Privacy Policy | WanderVerse

Last updated: 4 May 2026

1. Who We Are

WanderVerse Travels Pvt Ltd ("WanderVerse", "we", "us") operates wanderverse.duckdns.org and related services. We are the Data Fiduciary under the DPDP Act, 2023.

2. Data We Collect

Identity: name, date of birth, gender, nationality, ID proof (for travel bookings)
Contact: email, phone, billing/pickup address
Payment: via Razorpay (we do not store card numbers or CVV)
Travel: itineraries booked, preferences, special assistance needs
Technical: IP address, browser, device, cookies for session + analytics

3. How We Use It

Fulfil bookings, issue tickets/invoices, coordinate with DMCs/hotels/transport partners
Send trip updates, emergency alerts, feedback requests
Process refunds, handle grievances, legal compliance (GST, income tax, anti-money-laundering)
Improve the site, serve tailored recommendations

4. Lawful Basis & Consent

We rely on your consent (given at signup/checkout) and legitimate use for contractual fulfilment. You can withdraw consent at any time via your account settings or by writing to privacy@wanderverse.in.

5. Sharing With Third Parties

Travel partners: DMCs, hotels, transport operators, guides — only data required for the booking
Payment processors: Razorpay (PCI-DSS Level 1)
Communication: Resend (email), Meta WhatsApp Cloud API, MSG91 (SMS)
Legal: government authorities under valid court orders or tax demands

6. Your Rights Under DPDP Act

Access: request a copy of all data we hold about you
Rectification: correct inaccurate data
Erasure: delete your account and associated data (subject to tax/legal retention)
Grievance: complain to our Data Protection Officer
Nominee: nominate someone to exercise rights if you're unable

Exercise any right at your account → Privacy or email dpo@wanderverse.in — we respond within 30 days.

7. Retention

Booking records: 8 years (GST law). Account data: until you delete. Marketing consent: revocable any time.

8. Security

TLS 1.3 encryption, bcrypt password hashing, Oracle Autonomous Database with wallet-based mTLS, least-privilege RBAC. We disclose any breach to affected users + Data Protection Board within 72 hours.

9. Children

We do not knowingly collect data from children under 18 without verifiable parental consent. Bookings for minors must be made by a parent/guardian.

10. Grievance Officer

Dilip Reddy
Data Protection Officer, WanderVerse Travels Pvt Ltd
Email: dpo@wanderverse.in
Response time: 30 days