Privacy Policy

Pearl Destination Management Company ("PearlDMC", "we", "us", or "our") is committed to protecting the privacy and personal data of our B2B partners, their employees, and the end travellers whose data we process on their behalf. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our services, website, and B2B Partner Portal.

This Policy applies to all individuals whose data PearlDMC processes, including: registered partner agency contacts, individual users of the B2B portal, and travellers whose personal information is shared with us by partner agencies to facilitate bookings.

We comply with applicable data protection laws including the Digital Personal Data Protection Act, 2023 (India), the European Union General Data Protection Regulation (GDPR) for data subjects in the EEA, the UK GDPR for UK data subjects, and other applicable national privacy frameworks.

Partner Registration & Account Data

When you register as a B2B partner, we collect the following information about your agency and its designated contact persons:

• Agency name, registered address, country, city, and website
• Agency type, trade membership details, and IATA or ABTA number
• Full name, job title, business email address, and phone number of the contact person
• WhatsApp or mobile number (optional, for operational communication)
• Annual booking volume range and typical group size
• Destinations of interest and how you heard about PearlDMC
• Portal login credentials (password stored in hashed, salted form — never in plain text)

Booking & Traveller Data

When partner agencies submit bookings or quotation requests, we process personal data of the travellers to be served. This data is shared with us by you as the partner agency and may include:

• Traveller full names as they appear on passports
• Nationality, date of birth, and passport number (where required for visa processing or hotel check-in)
• Dietary requirements, medical conditions, or accessibility needs relevant to the travel arrangements
• Flight details and travel dates
• Emergency contact information
• Special occasion details (e.g., honeymoon, anniversary) where disclosed for service personalisation

Technical & Usage Data

• IP address, browser type, and device type when accessing our website or portal
• Pages visited, time spent, and click behaviour for portal usability analytics
• Login timestamps and session activity for security monitoring
• Cookies and similar tracking technologies (see Cookie Policy section below)

Communications Data

We retain records of communications between your agency and PearlDMC, including emails, inquiry forms, chat messages, and telephone call logs, to the extent required for service delivery, dispute resolution, and legal compliance.

PearlDMC processes personal data only for specific, legitimate purposes and only to the extent necessary for those purposes. We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.

Partner Data — Purposes & Legal Bases

Traveller Data — Purposes & Legal Bases

• Fulfilling hotel reservations, transfers, tours, and other booked services — Contract performance
• Processing visa assistance requests and immigration documentation — Legal obligation / Contract
• Providing on-ground emergency support during travel — Vital interests
• Sharing with suppliers strictly necessary to fulfil the booking — Contract performance

PearlDMC shares personal data with third parties only when strictly necessary and under appropriate contractual protections. We maintain a record of all third-party processors with whom we share data.

Categories of Recipients

• Hotels, resorts, and accommodation providers — to fulfil room reservations (traveller names, check-in dates, special requests)
• Ground transportation operators — to coordinate airport transfers and vehicle bookings (flight details, pax names)
• Tour guides and activity operators — to deliver booked excursions (names, group size)
• Visa processing authorities and government departments — where legally required for entry documentation
• Payment processors and banking institutions — to process invoices and payments (financial data only)
• Cloud infrastructure providers — to host and operate the B2B Portal securely
• Email and communication service providers — to send booking confirmations and support messages
• Legal and accounting advisors — under strict professional confidentiality obligations

All third-party suppliers and processors engaged by PearlDMC are contractually required to process data only for the specified purpose, maintain appropriate technical and organisational security measures, and comply with applicable data protection laws.

International Data Transfers

As a global DMC operating across multiple regions, data may be transferred to countries outside your home jurisdiction. Where data is transferred outside the EEA or UK to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms. Transfers within India are governed by the Digital Personal Data Protection Act, 2023 and the rules issued by the Data Protection Board of India.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, and to resolve disputes or enforce agreements.

Retention Periods

• Partner account and registration data: Duration of the active partnership plus 5 years after termination
• Booking records and transaction data: 7 years from the date of travel (financial record-keeping requirement)
• Traveller personal data: 2 years from the travel date, unless retained longer for legal or insurance purposes
• Marketing communication preferences and opt-in records: Duration of consent plus 3 years
• Security logs and access records: 12 months on a rolling basis
• Correspondence and email records: 3 years from the date of last communication
• Legal claims and dispute records: Until the claim is fully resolved plus applicable limitation period

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Anonymised data (which can no longer identify any individual) may be retained indefinitely for statistical and analytical purposes.

PearlDMC implements a comprehensive set of technical and organisational security measures to protect personal data against unauthorised access, loss, alteration, disclosure, or destruction.

Technical Safeguards

• 256-bit SSL/TLS encryption for all data transmitted between users and our portal
• AES-256 encryption for sensitive data fields stored at rest
• Bcrypt password hashing with individual salts — passwords are never stored in plain text
• Multi-factor authentication (MFA) available and strongly recommended for all portal accounts
• Regular penetration testing and vulnerability assessments by independent security firms
• Automated intrusion detection and real-time security monitoring of portal infrastructure
• Role-based access controls — staff access data only on a strict need-to-know basis

Organisational Safeguards

• Annual data protection training mandatory for all staff with access to personal data
• Designated Data Protection Officer (DPO) responsible for compliance oversight
• Data Processing Agreements (DPAs) in place with all third-party processors
• Documented incident response procedures with 72-hour breach notification capability
• Regular internal audits of data handling practices and access logs

Despite our robust security measures, no system can guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected parties and relevant supervisory authorities within the timeframes required by applicable law.

Depending on your location and the applicable data protection law, you may have the following rights regarding your personal data held by PearlDMC. We will respond to all valid requests within 30 days, or within the shorter timeframe required by applicable law.

To exercise any of these rights, please submit a written request to privacy@pearldmc.com. We may need to verify your identity before processing your request. There is no charge for exercising your rights, though we may charge a reasonable fee for manifestly unfounded or excessive requests.

PearlDMC uses cookies and similar technologies on our website and B2B Portal to ensure proper functionality, improve user experience, and analyse usage patterns. A cookie is a small text file placed on your device by our website.

Types of Cookies We Use

• Strictly Necessary Cookies — Required for the portal to function. These cannot be disabled (e.g., session authentication, CSRF protection tokens, load balancing)
• Functional Cookies — Remember your preferences such as language, currency, and portal layout settings. These can be disabled but may affect functionality
• Analytics Cookies — Collect anonymised data about how you use our portal to help us improve the experience. We use privacy-first analytics tools that do not track individuals across sites
• Marketing Cookies — Only used if you have opted in to receive marketing communications. These track email open rates and link clicks in our newsletters

You can manage your cookie preferences at any time through the Cookie Settings panel accessible from the footer of our website. Blocking strictly necessary cookies will prevent the portal from functioning correctly.

PearlDMC's B2B Portal and services are intended exclusively for travel industry professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data directly from children.

Where traveller bookings include minors, the personal data of those minors is shared with us by the partner agency acting as the responsible adult or legal guardian. Such data is processed solely for the purpose of fulfilling the travel arrangements and is subject to the same security standards as adult traveller data.

Partner agencies are responsible for ensuring they have appropriate parental or guardian consent before sharing minor traveller data with PearlDMC. If you become aware that a minor has directly submitted personal data to us, please contact privacy@pearldmc.com immediately.

PearlDMC reviews and updates this Privacy Policy periodically to reflect changes in our data processing activities, applicable law, or industry best practice. The most current version of this Policy is always available on this page.

We will notify registered partner agencies of material changes to this Policy by email to the registered contact address and/or via a prominent notice on the B2B Portal login page. We will provide at least 14 days' notice before material changes take effect.

Continued use of our services after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree with the changes, you may close your partner account by notifying us in writing at b2b@pearldmc.com.

For all privacy-related enquiries, data subject rights requests, or concerns about how we handle your personal data, please contact our Data Protection Officer:

Supervisory Authorities

If you are based in India, you have the right to lodge a complaint with the Data Protection Board of India (DPBI) once it is constituted under the Digital Personal Data Protection Act, 2023. If you are based in the EU or EEA, you may contact your national Data Protection Authority. UK-based partners may contact the Information Commissioner's Office (ICO) at ico.org.uk.

We encourage you to contact us first before escalating to a supervisory authority, as we are committed to resolving all privacy concerns promptly and fairly.