COMPREHENSIVE PRIVACY POLICY AND DATA PROTECTION FRAMEWORK

Journeymeister

Effective Date: November 13, 2025

Version: 3.0

1. Introduction and Definitional Framework

Journeymeister (referred to as "we," "us," or "our") is a specialized travel and tourism enterprise providing Tourist Visa Services, Attestation, Emigration Services, and curated Tour Packages. Our core operational model is Business-to-Business (B2B), serving accredited Travel Agents (our "Agent Partners") via a dedicated B2B Portal for application processing, tracking, and document management.

This Comprehensive Privacy Policy ("Policy") details the mechanisms by which we collect, utilize, secure, and potentially disclose the personal information of our Agent Partners and their end-customers ("Travelers"). This Policy serves as our commitment to transparency and adherence to international data protection principles.

1.1 Key Definitions

For the purpose of this extensive Policy, the following terms carry specific legal meanings:

• Personal Information (PI) / Personal Data: Any information relating to an identified or identifiable natural person. This includes but is not limited to names, contact details, identification numbers, and location data.
• Sensitive Personal Data (SPD): A subset of PI that, if compromised, could cause significant harm or discrimination. For Journeymeister, this critically includes Passport Data, Biometric Information (e.g., facial images, fingerprints submitted for visa applications), Financial Statements, Health Information (for specific visa types), and Official Documents required for visa/attestation/emigration services.
• Data Subject: The identified or identifiable natural person to whom the PI relates (i.e., the Traveler or the Agent contact person).
• Data Controller: The entity that determines the purposes and means of processing PI. In our B2B model, the Agent Partner is primarily the Data Controller regarding Traveler data, as they initiated the relationship and determine the necessity of the service.
• Data Processor: The entity that processes PI on behalf of the Data Controller. Journeymeister acts as the Data Processor regarding Traveler SPD, processing it according to the Agent Partner’s instructions (i.e., submitting a visa application). Journeymeister acts as a Controller for the Agent’s contact and billing information.
• Processing: Any operation performed on PI, such as collection, recording, organization, structuring, storage, retrieval, disclosure, and erasure.
• B2B Portal: The online platform provided by Journeymeister for Agent Partners to submit, manage, and track applications.

2. Categories of Information We Collect and Sources

We collect information based on two distinct categories of data subjects: Agent Partners and Travelers.

2.1 Information Collected from Agent Partners (B2B Data - Journeymeister as Controller)

Category of Data	Purpose and Context	Lawful Basis
Business Registration Data	Vetting and verification of the Agent Partner’s legal status; Contract formation.	Contractual Necessity
Account Credentials	Access control for the B2B Portal; Security and session management.	Legitimate Interest; Contractual Necessity
Contact Personnel PI	Communication regarding services, billing, and policy updates.	Contractual Necessity; Legitimate Interest
Billing and Transaction Data	Processing payments, accounting, audit requirements.	Legal Obligation; Contractual Necessity

2.2 Sensitive Information Collected from Travelers (End-Customer Data - Journeymeister as Processor)

This data is received exclusively from the Agent Partner and is required by foreign governments/embassies.

Category of Data	Specific Examples and Sensitivity	Processing Purpose
Identity & Contact Data	Full legal name, date/place of birth, nationality, home address, email, phone number.	Mandatory submission for visa and official forms.
SPD - Passport & Travel	Passport number, issuance/expiry dates, travel history, previous visa details.	Core requirement for international services; high-security risk.
SPD - Financial and Employment	Bank statements, tax returns, employment letters, salary slips (as required by embassies).	Financial solvency and intent demonstration.
SPD - Biometric and Medical	High-resolution photographs, fingerprints (if mandated), medical examination results, vaccination records.	Health and security vetting by governmental bodies.

3. Lawful Basis and Purpose of Processing

We rely on the following legal bases to process PI, which are mutually dependent on the instructions received from the Agent Partner:

3.1 Fulfillment of Contractual Services

The primary basis is the necessity of processing PI to provide the requested services (visa application submission, attestation, tour booking) to the Agent Partner under our B2B agreement. Without the Traveler's SPD, the service cannot be rendered.

3.2 Compliance with Legal Obligations

Processing is required to comply with binding legal obligations, such as:

• Submitting mandatory SPD to foreign government entities (embassies, consulates).
• Anti-money laundering (AML) and counter-terrorism financing (CTF) checks.
• Tax, accounting, and audit requirements.

3.3 Explicit Consent (Via Agent)

For the most sensitive data categories (e.g., health, biometrics), the legal basis hinges on the Agent Partner having obtained explicit, revocable, and informed consent from the Traveler prior to submitting the data to us.

4. International Data Transfers and Disclosure Framework

The very nature of our business involves extensive cross-border data transfers, often to countries outside the Data Subject's jurisdiction, which may not possess data protection laws equivalent to those in the origin country.

4.1 Mandatory Disclosure to Governmental Authorities

By submitting an application through an Agent Partner, the Traveler explicitly acknowledges and consents to the necessary transfer of their PI and SPD to the following Third-Party Data Controllers located internationally:

• The Embassies, High Commissions, and Consulates of the Traveler's destination country.
• Official Visa Application Service Providers (VFS Global, BLS, etc.) acting as authorized intermediaries.
• Destination Country Immigration and Border Control Authorities.

Journeymeister ensures secure transmission but holds no responsibility for the subsequent processing, security, or retention policies of these governmental and sovereign entities once the data has been legally submitted.

4.2 Disclosure to Third-Party Sub-Processors

We engage trusted sub-processors under contractual agreements to facilitate our services. These may include:

• Cloud Hosting Providers: For secure data storage (ensuring encryption in transit and at rest).
• Payment Gateways: For transactional processing, strictly adhering to PCI DSS standards.
• Logistics Partners: For secure transmission of physical documents (e.g., passports).
• Tour/Travel Suppliers: Airlines, hotel chains, and local ground handlers for package execution.

All sub-processors are required to adhere to data protection standards equivalent to those mandated by Journeymeister, documented via a formal Data Processing Addendum (DPA).

5. Data Security, Integrity, and Incident Response

We are committed to maintaining the confidentiality, integrity, and availability of all PI and SPD under our stewardship.

5.1 Security Architecture

Our security framework comprises three pillars:

1. Technical Measures:
   • Encryption: Implementing industry-standard $AES-256$ encryption for data at rest and $TLS/SSL$ encryption for data in transit (B2B Portal communication).
   • Access Control: Role-based access control (RBAC) ensures personnel can only access the minimum data required for their job function (Principle of Least Privilege).
   • Network Security: Use of firewalls, intrusion detection systems (IDS), and continuous vulnerability scanning.
2. Organizational Measures:
   • Staff Training: Mandatory, recurring training on data protection, privacy policy adherence, and handling of SPD for all employees.
   • Internal Audit: Regular internal and external audits of security procedures and compliance with DPAs.
3. Physical Measures:
   • Securing physical storage areas where hard copies of documents (if any) are temporarily held, using restricted access and surveillance.

5.2 Data Retention Policy

We retain PI and SPD for the minimum period necessary to satisfy our contractual and legal obligations.

• Service Fulfillment Period: Data is actively retained for the duration required to process and conclude the visa/attestation/tour service, plus a reasonable post-completion period for administrative wrap-up.
• Legal Hold Period: Following service completion, certain records (e.g., application copies, transaction logs) are retained for up to seven (7) years or as mandated by the relevant governmental authority (e.g., embassy archive rules) or financial audit requirements.
• Data Destruction: Upon expiry of the retention period, data is securely destroyed, erased, or irreversibly anonymized using industry-accepted standards (e.g., cryptographic erasure or physical destruction).

5.3 Data Breach Notification Protocol

In the event of an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PI transmitted, stored, or otherwise processed by Journeymeister (a "Security Incident"), we will adhere to the following:

1. Immediate Containment: Isolation and mitigation of the security incident.
2. Notification to Controller (Agent): We will notify the affected Agent Partner (the Data Controller) without undue delay, and in no case later than 72 hours after becoming aware of the incident, providing details required for the Agent to meet their own legal notification requirements.
3. Investigation: Conduct a thorough forensic investigation to determine the scope, cause, and impact of the breach.

6. Procedural Framework for Data Subject Rights

Data Subjects (both Agents and Travelers) have rights regarding their PI. Due to the B2B relationship, all Traveler rights must be initially asserted through the Agent Partner.

6.1 Traveler Rights Asserted via Agent Partner

1. Right of Access (Article 15, GDPR Equivalent):Travelers may request confirmation of whether their PI is being processed and obtain a copy.
   • Procedure: The Traveler submits the request to the Agent Partner. The Agent Partner verifies the Traveler's identity and forwards the formal request to Journeymeister's Data Protection Office. Journeymeister responds within the statutory timeframe (e.g., 30 days), providing the data we hold, except where disclosure is prohibited by law or compromises the privacy of others.
2. Right to Rectification (Article 16):The right to correct inaccurate or incomplete PI.
   • Procedure: The Agent Partner submits the corrected data via the B2B Portal, or via a formal request if the application is locked or archived.
3. Right to Erasure ('Right to be Forgotten' - Article 17):The right to request the deletion of PI.
   • Limitation: This right is severely limited concerning data already submitted to governmental authorities (Embassies/Consulates), as Journeymeister cannot mandate the erasure of sovereign records. We can only delete data held solely on our systems that is no longer required for legal compliance.
4. Right to Data Portability (Article 20):The right to receive PI in a structured, commonly used, and machine-readable format.
   • Procedure: Applicable primarily to data provided by the Agent/Traveler, not derived or inferred data. Handled via the official access request procedure.

6.2 Agent Partner Rights

Agent Partners, as individuals and businesses, have the right to manage their own account and contact information by accessing and updating their profile details directly through the B2B Portal.

7. Compliance with Global Regulations (Detailed Annex)

Although Journeymeister may be headquartered in India, our global service delivery necessitates awareness of international regulations:

7.1 General Data Protection Regulation (GDPR)

Relevant if the Agent Partner or Traveler is located within the European Economic Area (EEA) or if the processing is related to the offering of goods or services to EEA residents. We commit to:

• Adhering to the principles of lawfulness, fairness, and transparency.
• Maintaining records of all processing activities (Article 30).
• Implementing necessary technical and organizational measures (Article 32).

7.2 California Consumer Privacy Act (CCPA/CPRA)

Relevant if our processing activities meet the CCPA's thresholds and involve California residents. We clarify:

• We do not "sell" (as defined by CCPA) Traveler PII.
• Agent Partners must comply with CCPA requirements for "Service Providers" when contracting with us.

7.3 India's Digital Personal Data Protection Act (DPDP Act, 2023)

As an Indian entity, we adhere to the DPDP Act. Key compliance points include:

• Acting as the Data Processor under a lawful contract with the Agent (Data Fiduciary).
• Ensuring the accuracy of data submitted by the Agent.
• Complying with the duties regarding cross-border transfer requirements as defined by the Act.

8. Cookies, Tracking, and Web Technologies

The B2B Portal and Journeymeister website utilize various technologies to optimize performance and security:

1. Strictly Necessary Cookies: Essential for the functioning of the B2B Portal (e.g., session management, security checks, load balancing). They do not require explicit consent.
2. Authentication Cookies: Used to verify the identity of the Agent Partner and securely manage their login session throughout the Portal.
3. Performance and Analytics Cookies: Used to collect aggregated, anonymized data on how the website and Portal are used (e.g., page views, application submission flow). This helps us optimize system efficiency.

Agents can manage non-essential cookies through their browser settings, though blocking necessary cookies will render the B2B Portal non-functional.

9. Governing Law and Policy Acceptance

This Policy is governed by the laws of India, excluding its conflicts of law principles. By utilizing the B2B Portal or engaging our services, the Agent Partner acknowledges and accepts this Policy and all international data transfer implications inherent in global travel services.

10. Contacting Our Data Protection Officer

For any questions, concerns, or to initiate a request regarding this Policy, please contact our designated Data Protection Officer (DPO). All Traveler requests must be routed through the Agent Partner first.

Journey meister powered by Global gate tourism 

Address: Mini Bypass Rd, near District Co-Operative Hospital, Passport Office, Eranhippalam, Kozhikode, Kerala 673006

Email: [email protected]

Telephone: +91 906 111 2084