Travel Accounting Software ("we", "our", "us") operates the SaaS application at travelaccountingsoftware.com. This Privacy Policy explains how we handle the personal data of our customers (travel agencies) and the personal data of their clients (passengers, business partners) that they upload into our system.
Data Fiduciary Notice (DPDP §10)
Under the Digital Personal Data Protection Act, 2023, Travel Accounting Software acts as the Data Fiduciary for the personal data of registered users (agency owners and staff) and as a Data Processor for the personal data of end-passengers/clients uploaded by our customers. The agency itself is the Data Fiduciary for that downstream data.
1. Data we collect
We collect only data that is necessary to deliver our accounting service:
- Account data — name, email, hashed password, company name, GSTIN, PAN, branch addresses, optional 2FA secret
- Operational data — invoices you upload, vendors, clients (including their names, email, GSTIN, PAN — uploaded by you), purchases, sales, payments, bank statements, credit/debit notes, TDS records
- Usage metadata — IP address, user-agent, request timestamps (stored in audit logs for security and Sec 36 CGST compliance)
We do not collect Aadhaar numbers. If you upload an invoice that contains one, we redact it. We never collect biometrics, location, or browsing history outside our application.
2. How we use it
- To run accounting, GST, TDS, and reporting features you sign up for
- To extract data from invoices you upload, via Google Gemini AI (data is sent only at the time of extraction; not used for AI model training)
- To send transactional emails (account notices, password reset, breach notifications)
- To comply with Indian law — including 8-year retention under Sec 36 of the CGST Act, 2017
We do not sell or rent your data to anyone, ever.
3. Sub-processors
- Cloudflare, Inc. (CDN, WAF, DDoS protection, TLS termination) — proxies all incoming HTTPS traffic to travelaccountingsoftware.com. Cloudflare may retain edge request metadata (IP address, user-agent, URL) for up to 30 days for abuse detection and traffic analytics. We do not enable any logging of request bodies. Cloudflare maintains SOC 2 Type II, ISO 27001, and ISO 27018 certifications. Trust hub: cloudflare.com/trust-hub.
- Emergent (emergent.sh) — application + database hosting. The exact data-centre region, encryption-at-rest standard, and backup policy are governed by Emergent's infrastructure terms. We will publish their signed Data Processing Agreement here when we receive it; in the meantime, you may request it from us in writing at dpo@travelaccountingsoftware.com.
- Google Gemini API (invoice OCR) — data sent only at extraction time, not retained for training (per Google enterprise policy).
- Email + payment processors will be listed here once added.
⚠ Data residency disclosure
Our application currently runs on Emergent's managed deployment platform. The physical region where the underlying database is stored is determined by Emergent. If your contract or your own customers require data residency within India, please contact us at dpo@travelaccountingsoftware.com before signing up — we can either obtain confirmation from Emergent in writing for you, or migrate your tenant to our dedicated AWS Mumbai (ap-south-1) stack on a separate paid plan.
4. Data retention (Sec 36 CGST Act)
We retain your accounting records for 8 years from the end of the financial year, as required by Section 36 of the Central Goods and Services Tax Act, 2017. When you delete a Sale, Purchase, Payment, Credit Note, Debit Note, or TDS entry, we mark it as deleted ("soft delete") but keep the record in encrypted storage until the 8-year horizon expires. A background process purges records permanently after that.
When you close your account, your personal profile is deleted within 30 days, but operational records subject to the 8-year statutory retention are preserved (with a marker indicating closed account).
5. Your rights under DPDP (§11–13)
- Right to access — download all your data anytime from Settings → Export My Data
- Right to correction — edit your records directly in the app
- Right to erasure — request via the email below (subject to 8-year statutory retention)
- Right to grievance redressal — email our DPO at dpo@travelaccountingsoftware.com with a response in ≤ 30 days
- Right to nominate — designate someone to receive your data in case of incapacity
6. Security measures
- TLS 1.3 in transit (terminated at Cloudflare's edge with HSTS preload). All HTTP traffic is force-upgraded to HTTPS.
- WAF + DDoS + bot protection at the edge (Cloudflare OWASP managed ruleset, Bot Fight Mode, rate-limited /api/auth/login).
- JWT auth with optional TOTP-based 2FA
- Tenant isolation — every API call is scoped to your user_id
- Append-only audit logs for create / update / delete operations on Sales, Purchases, Credit Notes, Debit Notes, TDS entries (with Cloudflare's real-client-IP recorded)
- Backup policy as provided by our hosting platform (see Sub-processors above)
- PAN and GSTIN are masked in the UI (e.g. AAAAA****A); full values are stored to support GST/TDS filings but never displayed in clear text
7. Cookies
We use a single first-party cookie / localStorage entry to remember your login (JWT). No third-party advertising or tracking cookies.
8. Changes to this policy
If we update this policy materially, we'll email registered users at least 30 days before the change takes effect.
9. Contact
Data Protection Officer (DPO): dpo@travelaccountingsoftware.com
Grievance Officer: grievance@travelaccountingsoftware.com · response within 30 days as required by DPDP §13(2)
Mailing address: [Your registered office address]