Data Protection Policy for Shiv Yatra

Last Updated: September 9, 2025

This Data Protection Policy describes how Shiv Yatra protects personal data across our websites, apps, and related services. We follow applicable data protection laws and apply privacy-by-design and security-by-default in our systems and processes.

Scope and Applicability

This Policy applies to all personal data processed by Shiv Yatra and its service providers in connection with our services.

  • Covers data collected from users, customers, creators, support interactions, and visitors.
  • Applies to online and offline data collection where relevant.
  • Supplements our Privacy Policy, Terms of Use, Cookie Policy, and Community Guidelines.

Key Roles and Responsibilities

We establish clear accountability for data protection.

  • Data Controller: Shiv Yatra determines purposes and means of processing for our services.
  • Data Processors: Trusted vendors process data on our behalf under contract.
  • Internal Ownership: Product, Engineering, Security, and Compliance teams share responsibility for implementing controls.

Lawful Bases and Fair Processing

We only process personal data where we have a valid legal basis.

  • Contractual necessity to provide and support the service.
  • Legitimate interests such as security, fraud prevention, analytics, and service improvement after considering user impact.
  • Consent for optional features like certain marketing and non-essential cookies.
  • Legal obligations including record-keeping and compliance requirements.

Data Minimization and Purpose Limitation

We collect only what we need and use it for defined purposes.

  • Collect the minimum data necessary to operate the service.
  • Use data only for stated purposes or compatible purposes with appropriate safeguards.
  • Review collection points periodically to remove unnecessary fields.

Accuracy and Quality

We take reasonable steps to keep data accurate and up to date.

  • Provide user-accessible settings to view and update profile information.
  • Apply validation and sanity checks at intake and during processing.
  • Correct or delete inaccurate records upon verification.

Data Subject Rights

Depending on your location, you may have rights over your personal data.

  • Access, rectification, deletion, and portability requests where applicable.
  • Objection to or restriction of certain processing, and withdrawal of consent where processing is based on consent.
  • We verify identity before fulfilling rights requests and respond within reasonable timelines.

Privacy by Design and Default

We embed privacy protections into our systems from the outset.

  • Conduct privacy impact assessments for high-risk features or new data uses.
  • Default to least-privilege access for staff and systems.
  • Use data segmentation, pseudonymization, or anonymization where feasible.

Security Measures

We apply layered technical and organizational safeguards.

  • Encryption in transit; encryption at rest where applicable.
  • Access controls, role-based permissions, and multi-factor authentication for internal systems.
  • Network security, vulnerability management, logging, and monitoring.
  • Secure software development lifecycle with code reviews and dependency scanning.
  • Regular backups, recovery procedures, and least-privilege key management.

Vendor and Subprocessor Management

We carefully select and oversee service providers.

  • Due diligence on security, privacy, and compliance posture.
  • Written data processing agreements with confidentiality and security obligations.
  • Periodic reassessments and prompt remediation of identified risks.

International Data Transfers

We implement safeguards when data is processed across borders.

  • Use appropriate contractual protections and technical measures for cross-border transfers.
  • Limit transfers to what is necessary to operate and improve the service.

Data Retention and Deletion

We retain personal data only as long as needed.

  • Retention schedules tied to legal, contractual, and operational requirements.
  • Deletion or anonymization when data is no longer necessary.
  • Documented processes for user-initiated deletion requests where applicable.

Incident Response and Breach Notification

We prepare for and respond to security incidents promptly.

  • Maintain an incident response plan with defined roles and escalation paths.
  • Investigate incidents, contain impact, and implement corrective actions.
  • Provide notifications to users and authorities when legally required and as soon as practicable.

Children’s Data

We do not knowingly collect personal data from children where prohibited.

  • Age-gating or equivalent controls where required by law.
  • Prompt deletion of any inadvertently collected children’s data upon notice.

Training and Awareness

We equip our teams to handle data responsibly.

  • Periodic privacy and security training for relevant personnel.
  • Clear internal policies on data handling, acceptable use, and incident reporting.

Records and Auditing

We maintain documentation to demonstrate accountability.

  • Maintain records of processing activities where required.
  • Internal reviews and audits of key controls and vendor compliance.
  • Track and document changes to systems affecting personal data.

Updates to This Policy

We may update this Policy to reflect changes in law or our practices.

  • We will update the "Last Updated" date when changes are made.
  • Where required by law, we will provide additional notice of material updates.

Contact Us

Email: contact@shivyatra.com
Address: New Delhi, India