Privacy Policy | Golden Triangle India Tours

1. Who We Are

Golden Triangle India Tours ("we", "us", "our") is a UK-registered travel company specialising in bespoke tours of India's Golden Triangle (Delhi, Agra, and Jaipur) and wider India destinations for UK-based travellers.

Company Name: Golden Triangle India Tours Ltd
Registered Address: London, United Kingdom
Website: goldentriangleindiatours.co.uk
Email: info@goldentriangleindiatours.co.uk

We are the data controller for the personal data we hold about you, responsible for ensuring it is handled lawfully and securely.

2. Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of personal data:

Category	Examples	Purpose
Identity Data	Full name, title, date of birth, passport details	Booking & visa processing
Contact Data	Email address, phone number, postal address	Communication & document delivery
Financial Data	Payment card details (processed via secure gateway only)	Payment processing
Travel Data	Destination preferences, travel dates, dietary/health requirements	Itinerary planning & safety
Special Category Data	Health information, dietary/religious requirements (if volunteered)	Safe travel facilitation
Technical Data	IP address, browser type, device identifiers, pages visited	Website analytics & security
Marketing Data	Communication preferences, travel interests	Relevant marketing (with consent only)
Correspondence Data	Emails, enquiry forms, phone call records	Customer service & dispute resolution

We do not collect more data than we need. We apply the principle of data minimisation — only asking for information genuinely necessary to provide our services.

3. How We Collect Your Data

We collect personal data through the following methods:

Direct interactions: When you complete an enquiry or booking form, call us, email us, or communicate via WhatsApp or live chat.
Our website: Through cookies, analytics tools, and contact forms on goldentriangleindiatours.co.uk.
Third-party sources: From travel aggregator sites, referral partners, or social media platforms where you have given consent to share data.
Publicly available sources: For fraud prevention, we may reference public registers or databases.
Partner organisations: Airlines, hotels, ground handlers, and transfer companies engaged to deliver your trip.

4. How We Use Your Data

We use your personal data for the following purposes:

Processing and managing your travel booking and itinerary
Communicating with you about your trip — confirmations, updates, pre-departure information, and post-trip follow-up
Arranging flights, accommodation, transfers, guides, and all ground services on your behalf
Processing payments and managing refunds or disputes
Providing 24/7 in-destination emergency support
Complying with our ATOL and ABTA obligations, including insurance and bonding requirements
Meeting legal obligations including tax, anti-money-laundering, and fraud prevention requirements
Sending relevant marketing communications about India travel (only with your explicit consent)
Improving our website, services, and customer experience through anonymised analytics
Resolving complaints and disputes, and defending or pursuing legal claims where necessary

5. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

Contract performance (Article 6(1)(b)): Processing your booking, communicating trip details, arranging all travel services.
Legal obligation (Article 6(1)(c)): Compliance with ATOL/ABTA regulations, HMRC requirements, anti-fraud laws, and travel regulations.
Legitimate interests (Article 6(1)(f)): Fraud prevention, improving our services, sending service-related updates, and maintaining business records. We conduct a Legitimate Interests Assessment before relying on this basis.
Consent (Article 6(1)(a)): Direct marketing emails and newsletters. You may withdraw consent at any time by clicking "unsubscribe" in any email or contacting us directly.
Vital interests (Article 6(1)(d)): In emergency situations where sharing your health or location information is necessary to protect your safety while travelling.

For special category data (such as health information), we rely on Article 9(2)(c) — vital interests — and Article 9(2)(a) — explicit consent — where applicable.

7. International Data Transfers

Because we arrange travel services in India, some of your personal data will be transferred to and processed in India by our ground partners. India is not currently designated as an "adequate" country under UK data protection law.

To safeguard your data in these transfers, we implement the following protections:

Standard Contractual Clauses (SCCs): We incorporate ICO-approved data transfer clauses into our contracts with India-based partners.
Data minimisation: We only transfer the minimum data necessary — no financial or sensitive data is sent to ground partners.
Supplier vetting: All India-based partners undergo due diligence and are bound by contractual data protection obligations.
Technical measures: Data in transit is encrypted using TLS 1.2 or higher.

8. Data Retention

We retain your personal data only for as long as necessary. Our retention schedule:

Data Type	Retention Period	Reason
Booking & contract records	7 years after trip	ATOL/ABTA legal obligation; HMRC tax records
Passport & identity documents	6 months after return	Visa processing and emergency support
Enquiry records (non-booking)	12 months	Legitimate interests — follow-up only
Marketing contact preferences	Until consent withdrawn	Consent-based — deleted on unsubscribe
Payment records	7 years	HMRC requirement
Call recordings	90 days	Security and dispute resolution
Website analytics (anonymised)	26 months	Service improvement

After the applicable retention period, your data is securely deleted or anonymised so it can no longer be linked to you.

9. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal data:

Right of Access

Request a copy of all personal data we hold about you (Subject Access Request). We respond within 30 days, free of charge.

Right to Rectification

Ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

Request deletion of your personal data where there is no compelling reason for us to keep it ("right to be forgotten").

Right to Restriction

Ask us to stop actively using your data while retaining it — for example while a dispute is resolved.

Right to Portability

Receive your personal data in a structured, machine-readable format and transfer it to another controller.

Right to Object

Object to processing based on legitimate interests, or opt out of direct marketing at any time with immediate effect.

Automated Decisions

We do not use automated decision-making or profiling that produces significant effects about you.

Withdraw Consent

Withdraw any consent given at any time. This does not affect the lawfulness of processing prior to withdrawal.

To exercise any right, contact our DPO using the details in Section 14. We respond within 30 calendar days. If unsatisfied, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

10. Cookies

Our website uses cookies to improve your browsing experience, analyse traffic, and (with consent) support marketing. Types we use:

Strictly necessary cookies: Essential for website function. Cannot be disabled.
Performance & analytics cookies: Google Analytics (anonymised IP) — enabled only with your consent.
Functionality cookies: Remember your preferences to improve your experience. Enabled with consent.
Marketing cookies: Used to show relevant advertisements across the web. Placed only with explicit consent.

For full details, see our Cookie Policy. You can manage your preferences there at any time.

11. Children's Privacy

Our services are not directed at children under 13. We do not knowingly collect personal data from children under 13 without verified parental consent. When booking travel that includes children, the parent or guardian provides required personal details on the child's behalf. If you believe we have inadvertently collected data from a child under 13, please contact us immediately and we will delete it promptly.

12. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

SSL/TLS encryption: All data transmitted via our website is encrypted using TLS 1.2 or higher (HTTPS).
Access controls: Staff access to personal data is role-based and limited to those with a genuine need to process it.
PCI-DSS compliance: Payment data is processed through certified secure gateways. We do not store card numbers.
Regular security testing: We conduct periodic security assessments and vulnerability scans.
Staff training: All staff with access to personal data complete annual data protection training.
Incident response plan: In the event of a breach likely to affect your rights, we will notify you and the ICO within 72 hours as required by law.

13. Changes to This Policy

We review and may update this Privacy Policy to reflect changes in our data practices, legal requirements, or our services. When we make material changes, we will update the "Last Updated" date at the top of this page and display a prominent notice on our homepage for 30 days. Previous versions are available on request.

14. Contact Us & Data Protection Officer

For any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact our Data Protection Officer:

Data Protection Officer

Golden Triangle India Tours Ltd, London, United Kingdom

info@goldentriangleindiatours.co.uk

+91 9829807075

You also have the right to complain directly to the ICO at ico.org.uk — 0303 123 1113.