Table of Contents
1
Introduction & Commitment
DigiReg ("Platform", "We", "Us") is committed to protecting the personal data of hotel partners, their staff, and guests in full compliance with Indian law. This policy governs how data is collected, stored, processed, and protected across all modules of the DigiReg Hotel Management System.
Modules covered: Guest Check-In, Reservations, Billing & Invoicing, OTA Channel Management, Room Management, and Admin Dashboard.
We believe privacy is a fundamental right. Every feature of DigiReg is designed with data minimisation and security as core principles, not afterthoughts.
2
Legal Framework
This policy is governed by the following Indian laws and regulations:
| Law / Regulation | Relevance |
|---|---|
| Digital Personal Data Protection Act, 2023 (DPDP Act) | Primary data protection framework |
| Information Technology Act, 2000 | Cybersecurity and digital data obligations |
| IT (SPDI) Rules, 2011 | Sensitive personal data handling standards |
| Indian Contract Act, 1872 | Partner agreement obligations |
| Consumer Protection Act, 2019 | Guest / consumer rights |
| Aadhaar (Targeted Delivery) Act, 2016 | ID verification compliance |
| Income Tax Act, 1961 | Financial record retention periods |
| The Foreigners Act, 1946 | Foreign guest registration requirements |
3
Definitions
| Term | Meaning |
|---|---|
| Data Principal | The individual whose personal data is collected (hotel guest, staff member) |
| Data Fiduciary | DigiReg — the entity determining purpose and means of processing |
| Data Processor | Hotel partner processing guest data via the DigiReg platform |
| Personal Data | Name, mobile, email, address, ID number, photograph, signature |
| Sensitive Personal Data (SPDI) | Aadhaar number, PAN, financial information, biometric data |
| Partner | Any registered hotel or lodging establishment using DigiReg |
| Platform | The DigiReg Hotel Management System at digireg.online |
4
Data We Collect
Guest Data (collected by hotel partners)
- Full name, mobile number, email address
- Home / permanent address
- Government ID type and number (Aadhaar, PAN, Passport, Driving Licence, Voter ID)
- ID photographs — front and back images
- Digital guest signature
- Check-in and check-out date & time
- Room number, duration of stay, agreed rate
- Payment details — advance paid, balance due, payment mode, transaction reference
- Booking reference number and reservation linkage
- Special remarks or requests
Hotel Partner Data
- Hotel name, contact person name, address, city, state
- Mobile number, email address
- GST number and PAN number
- Username and cryptographically hashed password
- WiFi credentials (stored encrypted)
- SMS API keys (stored encrypted, never exposed in UI)
- Total rooms count and room configuration
Automatically Collected Data
- Login timestamps and IP addresses
- Session identifiers and activity logs
- Browser and device information (user-agent)
- Draft form data (temporary, cleared after submission)
5
Purpose of Data Collection
Data is collected strictly for the following lawful purposes under Section 4 of the DPDP Act, 2023:
| # | Purpose | Basis |
|---|---|---|
| 1 | Guest check-in registration as required under Hotel & Lodging House Rules and state police regulations | Legal obligation |
| 2 | Reservation creation, confirmation, and management | Contract |
| 3 | Billing, invoice generation, advance and balance tracking | Contract |
| 4 | Identity verification as mandated for lodging establishments | Legal obligation |
| 5 | OTA channel management — room availability synchronisation only | Legitimate interest |
| 6 | Operational analytics and occupancy reports for hotel management | Legitimate interest |
| 7 | Compliance with police, tourism department, and tax authority requirements | Legal obligation |
Data is never used for advertising, profiling, or sold to any third party.
6
Legal Basis for Processing
Under the DPDP Act, 2023 and SPDI Rules, 2011, we process data on the following lawful bases:
- Consent — Obtained from guests at check-in via digital signature on the registration form
- Legal Obligation — Hotel establishments are legally required to maintain guest registers under state Police Acts and The Foreigners Act, 1946
- Contractual Necessity — For executing reservations, issuing invoices, and managing room allocations
- Legitimate Interest — For platform security, fraud prevention, session management, and service continuity
7
Partner Obligations
As a DigiReg partner (acting as Data Processor under the DPDP Act, 2023), registered hotels agree to:
- Collect guest data only for lawful lodging and compliance purposes
- Display a privacy notice at the front desk or on the check-in interface
- Not share guest data with any third party without explicit written consent
- Ensure all staff accessing the system are bound by confidentiality obligations
- Report any suspected or confirmed data breach to DigiReg within 72 hours of discovery
- Not retain guest data beyond the legally required retention period (generally 1–5 years depending on state regulations)
- Ensure physical and device security for all terminals accessing the platform
- Not use guest data for marketing, promotions, or upselling without a separate, explicit opt-in consent
- Cooperate with DigiReg in any audit or investigation related to data protection
Violation of partner obligations may result in suspension or termination of platform access as per the partner agreement.
8
Data Storage & Security
Storage
- All data is stored on servers located in India in compliance with data localisation requirements
- Guest ID photographs and signatures are stored as encrypted data
- Database access is restricted by role-based access control (RBAC)
- Each hotel can only access its own data — complete data isolation
Security Measures (as per Rule 8, SPDI Rules 2011)
- Encryption — All sensitive data encrypted at rest and in transit via HTTPS/TLS
- Access Control — Hotel staff see only their own hotel's guest data
- Password Security — Passwords stored using one-way cryptographic hashing (never plain text)
- Session Management — Automatic session timeout after inactivity
- Audit Logs — All login events and data access actions are logged with timestamps
- API Security — All API endpoints require authenticated hotel sessions
- Draft Data — Form drafts cleared after successful submission or after 30 days
Data Retention Schedule
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Guest check-in records | 5 years | State police / lodging house requirements |
| Reservation records | 3 years | Operational / contractual |
| Financial / billing records | 7 years | Income Tax Act, 1961 |
| Login / activity logs | 1 year | IT Act, 2000 |
| Deleted hotel & data | Purged immediately | DPDP Act, 2023 |
| Draft / temporary form data | 30 days or on submission | Legitimate interest |
9
Rights of Data Principals
Under the Digital Personal Data Protection Act, 2023, guests and individuals have the following rights:
Right to Access
Know what personal data is held about you
Right to Correction
Request correction of inaccurate data
Right to Erasure
Request deletion where legally permissible
Right to Grievance
Lodge complaints regarding data handling
Right to Nominee
Designate a nominee for data rights
Right to Withdraw
Withdraw consent where applicable
To exercise these rights, contact the hotel directly or reach DigiReg at privacy@digireg.online. We respond within 30 days.
10
ID Data Special Provisions
Collection of Aadhaar numbers is governed by the Aadhaar Act, 2016. DigiReg and its partners:
- Do not use Aadhaar for authentication purposes — only for identity recording as legally permitted
- Do not store Aadhaar data in any central biometric database
- Store all ID numbers in encrypted form with restricted access
- Recommend hotels record only the last 4 digits of Aadhaar where the full number is not legally required
- Do not share ID data with any third party except law enforcement with a valid legal order
- ID photographs are stored locally per hotel and are not shared across the platform
Partners must not photocopy or retain physical Aadhaar cards. Digital recording via the DigiReg platform is the approved method.
11
Data Breach Policy
In the event of a data breach, DigiReg will follow this response protocol:
| Step | Action | Timeline |
|---|---|---|
| 1. Contain | Isolate affected systems immediately upon discovery | Immediate |
| 2. Assess | Determine scope, type of data affected, and number of individuals impacted | Within 24 hours |
| 3. Notify Partners | Inform affected hotel partners with details of the breach | Within 72 hours |
| 4. Notify Authorities | Report to the Data Protection Board of India as required under DPDP Act, 2023 | As per DPB timeline |
| 5. Notify Individuals | Inform affected individuals with clear information about the breach | Without undue delay |
| 6. Remediate | Patch vulnerabilities, strengthen controls, and conduct post-breach audit | Within 7 days |
| 7. Document | Maintain full record of breach and all remedial actions taken | Ongoing |
12
Third-Party Data Sharing
DigiReg does not sell, rent, or trade personal data under any circumstances.
Data may be shared only in the following strictly limited circumstances:
| Recipient | Data Shared | Legal Basis |
|---|---|---|
| Law Enforcement / Police | Guest register as per legal order | Legal obligation |
| State Tourism Department | Compliance reporting where mandated | Legal obligation |
| OTA Platforms (Booking.com, Airbnb) | Room availability only — no guest PII shared | Contractual |
| SMS Service Providers | Mobile number for OTP / notification delivery only | Legitimate interest |
| Payment Processors | Minimum required for transaction processing | Contractual |
All third-party processors are contractually bound to data protection standards equivalent to this policy.
13
Grievance Officer
As required under Rule 5(9) of the SPDI Rules, 2011 and Section 13 of the DPDP Act, 2023:
DigiReg Data Protection & Grievance Officer
Platform: DigiReg Hotel Management System
Website: digireg.online
Email: privacy@digireg.online
Response Time: Within 30 days of receiving a complaint
Jurisdiction: Courts of Uttarakhand, India
14
Policy Updates
This policy may be updated periodically to reflect changes in Indian law, platform features, or operational practices.
- Partners will be notified of material changes via email at least 30 days before they take effect
- The updated policy will be published at digireg.online/data-protection-policy
- Continued use of the platform after the effective date constitutes acceptance of the updated policy
- Version history will be maintained and available on request
Current Version: 1.0 | Effective Date: April 2026 | Next Review: April 2027
15
Partner Agreement
By registering and using the DigiReg platform, hotel partners confirm they have:
- Read and fully understood this Data Protection Policy
- Agreed to comply with all partner obligations as Data Processors under Indian law
- Accepted responsibility for ensuring their staff follow data protection practices
- Acknowledged that violations may result in suspension of platform access