Travel & Hospitality

ixigo

Ready Score 68/100
Sushant Pasumarty
ANALYSIS SUPERVISED BY Sushant Pasumarty
📅 16 Apr 2026

ixigo is ahead of the curve by explicitly referencing the DPDP Act, but still relies on a 'take it or leave it' consent model. While they acknowledge your rights, the lack of specific deletion timelines and granular consent options remains a regulatory hurdle.

⚠️ Compliance Gaps

  • Bundled consent at signup contradicts the 'specific and informed' requirement
  • Vague data retention timelines using 'as long as necessary' phrasing
  • Legitimate use claims for 'analytics' go beyond narrow legal definitions
  • Cross-border transfer details lack specific country or safeguard disclosures
  • No automated dashboard for users to exercise data erasure rights

✅ Strengths

  • Explicitly updated for the DPDP Act 2023 and uses correct terminology
  • Clearly identifies the company as the Data Fiduciary
  • Mentions the Right to Nominate and Data Breach notification duties
  • Proactive inclusion of children’s data safeguards and parental consent

Overview

ixigo (Le Travenues Technology Limited) is a major player in the Indian travel space, owning brands like Confirmtkt and Abhibus. Because they handle everything from passport details and Aadhaar numbers to medical conditions (for travel assistance), they sit on a mountain of sensitive info.

As a Data Fiduciary—the legal term for the company that decides why and how your data is used—ixigo has a big responsibility. If you’re a traveler (the Data Principal—aka the person the data belongs to), your digital life is effectively in their hands every time you book a train or flight.

DPDP Readiness: Section-by-Section Analysis

Section 6 — Consent ⚠️

ixigo has updated its policy to mention the new law, but it still uses the old “browsing is consenting” trick.

What the policy says: “By using our platform, you, as a user… consent to the terms of this Privacy Policy.”

What the law requires: Under Section 6, consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose. A clause buried in the Terms of Use that treats continued use as agreement meets none of these tests.

The problem: If you use the app, you’re “consenting” to everything at once—marketing, tracking, and booking. The law wants you to have choices. You should be able to say “Yes to my flight ticket” but “No to your marketing emails” without being blocked from the service.

Section 7 — Certain Legitimate Uses ⚠️

What the policy says: ixigo claims it can process data for “security, fraud prevention, and analytics” under Legitimate Use.

What the law requires: Section 7 is a closed list of situations in which a Data Fiduciary may process personal data without asking for consent: data you volunteered for a specified purpose (like giving a restaurant your number for a reservation), state benefits and services, compliance with a law or court order, medical emergencies, epidemics and disasters, and narrowly defined employment-related purposes.

The problem: “Analytics” does not appear anywhere on that list. Fraud prevention may be defensible where another law requires it, but general business analytics on customer data is ordinary processing that needs consent, not a legitimate-use shortcut.

Section 8 — Obligations of Data Fiduciary ✅

What the policy says: They promise “reasonable technical and organizational security measures, including encryption and role-based access controls.”

What the law requires: Section 8 obliges the Data Fiduciary to take reasonable security safeguards to prevent a personal data breach and, if one occurs, to notify both the Data Protection Board of India and each affected Data Principal, in the form and time the Rules prescribe.

The strength: ixigo actually mentions their duty to notify the Data Protection Board (the new government watchdog) if something goes wrong. This shows they are actually reading the new rules.

Section 8(7) — Data Retention 🔴

What the policy says: “We retain your personal information only as long as necessary to fulfill the purposes for which it was collected.”

What the law requires: Section 8(7) makes erasure mandatory at whichever comes first: the Data Principal withdraws consent, or it is reasonable to assume the specified purpose is no longer being served (e.g., the trip is over and the statutory retention period for the payment record has passed). The only exception is retention that another law requires.

The problem: “As long as necessary” is a lawyer’s favorite phrase because it means nothing. Does it mean 5 years? 50 years? The Act’s trigger is the end of the purpose, so a policy that cannot say when each purpose ends cannot show that it erases on time. Users shouldn’t have to guess when their Aadhaar copy will finally be deleted.

Sections 11 to 14 — Rights of Data Principal ⚠️

What the policy says: ixigo acknowledges your right to access, correct, and erase your data. They also mention the Right to Nominate (letting someone else manage your data if you pass away).

What the law requires: Section 11 gives you the right to a summary of the personal data held about you and the identities of the other Data Fiduciaries and Data Processors it has been shared with; Section 12 gives you the right to correction and erasure; Section 14 lets you nominate someone to exercise these rights if you die or become incapacitated. Each must be exercisable in the manner the Rules prescribe.

The problem: The rights are acknowledged, but the only route to exercise them is an email to the Grievance Officer and a wait. The Act does not mandate a dashboard, but it does demand a working mechanism with a response within the prescribed period, and a manual mailbox is exactly where access and erasure requests stall.

Section 13 — Right of Grievance Redressal ✅

What the policy says: They name a Grievance Officer and publish a contact email address and a physical address in Gurugram.

What the law requires: Section 13 requires the Data Fiduciary to give you a readily available means of grievance redressal and to respond within the prescribed period; you must exhaust that route before you can complain to the Data Protection Board.

The strength: Unlike many startups, ixigo provides a direct contact. They’ve clearly set up a process to handle complaints, which is the core requirement of Section 13.

Section 16 — Cross-Border Data Transfer ⚠️

What the policy says: Data might be processed in India or “such other jurisdictions where a third party… may process the data.”

What the law requires: Section 16 lets the Central Government notify countries or territories to which personal data may not be transferred; transfers elsewhere are permitted, but the Data Fiduciary’s Section 8 obligations (security safeguards, breach notification, a valid contract with every Data Processor) follow the data wherever it goes.

The problem: ixigo is very vague here. As a travel company, they have to send data abroad (e.g., to an airline in Dubai). However, the policy doesn’t explain what safeguards are in place when that data leaves Indian shores.

Risk Assessment

Category          | Risk Level | Potential Impact
Regulatory Fine   | Medium     | They reference the Act, which reduces “willful negligence” risks.
Consent Validity  | High       | Bundled consent is the “Achilles heel” of most Indian apps right now.
Data Deletion     | Critical   | Keeping sensitive KYC data indefinitely is a huge liability.
Third-Party Risk  | Medium     | Sharing data with hotels/airlines globally creates a wide attack surface.

Recommendations

  1. Unbundle your “I Agree” button. Let users opt-in to marketing and analytics separately from the core booking service.
  2. Pick a number for retention. Instead of “as long as necessary,” say “7 years for financial records, 30 days for search history.”
  3. Build a Privacy Center. Don’t make people email a Grievance Officer just to see what data you have. A self-service portal is also safer: every request is authenticated, logged and tracked instead of sitting in a shared mailbox.
  4. Audit your “Legitimate Uses.” Move “analytics” and “personalization” from the Legitimate Use bucket to the Consent bucket to stay safe.
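Recommendations 1, 2 and 4 are easiest to see as code. What follows is an added example written for this page, not ixigo’s code or anything taken from its policy: a small Python model of per-purpose consent and numbered retention. The purposes, the retention periods, and the assumption that fraud prevention rests on a non-consent ground are illustrative choices for the example, not findings about ixigo.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Purpose(Enum):
    BOOKING = "booking"            # core service: needed to issue the ticket
    MARKETING = "marketing"        # optional, consent only
    ANALYTICS = "analytics"        # optional, consent only (not a Section 7 ground)
    FRAUD_PREVENTION = "fraud"     # assumed here to rest on a non-consent ground


# Purposes processed without a consent record. Deliberately narrow: analytics and
# marketing are NOT here (recommendation 4). Treating fraud prevention as a
# non-consent ground is an assumption of this example, not a reading of the Act.
NON_CONSENT_GROUNDS = frozenset({Purpose.FRAUD_PREVENTION})

# Purposes a user must accept to use the service at all (recommendation 1).
CORE_PURPOSES = frozenset({Purpose.BOOKING})

# Concrete retention periods per data category, counted from the moment the
# purpose ended (recommendation 2). Illustrative numbers, not ixigo's schedule.
RETENTION = {
    "financial_record": timedelta(days=7 * 365),
    "search_history": timedelta(days=30),
    "kyc_document": timedelta(days=90),
    "marketing_profile": timedelta(days=365),
}


@dataclass
class Consent:
    """One user's per-purpose choices: each an explicit yes/no with a timestamp."""
    choices: dict = field(default_factory=dict)   # Purpose -> (granted, when)

    def set(self, purpose: Purpose, granted: bool, when: datetime) -> None:
        self.choices[purpose] = (granted, when)

    def granted(self, purpose: Purpose) -> bool:
        return self.choices.get(purpose, (False, None))[0]


def can_use_service(consent: Consent) -> bool:
    """Signup needs only the core purposes; saying no to marketing or analytics
    must not block the booking flow."""
    return all(consent.granted(p) for p in CORE_PURPOSES)


def may_process(consent: Consent, purpose: Purpose) -> bool:
    """Unbundled check: a non-consent ground passes; anything else needs an
    explicit yes recorded for exactly that purpose."""
    return purpose in NON_CONSENT_GROUNDS or consent.granted(purpose)


@dataclass
class Record:
    record_id: str
    category: str              # key into RETENTION
    purpose: Purpose           # the purpose this record was collected for
    purpose_ended: datetime    # trip completed, search performed, payment settled
    legal_hold: bool = False   # another law requires retention (tax, KYC rules)


def due_for_erasure(records, consent: Consent, now: datetime) -> list:
    """Section 8(7) logic: erase when consent for the record's purpose is
    withdrawn, or when the retention period after the purpose ended has
    lapsed, whichever comes first; a legal hold overrides both."""
    due = []
    for r in records:
        if r.legal_hold:
            continue
        if r.purpose not in NON_CONSENT_GROUNDS and not consent.granted(r.purpose):
            due.append(r.record_id)       # consent withdrawn: erase now
        elif now >= r.purpose_ended + RETENTION[r.category]:
            due.append(r.record_id)       # purpose over and period lapsed
    return due


def _sample_consent(now: datetime) -> Consent:
    # Constructed user: accepted booking and marketing, refused analytics at signup.
    c = Consent()
    c.set(Purpose.BOOKING, True, now - timedelta(days=400))
    c.set(Purpose.MARKETING, True, now - timedelta(days=400))
    c.set(Purpose.ANALYTICS, False, now - timedelta(days=400))
    return c


def demo_consent() -> tuple:
    """Returns (service usable, analytics allowed, fraud checks allowed)."""
    c = _sample_consent(datetime(2026, 4, 16, tzinfo=timezone.utc))
    return (can_use_service(c),
            may_process(c, Purpose.ANALYTICS),
            may_process(c, Purpose.FRAUD_PREVENTION))


def demo_erasure() -> list:
    """Constructed records for one user who withdraws marketing consent today."""
    now = datetime(2026, 4, 16, tzinfo=timezone.utc)
    c = _sample_consent(now)
    c.set(Purpose.MARKETING, False, now)          # withdrawal today
    d = timedelta
    records = [
        Record("fin-1", "financial_record", Purpose.BOOKING, now - d(days=2 * 365)),
        Record("search-1", "search_history", Purpose.BOOKING, now - d(days=45)),
        Record("kyc-1", "kyc_document", Purpose.BOOKING, now - d(days=10)),
        Record("mkt-1", "marketing_profile", Purpose.MARKETING, now - d(days=5)),
        Record("fin-2", "financial_record", Purpose.BOOKING, now - d(days=8 * 365), legal_hold=True),
        Record("fin-3", "financial_record", Purpose.BOOKING, now - d(days=8 * 365)),
    ]
    return due_for_erasure(records, c, now)


if __name__ == "__main__":
    print(demo_consent())    # (True, False, True)
    print(demo_erasure())    # ['search-1', 'mkt-1', 'fin-3']
```

Two things the model makes concrete that the policy text does not: refusing analytics leaves the booking flow usable, and withdrawing marketing consent marks the marketing profile for erasure immediately, even though its 365-day retention window has not lapsed, while the record under a legal hold survives past its period. Every retention decision reduces to a category, a purpose-ended timestamp and a number, which is precisely what “as long as necessary” leaves undefined.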

How Does Your Policy Compare?

Not sure if your company’s privacy policy has similar gaps? Take the free 60-second DPDP Audit to check your own liability under the DPDP Act: 16 quick questions, instant risk report.


Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
