Privacy Policy

Data SecurityYour data is encrypted and protected at all times

No Data SellingWe never sell or trade personal information

India FirstAll data stored on servers located in India

TransparentClear and honest about what we collect and why

Your RightsFull support for your data rights under Indian law

1. Who We Are 2. Scope of this Policy 3. Information We Collect 4. How We Use Your Data 5. Legal Basis 6. Hotel Partner Responsibilities 7. Guest Check-In & ID Compliance 8. Data Storage & Security 9. Data Retention 10. What We Never Do 11. Third-Party Services 12. Your Rights 13. Cookies & Sessions 14. Children's Privacy 15. Data Breach Procedure 16. Policy Changes 17. Grievance Officer 18. Governing Law

Who We Are

DigiReg ("we", "us", "our", "Platform") is a cloud-based Hotel Management System operating at digireg.online. We provide hotel partners with digital tools for guest check-in, room management, reservations, billing, OTA channel management, and administrative operations.

DigiReg acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023, responsible for determining the purpose and means of processing personal data on the platform.

Hotel partners using the DigiReg platform act as Data Processors under Indian law and are equally bound by the obligations outlined in this policy.

Scope of this Policy

This Privacy Policy applies to:

Hotel Partners — registered hotels and lodging establishments using DigiReg
Hotel Guests — individuals whose data is collected at check-in or reservation
Hotel Staff — front desk and management personnel accessing the platform
Platform Visitors — anyone visiting digireg.online
Admin Users — DigiReg super administrators managing the platform

This policy covers all modules: Check-In Registration, Reservations, Billing & Invoicing, Room Management, OTA Channel Management, Draft Saving, and the Admin Dashboard.

Information We Collect

Guest Personal Information

Full name, mobile number, email address
Home / permanent residential address
Government-issued photo ID type and number (Aadhaar, PAN, Passport, Driving Licence, Voter ID)
Photographs of ID documents — front and back
Digital signature captured at check-in
Check-in date, time, and check-out date and time
Room number, duration of stay, agreed room rate
Booking reference, payment amounts, payment mode, transaction references
Special requests or remarks (e.g. early check-in, dietary needs)

Hotel Partner Information

Hotel name, registered address, city, state
Contact person name, mobile number, email address
GST number and PAN number
Login username and cryptographically hashed password
WiFi credentials (stored in encrypted form)
SMS API keys (stored encrypted, never exposed in the user interface)
Room configuration, rates, and room type details
OTA channel integration settings

Technical & Usage Data

IP address and login timestamps
Browser type, device information, and operating system
Session identifiers and activity logs
Temporary draft form data (auto-cleared after 30 days or on submission)
API request logs for security and auditing purposes

Data Minimisation: We collect only the minimum data necessary for lawful hotel operations and compliance with Indian regulations.

How We Use Your Data

Purpose	Data Used	Who Benefits
Guest check-in registration and record keeping as required by law	Name, ID, address, photos, signature	Hotel, Guest, Law
Room reservation creation, confirmation and management	Name, mobile, dates, room, rate	Hotel, Guest
Billing, invoice generation, and payment tracking	Financial data, booking details	Hotel, Guest
Identity verification as mandated for lodging establishments	ID type, ID number, photos	Hotel, Law
OTA channel sync — room availability only, no guest PII	Room IDs, dates only	Hotel
Occupancy reports and operational analytics	Aggregated, anonymised data	Hotel
Platform security, fraud prevention and access control	Logs, session, IP data	Platform
Legal and regulatory compliance	Guest register data	Law, Hotel
Customer support and grievance resolution	Contact details, booking info	Guest, Hotel

Legal Basis for Processing

Under the Digital Personal Data Protection Act, 2023 and IT (SPDI) Rules, 2011, all data processing is conducted on the following lawful bases:

Legal Basis	Application
Consent	Digital signature collected from guests at check-in. Explicit consent for data recording.
Legal Obligation	Hotel guest registers are mandatory under state Police Acts, The Foreigners Act 1946, and Hotel & Lodging House Rules.
Contractual Necessity	Processing required to execute reservations, manage billing, and deliver platform services.
Legitimate Interest	Platform security, activity logging, fraud detection, session management, and service improvement.
Vital Interest	Emergency situations involving guest safety where data disclosure is necessary.

Hotel Partner Responsibilities

As Data Processors under Indian law, hotel partners using DigiReg must:

Collect and use guest data only for lawful lodging, compliance, and operational purposes
Display a physical or digital privacy notice at the reception / check-in point informing guests that their data will be recorded
Obtain guest consent — fulfilled via the digital signature on the DigiReg check-in form
Ensure all staff with platform access are trained on and bound by data protection obligations
Not share, sell, or disclose guest data to any third party without explicit guest consent or legal compulsion
Not use guest data for marketing, loyalty programmes or promotions without a separate explicit opt-in
Report any actual or suspected data breach to DigiReg within 72 hours of discovery
Maintain physical and device security for all computers and mobile devices used to access the platform
Cooperate fully with DigiReg in any data protection audit, investigation, or legal inquiry
Ensure data is not retained beyond the legally prescribed periods (see Section 9)

Non-compliance with these obligations may result in immediate suspension of platform access and may expose the partner to legal liability under Indian law.

Guest Check-In & ID Compliance

Under the Hotel and Lodging House (Licensing and Control) Rules applicable in most Indian states and the Foreigners Act, 1946, hotel establishments are legally mandated to maintain a guest register recording identity proof details for every guest.

Aadhaar & ID Handling Rules

Aadhaar numbers are not used for authentication — recorded only for identity compliance as legally permitted
ID photographs are stored securely per hotel and are not shared across hotels or with any third party
We strongly recommend hotels record only the last 4 digits of Aadhaar where the full number is not legally required
DigiReg does not operate any central biometric database
Physical photocopying of Aadhaar cards is not recommended — use the DigiReg camera capture feature instead
ID data is shared with law enforcement only upon a valid legal order

Digital Signature at Check-In

The digital signature captured in DigiReg constitutes the guest's consent to data collection for lodging compliance
Signatures are stored as encrypted image data linked to the specific guest record
Signatures are not used for any purpose other than the guest register record

For foreign nationals, hotels must comply with the Foreigners Act, 1946 and report guest details to the local Foreigners Registration Office (FRO) as applicable.

Data Storage & Security

Where Data is Stored

All data is stored on servers physically located in India — compliant with data localisation requirements
Each hotel's data is completely isolated — no cross-hotel data access is possible
Database backups are encrypted and stored in India

Technical Security Measures

Security Measure	Description
Encryption in Transit	All data transmitted via HTTPS / TLS 1.2+ — no plain HTTP
Encryption at Rest	Sensitive fields, API keys, and passwords encrypted in database
Password Hashing	Passwords stored using one-way cryptographic hash — never in plain text
Role-Based Access	Hotel staff can only access their own hotel's data — strict RBAC
Session Management	Automatic session timeout after inactivity period
Audit Logging	All logins, data access, and changes logged with timestamps and IP
API Security	All API endpoints require authenticated hotel session tokens
Draft Security	Draft data cleared after successful submission or 30-day expiry

Organisational Security

DigiReg staff access to production data is strictly limited and logged
Regular security reviews and vulnerability assessments conducted
Partner hotel staff are responsible for device and login credential security

Security practices comply with Rule 8 of the IT (SPDI) Rules, 2011 which mandates reasonable security practices for entities handling sensitive personal data.

Data Retention

We retain data only as long as legally required or necessary for platform operations:

Data Type	Retention Period	Legal / Operational Basis
Guest check-in records (name, ID, dates)	5 years	State Police Acts / Hotel Lodging Rules
Guest ID photographs and signatures	5 years	Lodging compliance requirement
Reservation records	3 years	Contractual / operational
Billing and financial records	7 years	Income Tax Act, 1961 — Section 44AA
Login and activity logs	1 year	IT Act, 2000 / platform security
Hotel partner account data	Duration of partnership + 2 years	Contractual
Deleted hotel — all data	Purged immediately	DPDP Act, 2023 — right to erasure
Draft / temporary form data	30 days or on submission	Legitimate interest
OTA sync logs	90 days	Debugging / operational

After retention periods expire, data is permanently and irreversibly deleted from all systems and backups.

What We Never Do

As a commitment to our hotel partners and their guests, DigiReg makes the following absolute guarantees:

Never sell personal data to advertisers, data brokers, or any third party

Never use guest data for targeted advertising or marketing without explicit consent

Never allow cross-hotel data access — your guests are yours alone

Never store passwords in plain text — all passwords are one-way hashed

Never share Aadhaar or PAN data with any entity without a valid legal order

Never transmit data without HTTPS encryption — no plain HTTP allowed

Never run advertisements or allow advertisers to influence platform content

Never build individual profiles for purposes beyond hotel management operations

Third-Party Services

DigiReg integrates with a limited number of third-party services strictly for operational purposes. Data shared is the minimum necessary:

Third Party	Purpose	Data Shared	Guest PII Shared?
Law Enforcement / Police	Guest register verification per legal order	Guest register data	Yes — legal obligation only
State Tourism / FRO	Regulatory compliance reporting	As mandated by regulation	Yes — legal obligation only
OTA Platforms (Booking.com, Airbnb etc.)	Room availability synchronisation	Room IDs and dates only	No
SMS Service Provider (Fast2SMS)	OTP and notification delivery	Mobile number only	Mobile only
Payment Processors	Transaction processing if integrated	Minimum required	Partial
Cloud / Hosting Provider	Server infrastructure	Encrypted database data	Encrypted only

All third-party service providers are contractually required to maintain data protection standards at least equivalent to this policy.

Your Rights

Under the Digital Personal Data Protection Act, 2023, all individuals (Data Principals) have the following rights:

Right to AccessKnow what personal data DigiReg or your hotel holds about you

Right to CorrectionRequest correction of inaccurate or incomplete personal data

Right to ErasureRequest deletion of data where legally permissible

Right to GrievanceLodge a complaint about how your data is handled

Right to WithdrawWithdraw consent where processing is consent-based

Right to NomineeDesignate a nominee to exercise rights on your behalf

How to Exercise Your Rights

Contact your hotel directly for access or correction of your check-in record
Contact DigiReg at privacy@digireg.online for platform-level data requests
All requests acknowledged within 3 business days and resolved within 30 days
If unsatisfied with DigiReg's response, you may approach the Data Protection Board of India

Cookies & Sessions

DigiReg uses only essential session cookies required for platform functionality. We do not use advertising cookies, tracking cookies, or analytics cookies from third parties.

Cookie Type	Purpose	Duration	Can be Disabled?
Session Cookie	Maintains your login session securely	Session (cleared on logout)	No — platform will not function
CSRF Token	Prevents cross-site request forgery attacks	Session	No — security essential
Draft Storage	Saves incomplete forms for later completion	30 days	Yes — clear via browser settings

DigiReg does not use Google Analytics, Facebook Pixel, or any third-party tracking scripts on the hotel management platform.

Children's Privacy

DigiReg's hotel management platform is designed for use by adults only — hotel partners, staff, and adult guests.

We do not knowingly collect personal data from individuals under 18 years of age as independent platform users
Guest data for minor family members may be recorded as part of a family check-in — with the consent of the accompanying adult
Under the DPDP Act, 2023, processing of data of children requires verifiable parental consent
If we discover that data of a child has been collected without parental consent, we will delete it promptly

Data Breach Procedure

In the event of a data breach, DigiReg follows this structured response protocol:

Step	Action	Timeline
1 — Contain	Isolate affected systems to prevent further data exposure	Immediate
2 — Assess	Determine scope, data types affected, and number of individuals impacted	Within 24 hours
3 — Notify Partners	Inform all affected hotel partners with clear details of the breach	Within 72 hours
4 — Notify Authorities	Report to the Data Protection Board of India as required by DPDP Act, 2023	Per DPB guidelines
5 — Notify Individuals	Inform affected guests and individuals without undue delay	As soon as possible
6 — Remediate	Patch vulnerabilities and strengthen security controls	Within 7 days
7 — Document	Maintain complete record of the breach and all actions taken	Ongoing
8 — Review	Conduct post-incident security audit to prevent recurrence	Within 30 days

Hotel partners must report any breach or suspected breach to DigiReg at privacy@digireg.online within 72 hours of becoming aware of it.

Policy Changes

This Privacy Policy may be updated periodically to reflect changes in Indian law, platform features, or operational practices.

Hotel partners will be notified of material changes via email at least 30 days before they take effect
The updated policy will always be available at digireg.online/privacy-policy
Continued use of the DigiReg platform after the effective date of a policy update constitutes acceptance of the revised policy
Version history is maintained and available upon request
For minor clarifications or formatting changes, no advance notice may be given — the "Last Updated" date will reflect any change

Current: Version 1.0 | Effective: April 2026 | Next Review: April 2027

Grievance Officer

As required under Rule 5(9) of the IT (SPDI) Rules, 2011 and Section 13 of the DPDP Act, 2023, DigiReg has designated a Grievance Officer:

DigiReg Grievance & Privacy Officer

Organisation: DigiReg Hotel Management System

Website: digireg.online

Email: privacy@digireg.online

Acknowledgement: Within 3 business days

Resolution: Within 30 days of complaint receipt

Jurisdiction: Courts of Uttarakhand, India

If unsatisfied with our resolution, you may approach the Data Protection Board of India at meity.gov.in

Governing Law & Jurisdiction

This Privacy Policy is governed exclusively by the laws of the Republic of India. The following acts and regulations apply:

Digital Personal Data Protection Act, 2023 (DPDP Act) — primary data protection law
Information Technology Act, 2000 and IT (Amendment) Act, 2008
IT (Reasonable Security Practices) Rules, 2011
Indian Contract Act, 1872 — for partner agreements
Consumer Protection Act, 2019 — for guest rights
Income Tax Act, 1961 — for financial data retention

Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of the courts located in Uttarakhand, India.

Table of Contents