Digi Yatra Privacy Policy
Effective as of 27 October 2024
1. About Digi Yatra Foundation (DYF)
DYF is a not-for-profit company incorporated under Section 8 of the Companies Act 2013, for the implementation of a digital ecosystem i.e., Digi Yatra Central Ecosystem (“DYCE”) aimed at streamlining air travel pursuant to and in accordance with the Digi Yatra Policy issued by Ministry of Civil Aviation (MoCA) (link here)
DYF has developed the Digi Yatra Application and DYCE platform, which provides a unique and memorable digital travel experience for air travellers (passengers/users) using real time selfie-based facial biometric validation
The DYCE uses the concept of Self-Sovereign Identity (SSI) to enable the creation of digital Verifiable Credentials (VC) and allow sharing of these verifiable credentials for identity and travel for the purpose of achieving a seamless, hassle-free travel at airports in India using a single token face biometric, decentralised identifiers (“DIDs”) and the created verifiable credentials (VCs).
DYF is committed to protecting user privacy by adhering to SSI principles which empower users with control over their personal data, ensuring that their information is secure, private, and used only for the intended purposes. These principles ensure that users can manage their digital identities with greater autonomy and confidence, aligning with the highest standards of data protection and privacy.
2. Introduction
Digi Yatra (“Digi Yatra”, “Digi Yatra App”, “DY”, “DYF”, “DYCE”, “our”, “we”, or “us”) respects your privacy and we are committed to protecting the Personal Data we process about you. This Privacy Policy (“Policy”) helps explain our practices with respect to the Personal Data processed about users to create and Save Verified Credentials on their devices using Digi Yatra Application; Policy also explains our practices with respect to sharing of Verified Credentials with Airport Verifiers to facilitate seamless access of airport touch points using your face and / or Boarding Pass. This policy also covers information on the grounds of processing personal Data, Rights of an individual and our approach to security of your personal data.
If you have any questions about this policy or on processing of your Personal Data, please see section 9 for information on how to contact us.
3. Scope
The Privacy Policy applies to Digi Yatra (“Digi Yatra”, “Digi Yatra App”, “DY”, “DYF”, “DYCE”, “our”, “we”, or “us”), any third-party agents or partners we may work with to provide our services, ensuring that all data is handled in accordance with the standards outlined herein for the purposes of this privacy policy, agents may include third-party service providers and outsourced entities.
4. Objective
The objectives of DYF’s Privacy Policy are:
- Protection of User Privacy: Ensure the protection of personal data collected from users, adhering to the highest standards of data privacy and security.
- Transparency:Provide clear and transparent information about DYF’s data collection, usage, retention, sharing, and deletion practices.
- Collection Limitation: Limit the collection of personal data and obtain it by lawful and fairness means, with knowledge of the data principal
- User Control: Empower users with control over their personal data by providing them with information to enable them to manage their digital identities, consent, and preferences.
- Compliance:Comply with applicable data protection laws and regulations, including the Digital Personal Data Protection Act .
- Promote Trust:Foster trust among users by demonstrating our commitment to respecting and protecting their privacy.
5. Brief Yet Important Note
Before you read the details, we have summarized few key points below:
- Digi Yatra Process does not create any user profile in the backend and has no personally Identifiable information related to the usage of the application at and individual user level.
- This means that we can never identify if a particular phone #, Aadhaar # ever created profile with us or shared their travel details using Digi yatra Application or travelled through any Digi Yatra Airports.
- Digi Yatra Journey is privacy-preserving, with the complete flow initiating and finishing ONLY on Individual’s phone.
- User is always in full control of their data and only shares VC and Travel details with Origin Airport after giving consent before every travel. Individual can always decide not to use Digi Yatra and not share their travel details with Airport.
- When you interact with us or our team, while sending issues and queries, Digi Yatra Foundation does not request for any personal details to be shared (Sharing Aadhaar Copies or Aadhaar Numbers over email or any other mode is a BIG NO!) – we do not need it, as it will not help in resolving issues.
- For most scenarios, we would just need User’s name (as saved in the Digi Yatra App) and the boarding pass QR/Bar Code – that too if required, we will request you to share with to analyse the issue and help with resolution. This will only be required if issues are tricky or user specific (e.g., related to name mismatch and boarding pass not getting uploaded or similar ones).
- On such instances if a passenger while providing feedback or seeking support for any issues or problems faced shares any Personally Identifiable Information (PII) data such as their Email address, Name, PNR details, Boarding Pass, Mobile number, etc., they agree to the use of their personal information (including sensitive personal data) in accordance with this privacy policy.
6. Information shared by Users
To access or use Digi Yatra Application Users provide certain personal information. DYCE uses this information to enable the functionality on Digi Yatra mobile application by processing this data to create VC, storing the VC in each user’s Digi Yatra wallet on their phones. Users, on giving consent can also choose to share VC and Boarding Pass details with Digi Yatra enabled origin airport (List of currently Live Airports) before every travel. Below is the explanation of various stages in the Digi Yatra Application with the details of user information involved and processed:
| Information | Stage | Purpose | Storage | Retention | Sharing |
|---|---|---|---|---|---|
| Mobile Number | Digi Yatra App – Login | OTP Authentication to Login | Yes, to create access token to authenticate users for secure access to DYCE services | Till user logs out of Digi Yatra Application | No |
| Aadhaar ID/ Virtual Aadhaar ID | Digi Yatra App – Onboarding – To create Digi yatra Verified Credential (VC) | Creation of VC | Yes, it is stored only Locally inside Digi Yatra Wallet on individual user’s phone. Aadhaar Image is not retained; it is immediately purged after creation of VC | On User’s phone – till user deletes the VC using Delete functionality OR Uninstall Digi Yatra Application. Origin Airport – From the time of sharing to up to 24 hours of flight departure | Yes, on user consent, before every travel, VC is shared by user with Origin Airport |
| Facial Image (Selfie captured using User’s phone camera) | Digi Yatra App – Onboarding – Facial Image (Selfie) Validation | To match with Aadhaar image and authenticate that individual creating VC is same as the person initiating the transaction | Yes, Selfie forms the part of VC and is stored on user’s phone as explained above | Same as explained above for VC | Yes, Same as explained above for VC |
| Boarding Pass Data – M1 String data | Digi Yatra App – Boarding Pass upload and sharing with origin Airport. | Used by DYCE, Digi Yatra App, and Airport | DYCE – 14 Days as Transaction log. Digi Yatra App – Till user decides to delete the BP or uninstall the app | Same as explained above for VC | Yes, with origin Airport along with VC as explained above. |
| Information | Stage | Purpose | Storage | Retention | Sharing |
|---|---|---|---|---|---|
| Email ID or any other unsolicited information user might share with us on email. | Customer Support | For user grievance resolution or capturing customer feedback for app/service improvement. In most cases, PII is not required to resolve issues unless specifically requested. | Yes, as part of email or customer support portal. | 30 Days | Yes – Our partners for tech support and customer support teams can have access to this information for issue resolution and customer interactions. |
| Feedback on Digi Yatra Application – This is anonymous feedback with no PII requested by Digi Yatra unless unsolicitedly shared by the user in the message body. | Feedback submission in Digi Yatra App | Feedback is used to improve Digi Yatra app and facilities | Yes – In Email | 30 Days | Yes, same as above |
| Social media – No PII is requested by Digi Yatra, unless unsolicitedly shared by the user in messages. | User interactions with us via public posts or direct messages on social media channels like X, Instagram, LinkedIn, Facebook, or other public forums. | Social media channels are used to engage with users, respond to inquiries, and gather feedback for service improvement. | Public interactions are stored according to platform policies. | NA | NA |
| User Reviews and Feedback on Play Store and Apple Store | User reviews, ratings, and feedback provided on Play Store or Apple Store | Used to monitor user satisfaction and identify areas for improvement. | Public interactions are stored according to platform policies. | NA | NA |
| Information | Stage | Purpose | Storage | Retention | Sharing |
|---|---|---|---|---|---|
| IP Address | Automatically during user interactions with DYCE platform. | To analyse and set firewall rules to allow access only from Indian IPs and block others (e.g., VPN users). | IP information is anonymized and not linked back to user details; processed in real-time and logged to review blocked attempts and help enhance security posture of DYCE. | Few Hours | Yes – Our Partners for Tech Support may have access to this information for review and analysis. |
| Backend Logs | At various steps of interaction with DYCE – e.g., Onboarding, Aadhaar Validation, Selfie Matching, Boarding Pass Sharing. | To log and monitor processes such as Aadhaar validation status, Boarding Pass M1 string parsing, and results of facial algorithm deployed by Digi Yatra (only match score and result without any PII). | Temporarily stored for monitoring and troubleshooting purposes. | 14 Days | Yes – Our Partners for Tech Support may have access to this information for issue resolution. |
| Information | Stage | Purpose | Storage | Retention | Sharing |
|---|---|---|---|---|---|
| Device Types and OS Version | When user submits feedback on app or play store, Crash Analytics reports which gives access to anonymous details on crashes and errors in the Application during usage. | To optimize app performance and ensure compatibility across devices | Yes – available as reports from App stores dashboards, Firebase reports. | As Per platform Policy | Yes – Our Partners for Tech Support may have access to this information for issue resolution. |
| Anonymous App Data – Download, Usage and Application’s geographical availability Data available with Application stores (Apple and Google) | At various stages of Application from Download till Uninstall | To track app popularity, analyse visibility, monitor user engagement, and understand usage patterns. | Yes – Anonymous and Aggregated data as Per Platform Policy | As per platform policy | Yes – Our Partners for Tech Support may have access to this information for issue resolution. |
7. Data Processing for a Minor (less than 18Y of age)
- Digi Yatra application does not allow creation of VC for Minors (Any individual who is less than 18 years of age) and thus they cannot use Digi yatra application without Guardian /Adult’s consent. This is enabled by a business rule that allows Minor profile creation only on those mobile devices where 1 Adult profile is available.
- Once Adult profile is created on a phone, Adult can add and consent on behalf of Minor to complete onboarding process to create Minor VC and share Boarding pass M1 string with Origin Airport.
- This business rule is implemented by doing age check with the Date of Birth available in Aadhaar eKYC data.
- Thus, DYF does not collect, store, process, or transfer personal information of a child without consent from the parent or guardian.
8. Data Storage and Processing
Digi Yatra Foundation (DYF) uses Self-Sovereign Identity (SSI) principles, ensuring that personal information is not stored in any central repository or database. In general, personal information collected and processed under this policy is hosted within India. DYF takes all necessary steps to ensure that the data collected is processed in compliance with this Privacy Policy and in accordance with the requirements applicable to Indian laws as well as the Digi Yatra Policy issued by the MoCA.
9. Your Personal Data Rights and Controls
Our users have specific rights concerning their data, including the ability to modify data, withdraw consent, and ensure their grievances are addressed. Below are the details of these rights and how to exercise them:
| Personal Right and Controls | Discription |
|---|---|
| Data Modification | Our users have the right to review, access, and modify their personal data (Verifiable Credential and Boarding Pass). In case of changes to the boarding pass, users can delete the current boarding pass from the Digi Yatra App and then upload the new boarding pass. In case of updates to the Aadhaar ID, passenger can delete their current credential from the app and then create new credentials by authenticating with Aadhaar following the similar steps as earlier. This may also lead to loss of the user’s previous travel data present on their device. Allowing updates in Original Aadhaar or other IDs is not in scope of Digi Yatra Foundation, if required user can do so by visiting Aadhaar Seva Kendra; once updated in Aadhaar user should, in DY App delete already stored VC and complete Aadhaar authentication again to recreate and store with VC with updated details. |
| Withdrawal/Revocation or Transfer of Consent | You can opt out of Digi Yatra by deleting your VC and Travel Credentials data or uninstalling the app. Since all data is stored locally on your device, this action will permanently erase all Digi Yatra-related data and cannot be retrieved. |
| Grievance Redressal | For any questions, complaints, or concerns about the processing of your personal information or this privacy policy, you can contact the Digi Yatra Foundation (DYF) at dataprivacy@DigiYatraFoundation.com |
10. Data Sharing
In accordance with this privacy policy and as explained in section 6 – Information Shared by Users, DYF may share individual”s/users’ personal information with:
- DYF employees, advisers, agents and third parties who provide services on DYF’s behalf insofar as reasonably necessary and in relation to the fulfilment of the purpose for which the information is sought for.
- Service-providers who assist in protecting and securing DYF systems and provide services to DYF.
- Successors or assigns to whom DYF may assign or transfer the functions in whole or part.
- DYF does not store any data in a central repository. Information from the DYF App present on the user’s device is only shared with explicit consent and not disclose any personal information to others.
11. Technical and Organizational Measures
DYF ensures security and safety of personal information by adopting reasonable data protection practices, measures, procedures such as internal policies, periodic security audits, adherence to code of conduct, data security techniques and privacy principles, data privacy by design techniques, personal data guidelines and certification mechanism, to also ensure that the personal information is protected from security breaches. Employees of DYF responsible for handling Personal Information on behalf of DYF are mandated to follow ethical code of conduct when processing Personal Information which is considered sensitive and hence classified as confidential. To prevent unauthorized disclosure or access to Personal Information, which are compliant with prevailing IT laws and for all the Aadhaar related transactions, compliant with Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016, as may be amended from time to time. DYF has implemented physical and cyber security safeguards. Transmission channels are encrypted, and access to information is restricted to authorized individuals only on a need-to-know basis for the fulfilment of objectives set out herein.
Furthermore, to enhance data protection DYF performs a yearly comprehensive audit and two non-comprehensive audits in a fiscal year.
12. Retention of Personal Data
DYF shall retain any personal information in the manner and only for a minimum duration of time as may be prescribed under applicable law and/or to comply with regulatory requirements. In section 6 – Information Shared by Users we have detailed out the retention period for each data point.
13. Links to other websites and/or applications
The DYF public website may contain links to other third-party sites and/or applications. DYF is not responsible for the content and privacy practices of those third-party websites. DYF is not responsible for protection and privacy of information shared by users on those third-party applications while accessing them through links from DYF website and/or application.
14. Changes to privacy policy
DYF reserves the right to change, alter, modify, update or add terms in this privacy policy when it may deem necessary. Changes to privacy policy will be updated on the DYF website and application. The changes shall be part of this Policy and apply from the date of the amendment/alteration/change/modification/addition/update.
15. Jurisdiction
If you choose to use the DYF Platform, your visit and any dispute over privacy is subject to this privacy policy. In addition to the foregoing, any disputes arising under this privacy policy shall be governed by the laws of India and the courts of New Delhi, India shall have exclusive jurisdiction in case of disputes.
