1. Definitions

2. Data we collect

We collect personal data that is necessary to provide adventure and trekking services safely and efficiently. This includes:

a) Identity & contact data

Name, postal address, email, mobile number, emergency contact, photo/ID proof (Aadhaar/Passport/Driver's license) for verification and regulatory purposes.

b) Booking & transaction data

Trip selections, booking history, refund/cancellation records, payment instrument identifiers (last 4 digits, transaction IDs), billing address, invoices - processed via our payment processors. We do not store full card data on our servers; payment card details are processed through PCI-compliant payment gateways.

c) Health & fitness data (sensitive)

Medical history, fitness declarations, allergies, fitness certificates or doctor's notes needed for safe participation in certain activities. We treat these as sensitive personal data and process them only where necessary for safety and legal compliance.

d) Travel, logistics & preference data

Pickup/drop locations, passport/visa details (for international arrangements), special dietary needs, preferred trip difficulty.

e) Device & usage data

IP address, device identifiers, browser type, cookies and analytics data collected when you visit our website or use our online services.

f) Photographs and media

Photos and videos taken during trips (may be used for marketing with consent; see Section 6).

3. Legal basis and purposes for processing

We process personal data for one or more of the following lawful purposes:

• Performance of contract: To confirm bookings, operate trips, arrange logistics, process payments and provide customer support.
• Consent: Where required (e.g., marketing communications, use of photographs, health disclosures). You may withdraw consent where the law permits.
• Compliance with legal obligations: For statutory/regulatory requirements (e.g., identity verification, record-keeping, tax or safety reporting).
• Legitimate interests: For fraud prevention, improving services, internal analytics and safety management - balanced against data principals' rights.

We will only collect and retain the minimum personal data required for the stated purpose.

4. How we collect personal data

• Directly from you (during booking, registration, medical forms, feedback).
• From third parties (payment processors, travel agents, partner hotels, emergency contacts, guides) to the extent necessary to deliver services safely.
• Automatically via our website (cookies, analytics).
• From publicly available sources or law enforcement, as required.

5. Cookies and similar technologies

We use cookies and similar technologies to run the website, remember your preferences and help improve the experience. You can control cookies via your browser settings; note that some features may become unavailable if cookies are blocked.

6. Marketing and photos

We may, with your explicit consent, use trip photos or testimonials for marketing (website, social media, brochures). You can opt out of marketing at any time by contacting our Grievance Officer (see Section 15) or via the unsubscribe link in our emails.

7. Sharing personal data - recipients and third parties

We may share personal data with:

• Service providers and partners who help deliver services (payment gateways, transportation, accommodation, guides, medical facilities, insurance providers).
• Legal and regulatory authorities when required by law, court order, or to respond to lawful requests.
• Emergency contacts or medical providers in case of medical emergencies.
• Third parties in connection with a business reorganization, sale, merger, or asset transfer - subject to appropriate safeguards.

We will require third-party processors to maintain appropriate security and to process data only per our instructions.

8. Cross-border data transfer

Where necessary for business operations (e.g., cloud services, partner services located outside India), personal data may be transferred to jurisdictions outside India. We will only transfer data to countries that provide an adequate level of protection or where appropriate safeguards (contracts, standard contractual clauses, or other legal mechanisms) are in place as required by law.

9. Data security

We implement industry-standard technical, administrative and organizational measures to protect personal data from unauthorized access, disclosure, alteration or destruction, consistent with Indian legal expectations for reasonable security practices. Examples include access controls, encryption of sensitive data at rest and in transit, regular security assessments and staff training. However, no system is completely secure; in the unlikely event of a security incident we will follow applicable notification requirements under Indian law.

10. Payment security

We use PCI-compliant payment processors/gateways for online payments. We do not store full card numbers or CVV on our servers. For any payment-related queries, please contact our support team.

11. Retention of personal data

We retain personal data only as long as necessary for the purposes for which it was collected, to comply with legal and regulatory obligations, resolve disputes, enforce agreements, and for safety and archival reasons. Specific retention periods vary by data category (e.g., booking records, tax records, waiver forms) and will be documented in our internal retention schedule.

12. Your rights (Data Principal rights)

Under applicable Indian law you have certain rights in relation to your personal data, subject to legal exceptions:

• Right to access: Request confirmation whether we process your personal data and obtain a copy.
• Right to correction: Request rectification of inaccurate or incomplete personal data.
• Right to erasure (right to be forgotten): Request deletion where processing is no longer necessary and no overriding legal reason exists.
• Right to withdraw consent: Withdraw consent where processing is based on consent (withdrawal does not affect processing prior to withdrawal).
• Right to data portability: Receive certain personal data in a structured, commonly used and machine-readable format, where applicable.
• Right to grievance/redress: Lodge a complaint with us (see Section 15) and with the relevant regulatory authority under applicable law.

To exercise your rights, please contact our Grievance Officer at the details below. We will respond within the timelines required by applicable law.

13. Children & minors

Our services are primarily for adults. We do not knowingly collect personal data of children under 18 for participation in activities without parental/guardian consent. For any minor participating in a trip, we collect parental consent and emergency contact/guardian details, and certain health information necessary for safety.

14. Third-party websites and links

Our website may contain links to third-party sites. This Privacy Policy does not apply to those sites. We encourage you to read the privacy notices of every website you visit.

15. Grievance Officer/Data Protection Contact (required under Indian rules)

As required under Indian IT rules and consistent with DPDP Act principles, we have designated a Grievance Officer/Data Protection Contact to address privacy queries and complaints:

We will acknowledge and address grievances promptly and in any event within the time required by applicable law.

16. Data breach notification

If we become aware of a data breach that creates a risk to the rights and freedoms of individuals, we will take steps to contain the breach, assess its impact, notify affected individuals and the relevant authority as required by law, and implement measures to prevent recurrence.

17. Changes to this policy

We may update this Privacy Policy to reflect changes in law, technology or our operations. When changes are material, we will notify users through our website and, where appropriate, via email.

18. How to contact us

For privacy queries, exercising your rights, or to make a complaint: