Privacy Policy
Draft for review. Written in plain language as the Digital Personal Data Protection Act, 2023 (DPDP Act) requires — notices must be clear, specific, and purpose-limited.
Last updated: [DATE]
EcoHikes ("we") operates ecohikes.in. This policy explains what personal data we collect, why, who sees it, how long we keep it, and your rights. It applies to the website, our booking and interest forms, and our WhatsApp/email communication with you.
Data Fiduciary: EcoHikes, [registered entity name and address], Visakhapatnam, Andhra Pradesh · [email] · [phone]
1. What we collect, and why
We collect only what each purpose needs, and we ask your consent at the point of collection.
When you book an experience
- Name, age, gender, phone, email, city — to manage your booking and group logistics.
- Emergency contact name and phone — used only if something goes wrong on an experience.
- Government photo-ID details where forest permits or Himalayan trek permits require them — shared only with the issuing authority.
- Health and fitness information you declare (conditions, medications, allergies, fitness declaration) — used solely by our trek leaders to keep you safe. This is the most sensitive data we hold and access is restricted to the operations team and your experience's leaders.
When you pay
Payments are processed by Razorpay. Your card/UPI/banking details go directly to Razorpay and its banking partners — we never see or store them. We receive only confirmation of payment and a transaction reference. Razorpay's own privacy policy applies to the payment step.
When you fill the Eco-circle interest form, contact form, or volunteer/join-us form
Name, contact details, and what you tell us about yourself — to respond, review applications, and invite you if selected.
When you buy or redeem a gift card
Purchaser and recipient name and contact — to issue and honour the card.
When you browse the website
Basic analytics (pages visited, device type, approximate location from IP) via [analytics tool — e.g. Wix Analytics/Google Analytics] to understand what content helps people. Cookies used for this are described in Section 6. We do not run third-party advertising trackers.
Photos and videos on experiences
Our team photographs and films experiences. We ask for your consent in the Participation Agreement before using images in which you are identifiable on our website, social media, or promotional material — and you can decline or withdraw at any time (Section 5) without affecting your participation.
2. What we never do
We do not sell or rent your personal data. We do not use your health information for anything except safety. We do not send marketing without an unsubscribe option.
3. Who we share data with
Only what each party needs:
- Trek leaders and community hosts for your experience — participant list, emergency contacts, declared health information.
- Permit authorities (forest departments, district administration, protected-area authorities) — ID details where legally required.
- Razorpay — for payments, as above.
- Insurance providers — if the experience includes group accident cover, the insurer receives names, ages, and dates. (verify: current insurer arrangement)
- Website and email infrastructure (Wix, email/WhatsApp business tools) — as processors storing data on our behalf.
- Authorities — if the law requires us to.
Some processors (e.g. website hosting) may store data outside India; we use providers permitted under the DPDP Act's transfer rules.
4. How long we keep it
- Booking records and payment references: [7 years] — accounting and tax law requires this. (verify with CA)
- Health declarations and emergency contacts: 1 year after the experience ends, then deleted (retained longer only if an incident occurred and records are legally needed).
- Interest/volunteer forms: 2 years, then deleted if inactive.
- Photos/videos: retained as part of our archive; identifiable images are removed from active use on withdrawal of consent.
- Analytics: aggregated after [14 months].
5. Your rights (DPDP Act, 2023)
You can, at any time, by writing to [privacy email]:
- Access — ask what personal data of yours we hold and how we've used it.
- Correct — fix inaccurate or incomplete data.
- Erase — ask us to delete data we no longer legally need to keep.
- Withdraw consent — including photo/media consent, as easily as you gave it; withdrawal doesn't affect processing already done.
- Grievance — complain to our Grievance Officer (below); if unresolved, you may approach the Data Protection Board of India.
- Nominate — name someone to exercise these rights for you in case of death or incapacity.
We respond within the timelines prescribed under the DPDP Rules.
6. Cookies
Essential cookies keep the site and booking flow working (no consent needed). Analytics cookies load only after you accept them via the cookie notice. You can clear or block cookies in your browser; the site keeps working, though forms may need re-entry.
7. Children
Bookings for participants under 18 are made by a parent/guardian, who provides consent for the minor's data as the DPDP Act requires. We do not knowingly collect data directly from children, and we do not use children's data for tracking or advertising.
8. Security
Data lives in access-controlled systems (website CMS, booking records); health information is restricted to those who need it for safety. Payment security is handled end-to-end by Razorpay (PCI-DSS compliant). No internet system is perfectly secure, but if a breach affecting you occurs we will inform you and the Data Protection Board as the law requires.
9. Grievance Officer
Name: Ravi Gutamentla (verify spelling) · Email: mail@ecohikes.in · Phone: +91 93465 66101 · Address: [address]
We acknowledge complaints within 48 hours and aim to resolve within 15 days.
10. Changes
We'll post updates here with a new "last updated" date; material changes will be flagged on the website or by email.