1. Introduction

This Privacy Policy describes how the Directorate of Tourism, Union Territory of Ladakh Administration (hereinafter referred to as "we", "us", "our", or "the Department") collects, uses, stores, shares, and protects the personal information and sensitive personal data of users (hereinafter referred to as "you", "your", or "User") of the Ladakh Tourism Portal (hereinafter referred to as "the Portal") accessible at https://tourism.ladakh.gov.in.

This Privacy Policy is published in accordance with the applicable provisions of the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act"), to the extent applicable, along with the Reserve Bank of India ("RBI") guidelines on payment data localization.

By accessing or using the Portal, registering as a vendor/service provider, or making any payment through the Portal, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.

By registering on the Portal, submitting any application, uploading documents, or availing services through the Portal, the user expressly consents to the collection, storage, processing, verification and disclosure of personal data by the Department for purposes connected with registration, certification, regulatory compliance and operation of the Portal in accordance with applicable law.

2. Definitions

"Personal Data" means any data about an individual who is identifiable by or in relation to such data, including name, email address, phone number, Aadhaar number (if applicable), and any other identifier as defined under the DPDP Act, 2023.

"Sensitive Personal Data or Information" (SPDI) means personal information relating to passwords, financial information (bank account, credit/debit card details, or other payment instrument details), biometric information, and any other information as specified under the SPDI Rules, 2011.

"Payment Data" means end-to-end transaction details, information collected, carried, and processed as part of a payment message or instruction, including customer data, payment credentials, and transaction data, as defined by the RBI.

"Data Fiduciary" means the entity (here, the Directorate of Tourism, UT Ladakh) that determines the purpose and means of processing personal data.

"Data Processor" means any entity that processes personal data on behalf of the Data Fiduciary, including payment gateway providers and technology service partners.

3. Information We Collect

3.1 Information Provided by You

When you register on the Portal as a vendor or service provider (hotels, guest houses, homestays, tour operators, etc.) or apply for certification/registration, we collect the following information:

• Full name, gender, date of birth
• Contact details: email address, mobile number, landline number
• Business details: establishment name, type, category, address, registration/license numbers
• Identity documents: Aadhaar number, PAN, trade license, establishment registration certificate
• Bank account details and financial information required for fee payment
• Photographs of the establishment, rooms, and facilities
• Any other information required for certification and registration under applicable Ladakh tourism regulations

3.2 Payment Information

When you make a payment for certification, registration, or renewal fees through the Portal, the following information is collected by our authorised payment gateway partner:

• Debit/credit card number, card expiry date, CVV (collected and processed exclusively by the payment gateway; not stored on our servers)
• Net banking credentials (processed by your bank through the payment gateway)
• UPI ID or UPI transaction reference
• Transaction amount, date, time, and reference number
• Payment status (success, failure, pending)

3.3 Automatically Collected Information

When you access the Portal, we automatically collect:

• IP address and browser type
• Device information and operating system
• Pages visited, time spent, and navigation patterns
• Cookies and session identifiers (see Section 9 below)

4. Purpose of Data Collection and Use

We collect and process your personal data for the following purposes:

• Processing vendor/service provider registration and certification applications for hotels, guest houses, homestays, and tour operators
• Processing payments for registration, certification, and renewal fees through our authorised payment gateway
• Issuing digital certificates and maintaining a registry of certified tourism service providers in Ladakh
• Verifying the identity and credentials of applicants and their establishments
• Communicating with registered users regarding application status, renewals, compliance updates, and advisories
• Listing verified service providers on the Portal for public information of tourists
• Maintaining records as required under applicable laws and regulations
• Improving Portal functionality, user experience, and service delivery
• Complying with legal obligations, court orders, and government directives
• Certain processing activities may also be undertaken for performance of functions of the State, issuance and maintenance of registrations/certifications, compliance with legal obligations, maintenance of official government records, and discharge of functions by the Tourism Department under applicable laws and government policies.

5. Payment Processing and Security

5.1 All payments on the Portal are processed through an authorised and PCI-DSS compliant payment gateway. The Department does not directly collect, store, or process your credit/debit card numbers, CVV, or net banking credentials on its servers.

5.2 The payment gateway partner is a licensed entity under the Payment and Settlement Systems Act, 2007, and operates in compliance with RBI regulations, including the payment data localisation mandate requiring all payment data to be stored exclusively within India.

5.3 We retain only transaction reference numbers, payment status, amount paid, and date/time of transaction for our records and reconciliation purposes.

5.4 Sensitive authentication data such as CVV numbers, PINs, and passwords are never stored by the Department or its payment gateway partner after authorisation, in accordance with PCI-DSS standards.

5.5 Refunds, if applicable, shall be processed in accordance with the Refund Policy published on the Portal and shall be credited to the original payment method.

6. Data Storage and Retention

6.1 All personal data and payment-related data collected through the Portal is stored on servers located within the territory of India, in compliance with the RBI payment data localisation directive and the DPDP Act, 2023.

6.2 Your personal data will be retained for the duration necessary to fulfil the purposes outlined in this Privacy Policy, or for as long as your registration/certification remains active, whichever is longer.

6.3 Upon expiry or cancellation of registration/certification, your data may be retained for an additional period of five (5) years or as required under applicable laws, rules, or government record retention policies.

6.4 Transaction records shall be retained for a minimum period as prescribed by RBI regulations and applicable tax laws.

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data to third parties. Your information may be shared only in the following circumstances:

• With authorised payment gateway partners solely for processing your payment transactions
• With other departments or agencies of the Union Territory of Ladakh Administration or the Government of India, as required for verification, regulatory compliance, or inter-departmental coordination
• With law enforcement agencies, courts, or government authorities when required by law, regulation, court order, or government directive
• With technology service providers engaged by the Department for Portal maintenance, hosting, and support, subject to confidentiality obligations
• In aggregated and anonymised form for statistical analysis, research, and policy planning, where individual identification is not possible

8. Data Security Measures

We implement reasonable security practices and procedures consistent with internationally accepted standards, including:

• SSL/TLS encryption for all data transmitted between your browser and the Portal
• Encryption of sensitive data at rest on our servers
• Access controls and role-based permissions restricting data access to authorised personnel only
• Regular security audits and vulnerability assessments
• Secure payment processing through PCI-DSS compliant payment gateway

While we take all reasonable measures to protect your data, no method of transmission over the Internet or electronic storage is completely secure, and we cannot guarantee absolute security.

9. Cookies and Tracking Technologies

The Portal uses cookies and similar technologies for session management, authentication, and improving user experience. Cookies used include:

• Session cookies: Essential for Portal functionality and user authentication; automatically deleted when you close your browser
• Persistent cookies: Used to remember your preferences and login status across visits
• Analytics cookies: Used to understand Portal usage patterns and improve services

You may configure your browser to refuse cookies, but this may limit your ability to use certain features of the Portal, including the payment and registration functionalities.

10. Your Rights

In accordance with the DPDP Act, 2023 and the SPDI Rules, 2011, you have the following rights:

• Right to access your personal data held by us
• Right to correction and updating of inaccurate or incomplete personal data
• Right to withdraw consent for data processing (subject to legal and contractual obligations; withdrawal may affect your registration/certification status)
• Right to erasure of personal data, subject to applicable retention requirements under law
• Right to nominate another individual to exercise your rights in case of death or incapacity, as provided under the DPDP Act

To exercise any of these rights, please contact the Grievance Officer using the details provided in Section 13.

11. Data of Minors

The Portal is intended for use by adults (18 years and above) for business registration and certification purposes. We do not knowingly collect personal data from children under the age of 18. If we become aware that we have inadvertently collected data from a minor, we will take steps to delete such information promptly.

12. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time. Any changes will be posted on this page with a revised "Last Updated" date. We encourage you to review this Privacy Policy periodically. Continued use of the Portal after any changes constitutes acceptance of the revised Privacy Policy.

13. Grievance Officer

In accordance with the Information Technology Act, 2000 and the rules made thereunder, you can register the grievance at UT Ladakh Grievance Redressal Portal at the link below:

Link: https://grievance.ladakh.gov.in

The Grievance Officer shall acknowledge receipt of any complaint within 48 hours and resolve the complaint within 30 days of receipt, in accordance with applicable law.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us at: