Yatra Cookie Policy

Every cookie, local-storage entry, and pixel used by yatraforfun.com and dashboard.yatraforfun.com — category, purpose, lifespan, and how to opt out. Drafted under Nepal's Individual Privacy Act 2075 (2018).

Effective: 15 April 2026 · Last updated: 23 April 2026 · Operator: Yatra For Fun Pvt. Ltd., Koteshwor-32, Kathmandu

01

What is this Policy?

This Cookie Policy ("Policy") explains how Yatra For Fun Pvt. Ltd. ("Yatra", "we", or "us") uses cookies, local-storage entries, session-storage entries, IndexedDB rows, pixels, and similar device identifiers (together, "Cookies") on yatraforfun.com, dashboard.yatraforfun.com, our mobile and progressive-web applications, and any Yatra API served to a browser.

It forms part of our Privacy Policy and our Terms of Service, and is drafted under the Individual Privacy Act, 2075 (2018), the Individual Privacy Regulations, 2077 (2020), and Section 47 of the Electronic Transactions Act, 2063 (2006). Nothing in this Policy reduces the rights you hold under Nepali law or under the non-waivable privacy rules of a destination country.

02

What is a cookie?

A cookie is a small text file that a website places on your device the first time you visit. On each subsequent visit, your browser sends the cookie back to the same website so the site can recognise you, keep your session alive, remember your preferences, or measure which features you use.

Cookies set by yatraforfun.com itself are called first-party cookies; cookies set by a third-party domain loaded inside a Yatra page (for example, a payment-gateway checkout or a font provider) are called third-party cookies.

Yatra also uses local storage, session storage, and IndexedDB for similar purposes. Those are not literally cookies, but they operate in a functionally identical way, so this Policy treats them all together.

03

The four categories of cookie we use

Yatra groups every cookie, storage entry, and pixel into one of four categories. Strictly-necessary cookies are always active; functional, analytics, and marketing cookies are only set after you indicate your choice in the cookie banner.

1. Strictly necessary

These cookies make the Services work. Without them you could not sign in, place a booking, or pay. Because they are essential, no separate consent is required under Rule 8 of the Individual Privacy Regulations, 2077.

  • Session & auth. Short-lived JWT access token (15 minutes) and rotating refresh token (7 days) stored in an httpOnly cookie plus local storage fallback.
  • CSRF. Double-submit token protecting POST and PUT requests against cross-site-request-forgery attacks.
  • Cart & payment hold. Identifier for the 15-minute inventory hold applied on flights and hotels at checkout.
  • Language & locale. Remembers whether you chose English or Nepali so the next page loads in the right language.
  • Consent state. Records the choices you made in the cookie banner so we do not ask again on every page.
  • Fraud & rate-limit. Short-lived identifiers used to detect and block credential-stuffing, scraping, and automated booking attempts.

2. Functional

Remember choices that make the Services more convenient but that are not strictly required to deliver a booking. Set only after you accept the cookie banner, or tick the corresponding toggle in Preferences.

  • Currency preference (NPR / USD / INR / EUR).
  • Theme choice (light, dark, system).
  • Recently viewed hotels and experiences.
  • Preferred airport and departure city.
  • Search-form defaults (travellers, rooms, nationality).

3. Analytics & performance

Measure how visitors use the Services so we can fix bugs and improve the product. Analytics cookies are set only after you accept the cookie banner and can be disabled at any time from the same banner or from Account → Notifications → Privacy.

  • First-party analytics. Yatra-operated page-view counters, click-path logs, A/B test bucket assignments. Pseudonymised with a random device ID; not combined with your identity unless you are signed in.
  • Error telemetry. Crash reports and JavaScript error stacks. No payload includes passwords, payment data, or passport numbers — these fields are redacted client-side.
  • Core Web Vitals. Largest Contentful Paint, Interaction to Next Paint, Cumulative Layout Shift. Aggregated for performance tuning.

4. Marketing

Used to measure campaign effectiveness and, where relevant, to personalise offers. Set only after you explicitly opt in through the cookie banner.

  • Campaign source and click identifier (utm_source, utm_medium, gclid, fbclid) stored for attribution.
  • Conversion pixels for completed bookings, where a partner campaign is active.
  • Retargeting identifiers (disabled by default — we will update this section and re-prompt consent before we enable any retargeting partner).

04

Full cookie inventory

The table below is a snapshot of the cookies and storage entries the Services set in the current release. Names starting with yatra_ are first-party; names starting with __ are framework defaults from Next.js, Vercel, or Cloudflare. Lifespan values are maximums — cookies are often removed earlier when you sign out or clear your browser.

| Name | Type | Category | Purpose | Lifespan |
|---|---|---|---|---|
| yatra_access | httpOnly cookie | Strictly necessary | JWT access token for authenticated requests. | 15 minutes |
| yatra_refresh | httpOnly cookie | Strictly necessary | Rotating refresh token; exchanged for new access token. | 7 days |
| yatra_csrf | Cookie | Strictly necessary | Cross-site-request-forgery double-submit token. | Session |
| yatra_cart | Cookie + local storage | Strictly necessary | Cart and 15-minute inventory hold identifier. | 15 minutes |
| yatra_locale | Cookie | Strictly necessary | Remembers your language choice (en-NP, ne-NP). | 1 year |
| yatra_consent | Cookie | Strictly necessary | Stores your cookie-banner choices. | 12 months |
| yatra_fp | Cookie | Strictly necessary | Fraud-prevention device fingerprint; no PII. | 24 hours |
| yatra_currency | Local storage | Functional | Preferred display currency. | 1 year |
| yatra_theme | Local storage | Functional | Light, dark, or system theme. | 1 year |
| yatra_recent_hotels | Local storage | Functional | Last 10 hotels viewed (public IDs only). | 90 days |
| yatra_airport | Local storage | Functional | Default departure airport for flight search. | 1 year |
| yatra_analytics_id | Cookie | Analytics | Pseudonymous random ID for first-party analytics. | 13 months |
| yatra_ab | Local storage | Analytics | A/B test bucket assignments. | 90 days |
| yatra_vitals | Beacon | Analytics | Core Web Vitals sample submitted on navigation. | Not stored on device |
| yatra_campaign | Cookie | Marketing | Attribution identifier from the referring campaign. | 30 days |
| __cf_bm | Third-party cookie (Cloudflare) | Strictly necessary | Bot-management challenge; security. | 30 minutes |
| esewa_ref | Third-party cookie (eSewa) | Strictly necessary | Set only on the eSewa checkout page. | Session |
| khalti_ref | Third-party cookie (Khalti) | Strictly necessary | Set only on the Khalti checkout page. | Session |
| paypal_session | Third-party cookie (PayPal) | Strictly necessary | Set only inside the PayPal checkout iframe. | Per PayPal policy |

The inventory above is refreshed whenever we add or remove a cookie. If you notice a cookie on yatraforfun.com that is not listed here, please report it to [email protected] with subject "Undocumented cookie" so we can correct the disclosure.

05

Third-party processors

Certain pages load assets or scripts from third-party domains. Each third party may set its own cookie in accordance with its own privacy notice. The full list of processors is:

  • Cloudflare — DDoS protection and bot management in front of every Yatra hostname. Sets __cf_bm. Cloudflare privacy notice.
  • eSewa — domestic payment gateway, Nepal Rastra Bank licensed. Sets cookies only on the eSewa checkout redirect. eSewa privacy notice.
  • Khalti — domestic payment gateway, Nepal Rastra Bank licensed. Sets cookies only on the Khalti checkout redirect. Khalti privacy notice.
  • ConnectIPS — bank-account payment rail operated by Nepal Clearing House Ltd.
  • FonePay — domestic QR and wallet payment rail.
  • PayPal — cross-border card and wallet payments. Iframe-embedded checkout; cookies scoped to the PayPal domain. PayPal privacy notice.
  • Sparrow SMS — Nepali SMS delivery. No cookies; server-to-server only.
  • Twilio — WhatsApp and international SMS. No cookies; server-to-server only.
  • Anthropic — Claude API for the AI itinerary builder. No cookies; server-to-server only.
  • Agoda — hotel inventory and content aggregator. Images and descriptions are proxied through media.yatraforfun.com, so no Agoda cookies reach your browser from Yatra pages.
  • Amadeus GDS — flight inventory and PNR issue. Server-to-server; no browser cookies.

We do not embed social-network share buttons with implicit tracking (for example, Facebook Like or Twitter Tweet widgets). Our share links are plain <a> tags that only load a third-party page when you click them.

06

No sale of personal data

Yatra does not sell personal data. We do not participate in behavioural ad-tech exchanges, do not syndicate browsing data to data brokers, and do not sell the contents of our booking database to any third party.

Where Yatra shares booking data with an airline, a hotel, a visa consulate, or a payment gateway, it is because the sharing is necessary to deliver the specific service you have asked for, not a commercial data transaction. Our Privacy Policy lists every sharing category.

07

Managing your cookie choices

The Yatra cookie banner

On your first visit, a banner at the bottom of the page asks whether you accept non-essential cookies. You can:

  • Accept all — allow strictly-necessary, functional, analytics, and marketing cookies.
  • Reject non-essential — allow only strictly-necessary cookies. The site remains fully functional.
  • Customise — toggle each category independently.

Your choice is stored for 12 months in the yatra_consent cookie, after which we ask again. You can change your choice at any time by clicking Cookie preferences in the site footer.

Browser-level controls

Every modern browser lets you block cookies, delete stored cookies, or run a private-window session with no cookies. Help articles:

If you block strictly-necessary cookies, Yatra may be unable to keep you signed in, complete checkout, or apply fraud-prevention rules — in which case the site will ask you to re-enable cookies for yatraforfun.com. No booking can be issued without a secure session.

Mobile device identifiers

Where Yatra ships a mobile application, the equivalent identifiers are the operating system's "Advertising ID" (IDFA on iOS, AAID on Android). You can reset these or opt out of app-tracking from the operating-system settings.

Global Privacy Control

Yatra honours the Global Privacy Control (GPC) signal. Where your browser sends a GPC header, we treat it as an automatic opt-out of analytics and marketing cookies, without the banner.

08

Children

Yatra does not knowingly set non-essential cookies for visitors we know to be under sixteen (16). Our account minimum is 16; children on a parent's booking are covered by the parent's consent. If you believe a child has interacted with the Services without adult supervision, write to [email protected].

09

Changes to this Policy

We update the inventory each time we add or remove a cookie. When a change materially reduces your rights — for example, adding a new marketing category — we re-prompt you through the cookie banner before setting any new cookie, and give at least seven (7) days' notice by e-mail or in-app banner.

The Last updated date at the top of the page always reflects the most recent revision. Previous versions are archived and available on request.

10

Contact

Questions, corrections, or undocumented-cookie reports:

  • E-mail: [email protected] — subject "Cookie question".
  • Postal: Yatra For Fun Pvt. Ltd., Koteshwor-32, Kathmandu, Nepal.
  • Support phone: +977 970-8072952.
  • Hours: Sun–Fri, 09:00–19:00 (NPT) · Sat on-call for emergencies.