Privacy Policy

This Privacy Policy is an electronic record within the meaning of the IT Act, 2000. It governs the collection, storage, processing, use, and disclosure of personal data and sensitive personal data or information (SPDI) by HMRA Private Limited (Himalayan Monk Riders Associates Pvt Ltd.) / Motohimalayas.com ("Data Fiduciary" / "Company").

This Privacy Policy is published in compliance with:

• The Information Technology Act, 2000;
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");
• The Information Technology (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021;
• The Digital Personal Data Protection Act, 2023 ("DPDP Act"), to the extent its provisions are in force; and
• Such other applicable laws, rules, and regulations of India as are in force from time to time.

By visiting the Website or using our services, you agree to be bound by the terms of this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein.

We collect and process the following categories of personal data:

We collect and process your personal data for the following purposes:

• To register you as a member and manage your account;
• To process bookings, payments, and tour confirmations;
• To coordinate tour logistics, emergency response, insurance claims, and medical assistance;
• To communicate with you regarding your bookings, membership, and our services;
• To send marketing communications where you have opted in (with the option to opt out at any time);
• To comply with applicable legal, regulatory, and statutory obligations;
• To detect, investigate, and prevent fraud, unauthorised access, and unlawful use; and
• To improve our Website, services, and user experience through analytics.

As a Data Principal (user), you have the following rights with respect to your personal data processed by the Company:

• Right to Access: to obtain a summary of your personal data held by us and information about how it has been processed;
• Right to Correction and Erasure: to correct inaccurate or incomplete personal data and to request erasure of personal data that is no longer necessary for the stated purposes;
• Right to Grievance Redressal: to have your grievances regarding data processing addressed by the Grievance Officer within prescribed timelines;
• Right to Withdraw Consent: to withdraw consent for processing at any time, subject to the understanding that withdrawal may affect your ability to use certain services; and
• Right to Nominate: to nominate another individual to exercise data rights on your behalf in the event of your death or incapacity.

To exercise any of the above rights, please contact the Grievance Officer / Data Protection Contact at the details provided in Clause 1.15 and Section 9.13.

The Company does not knowingly collect or process personal data of children (persons below eighteen (18) years of age) without verifiable parental consent. Persons below the age of eighteen (18) may not register as members or purchase services except through their legal guardian or parent, as stated in Clause 1.2. If we discover that personal data of a child has been collected without verifiable parental consent, we will delete such data promptly and notify the parent / guardian where practicable.

We retain your personal data only for as long as is necessary for the purposes for which it was collected, as required by applicable law, or as required to resolve disputes and enforce our agreements — whichever period is the longer. Specific retention periods:

• Booking and payment records: seven (7) years from the date of the transaction (as required for statutory accounting and tax purposes);
• Health and SPDI records: two (2) years from the conclusion of the tour, unless a longer period is required for pending insurance claims or legal proceedings;
• Membership records: duration of active membership plus two (2) years from expiry;
• Cookie and technical data: as specified in Section 9 (Cookie Policy).

Upon conclusion of the applicable retention period, personal data will be securely deleted, anonymised, or de-identified in a manner that prevents reconstruction of the original data.

We use your personal information to facilitate the services you have requested. Subject to the limited exceptions below:

The Company will under no circumstances sell, rent, trade, or otherwise commercially transfer your personal information to third parties.

We may share your data with:

• Service Providers and Affiliates: entities engaged under contract to provide services on our behalf — such as payment processors, data analytics providers, IT and cloud infrastructure services, customer support — under strict data processing agreements that prohibit further use or disclosure;
• Tour Operations Partners: accommodation providers, guide services, transport operators, and medical / rescue services — to the extent necessary for tour logistics and emergency response;
• Law Enforcement and Regulatory Authorities: in response to verified legal process (subpoenas, court orders, regulatory directions) — only to the extent necessary and legally required.

In the event of a personal data breach, the Company will:

• Notify the Indian Computer Emergency Response Team (CERT-In) within six (6) hours of detection of the breach, as required under the CERT-In Directions, 2022;
• Notify affected Data Principals as soon as reasonably practicable in a form and manner that enables them to take protective measures; and
• Take all reasonable steps to contain, investigate, and mitigate the breach and to prevent its recurrence.

We use commercially reasonable technical and organisational safeguards — including encryption, firewalls, access controls, and secure server environments — to protect your personal data from unauthorised access, disclosure, alteration, or destruction, in compliance with the IT Act, 2000 and the IT (Reasonable Security Practices) Rules, 2011.

When you place orders or access your account, all information you transmit is encrypted using SSL / TLS technology before transmission. You are responsible for maintaining the confidentiality of your account credentials.

Use of the Website is available only to persons who can form a legally binding contract under the Indian Contract Act, 1872. Persons below eighteen (18) years of age may not purchase or avail of services through the Website independently.