date. If you provide information about others (e.g. co-traveler), you must have their consent to share it.

Lawful Basis for Processing
Under Indian law (IT Act 2000 and rules) and best practice, we process data on these bases:

Contract: Data is needed to perform our travel booking contract with you (e.g. name and IDs to book flights, hotels).

Legal Obligation: We must process data to comply with laws (e.g. tax laws, foreign remittance rules, safety regulations).

Consent: For uses beyond core service (e.g. marketing communications, optional features) we rely on your explicit consent. You may withdraw consent at any time without affecting contractual obligations.

Legitimate Interests: In limited cases (e.g. fraud prevention, system security, improving our site) we process data for our business interests provided it does not override your rights.

For example, we’ll use your data to confirm bookings and send alerts (contract), share details with tax authorities if required (legal), send you tour recommendations if you opted in (consent), and detect unusual login attempts (legitimate interest). We do not use data in any way that would unfairly harm your interests.

Purposes of Processing

We use your information for these primary purposes:

Service Delivery: To create and manage your bookings (flights, hotels, tours, etc.), issue tickets and visas, send confirmations, and deliver the travel services you request. This includes sharing necessary details (names, passport, preferences) with airlines, hotels, tour operators, visa agencies, and relevant authorities to make your travel happen.

Customer Support: To respond to your inquiries, provide help (via email, phone, chat), handle changes or cancellations, and improve our support.

Communications: To send you transactional messages about your bookings (itineraries, alerts) and to verify your identity during account/login. We may also send administrative notices.

Marketing & Offers: If you opt-in or haven’t opted out, we send travel deals, newsletters, and promotions by email, SMS or WhatsApp. (You can unsubscribe anytime.) We may combine data points to personalize offers. We do not sell or trade your data.

Improvement & Analytics: To analyze how our services are used, maintain and improve our website/apps (performance analytics), and conduct market research. We may also ask for feedback to improve future trips.

Fraud/Spam Prevention: To detect and prevent fraud, unauthorized use, and to ensure payments are secure (including PCI compliance). For example, analyzing IP/address logs to spot unusual activity.

Legal Compliance: To comply with laws and regulations (e.g. keeping records for taxation for up to 7 years), cooperate with government or law enforcement requests, and enforce our Terms of Service.

Every use of your data falls into one of these. We will only process your personal data in ways that respect your rights and remain consistent with what we’ve told you.

Cookies & Tracking Technologies

Like most travel sites, we use cookies and similar tools to make our site work and to understand how visitors use it:

Essential Cookies: Required for the site to function (e.g. keeping you logged in during a session).

Performance/Analytics Cookies: We use cookies (e.g. Google Analytics) to collect non-identifiable usage data – pages visited, searches, etc. – to improve site performance and design.

Functional Cookies: Remember choices you make (like language or login) to improve experience.

Advertising/Targeting Cookies: Used by third parties (Google/Facebook/ads partners) to show you relevant ads and to measure ad effectiveness.

Most cookies are session cookies (deleted when you close your browser), while some are persistent (stored up to 1 year). You can control or disable cookies in your browser – for example, block all cookies or get notified when a cookie is set. Disabling cookies may impair some site features. For details, refer to our [Cookie Policy].

We do not use cookies to collect new personal information. We keep cookie data separate from personal data – you generally can’t be directly identified from them unless you log in.

Data Sharing

We share your data only with parties necessary to provide services or comply with laws:

Service Providers: Airlines, hotels, transport, tour operators and guides (to fulfill your itinerary). For example, if you book a tour, we share names and contact info with the tour company.

Payment Processors: We send payment details (card or bank info) to secure payment gateways (Razorpay, etc.) to process transactions. We never store your full card data on our servers.

Government/Permit Authorities: When required (mountain permits, visas, national parks), we share data like name, passport, nationality with government agencies or local authorities.

Travel and Visa Partners: Foreign exchange, visa agencies, etc., where you requested these services. (E.g., we share passport/financial documents with visa consultants if you asked.)

Analytics and Marketing Partners: Aggregated or anonymized data with analytics firms (like Google) to optimize our website, or with marketing partners (email/SMS providers) to send you offers. We contractually restrict them to use data only for those tasks.

Affiliates and Group Companies: If Firgun operates any sister brands, we may share data internally for support or marketing (always under strict rules).

Third-Party Platforms: If you log in via Facebook/Google, those platforms may share your profile info (name, email) with us.

Legal Authorities: If required by law (court order, police request) or to enforce our rights, we may disclose necessary info to legal authorities.

We do NOT sell, rent or trade personal data. Any sharing is for delivering services or for our legitimate needs. All third parties are required to protect your information under agreements or under applicable law.

Example: If you book a flight, we share your name, passport, contact with the airline to issue tickets. If you pay by credit card, we share payment details with our bank/payment gateway. Analytics cookies may share usage stats with Google (anonymized).

Third-Party Links

Our site may link to other sites (e.g. hotels, airlines, travel blogs). This policy does not cover those sites. Firgun is not responsible for their privacy practices. We encourage you to review the privacy statements of any third-party site you visit via our links. For example, if you follow a link to a partner hotel, that hotel’s site has its own privacy policy.

Data Retention

We keep your information only as long as needed for the purposes above, and then securely delete or anonymize it. Typical retention periods:

Booking and Reservation Data: We retain records of your trips, payments, and receipts for ~7 years (to meet tax and accounting requirements). This aligns with general practice and protects both of us.

Account/Registration Data: If you create a Firgun account, we keep it while the account is active and for up to 7 years after inactivity, unless you request deletion sooner.

Communication Records: Support emails, chat logs, and call recordings are kept for about 3–5 years to address any disputes or service issues.

Payment Card Data: We do NOT store full card numbers. If you save a card on file, only limited tokenized data or last 4 digits is kept, according to PCI rules (with automatic purge after 2 years).

Cookies and Log Data: Session cookies expire when you close the browser. Persistent cookies and local storage data (e.g. site preferences) are generally kept up to 1 year. Analytics logs are retained in aggregated form; IP addresses are usually removed or hashed after 6–12 months.

Marketing Data: We keep marketing opt-in records and mailing lists until you opt out or unsubscribe. Once you unsubscribe, we move you to a “no contact” list (kept for audit) but no longer send promotions.

Other Personal Data: We may retain other personal data (e.g. identity documents for visa) for up to 7 years or as long as required by law or business need. For instance, if you buy travel insurance, we may retain documents for the statute of limitations period in case of claims.

In all cases, once data is no longer needed and not required by law, we delete or anonymize it.

Retention References: This follows best practice (similar to other travel companies). For example, MakeMyTrip retains data only as long as needed or longer if required by law, and Thomas Cook similarly keeps data while necessary for contractual and legal purposes.

Data Security

We use reasonable technical and organizational measures to safeguard your data, including:

Encryption: All data in transit (website, APIs) is encrypted (HTTPS/TLS). Sensitive data (like saved card tokens, personal IDs) is encrypted at rest.

Access Controls: Only authorized employees and service providers can access personal data, on a “need to know” basis. We enforce strong password policies and (where feasible) two-factor authentication for access.

Network Security: Firewalls, intrusion detection, secure servers, and regular vulnerability scans protect our systems.

Employee Training: Staff are trained on data privacy, phishing awareness, and confidentiality. We have policies to promptly remove access when an employee leaves.

Contractual Safeguards: Partners (hotels, payment gateways, etc.) must follow data security practices; we require them to use encryption and not to further disclose your data except as needed for service.

Audits & Compliance: We periodically review our privacy and security practices to comply with India’s Information Technology Act (IT Act) requirements for “reasonable security practices” and industry standards.

Although we strive to protect your data, no system can be perfectly secure. In case of any data breach, we will follow legal requirements and notify affected users as described below.

Cross-Border Data Transfers

Firgun is based in India, and your data is primarily stored and processed here. However, travel is global and some transfers outside India may occur (for example, if you book a flight with a foreign airline, or if cloud backups are stored overseas).

If we transfer your data abroad (e.g. to airline servers in another country, or to a cloud service outside India), we will ensure appropriate safeguards (such as industry-standard agreements) or rely on your consent for the transfer. You understand that data protection laws vary by country. By using our service, you consent to international data transfers as needed for your trip.

For users outside India: India’s data protection laws may differ from your country’s. Firgun complies with Indian law, which (until DPDP Act is fully enforced) means the IT Act 2000 and Privacy Rules govern us.

Your Rights and Choices

Under current Indian law and emerging best practices, you have the following rights regarding your personal data with Firgun:

Access: You can request a copy of the personal information we hold about you.

Correction: You can ask us to correct or update inaccurate or incomplete data (e.g. change an old address or fix a misspelling).

Data Portability: Where feasible, you can request your data in a structured, commonly used format (for example, your booking history).

Children’s Privacy

Firgun’s services are intended for travelers aged 18 and above. We do not knowingly collect personal data from children under 18 without parental consent. If a child is traveling, any booking made is by a parent/guardian who consents to providing the child’s information (e.g. name, age).

If we learn that we have inadvertently collected personal data of a minor without consent, we will delete it immediately. If you are a parent or guardian and believe we have data of a child under 18, please contact us so we can remove it.

Marketing Communications & Opt-Out

By default, we do not send marketing messages unless you opt in (for newsletters/offers) or have shown interest in our deals. If you do receive marketing emails or SMS from us and wish to stop them, you can unsubscribe via the link or reply “STOP”, or email us. We do not share your contact info with other marketers for their direct use without your permission.

Even if you haven’t explicitly opted in, if we already have a transactional relationship (e.g. you booked with us), we may send you occasional relevant offers (as permitted by law) unless you opt out. You can opt out any time.

Photos & Media Consent

On our group trips or tours, Firgun staff or guides may take photographs or videos of participants. By joining a Firgun trip, you consent to Firgun using images or videos that may feature you in promotional materials (website, social media, brochures). We will not identify you by name without permission. If you do not want your image used, please tell your trip leader.

Breach Notification

In the unlikely event of a data breach that poses a risk to your data, we will promptly notify affected individuals and authorities as required by law. Under India’s IT Act, privacy breaches are penalized. While breach notification is not yet fully mandated, we commit to transparency: we will let you know promptly with recommended steps if any personal data of yours is exposed.

Changes to this Policy

We may update this Privacy Policy from time to time (e.g. for new services or legal changes). We will post the revised policy on our website with an updated effective date. If changes are material, we will highlight them (e.g. via email or site notice). We encourage you to review this policy periodically. Your continued use of our services after changes means you accept the new policy.

Contact & Grievance Officer

If you have questions or want to exercise your rights, contact Firgun Travels as below. Our Grievance Officer (required under India’s IT rules) will address your concerns:

Firgun Travels Pvt. Ltd.

Email: bookings@firguntravels.com (for data protection inquiries)

Grievance Officer: firguntravels@gmail.com

Ph: +91 9354867970

Our Data Protection Officer/Representative will also monitor compliance.