Privacy Policy
Effective Date: June 18, 2026
1. Data Controller Information
Trayago ("we", "us", or "our") acts as the Data Fiduciary and Data Controller for the personal data collected from users of our train assistant platform. Our registered head office is located in Mumbai, India. For all privacy inquiries, you can reach our Data Protection Officer at **support@trayago.in**.
2. Contact Information
If you wish to exercise your data principal rights, request account deletion, or report a privacy concern, please contact us at **support@trayago.in**. We commit to acknowledging all queries within **48 hours** and resolving them in accordance with statutory timelines.
3. Information We Collect
We collect information to provide, secure, and optimize our split-journey planning services:
- Profile Data: Email address, optional full name, date of birth, and verified mobile number (if you choose to register).
- Search Preferences: Origin and destination stations, travel dates, and class preferences used for routing queries.
- Device Telemetry: Anonymized OS version, browser type, and diagnostic logs for bug monitoring.
4. PNR / Travel Data Processing Disclosure
When you search or track a PNR status, the query is transmitted securely to our backend server and processed via third-party railway APIs to fetch real-time booking details. We cache PNR statuses temporarily to speed up subsequent queries, but passenger details (names, seat assignments) are never permanently stored in our database records.
5. PostHog Analytics Disclosure
We utilize **PostHog** for product analytics (tracking search button clicks, split journey selection rates, and viewport layout usage). PostHog helps us understand conversion funnels and improve the app layout. Personally Identifiable Information (PII) capture and session IP addresses are explicitly masked or disabled.
6. OneSignal / Push Notification Disclosure
We use **OneSignal** and **Firebase Cloud Messaging (FCM)** to deliver push notifications regarding delay alerts, waitlist status shifts, or platform changes. Outbound device notification tokens are securely transmitted and encrypted using **AES-256-GCM** in our backend database. You can opt-in or opt-out of notification categories in your profile settings.
7. Local Storage & PWA Cache Disclosure
To enable offline support and fast loading, our service worker (`sw.js`) caches static bundles and the offline page shell in browser Cache Storage. We also store UI variables (`theme`, `pwa_prompt_dismissed`, and `betaCode`) in browser `localStorage`. No personal data is written to localStorage.
8. Data Retention Policy
We retain your registered profile data (email, name) for as long as your account remains active. Outbound device push tokens are immediately purged upon user logout. PNR status search cache records are automatically deleted from database cache tables **24 hours** after the scheduled travel date is completed.
9. User Rights (India DPDP Act 2023)
In accordance with the Digital Personal Data Protection Act, 2023, Indian data principals possess specific rights:
- Right to Summary: Request a summary of the personal data processed.
- Right to Correction/Erasure: Request the correction of inaccurate details or erasure of your profile.
- Right to Grievance Redressal: Register grievance queries directly with our support desk.
- Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity.
10. GDPR Rights Section
For users residing in the European Economic Area (EEA), you possess the following rights under the GDPR:
- Right to access, edit, or delete your stored personal data.
- Right to restrict or object to specific processing operations.
- Right to data portability (requesting a structured export of your profile).
- Right to withdraw consent at any time (for cookies and notification registrations).
11. Account Deletion Request Process
You can request the deletion of your account and purge all associated personal data (email, name, mobile, and verified tokens) by clicking the **Delete Account** button inside your User Profile tab, or by contacting our data support desk at **support@trayago.in**. Upon verification, your database record will be permanently deleted.
12. Third-Party Services List
We leverage trusted external compliance infrastructure and service partners:
- Supabase: For user profile database storage.
- PostHog / Sentry: For anonymous analytics and crash reports.
- OneSignal / Firebase: For push alert distribution.
- Stripe / Razorpay: For subscription payment processing.
13. Security Measures
We implement industry-standard security safeguards. All client-server communications are encrypted in transit using Transport Layer Security (TLS/HTTPS). In the backend, sensitive fields (like push tokens and contact profiles) are encrypted at rest using **AES-256-GCM**.
14. Children's Privacy
Trayago is intended for users who are at least **18 years of age** (or the age of majority in your jurisdiction). We do not knowingly collect personal data from minors. If you believe a child has submitted personal details, please contact us immediately to purge the records.
15. Changes to Policy
We may update this Privacy Policy to reflect changing operational practices or statutory regulations. Any changes will be published on this page, and the Effective Date will be updated accordingly. Continued use of the service constitutes agreement with the revised policy.
Secure travel assistance in compliance with DPDP & GDPR rules.