At FestBooking, your privacy is not just a legal obligation — it is a core value. This Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights as a Data Principal under Indian law.
Summary (Plain Language): We collect your name, contact details, location, payment info, and (for vendors) identity documents. We use this to run the FestBooking marketplace, process payments, and comply with Indian law. We do not sell your data. You can access, correct, or delete your data by contacting our Data Protection Officer. Read the full policy below for complete details.
This Privacy Policy is prepared in compliance with the following Indian laws and regulations:
| Law / Regulation | Relevance |
|---|---|
| Digital Personal Data Protection Act, 2023 (DPDP Act) | Primary data protection law in India — governs collection, processing, storage, and rights of Data Principals |
| Information Technology Act, 2000 — Sections 43A, 72, 72A | Liability for data breaches, wrongful disclosure, compensation for privacy violations |
| IT (Reasonable Security Practices and Procedures and SPDI) Rules, 2011 | Mandatory security practices; rules for Sensitive Personal Data or Information |
| IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 | Intermediary obligations, grievance officer, user data transparency |
| Consumer Protection Act, 2019 & E-Commerce Rules, 2020 | Consumer data rights, transparency in data use, prohibition on deceptive practices |
| Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 & Aadhaar Authentication for Good Governance Rules, 2020 | Restrictions on Aadhaar storage and use — we do NOT authenticate via Aadhaar APIs |
| Prevention of Money Laundering Act, 2002 (PMLA) & RBI KYC Master Directions | Mandatory KYC collection and retention for vendor payouts |
| RBI Data Localisation Circular (2018) | Payment data of Indian users must be stored exclusively in India |
| Indian Contract Act, 1872 | Consent as a valid contract element for data processing |
📋 Under the DPDP Act 2023, Section 2(i), the entity that determines the purpose and means of processing personal data is the Data Fiduciary. FestBooking Internet Private Limited is the Data Fiduciary for all personal data collected through festbooking.in.
Registered Office: 123, Business Hub, Vaishali Nagar, Jaipur, Rajasthan – 302021
CIN: [To be registered under Companies Act, 2013]
Email: privacy@festbooking.in
Website: www.festbooking.in
This Policy applies to all users of FestBooking — Customers (event bookers), Vendors (service providers), and visitors to our website. It covers data collected through our website (festbooking.in), vendor dashboard, customer portal, and any related mobile applications.
📋 DPDP Act 2023, Section 2(t): "Personal data" means any data about an individual who is identifiable by or in relation to such data.
| Category | Specific Data Points | When Collected |
|---|---|---|
| Identity | Full name, profile photo | Registration |
| Contact | Mobile number, email address | Registration / Booking |
| Location | City, GPS coordinates (with consent), event venue address | Booking / Search |
| Booking Details | Event type, date, number of guests, special requirements | Booking |
| Payment | UPI ID / masked card number / payment reference (NOT full card number or CVV) | Payment |
| Communications | Messages sent to vendors through Platform chat | Chat / Support |
| Reviews | Rating, written review, photos submitted with review | Post-service |
| Technical | IP address, browser type, device ID, OS, session logs | Automatic (all visits) |
| Category | Specific Data Points | When Collected |
|---|---|---|
| Identity (KYC) | Full name, date of birth, Aadhaar number (masked / last 4 digits only), PAN number, photo of Aadhaar & PAN card | Registration |
| Business | Business name, GST number, years of operation, service description, portfolio photos | Registration |
| Financial | Bank account number, IFSC code, UPI ID, TDS records, payout history | Registration / Payouts |
| Location | Service city, area, GPS location, travel coverage radius | Registration |
| Operational | Availability calendar, booked slots, pricing, cancellation records | Dashboard usage |
| Technical | Login time, IP address, device type, dashboard activity logs | Automatic |
When you visit our website, we automatically collect:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Name, email, mobile, password hash | Contract (consent) |
| Processing bookings and payments | Booking details, payment data, location | Contract |
| KYC verification of vendors | Aadhaar, PAN, bank details | Legal obligation (PMLA 2002, RBI KYC) |
| Payout to vendors | Bank account, IFSC, UPI ID, TDS records | Contract + Legal obligation (Income Tax Act) |
| Showing relevant vendor listings | Location, event type, search history | Legitimate interest / Consent |
| Customer support and dispute resolution | Booking data, chat logs, complaints | Contract + Legitimate interest |
| Sending booking confirmations & updates | Mobile, email, booking ID | Contract |
| Marketing & promotional communications | Email, mobile (with opt-in consent) | Consent (withdrawable) |
| Fraud detection and security | IP, device ID, transaction patterns | Legitimate interest + Legal obligation |
| Compliance with court orders / government directions | Any data as directed | Legal obligation |
| Platform analytics and improvement | Anonymised/aggregated usage data | Legitimate interest |
| Tax reporting (GST, TDS filing) | Vendor financials, PAN | Legal obligation |
⚠️ We do NOT sell, rent, or trade your personal data to any third party for their own marketing purposes. We do not use your data for automated profiling that produces legal or similarly significant effects without human review.
📋 DPDP Act 2023, Section 4: Personal data may be processed only for a lawful purpose, for which the Data Principal has given consent, or for certain legitimate uses specified under Section 7.
We process your personal data on the following legal grounds:
Where we rely on consent, you will be presented with a clear, specific, and informed consent notice before data collection. Consent is recorded with timestamp, version of notice, and the specific data category consented to.
📋 IT (SPDI) Rules, 2011, Rule 3: Sensitive Personal Data includes passwords, financial information, health data, sexual orientation, biometric data, and other categories. Higher protection standards apply.
The following categories of data collected by FestBooking qualify as SPDI under the IT Rules, 2011:
For SPDI, we implement additional safeguards:
📋 Aadhaar Act 2016, Section 29: No Aadhaar number shall be published, displayed, posted, or shared by any entity. Use of Aadhaar for authentication requires UIDAI authorisation under Section 8. Violation is punishable under Section 37 (imprisonment up to 3 years).
For vendor KYC verification (mandatory under PMLA 2002 and RBI KYC Master Directions 2016), we collect a photograph of the Aadhaar card and PAN card. This is for offline visual identity verification only — we are NOT an Aadhaar Authentication Agency and do NOT use UIDAI's authentication API.
Upon verification of the Aadhaar card photo, we redact the first 8 digits and store only the last 4 digits (e.g., XXXX-XXXX-4321) as a reference. The original Aadhaar card photograph is encrypted and stored in a separately secured data store with restricted access.
📋 Your right: You may request deletion of your Aadhaar card photograph from our systems at any time after your vendor account is verified and active. Send a request to kyc@festbooking.in. Post-deletion, we retain only the last-4-digit reference and the verification outcome record.
📋 IT (SPDI) Rules 2011, Rule 5(7): Users must be informed about cookies and given the option to opt out where cookies are not strictly necessary.
| Type | Purpose | Duration | Can be Disabled? |
|---|---|---|---|
| Strictly Necessary | Login session, booking flow, CSRF protection, language preference | Session / 30 days | No — website won't function |
| Functional | Remembering your city, search filters, previously viewed vendors | 90 days | Yes |
| Analytics | Page visits, click patterns, performance monitoring (anonymised) | 365 days | Yes |
| Marketing | Retargeting ads, personalised promotional offers (only with consent) | 180 days | Yes — requires explicit opt-in |
In addition to cookies, we use browser localStorage to maintain session data (e.g., booking in progress, selected vendors, location consent) within your browser session. This data is not transmitted to our servers unless you actively proceed with a booking.
You can manage cookie preferences at any time through your browser settings. Note that disabling strictly necessary cookies will prevent login and booking functionality. You may also use your browser's private/incognito mode to browse without persistent cookies.
📋 DPDP Act 2023, Section 8(3): Data Fiduciaries must ensure that Data Processors they engage provide sufficient guarantees of data protection. IT (SPDI) Rules 2011, Rule 6: Sharing SPDI requires prior consent, except where required by law.
When a Customer makes a booking, the following data is shared with the relevant Vendor:
Vendors are contractually prohibited from using this data for any purpose other than delivering the booked service.
| Category | Purpose | Data Shared |
|---|---|---|
| Payment Gateway / Aggregator | Processing customer payments and vendor payouts | Name, mobile, amount, order ID (PCI-DSS compliant processor) |
| SMS / OTP Provider | Sending OTP, booking confirmations | Mobile number, message content |
| Email Service Provider | Transactional and marketing emails | Email address, name, booking details |
| Cloud Hosting Provider | Data storage and computing (India region) | All Platform data (stored within India) |
| Analytics Provider | Anonymised usage analytics | Anonymised IP, page views, session data only |
| CA / Auditor | Tax filing, TDS returns | Vendor PAN, financial data (under legal obligation) |
All Data Processors are bound by data processing agreements ensuring DPDP Act 2023 compliance.
We may disclose personal data without your prior consent when required by:
We will attempt to notify you of such disclosure to the extent permitted by law.
⚠️ Data Localisation: All personal data of Indian users is stored and processed on servers located within India, in compliance with the RBI Data Localisation Circular (April 2018) and the DPDP Act 2023. We do not transfer personal data outside India without (a) your explicit consent, and (b) verification that the destination country provides adequate data protection as notified by the Central Government under Section 16 of the DPDP Act 2023.
In compliance with the Reserve Bank of India's circular on "Storage of Payment System Data" (6 April 2018) and the DPDP Act 2023:
📋 DPDP Act 2023, Section 8(7): A Data Fiduciary shall not retain personal data beyond the period necessary for the specified purpose. IT (SPDI) Rules 2011, Rule 5(4): SPDI must not be retained longer than necessary.
| Data Category | Retention Period | Basis |
|---|---|---|
| Customer account data | Until account deletion + 3 years | Dispute resolution, legal claims |
| Booking records | 7 years from booking date | Consumer Protection Act 2019 / Tax audit |
| Payment / financial data | 8 years | Income Tax Act 1961 (Section 44AA) / GST law |
| Vendor KYC documents (Aadhaar / PAN photo) | Until account closure + 5 years | PMLA 2002, Rule 9 — 5 years post-account closure |
| Vendor PAN / bank account reference | Until account closure + 8 years | TDS records, Income Tax Act |
| Customer reviews and ratings | Until vendor account deletion | Legitimate interest |
| Server / security logs | 180 days | IT Rules 2021 (Intermediary Guidelines) Rule 3(1)(j) |
| Marketing consent records | Until consent is withdrawn + 3 years | Evidence of lawful processing |
| Cookies (analytics) | 365 days | Functional necessity |
After the retention period expires, personal data is securely deleted or irreversibly anonymised. Anonymised/aggregated data may be retained indefinitely for statistical purposes.
📋 IT (SPDI) Rules 2011, Rule 8: Every body corporate handling SPDI must implement comprehensive documented information security programmes and policies, including IS/ISO/IEC 27001:2013 standard or equivalent.
We implement the following security safeguards to protect your personal data:
⚠️ Your responsibility: You are responsible for keeping your account credentials confidential. Do not share your password or OTP with anyone, including persons claiming to be FestBooking staff. We will NEVER ask for your password or full OTP over phone or email.
📋 DPDP Act 2023, Section 9: Processing of personal data of children (below 18 years) requires verifiable parental consent. Data Fiduciaries shall not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
FestBooking is intended for users who are 18 years of age or older. We do not knowingly collect personal data from individuals below 18 years of age without verifiable parental or guardian consent.
If you are a parent or guardian and you believe your child has provided personal data on our Platform without consent, please contact us immediately at privacy@festbooking.in. We will promptly delete such data upon verification.
We do not engage in behavioural tracking, targeted advertising, or profiling of any user below 18 years of age, in compliance with Section 9 of the DPDP Act 2023.
📋 DPDP Act 2023, Chapter III (Sections 11–14): Data Principals (individuals whose data is processed) have enforceable rights against Data Fiduciaries.
Know what personal data we hold about you, how it is being processed, and who it has been shared with.
Request correction or updating of inaccurate, incomplete, or outdated personal data.
Request deletion of personal data that is no longer necessary, subject to legal retention obligations.
Withdraw previously given consent for processing at any time. Withdrawal does not affect prior processing.
Lodge a complaint with our Grievance Officer if you believe your data rights have been violated.
If unsatisfied with our response, escalate to the Data Protection Board of India established under the DPDP Act 2023.
Nominate another individual to exercise your data rights on your behalf in case of death or incapacity.
Unsubscribe from promotional emails or SMS at any time via the unsubscribe link or by contacting us.
To exercise any of the above rights, submit a written request to our Data Protection Officer at dpo@festbooking.in or use the Privacy Settings in your account dashboard. We will respond within 30 days of receiving your request. We may verify your identity before processing the request. Requests are free of charge for up to 2 requests per year per user.
📍 Data Protection Board of India: If you remain unsatisfied after exhausting our internal process, you may file a complaint with the Data Protection Board of India at the web portal designated by the Ministry of Electronics and Information Technology (MeitY). The Board has the power to impose penalties and direct remediation under the DPDP Act 2023.
📋 IT (Intermediary Guidelines) Rules 2021, Rule 4(2): Significant social media intermediaries and platforms must appoint a Grievance Officer, resident in India, to receive and acknowledge complaints within 24 hours and resolve within 15 days.
Name: Mr. Rahul Sharma
Designation: Grievance Officer
Email: grievance@festbooking.in
Phone: +91 98765-43210
Hours: Mon–Sat, 10 AM – 6 PM IST
Response Time: Within 24 hours (acknowledgement); 15 days (resolution)
Name: Ms. Priya Joshi
Designation: Data Protection Officer
Email: dpo@festbooking.in
Postal: FestBooking Internet Pvt. Ltd., 123 Business Hub, Vaishali Nagar, Jaipur – 302021
Scope: All DPDP Act 2023 and IT Rules 2011 related matters
📋 DPDP Act 2023, Section 8(6): Upon becoming aware of a personal data breach, the Data Fiduciary must notify the Data Protection Board and affected Data Principals in the prescribed manner and within the prescribed time period.
In the event of a personal data breach that is likely to result in harm to Data Principals, FestBooking will:
We also maintain cyber insurance in compliance with best practices for digital platforms.
Our website may contain links to third-party websites (e.g., payment gateways, social media pages, government portals). Clicking such links takes you to a website governed by that third party's privacy policy, not ours.
We are not responsible for the privacy practices, content, or security of any third-party website. We recommend you review the privacy policy of any external site before providing personal data to it.
Embedded content from third parties (such as maps, social share buttons, or videos) may collect your IP address and set cookies independently. Such processing is governed by the respective third party's privacy policy.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes:
Previous versions of this Policy are archived and available upon request from privacy@festbooking.in.
For any privacy-related queries, requests, or complaints, you may contact us through any of the following channels:
General Privacy Queries: privacy@festbooking.in
Data Erasure / Access Requests: dpo@festbooking.in
KYC Document Deletion: kyc@festbooking.in
Grievances & Complaints: grievance@festbooking.in
FestBooking Internet Private Limited
123, Business Hub, Vaishali Nagar
Jaipur, Rajasthan – 302021, India
Phone: +91 98765-43210 (Mon–Sat, 9 AM – 8 PM IST)
🏛️ Regulatory Escalation: If you are not satisfied with our response to your privacy complaint, you have the right to lodge a complaint with the Data Protection Board of India (once operational under DPDP Act 2023) at the portal to be designated by MeitY, or approach the competent civil courts at Jaipur, Rajasthan for relief under Section 43A of the IT Act, 2000.