One-page summary
We know nobody reads the full privacy policy. Here is the TL;DR before the long-form version:
- Who we are. Yatra For Fun Pvt. Ltd., a Nepali company at Koteshwor-32, Kathmandu, Nepal. We run yatraforfun.com and the Yatra partner dashboards.
- What we collect. The data you type (name, e-mail, phone, passport for flights and visa, date of birth, nationality), the data your device sends (IP, browser, device ID), payment metadata (not full card numbers — those go straight to the payment gateway), and booking history.
- Why we collect it. To deliver your booking, contact you about it, comply with airline and border rules, prevent fraud, and improve the product.
- Who we share it with. The specific airline, hotel, or supplier you book; GDS and aggregator APIs (Amadeus, Agoda); payment gateways (eSewa, Khalti, ConnectIPS, FonePay, PayPal); e-mail and SMS providers; and our AI itinerary provider (Anthropic) in a non-training capacity.
- Your rights. You can access, correct, download, or delete your data — write to [email protected].
- How long we keep it. Most data stays while your account is open; accounting records are retained for seven (7) years as required by Nepali tax law.
- Our compliance base. This policy is drafted to the standard of Nepal's Individual Privacy Act, 2075 (2018) and Individual Privacy Regulations, 2077 (2020).
Who is the data controller?
The data controller for your personal data is:
Yatra For Fun Pvt. Ltd.
Registered office: Koteshwor-32, Kathmandu, Nepal
E-mail: [email protected]
Phone: +977 980-2348957
Business hours: Sun–Fri, 09:00–19:00 (NPT) · Sat on-call for emergencies
Where Yatra operates a B2B product (the Hotel Manager or the Travel-Agent Platform) for a business customer, the business customer is the controller of its own guests' or clients' data, and Yatra is the data processor acting on its instructions under a written data-processing arrangement.
For day-to-day privacy questions, our Data Protection Officer can be reached at [email protected] with "Privacy request" in the subject line.
What data we collect
We collect the data set out below. Fields marked optional are collected only when you choose to supply them.
Identity data
- First name and last name (required at sign-up).
- Preferred display name or salutation.
- Gender (optional).
- Date of birth (required for flight, visa, and certain hotel bookings).
- Nationality (required for visa, helpful for flights).
- Profile avatar URL (optional).
Contact data
- E-mail address (required for the account).
- Phone number (required for booking confirmations and OTP).
- Postal, residential, or correspondence address (optional, but required for visa applications).
- WhatsApp or Viber handle (optional).
Travel-document data
- Passport number and expiry date (for flights, visa).
- Scanned passport, photograph, identity proof, bank statement, and similar supporting documents (visa applications only, uploaded by you).
- Citizenship certificate number (optional).
Booking & trip data
- Passenger or guest details for every traveller in the booking.
- Dates, routes, destinations, meal preferences, special requests, room type, room-sharing arrangements.
- For dummy tickets: the passenger name, airports, dates, and airline you specify; the system-generated 6-character PNR.
Payment & transaction data
- Amount, currency, base price, VAT (13 percent), service charge.
- Payment method (eSewa, Khalti, ConnectIPS, FonePay, PayPal, bank transfer).
- Gateway transaction ID, idempotency key, signature-verification status, settlement timestamp.
- We do not store full card numbers or CVV. Card data is submitted directly to the regulated payment gateway; Yatra receives only a tokenised reference.
Device & usage data
- IP address, approximate city-level geolocation.
- Browser family, operating system, device type.
- Referring URL, pages visited, search terms, session duration.
- Interactions with our AI itinerary chat.
Cookies & similar identifiers
We use first-party cookies and local-storage entries to authenticate your session (short-lived access token, 7-day refresh token), remember your preferences (currency, theme), and run basic analytics. Strictly-necessary cookies do not require consent; analytics cookies are set only after you accept our cookie banner.
Communications data
- Support tickets, WhatsApp messages, call recordings for quality-control purposes (you are notified at the start of the call).
- Feedback, reviews, and ratings you post on the Services.
Data we do NOT collect
Yatra does not knowingly collect: biometric templates; health records; caste, religion, or political affiliation; nor sensitive data relating to children under sixteen (16) without a parent or guardian's consent.
Where the data comes from
- Directly from you — when you sign up, search, check out, upload documents, or chat with support.
- From your device — logs, cookies, analytics pings.
- From another person — when a family member, colleague, or travel-agent books on your behalf. That person warrants to us that they have your permission.
- From suppliers and aggregators — airlines confirm your PNR and return e-ticket numbers; hotels return confirmation codes; Agoda returns hotel descriptions.
- From payment gateways — the success or failure of your payment, masked card metadata (last four digits, brand), and anti-fraud signals.
- From public sources — in rare cases we may consult publicly available sanctions lists or airline denied-boarding notices to comply with law.
Why we process your data
We process personal data only for one or more of the following specific purposes:
- Account management — create, authenticate, and secure your Yatra account; reset your password; detect suspicious log-ins.
- Delivering the booking — passing passenger, guest, and payment details to the airline, hotel, supplier, or consular channel you have chosen; issuing tickets, vouchers, and e-mail or SMS confirmations; generating dummy ticket PDFs.
- Customer support — answering your questions by e-mail, WhatsApp, Viber, or phone; helping you with a cancellation or refund claim.
- Payments, taxes & accounting — processing your payment, issuing a VAT-compliant tax invoice, deducting tax at source where required by the Income Tax Act, 2058 (2002), keeping the books of account required under the Companies Act, 2063 (2006) and the VAT Act, 2052 (1996).
- Fraud prevention & security — detecting and investigating suspicious bookings, chargebacks, account-takeover attempts, and violations of the Banking Offences and Punishment Act, 2064 (2008) or sanctions regulations.
- Service improvement — product analytics, A/B testing, error diagnostics. Analytics data is pseudonymised where practical.
- Marketing — sending transactional offers to existing customers about similar products, or promotional offers where you have opted in. You can opt out at any time (see Section 8).
- Legal compliance — responding to lawful orders of Nepali or foreign courts, regulators, and law-enforcement agencies.
- AI itinerary generation — sending a sanitised copy of your trip brief to Anthropic's Claude API to produce an itinerary. We do not allow Anthropic to train on your data; we rely on Anthropic's zero-retention API posture.
Legal basis for processing
Under the Individual Privacy Act, 2075 (2018), Yatra relies on one of the following lawful bases for every act of processing:
- Your consent — for non-essential cookies, marketing e-mails, and uploads of sensitive supporting documents during visa applications. You may withdraw consent at any time without affecting prior processing.
- Necessity for contract performance — for creating your account, taking payment, issuing a ticket, generating a dummy ticket, and supporting the booking after confirmation.
- Legal obligation — tax, accounting, passenger-name-record retention under aviation-security rules, and responses to lawful requests from Nepali authorities.
- Legitimate interest — network security, fraud prevention, product analytics. We balance our interest against your privacy and use the minimum data needed.
- Vital interest — in rare safety emergencies, to share your next-of-kin contact with hospitals or embassies.
International transfers
Booking a flight to London, a hotel in Bangkok, or a visa for the Schengen area necessarily involves transferring your data to the supplier in that country. Where the destination country has not adopted a privacy framework equivalent to the Individual Privacy Act, 2075 (2018), Yatra relies on one or more of the following safeguards:
- Transfer is strictly necessary to perform the contract that you have asked us to deliver (for example, sending your passport data to a Schengen embassy is essential to process your visa).
- Written confidentiality and data-processing obligations in our supplier agreements.
- Your explicit consent to the specific cross-border transfer, collected at the point of checkout for international bookings.
Our core customer database is hosted in Nepal (PostgreSQL on a Contabo VPS in Kathmandu). Certain edge caches and DDoS-protection layers (Cloudflare) process encrypted traffic globally.
How long we keep your data
We retain personal data only for as long as we need it for the purpose we collected it, then either delete it or anonymise it.
| Category | Retention period |
|---|---|
| Account profile | While account is active; 30 days after deletion request (restoration window); permanent deletion within 90 days unless subject to legal hold. |
| Booking records & tax invoices | 7 years after the booking date — required by Income Tax Act, 2058 (2002), VAT Act, 2052 (1996), and the Companies Act, 2063 (2006). |
| Passenger-name-record data | As long as required by the airline and applicable aviation-security rules in the country of departure and arrival (typically 3–5 years). |
| Visa supporting documents | 180 days after the visa decision, unless you instruct us to delete sooner; retained longer if required by the consulate. |
| Dummy-ticket PDFs | Until expiry (default 48 hours), then auto-archived to cold storage for 12 months for audit; then deleted. |
| Refresh tokens | 7 days after issue, rotated on every use. |
| Marketing preferences | Until you opt out, plus a suppression list kept indefinitely to honour your opt-out. |
| Server logs with IP | 90 days, then truncated to aggregated analytics. |
| Support tickets & call recordings | 24 months. |
Your rights
Under the Individual Privacy Act, 2075 (2018) and the Individual Privacy Regulations, 2077 (2020), you have the following rights. You can exercise them free of charge by writing to [email protected].
- Right to be informed — about the collection and use of your data (this Policy).
- Right of access — request a copy of the personal data we hold about you.
- Right of rectification — ask us to correct inaccurate data (most fields are self-service inside your profile).
- Right of erasure — ask us to delete your data, subject to the retention obligations in Section 9.
- Right to restrict processing — in the limited circumstances permitted by law.
- Right to data portability — receive your data in a structured, commonly used, machine-readable format (JSON export).
- Right to object — to processing based on our legitimate interest, including direct marketing.
- Right to withdraw consent — at any time, for processing based on consent. Withdrawal does not affect prior lawful processing.
- Right to complain — to the appropriate authority in Nepal. At present, the supervisory function is exercised by the National Information Commission of Nepal and, for tourism-sector complaints, the Department of Tourism.
We verify your identity before acting on a request (to prevent social-engineering attacks) and respond within 15 business days of verification, or up to 30 days for complex requests — as permitted under the Individual Privacy Regulations.
How we protect your data
We apply technical and organisational safeguards proportionate to the risks of our processing. Concretely:
- Transport security — HTTPS/TLS everywhere; modern cipher suites enforced at Cloudflare and at the origin.
- Password security — passwords are never stored in plain text; they are hashed with bcrypt.
- Session security — short-lived JWT access tokens (15 minutes) plus rotating refresh tokens (7 days).
- Payment security — card data never touches Yatra servers; only tokenised references are stored. Idempotency keys and signature verification prevent replay and duplicate-charge attacks.
- Access control — role-based access (super-admin, hotel-admin, travel-agent-admin, staff, customer) with least-privilege defaults.
- Network segmentation — database and Redis are not exposed to the public internet; they sit behind the API gateway.
- Backups — encrypted daily snapshots with a tested restore procedure.
- Logging — application and access logs are centralised and reviewed for anomalies.
- Breach response — we follow a documented incident-response playbook and will notify you and the competent authority of a personal-data breach likely to result in a risk to your rights, without undue delay (within 72 hours of becoming aware).
Marketing communications
We send marketing e-mails, SMS, WhatsApp messages, or push notifications only where:
- you are an existing customer and we are promoting a similar product (the "soft opt-in" baseline); or
- you have explicitly opted in through a check-box or settings toggle.
Every marketing message includes a one-click unsubscribe link (e-mail) or a "STOP" short-code (SMS). You can also manage your preferences from the Account → Notifications page. Transactional messages (booking confirmations, OTP, cancellation notices) are operationally essential and cannot be unsubscribed from.
Children
The Services are designed for adults booking travel, including travel for children in their family group. We do not allow children under sixteen (16) to create their own account.
When you add a child as a passenger or guest on your own booking, we process that child's data on the basis of your parental consent. If you learn that a child under 16 has created an account without consent, please alert us at [email protected] and we will delete the account.
AI itinerary builder — specific notice
When you use the AI itinerary builder, your trip brief (dates, destination, budget, interests, party size, any free-text preferences you type) is sent to Anthropic PBC's Claude API so it can produce a day-by-day plan.
- We strip out personally identifying fields (name, e-mail, phone, passport, account ID) before sending.
- We operate under Anthropic's commercial API terms, which contractually prohibit Anthropic from training on API input or output.
- The AI's output is stored in your account so you can revisit it and so we can improve the product; delete the itinerary from the itinerary page and we purge it within 30 days.
Notice for hotels and travel-agent partners
If you are a hotel using Yatra Hotel Manager or a travel agency using the Yatra Travel-Agent Platform, you are the controller of the guest, passenger, or client data you load into our software. Yatra is the processor. We:
- process your data only on your documented instructions and as needed to provide the Services;
- keep your data logically separated from other customers' data by a tenant identifier;
- pass through any valid data-subject request you forward to us;
- give you a 30-day export window on termination, after which we delete the tenant data (except for anonymised aggregates).
The Yatra Data Processing Addendum is available on request.
Changes to this Policy
We may update this Policy to reflect changes in the Services or the law. Material changes will be notified at least seven (7) days in advance by e-mail or in-app banner. The "Last updated" field at the top of this page always reflects the current version. Superseded versions are archived and available on request.
Contact & complaints
To exercise a privacy right, report a data breach, or raise any privacy concern:
- E-mail (primary): [email protected] — subject line "Privacy request".
- Postal: Yatra For Fun Pvt. Ltd., Koteshwor-32, Kathmandu, Nepal.
- Phone: +977 970-8072952 (support line).
- Hours: Sun–Fri, 09:00–19:00 (NPT) · Sat on-call for emergencies.
If you are not satisfied with our response, you may complain to the National Information Commission of Nepal, to the Department of Tourism, or to any other authority competent under Nepali law. The relevant contact details are published on the Nepal government portals nic.gov.np and tourism.gov.np.