Magical Andaman — Cruises, Hotels, Tours
Privacy

Privacy Policy

Last updated 27 May 2026

Magical Andaman ("we", "us", "our") operates the website at magicalandaman.com and the booking services on it. This Privacy Policy explains what personal data we collect, the purposes we collect it for, how we use and protect it, and the rights you have under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act").

1. Data Fiduciary identity

For the purposes of the DPDP Act, we are the Data Fiduciary. Our details are:

  • Legal entity: TRVL ADVENTURE ESCAPES PVT LTD
  • GSTIN: as stated on your invoice
  • Grievance Officer: reachable at privacy@magicalandaman.com. We aim to respond to all grievances within 7 working days.

2. Personal data we collect

We collect data in three ways:

  • Data you give us directly — when you book a trip, fill an enquiry form, sign up for an account, or message us on WhatsApp. This includes name, contact details, passenger details (including government- issued ID details where required by ferry operators), travel preferences, and payment details (processed by our payment gateway; never stored on our servers).
  • Data we collect automatically — log data, device information, IP address, browser type, pages viewed, and the referring URL. We use cookies and similar technologies for session management, security, analytics, and to remember your preferences. Non-essential cookies are only loaded after you consent (see §8).
  • Data from third parties — when you book a cruise we exchange booking and passenger details with the relevant ferry operator (Makruzz, Green Ocean, Nautika, Sealink, or others). Our payment gateway (Razorpay) shares transaction status with us.

3. Purposes for which we process your data

The DPDP Act requires us to specify each purpose. We use your data to:

  • Deliver the bookings, refunds, and customer support you have asked for.
  • Send transactional emails and WhatsApp messages — confirmations, tickets, pre-departure reminders, disruption alerts.
  • Comply with legal obligations, including tax records, GST invoicing, and identity-verification requirements set by ferry operators or government authorities.
  • Detect and prevent fraud, including verification of payments via Razorpay.
  • Improve the website and services using aggregate analytics (only with your consent for analytics cookies).
  • Send you marketing communications about other Andaman travel services (only with your consent; you can opt out at any time).

4. Legal basis

We rely on the following bases under the DPDP Act:

  • Consent — for marketing communications and non-essential cookies.
  • Legitimate uses (s.7 of the DPDP Act) — for processing necessary to perform a booking you have asked us to make, to respond to enquiries, and to comply with law.

5. Who we share your data with

We share personal data only with:

  • Ferry operators and other service providers (hotels, tour operators, experience providers) whose services you have booked.
  • Payment processors — primarily Razorpay — for transactions and refunds.
  • Technical service providers (cloud hosting, email delivery, analytics, customer support tools, error monitoring) under data-processing terms.
  • Government authorities when required by law, including in response to subpoenas, tax assessments, or court orders.

We do not sell your personal data to third parties.

6. Data retention

Booking, payment, and tax-relevant records are retained for at least 7 years to meet Indian tax law (Income Tax Act, GST rules). Marketing preferences are retained until you opt out. Account data not attached to a booking is retained while your account is active. When you ask us to delete your account (see §9) we anonymise the records we are legally required to retain and hard-delete the rest.

7. Data security

We use industry-standard measures: HTTPS sitewide, encrypted database connections, hashed passwords, restricted internal access, and isolated environments for staging and production. Payment information is handled by PCI-DSS-compliant gateways and is never stored on our servers. We monitor for and act on security incidents; if we suffer a personal data breach that is likely to result in significant harm, we will notify you and the Data Protection Board of India as required by the DPDP Act.

8. Cookies and tracking

We use three categories of cookies:

  • Necessary — required for sign-in, bookings, and security. These do not require consent under the DPDP Act because they are needed to deliver a service you have requested.
  • Analytics — Google Analytics, used to understand how the site is used in aggregate. Loaded only after you opt in.
  • Marketing — Meta Pixel, used to show relevant Andaman trip ads on other sites. Loaded only after you opt in.

You can change your choices any time from the "Cookie preferences" link in the footer or from Account → Privacy & data.

9. Your rights as a Data Principal

Under the DPDP Act you have the following rights:

  • Right to information (s.11) — to know what personal data we hold about you and how it is processed. Use the "Download my data" button on the profile page to get a JSON export.
  • Right to correction — to ask us to correct inaccurate or incomplete data. You can update your name, phone, and email from the profile page; for changes to booking records, write to us.
  • Right to erasure (s.12) — to ask us to delete your personal data. Use "Delete my account" on the profile page. As explained in §6, records we are required to retain by law will be anonymised rather than deleted.
  • Right to withdraw consent — for marketing or analytics, at any time. Withdrawal does not affect processing already carried out.
  • Right of grievance redressal — write to our Grievance Officer at privacy@magicalandaman.com. We aim to acknowledge within 48 hours and resolve within 7 working days.
  • Right to nominate (s.14) — to nominate another individual to exercise these rights on your behalf in case of incapacity. Email us to register a nomination.
  • Right to complain to the Data Protection Board of India — if you are dissatisfied with how we have handled your request.

10. Children

Our services are not directed at children under 18, and we do not knowingly process personal data of children without verifiable parental consent. Bookings on behalf of minors must be made by a parent or legal guardian. If you believe we have inadvertently collected a child's data, contact our Grievance Officer and we will delete it.

11. International transfers

Some of our service providers (cloud hosting, email delivery, error monitoring) may process data outside India. Where this happens, we ensure contractual safeguards consistent with the DPDP Act.

12. Changes to this policy

We may update this Privacy Policy from time to time. The current version will be posted on this page with a new "Last updated" date. Material changes will be communicated by email to account holders, and where the change affects the legal basis for our processing, we will ask you to re-consent.

13. Contact us

For privacy or data-protection questions, write to privacy@magicalandaman.com or use the contact details in the footer.

Questions? We're happy to walk you through it.

WhatsApp usContact