Privacy Policy

• Identity & contact: name, mobile number, email, profile photo (if provided via Google).
• Booking data: passenger names, gender, date of birth, passport details (optional), itinerary, PNR, payment status.
• Saved travellers: profiles you store in My Account for faster checkout.
• Technical data: device type, IP address, browser, session logs, and cookies needed for security and performance.
• Communications: support messages, WhatsApp alerts you opt into (e.g. WishFly price alerts).
• Agent / business applications: agency name, GST, address, and registration details if you apply as agent, corporate, or distributor.

We use personal data to authenticate you, process bookings, send tickets and confirmations, provide customer support, prevent fraud, improve our services, and comply with legal obligations. Marketing messages are sent only where you have consented or as permitted by law, with opt-out available.

Login via mobile OTP and Google Sign-In is powered by Google Firebase Authentication. Firebase processes your phone number or Google account identifiers according to Google's privacy policy. We receive a Firebase UID and basic profile fields to link your session to your TravelCNB account. Configure Firebase only in production with appropriate security rules; we do not publish your credentials in client code beyond standard public API keys.

Booking records, user profiles, travellers, agent applications, and related data are stored in Supabase (PostgreSQL) hosted on secure cloud infrastructure. Access from our servers uses service-role credentials kept on the server side only. Row-level security and application checks limit what each user can read or modify.

Payments are handled by licensed payment gateways (e.g. Cashfree). Card and UPI details are processed by the gateway; we do not store full card numbers. We share necessary booking and passenger data with airlines, GDS/consolidators, and SMS/WhatsApp providers solely to fulfil your booking and notifications.

We do not sell your personal data to third parties for their marketing purposes.

We retain booking and tax-related records as required by Indian law and airline audit requirements. Account data is kept while your account is active and for a reasonable period thereafter unless you request deletion, subject to legal hold obligations.

We use HTTPS, access controls, and industry-standard practices to protect data. No method of transmission over the internet is 100% secure; please use a strong device lock and do not share OTP codes.

Subject to applicable law, you may request access, correction, or deletion of your personal data, withdraw consent where processing is consent-based, and lodge a complaint with the Data Protection Board of India when the DPDPA framework is fully operational. We will verify requests using your registered phone or email.

Our services are not directed at children under 18. Bookings for minors must be made by a parent or legal guardian.

To exercise privacy rights or request account / data deletion, contact:

• Email: travelcnbmail@gmail.com (subject: "Privacy / Data Deletion")
• WhatsApp: +91 86553 81001

We will respond within a reasonable timeframe, typically within 30 days, and may retain minimal records where required by law after deletion of active profile data.