Privacy Policy

1. Scope of This Policy

This Privacy Policy applies to:

• The TourFiles web application and all features accessible after logging into your account.
• Developer and integration APIs used to connect TourFiles with other tools your business uses.
• Third-party integrations configured through your TourFiles workspace.
• In-platform communication features such as internal notes, follow-up logs, and client messaging.
• Any information you share when contacting our support team through email or help tickets.
• Automated emails and notifications sent by the platform as part of normal business operations.

This policy applies only to information processed through TourFiles services.

2. Information We Collect

2.1 Account Information

When you register or manage your account, we collect:

• Your full name, used to identify you within your company's workspace and in communications.
• Your registered business or trade name, used for invoicing and platform identification.
• Your primary email address, used for login, account recovery, and service communications.
• A contact phone number, provided optionally for support and account verification purposes.
• Payment method details, processed securely through our payment gateway partners — we do not store raw card data.
• Your GSTIN or other tax identification details, used solely for generating compliant invoices.
• Your password, stored as a one-way cryptographic hash — we never store or transmit it in plain text.
• The role assigned to each user in your workspace, which determines what they can access and do within the platform.

2.2 Operational Business Data

As you use TourFiles to run your travel business, you may upload or create:

• Lead profiles and inquiry details you enter or import to manage your sales pipeline.
• Confirmed booking details including traveler information, itinerary references, and booking status.
• Custom travel plans and packages you build and manage for your clients.
• Client-facing invoices you generate through the platform, including amounts, taxes, and payment status.
• Payment collection and reconciliation records tied to your bookings and invoices.
• Details of suppliers, hotels, airlines, and service partners you work with.
• Vouchers, visa documents, and other files you upload or associate with a booking.
• Logs of emails, notes, and follow-ups you record against leads, clients, or bookings.

All of this data is owned by your business. TourFiles processes it solely to deliver the service you have subscribed to.

2.3 Technical & Usage Information

We automatically collect certain technical data to keep the platform secure and operational:

• Your IP address, recorded for security purposes including session validation and fraud detection.
• Browser and version details, used to diagnose compatibility issues and optimize the interface.
• Your device's operating system, used to understand platform performance across different environments.
• The date and time of each login, retained as part of your account's activity and audit trail.
• Basic device metadata such as screen resolution and device type, used for responsive design and support.
• Aggregated data on which modules and features your team uses most, used to guide product improvements.
• A record of significant actions taken within your workspace, such as user additions, data exports, and setting changes.
• Request logs from API calls made to or from your TourFiles integration, used for debugging and usage monitoring.
• Automatic error reports generated when the platform encounters an unexpected failure, used to identify and fix bugs quickly.

3. How We Use Information

We use the information we collect strictly to operate and improve TourFiles:

• To operate TourFiles, keep your workspace running, and ensure you have uninterrupted access to all subscribed features.
• To verify the identity of everyone logging into your workspace and enforce your configured access controls.
• To manage your subscription plan, generate invoices, and process payments through our gateway partners.
• To identify bottlenecks, fix bugs, and make informed decisions about what to build or improve next.
• To help your team resolve issues — our support staff may access account details when necessary and with your knowledge.
• To deliver time-sensitive alerts such as booking confirmations, payment receipts, and system warnings.
• To identify and act on suspicious login patterns, API misuse, or behavior that may indicate a compromised account.
• To meet requirements under Indian law and other applicable regulations, including responding to valid legal requests.

We do not sell personal information to third parties.

4. Transactional Emails & Notifications

TourFiles sends emails and in-app notifications that are directly tied to platform activity. These are not marketing messages — they are part of the service itself:

• Emails sent to verify your address when you sign up or add a new user to your workspace.
• Secure reset links sent when you or an admin initiates a password change for any account.
• Automated alerts triggered by booking status changes, upcoming travel dates, or client-facing actions.
• Emails sent to your clients or your team when an invoice is created, updated, or becomes overdue.
• Automated reminders sent to clients or internally when a payment due date is approaching or has passed.
• Alerts about events that require your attention, such as failed integrations, plan limits, or account flags.
• Occasional notices about platform updates, scheduled maintenance windows, or changes to this policy.

5. Third-Party Services

To deliver a fully functional platform, TourFiles works with a limited set of third-party providers. Each receives only the data necessary for their specific role:

• Payment processors that handle card and UPI transactions securely on behalf of your business.
• Cloud infrastructure providers on whose servers TourFiles is deployed and your data is stored.
• Email delivery services responsible for reliably routing transactional emails to your team and clients.
• Messaging APIs used to send WhatsApp or SMS notifications where those channels are configured.
• Internal analytics tools we use to monitor platform health, performance, and aggregate usage trends.
• CRM or ERP systems that you, as a customer, choose to connect with TourFiles via available integrations.

These providers operate under their own privacy policies and are contractually restricted from using your data for any purpose beyond their specific service function.

6. Data Security

We take platform security seriously and have implemented multiple layers of protection:

• All data in transit is encrypted via TLS — your connection to TourFiles is always secured with HTTPS.
• Login is protected by secure session management, and admin controls let you restrict access by user or role.
• Every user in your workspace has a defined role that limits what they can view, edit, or export.
• Our hosting environment is continuously monitored for uptime anomalies and unauthorized activity.
• Databases are access-restricted, encrypted at rest, and backed up on a scheduled basis.
• Key actions within your workspace are logged with timestamps and user attribution for accountability.
• API endpoints and login flows are rate-limited to protect against brute-force attacks and automated abuse.

That said, no online system can guarantee absolute security. We encourage you to use strong passwords, enable appropriate user permissions, and report any suspicious activity to our support team promptly.

7. Data Retention

We retain data only for as long as there is a legitimate reason to do so:

• All data associated with active accounts is retained for as long as your subscription remains in good standing.
• Certain records such as invoices and audit logs may be kept beyond account closure for internal operational continuity.
• We retain specific data categories for the minimum periods mandated by Indian financial and data protection regulations.
• Data may be held for a defined period after account closure to assist in resolving billing disputes or investigating security incidents.

When accounts are permanently deleted, data is removed from active systems and will be purged from backups within the applicable retention window.

8. Data Ownership

The business data you create, upload, or manage within TourFiles — including your leads, bookings, invoices, client records, and documents — belongs to you. We do not claim any ownership over it.

TourFiles functions as a software service provider. We process your data to power the features you use, and nothing more. You may export or request deletion of your data at any time.

9. Cookies & Session Technologies

TourFiles uses a minimal set of cookies and browser-based storage — all of them strictly functional. We do not serve advertising cookies, retargeting pixels, or cross-site behavioral tracking technologies of any kind.

Authentication Cookies

When you log in, we issue an encrypted session token stored as an HTTP-only cookie. This is what keeps you signed in as you navigate between modules. The token is bound to your session, expires on logout or inactivity timeout, and is inaccessible to JavaScript running on the page — which protects against common XSS-based session hijacking attacks.

CSRF Protection Tokens

Every form submission and state-changing request is accompanied by a per-session CSRF token, validated server-side before the action is processed. This prevents cross-site request forgery attacks where a third party might otherwise trick your browser into performing actions on your account without your knowledge.

User Preference Storage

Lightweight workspace preferences — such as your last-active module, sidebar state, or table display settings — may be saved in your browser's local storage. This data stays on your device and is never transmitted to our servers. It exists solely to preserve your interface configuration between sessions.

Platform Session Identifiers

A server-side session identifier ties your browser to your active workspace context. This ensures that your role-based permissions, organization context, and active subscription state are correctly applied to every request you make within the platform — without requiring you to re-authenticate on every action.

Security & Integrity Cookies

Certain short-lived cookies are used to verify the integrity of your session during sensitive operations such as password changes, billing updates, or admin-level configuration changes. These are discarded as soon as the operation completes.

10. Analytics & Tracking Technologies

TourFiles uses lightweight, first-party analytics and monitoring tools to maintain platform quality and guide product decisions. We do not use Google Analytics, Meta Pixel, or any third-party behavioral tracking tools that profile individual users across external websites.

Usage Analytics

We collect aggregated, anonymized data on which modules and features your organization accesses most frequently. This is not individual-user tracking — it operates at the workspace level and is used internally to prioritize development, identify underused features, and understand how different travel businesses use the platform.

Performance Monitoring

Our infrastructure monitoring stack tracks server response times, API latency, database query performance, and error rates across the platform. This data is used exclusively for operational reliability — identifying bottlenecks, planning infrastructure capacity, and diagnosing performance regressions after updates.

Error Diagnostics

When the platform encounters an unexpected failure, an automated diagnostic report is generated capturing the error type, the affected feature, stack trace context, and the conditions under which it occurred. These reports do not contain your business data — they are used exclusively to fix bugs and improve platform stability.

Feature Usage Tracking

At an organization level, we track which plan features have been activated, whether certain modules have been visited, and approximate usage frequency. This informs subscription plan design, helps our support team assist customers more effectively, and allows us to deprecate features that are no longer being used.

Browser & Session Storage

Certain transient in-app state — such as your current navigation context, active filters, or temporary form data — may be stored using browser session storage. This data exists only for the duration of your active browser session and is automatically cleared when you close the tab or window.

None of these tools are used to build individual behavioral profiles, serve advertisements, or share data with marketing or advertising platforms.

11. International Data Processing

TourFiles is operated from India and primarily serves businesses in India. However, some of the infrastructure and third-party services we rely on may store or process data in other countries, depending on where those providers operate their data centers.

Where this occurs, we take reasonable steps to ensure that your data is handled in a manner consistent with the security standards described in this policy.

12. Children's Privacy

TourFiles is a business software platform intended exclusively for use by companies and their adult employees. We do not knowingly collect personal information from individuals under the age of 18. If you believe a minor has accessed or submitted data through the platform, please contact us so we can address it promptly.

13. Account Suspension & Abuse Prevention

We reserve the right to suspend or permanently terminate accounts where we have reasonable grounds to believe the platform is being misused. This includes but is not limited to:

• Using TourFiles to conduct, facilitate, or conceal activities that violate applicable law.
• Sending unsolicited bulk messages through the platform or engaging in behavior that disrupts other users or our systems.
• Attempting unauthorized access to other accounts, reverse-engineering the platform, or deliberately exploiting vulnerabilities.
• Providing false billing information, initiating chargebacks dishonestly, or misusing trial or promotional access.
• Taking actions intended to overload, manipulate, or otherwise undermine the reliability and integrity of TourFiles for all customers.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our features, legal requirements, or business practices. When we make material changes, we will notify you via email or through an in-app notice before the changes take effect.

Continued use of the platform after any update constitutes your acceptance of the revised policy. The effective date at the top of this page will always reflect when it was last changed.

15. Contact Information

If you have questions about this policy, want to exercise your data rights, or need to report a privacy concern, please reach out to us directly. We aim to respond to all privacy-related requests within 5 business days.