Privacy Policy

Effective Date: April 25, 2026 · Last Updated: April 25, 2026

We do not sell your personal data. Ever. This policy explains exactly what we collect, why, and how you can control it.

1. Overview

Itinera Technology Private Limited ("Itinera", "we", "our", or "us") operates the website itinera.in and the Itinera mobile applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

This policy is drafted in compliance with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 of India, as well as the principles of the EU General Data Protection Regulation (GDPR) for users in the European Economic Area.

By using the Service, you consent to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.

2. Information We Collect

2.1 Account & Identity Data

When you create an account, we collect:

  • Full name and email address
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Profile photo (optional, if you choose to upload one)
  • Phone number (optional, for account recovery)
  • Country of residence (for pricing and compliance)

2.2 Travel & Itinerary Data

  • Destinations, travel dates, group size, and budget preferences you enter
  • AI-generated itineraries saved to your account
  • Places, hotels, and restaurants you mark as visited or preferred
  • Group trip details: collaborators, shared expenses, and group chat messages

2.3 Payment & Billing Data

All payments are processed by Razorpay, a PCI-DSS Level 1 compliant payment gateway. We do not store credit card numbers, CVV codes, or full banking details on our servers. We receive and store:

  • Transaction ID and payment status
  • Subscription plan and billing period
  • Last 4 digits of card (provided by Razorpay for your reference only)

2.4 Usage & Technical Data

  • IP address, browser type, operating system, and device identifiers
  • Pages visited, features used, and time spent on the Service
  • Error logs and crash reports to improve reliability
  • Approximate geolocation (derived from IP address; we do not track GPS location)

2.5 Communications Data

If you contact our support team, we store the content of your messages and our responses to provide effective support and for quality assurance purposes.

3. How We Use Your Information

We use your data exclusively for the following purposes:

Service Delivery

To generate personalised itineraries, save your plans, authenticate your account, and display your travel history.

AI Personalisation

Your travel preferences and destinations inform the AI model's outputs. We do not use your data to train third-party AI models. Your data is used as context input, not as training material.

Billing & Subscription Management

To process payments, manage your subscription tier (Free, Explorer, Pro), issue refunds, and send receipts.

Communication

To send transactional emails (password resets, payment confirmations, itinerary exports). We will only send marketing emails if you have explicitly opted in, and you may unsubscribe at any time.

Safety & Security

To detect and prevent fraud, abuse, and unauthorised access to accounts.

Product Improvement

Aggregated, anonymised usage patterns help us identify which features to improve. This data cannot be traced back to you.

Legal Compliance

To comply with applicable laws, respond to lawful requests from government authorities, and enforce our Terms of Service.

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

OpenAI

Your trip inputs (destination, dates, preferences) are sent to OpenAI's API to generate itineraries. OpenAI does not use API-submitted data to train its models per their enterprise policy.

Razorpay

Payment processing. Razorpay receives billing information necessary to complete your transaction and is PCI-DSS Level 1 certified.

Google (Maps & Geocoding)

Destination names are geocoded via Google Maps API for paid-tier users to display accurate interactive maps. No personal identity data is shared with Google for this purpose.

Nominatim / OpenStreetMap

Free-tier users' destination queries are sent to the OpenStreetMap Nominatim API for geocoding. No account data is transmitted.

Cloud Infrastructure

Our servers are hosted on secure cloud infrastructure. Your data is stored in encrypted databases accessible only to authorised Itinera engineers.

Legal Authorities

We may disclose data if required by a valid court order, subpoena, or applicable law. We will notify you unless prohibited by law.

6. Data Retention

  • Account data: Retained for the lifetime of your account plus 30 days after deletion to allow recovery in case of accidental deletion.
  • Itineraries: Retained until you delete them or your account. Free users may have older itineraries archived after 12 months of inactivity.
  • Group chat messages: Retained for 30 days from the date of the message, then automatically purged.
  • Payment records: Retained for 7 years as required by Indian GST and accounting regulations.
  • Logs & analytics: Aggregated, anonymised usage logs retained for up to 12 months.
  • Support communications: Retained for 24 months for quality assurance.

7. Data Security

We implement industry-standard and best-practice security measures, including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Bcrypt hashing for all passwords (never stored in plaintext)
  • Role-based access control (RBAC) — employees access only data necessary for their role
  • Regular third-party security audits and penetration testing
  • Automated anomaly detection and intrusion monitoring
  • Responsible disclosure programme — report vulnerabilities to security@itinera.in

Despite our best efforts, no internet transmission is 100% secure. If you believe your account has been compromised, contact security@itinera.in immediately.

8. Your Rights

Regardless of your location, you have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you.

Right to Correction

Correct inaccurate or incomplete data via your profile settings or by contacting us.

Right to Erasure

Delete your account and all associated data. Use Dashboard → Settings → Danger Zone, or email privacy@itinera.in.

Right to Data Portability

Request your itinerary data in a machine-readable format (JSON or CSV).

Right to Restrict Processing

Ask us to stop processing your data while a dispute is under review.

Right to Object

Object to processing based on legitimate interests, including for direct marketing.

Right to Withdraw Consent

Where processing is based on consent (e.g., marketing emails), withdraw at any time via your settings or by emailing privacy@itinera.in.

We will respond to all rights requests within 30 days. To exercise any right, email privacy@itinera.in.

9. Cookies & Tracking

We use the following types of cookies:

Type | Purpose | Opt-out?
Essential | Authentication sessions, CSRF protection, load balancing. The Service cannot function without these. | No
Functional | Remembering your language preference and UI settings across sessions. | Settings
Analytics | Anonymised aggregate usage statistics to understand which features are popular. | Yes
Google AdSense | Served on free-tier pages to support our free plan. Uses Google's own cookie policy. | Via Google

You can manage cookies through your browser settings. Blocking essential cookies will prevent you from logging in.

10. Children's Privacy

The Service is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact privacy@itinera.in and we will delete it within 72 hours.

11. International Data Transfers

Itinera is based in India. By using the Service, you understand that your data may be transferred to and processed in India and in countries where our service providers (OpenAI, Razorpay, cloud hosting) operate.

For EEA users, such transfers are conducted under appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms ensuring an adequate level of data protection.

12. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or applicable law. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an email notification to registered users at least 14 days before the change takes effect
  • Display a banner on the Service for 30 days after a material change

Continued use of the Service after the effective date constitutes acceptance of the updated policy.

13. Contact & Data Protection Officer

For any privacy-related questions, requests, or concerns:

Itinera Technology Private Limited

Privacy Team: privacy@itinera.in

General Support: support@itinera.in

Security: security@itinera.in

We will respond to all privacy requests within 30 days.
