Privacy Policy

This Policy applies to our website, enquiry forms, WhatsApp/phone communications, and booking services. The Data Controller/Data Fiduciary is Next Step Destinations (Insert Legal Entity Name) at the address below.

• Contact & Identity: name, email, phone, address, date of birth, nationality; guest details as per passports/IDs.
• Booking Details: destination preferences, dates, hotel/room choice, special assistance, meal/bed preferences.
• Documents: passport, visa, travel insurance proof (where required). Stored securely and only as long as necessary.
• Payment: method, status, transaction reference (we do not store full card/UPI details; handled by payment gateways).
• Technical: IP, device/browser, pages visited, referral source, cookies & analytics identifiers.
• Communications: emails, calls, WhatsApp messages, chat transcripts, feedback, reviews.

• Respond to enquiries, prepare quotations/itineraries, and fulfil bookings.
• Issue vouchers/tickets, coordinate with airlines/hotels/transporters/ground handlers.
• Process payments and invoices, comply with tax and accounting requirements.
• Provide customer support, resolve complaints, and improve our services and website.
• Send service communications (booking updates, alerts). Marketing emails/WhatsApp only with consent and opt‑out option.
• Detect, prevent, and address fraud, abuse, or security incidents.

• Consent: for optional marketing, cookies, or when required by law. You may withdraw consent anytime.
• Contractual necessity: to take pre‑contract steps and perform your booking contract.
• Legal obligation: KYC, taxation, and regulatory compliance.
• Legitimate interests: service improvement, analytics, and security—balanced against your rights.

• We use essential cookies for core site functionality and preference cookies to remember settings.
• We may use analytics (e.g., Google Analytics) and advertising cookies (e.g., Meta/Google Ads) to measure performance and personalise ads.
• You can manage cookies via your browser settings or a cookie banner (if implemented). Blocking some cookies may impact site functionality.

• Suppliers: airlines, hotels, DMCs, transport companies, activity operators—to fulfil your bookings.
• Payment processors: banks, UPI providers, payment gateways—card/UPI details are handled by them.
• Technology vendors: hosting, email/SMS/WhatsApp service providers, analytics and support tools.
• Legal & compliance: where required by law, court orders, or to protect rights, safety, and property.

• Online payments are processed by third‑party gateways using industry‑standard encryption. We do not store full card numbers, CVV, or UPI PINs on our servers.
• Always verify payment links originate from our official domain or authorised providers before paying.

Your data may be processed outside India when bookings involve foreign suppliers or global cloud services. We take reasonable steps to ensure an adequate level of protection and share only what is necessary for fulfilment.

We keep personal data only as long as needed for the purposes stated, including legal/accounting requirements. Typical retention: enquiries (12–24 months), booking records (7–10 years), passport/visa copies (until completion plus a short archival period unless law requires longer).

• Right to access and obtain a copy of your personal data.
• Right to correction/rectification and updating of inaccurate data.
• Right to deletion/erasure where applicable and not conflicting with legal obligations.
• Right to withdraw consent for optional processing (e.g., marketing).
• Right to grievance redressal and to nominate a person to exercise your rights under DPDP 2023.

To exercise rights, email us from your registered email ID with proof of identity. We acknowledge within 7 working days and endeavour to resolve within 30 days.

We do not knowingly collect personal data from children without parental/guardian consent. If you believe a child has provided data without consent, please contact us to remove it.

• Industry‑standard technical and organisational measures: HTTPS, access controls, encryption in transit, and need‑to‑know access.
• No method of transmission or storage is 100% secure. We will notify you and regulators of significant breaches as required by law.

Some browsers offer “Do‑Not‑Track” (DNT). We do not currently respond to DNT signals due to lack of a consistent industry standard.

Our website may contain links to third‑party websites/apps. Their privacy practices are governed by their own policies. Please review them before sharing any data.

We may update this Policy from time to time. The version and date above indicate the latest revision. Continued use of our services after changes constitutes acceptance of the updated Policy.