1. Roles under the DPDP Act
For traveler data, your agency is the Data Fiduciary and Payana is your Data Processor: we process traveler personal data only on your documented instructions, under the data-processing terms incorporated into the terms of service. For your own account data, Payana is the fiduciary.
2. What this means for your agency, practically
- Consent: collect your customers' consent for storing their details and sending them trip communications. The Payana web form and WhatsApp opt-in flows capture and timestamp this for you.
- Notice: your traveler-facing pages and app screens include a privacy notice naming your agency — auto-generated from your brand kit, editable.
- Correction & erasure: traveler requests can be honoured in-product: edit the customer record, or use "Erase customer", which cascades through trips, messages, and documents (keeping only legally required invoice records).
- Breach duties: if an incident affects your customers' data, we notify you within 72 hours with the facts you need for your own notifications.
3. Consent records
Every opt-in (web form, WhatsApp, manual) is logged with source, timestamp, and text shown. The consent register is exportable per customer — that export is your evidence if a traveler ever disputes consent.
4. Children's data
Trips often include minors. Store only what the trip needs (name, age) and attach the data to the booking adult's record — Payana's traveler model does this by default. The companion app issues no accounts to minors.
5. Grievances
Our grievance officer (per the DPDP Act and IT Rules) is reachable at grievance@payana.today · Payana Technologies Pvt. Ltd., 27 Anna Salai, Chennai 600001. Acknowledgement within 48 hours, resolution target 15 days.