Introduction & about us
Discover Drift Planners LLP (“Discover Drift”, “the Company”, “we”, “us” or “our”) is a limited liability partnership incorporated in India. We build and operate our own software products, and we provide engineering services, custom software, system integrations and AI agents to businesses across industries — through our products and service brands, including ItinOps AI (itinops.ai, our travel CRM run by AI travel agents), Edunage (edunage.com, our multi-tenant school ERP), our WhatsApp messaging engine (wa.discoverdrift.com) and Drift Technologies (our engineering-services practice).
We value your privacy. This policy describes the personal data we handle in the course of our business and the safeguards we apply. For the purposes of applicable data-protection law — including India's Digital Personal Data Protection Act, 2023 — Discover Drift acts as the Data Fiduciary (also referred to as a “data controller”) in respect of personal data we determine the purpose and means of processing for, except where we act as a Data Processor on behalf of our business clients (see Section 20).
| Entity detail | Particulars |
|---|---|
| Legal name | Discover Drift Planners LLP |
| Entity type | Limited Liability Partnership (India) |
| LLPIN | ACE-2339 |
| GSTIN | 09AAVFD9720H1ZV |
| Registered office | i-566, 5th Avenue, Gaur City 1, Greater Noida West, Sector 4, Gautam Buddha Nagar, Uttar Pradesh, India — 201318 |
| Contact email | support@discoverdrift.com |
| Business hours | Monday – Friday · 10:00 to 18:30 IST |
Scope of this policy
This Privacy Policy applies to personal data we process in connection with:
- our corporate website at discoverdrift.com and any subdomains, pages and microsites we operate (collectively, the “Website”);
- our software products, platforms, applications and APIs, including ItinOps and Edunage, and any web, mobile or messaging interfaces we make available (the “Products”);
- the engineering, consulting, custom-development and AI services we deliver to clients (the “Services”);
- our communications with you, including email, messaging, calls, forms, sales and support interactions, and events; and
- our business operations, including vendor management, recruitment and compliance.
Together, the Website, Products and Services are referred to as the “Offerings”. Some Products and Services may be governed by additional or separate privacy notices, product terms or data-processing agreements. Where there is a conflict between this policy and a specific notice or signed agreement for a Product or Service, that specific document prevails for that Offering.
This policy does not apply to the practices of third parties that we do not own or control, including third-party websites, services or applications that you access through links on our Website or Products. Please review the privacy policies of those third parties before providing them with personal data.
Key definitions
To make this policy easier to follow, the following terms have the meanings set out below:
- Personal data means any data about an individual who is identifiable by or in relation to such data. It does not include data that has been anonymised so that the individual can no longer be identified.
- Sensitive personal data means categories of personal data that warrant additional protection, such as financial information, payment-card data, government identifiers, health data, biometric data, and similar categories treated as sensitive under applicable law.
- Processing means any operation performed on personal data — including collection, recording, organisation, storage, use, disclosure, transfer, retention and erasure.
- Data Principal / Data Subject means the individual to whom the personal data relates (for example, a website visitor, customer contact, end user or job applicant).
- Data Fiduciary / Controller means the entity that determines the purpose and means of processing personal data — here, Discover Drift, except where stated otherwise.
- Data Processor means an entity that processes personal data on behalf of, and under the instructions of, a Data Fiduciary or controller.
- Sub-processor means a third-party processor engaged by us to assist in providing the Offerings (for example, cloud-hosting or analytics providers).
- Consent means a freely given, specific, informed and unambiguous indication of your agreement to the processing of your personal data for a stated purpose.
Laws we comply with
We are headquartered in India and our processing is primarily governed by Indian law. Because we serve users and clients globally, we also seek to honour the core requirements of other major data-protection regimes where they apply to you. Depending on your location and the nature of our relationship, this policy is informed by:
- the Digital Personal Data Protection Act, 2023 (India) and rules made under it (the “DPDP Act”);
- the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India);
- the EU General Data Protection Regulation (GDPR) and the UK GDPR, where we process the personal data of individuals in the European Economic Area (EEA) or the United Kingdom;
- the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), where applicable to residents of California; and
- other applicable privacy, consumer-protection and electronic-communications laws in the jurisdictions where we operate.
Nothing in this policy is intended to grant rights beyond those the applicable law confers on you, and where a particular law does not apply to you, the rights and obligations specific to that law do not apply to your personal data.
Information we collect
We collect personal data that you provide to us, data we collect automatically when you use our Offerings, and data we receive from third parties. We only collect what we reasonably need for the purposes described in this policy. The categories below describe the data we may process; the specific data collected depends on how you interact with us.
5.1 Information you provide to us
- Identity and contact data — your name, business name, job title, email address, telephone number, postal address, and country.
- Enquiry and communication data — the contents of messages, contact-form submissions, engagement enquiries, support requests, feedback, and any information you choose to include when you communicate with us.
- Account and profile data — credentials, settings and preferences where you register for a Product or portal.
- Commercial and transaction data — details of products and services you have purchased or enquired about, billing details, GST/tax identifiers, invoices, and records of correspondence.
- Payment data — where you make a payment, billing information processed through our payment partners. We do not store full card numbers on our own systems; card payments are handled by PCI-DSS-compliant payment processors.
- Recruitment data — where you apply for a role, your CV/résumé, work history, qualifications, references and related information (see Section 19).
5.2 Information we collect automatically
- Device and connection data — IP address, browser type and version, operating system, device identifiers, language settings and time zone.
- Usage data — pages and content viewed, referring/exit pages, links clicked, features used, dates and times of access, and approximate location derived from IP address.
- Log and diagnostic data — server logs, crash data, performance data and other technical information generated when you use our Offerings.
- Cookies and similar technologies — see Section 7.
5.3 Information from third parties
- Business partners and suppliers — referral, integration and supplier partners who share contact or transaction data to enable a service.
- Analytics and advertising providers — aggregated or pseudonymised insights about how our Offerings are used.
- Public and commercial sources — publicly available business information, professional networks and corporate registries, used for B2B context and verification.
- Our clients — where we act as a processor, our business clients may provide personal data relating to their own customers or staff for us to process on their behalf (see Section 20).
5.4 Product and service data
When you use a Product such as ItinOps, or when we deliver a Service, we may process the data you or your organisation submit into the Product or share with us for the Service (“customer content”). For travel-related Products, customer content can include traveller names and contact details, itineraries, booking and supplier information, quotes, and invoicing data. We process customer content to operate and provide the relevant Product or Service, in accordance with the applicable product terms or service agreement.
5.5 Sensitive personal data
We try to minimise our processing of sensitive personal data. We only process such data where it is necessary for a specific purpose, where you have provided it to us voluntarily, or where the law permits or requires it. Please do not send us sensitive personal data that we have not requested.
5.6 Children's data
Our Offerings are intended for businesses and adults and are not directed to children. We do not knowingly collect personal data from children below the age at which consent of a parent or guardian is required under applicable law (see Section 22).
How we collect information
We collect personal data through the following channels:
- Directly from you — when you fill in a form, contact us, request information, register for or use a Product, engage our Services, apply for a role, or otherwise interact with us.
- Automatically — through cookies, log files, analytics and similar technologies when you visit our Website or use our Products.
- From third parties — as described in Section 5.3, including partners, suppliers, analytics providers, public sources and our clients.
Where we ask you to provide personal data to comply with a legal requirement or to perform a contract with you, and you do not provide it, we may be unable to provide the requested Offering or fulfil the contract, and we will tell you if that is the case.
Cookies & tracking technologies
We and our service providers use cookies, web beacons, pixels, local storage and similar technologies (“cookies”) to operate, secure and improve our Offerings, remember your preferences, and understand how our Website is used. Cookies are small files stored on your device.
| Category | Purpose |
|---|---|
| Strictly necessary | Required for the Website and Products to function — security, load balancing, session management and basic preferences. These cannot be switched off through our interfaces. |
| Functional | Remember your choices and settings to provide a more personalised experience. |
| Analytics / performance | Help us understand traffic, usage and performance so we can improve our Offerings, typically using aggregated or pseudonymised data. |
| Marketing | Used, where enabled, to measure and improve our communications. We do not use cookies to sell your personal data. |
You can control cookies through your browser settings and, where we provide one, our cookie-preference tool. Most browsers let you refuse or delete cookies; blocking some cookies may affect how the Website works. Where required by law, we will request your consent before placing non-essential cookies. Some browsers transmit “Do Not Track” or Global Privacy Control signals; we honour such signals where the law requires us to do so.
How we use your information
We use personal data for the following purposes:
- To provide our Offerings — operate, maintain and deliver the Website, Products and Services, and to set up and manage your account or engagement.
- To respond to you — answer enquiries, provide quotes and proposals, and deliver customer and technical support.
- To process transactions — handle orders, billing, invoicing, payments, GST/tax compliance and related record-keeping.
- To improve and develop — analyse usage, troubleshoot, conduct research and analytics, and develop new and improved features, products and services.
- To personalise — remember your preferences and tailor content and communications.
- To communicate — send administrative messages, service updates, security alerts, and, where permitted, marketing communications (see Section 18).
- To ensure security and prevent abuse — protect our Offerings, detect and prevent fraud, abuse and security incidents, and enforce our terms and policies.
- To comply with law — meet our legal, regulatory, tax, accounting and reporting obligations, and respond to lawful requests from authorities.
- For recruitment — assess applications and manage our hiring process.
- For corporate transactions — evaluate, negotiate or complete a merger, acquisition, financing, reorganisation, or sale of assets.
- For any other purpose disclosed to you at the time of collection or to which you consent.
Where we wish to use your personal data for a new purpose that is not compatible with the purpose for which it was collected, we will notify you and, where required, obtain your consent.
Legal bases for processing
Under the DPDP Act, we process personal data on the basis of your consent or for certain legitimate uses permitted by law (for example, where you voluntarily provide data for a specified purpose, or to comply with legal obligations). Where the GDPR or UK GDPR applies, we rely on one or more of the following legal bases:
- Consent — where you have given clear consent for a specific purpose (for example, certain marketing or non-essential cookies).
- Contract — where processing is necessary to enter into or perform a contract with you, or to take steps at your request before entering into a contract.
- Legal obligation — where processing is necessary to comply with our legal and regulatory obligations.
- Legitimate interests — where processing is necessary for our legitimate business interests (such as running, securing and improving our Offerings, and B2B marketing), provided these are not overridden by your rights and interests.
- Vital or public interest — in the limited circumstances where processing is necessary to protect someone's vital interests or in the public interest.
If you would like more information about the legal basis on which we process your personal data, please contact us using the details in Section 25.
Artificial intelligence & automation
Our business includes building and operating AI agents and LLM-powered systems. As part of providing certain Products and Services, we may use machine-learning models and third-party AI providers to process inputs and generate outputs — for example, to draft itineraries, summarise information, or assist with support.
- Third-party AI providers. Some features rely on third-party model providers. Where you or your organisation supply your own provider API key (“bring your own key”), the use of that provider is also governed by that provider's terms and privacy policy.
- Use of data for model training. We do not use your customer content to train publicly shared foundation models without an appropriate basis. Where we improve our own systems, we seek to use aggregated, de-identified or pseudonymised data wherever practicable.
- Human oversight. AI outputs may be imperfect and should not be treated as professional advice. We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without a lawful basis and, where required, appropriate safeguards and a right to human review.
How we share & disclose data
We do not sell your personal data. We share personal data only as described below, and we require recipients to protect it appropriately:
- Service providers and sub-processors — vendors who provide hosting, infrastructure, storage, analytics, communications, payment processing, customer-support, security and AI services on our behalf, under contracts that limit their use of the data (see Section 12).
- Group companies and brands — our affiliates and brands (such as ItinOps, Edunage and Drift Technologies) that help us operate our business and provide the Offerings, subject to this policy.
- Our clients — where we act as a processor, we share or return personal data to the client on whose behalf we process it.
- Professional advisers — auditors, lawyers, accountants, bankers and insurers, where reasonably necessary.
- Legal and regulatory authorities — where we are required to do so by law, regulation, legal process or enforceable governmental request, or to protect rights, property or safety.
- Corporate transactions — to actual or prospective buyers, investors or successors in connection with a merger, acquisition, financing, reorganisation, insolvency or sale of assets, subject to appropriate confidentiality protections.
- With your direction or consent — to any other party where you instruct us or consent to the disclosure.
Sub-processors & third-party services
To run our Offerings efficiently and securely, we rely on established third-party providers. These typically fall into the categories below. We carry out reasonable due diligence on our providers and put data-protection terms in place with them.
- Cloud hosting and infrastructure — to host and run our Website, Products and data.
- Analytics and product telemetry — to understand usage and improve performance.
- Communications and email — to send transactional and, where permitted, marketing messages.
- Messaging platforms — Meta Platforms, Inc. (the WhatsApp Business Platform) to deliver WhatsApp messages for business clients who connect their own WhatsApp Business number to our products. Message content and the associated phone numbers pass through Meta's infrastructure under WhatsApp's business terms.
- Payment processing — PCI-DSS-compliant partners to process payments.
- AI and model providers — to power AI-assisted features.
- Security, logging and error monitoring — to keep our Offerings secure and reliable.
We can provide further information about the specific categories of sub-processors relevant to a particular Product or Service on request, or through the applicable product documentation or data-processing agreement.
International data transfers
We are based in India and our providers may be located in, or store data in, countries other than your own. As a result, your personal data may be transferred to, stored in, or accessed from jurisdictions whose data-protection laws may differ from those of your country.
Where we transfer personal data internationally, we take steps to ensure it remains protected, including by transferring only to countries not restricted under applicable law and, where the GDPR or UK GDPR applies, by relying on appropriate safeguards such as Standard Contractual Clauses or other lawful transfer mechanisms. You may contact us to obtain more information about the safeguards we use.
Data retention
We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, including to provide the Offerings, to comply with our legal, tax, accounting and regulatory obligations, to resolve disputes, and to enforce our agreements.
To determine the appropriate retention period, we consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and applicable legal requirements. When personal data is no longer required, we will securely delete, destroy or anonymise it. We may retain anonymised or aggregated data, which can no longer be associated with you, for legitimate business purposes without further notice.
Data security
We implement reasonable technical and organisational security measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These measures may include encryption in transit, access controls, network protections, logging and monitoring, and internal policies and training.
No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for using up-to-date, secure devices and networks. If we become aware of a personal-data breach that is likely to result in a risk to your rights, we will notify the affected individuals and the relevant authorities where, and in the manner, required by applicable law.
Your rights & choices
Subject to applicable law and certain exceptions, you may have the following rights in relation to your personal data. The rights available to you depend on where you are located and the law that applies.
16.1 Rights under the DPDP Act (India)
- Right to access — to obtain a summary of the personal data we process about you and the processing activities.
- Right to correction and erasure — to have inaccurate or misleading data corrected, completed or updated, and to have your data erased where no longer required.
- Right to grievance redressal — to readily available means of registering a grievance with us (see Section 25).
- Right to nominate — to nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent — to withdraw consent at any time, as easily as it was given.
16.2 Rights under the GDPR / UK GDPR (EEA & UK)
- Access — to request a copy of your personal data.
- Rectification — to have inaccurate data corrected and incomplete data completed.
- Erasure — to request deletion of your data in certain circumstances (the “right to be forgotten”).
- Restriction — to request that we restrict processing in certain circumstances.
- Portability — to receive certain data in a structured, commonly used, machine-readable format and to have it transmitted to another controller.
- Objection — to object to processing based on legitimate interests or to direct marketing.
- Withdraw consent — where processing is based on consent, to withdraw it at any time.
- Complain — to lodge a complaint with your local supervisory authority.
16.3 Rights under the CCPA / CPRA (California)
- Right to know — the categories and specific pieces of personal information we have collected, the sources, purposes and recipients.
- Right to delete — to request deletion of personal information, subject to exceptions.
- Right to correct — to request correction of inaccurate personal information.
- Right to opt out — of any “sale” or “sharing” of personal information. We do not sell your personal information.
- Right to non-discrimination — we will not discriminate against you for exercising your rights.
16.4 How to exercise your rights
You can exercise your rights by contacting us using the details in Section 25. We may need to verify your identity before acting on a request, and we will respond within the timeframes required by applicable law. There is generally no fee, although we may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive or repetitive, to the extent permitted by law. Where we act as a processor for a business client, we will direct your request to that client.
Consent & withdrawal
Where we rely on your consent to process personal data, we obtain it through a clear affirmative action and keep a record of it. You may withdraw your consent at any time, and we will make withdrawal as easy as giving consent. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal, and it may mean we can no longer provide certain Offerings to you. Where another lawful basis applies (for example, a legal obligation or an ongoing contract), we may continue to process your data on that basis.
Marketing communications
We may send you marketing communications about our Offerings where you have asked us to, where you are an existing business contact and applicable law permits, or where you have otherwise consented. You can opt out of marketing communications at any time by using the “unsubscribe” link in our emails or by contacting us. Opting out of marketing does not stop service or transactional messages that are necessary for the Offerings you use (for example, billing or security notices).
Job applicants & recruitment
If you apply for a role with us, we process the personal data in your application (such as your CV, contact details, work history and references) to assess your suitability, communicate with you, and manage our recruitment process. We may retain your application for a reasonable period to consider you for future opportunities, unless you ask us not to. We treat recruitment data confidentially and share it only with those involved in hiring.
Our role as a data processor
When we provide Services or Products to a business client and process personal data on that client's behalf and under its instructions, the client is the Data Fiduciary/controller and we act as the Data Processor. In those cases, the client's privacy policy — not this one — governs how that personal data is handled, and our processing is governed by the agreement (including any data-processing terms) between us and the client.
WhatsApp Business messaging. Where a business client connects its own WhatsApp Business number to one of our products (via our messaging platform built on Meta's WhatsApp Business Platform), we process the WhatsApp messages exchanged between that client and its customers — message content, the sender's phone number and WhatsApp profile name, and message metadata such as timestamps and delivery counts — solely to deliver the messaging service to that client: showing conversations in the client's workspace, sending the client's replies, and tracking message volumes for billing. Each client owns and controls its own WhatsApp Business Account. We do not use this data for advertising, do not sell it, and do not share it with anyone other than Meta (as the platform operator) and the client it belongs to.
If you are an individual whose data we process on behalf of one of our clients and you wish to exercise your rights, please contact the relevant client directly. We will support our clients in responding to such requests as required by our agreement and applicable law.
Third-party links & services
Our Website and Products may contain links to, or integrations with, third-party websites, products and services that we do not own or control — for example, partner sites, payment providers, AI providers and social platforms. This policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third party before providing it with your personal data.
Children's privacy
Our Offerings are intended for businesses and adults and are not directed to children. We do not knowingly collect personal data from children below the age at which parental or guardian consent is required under applicable law (which, in India under the DPDP Act, is eighteen years). Where required by law, we will obtain verifiable consent of a parent or lawful guardian before processing a child's personal data, and we will not undertake tracking, behavioural monitoring or targeted advertising directed at children. If you believe a child has provided us personal data without appropriate consent, please contact us and we will take reasonable steps to delete it.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements or other factors. When we make changes, we will revise the “Last updated” date at the top of this policy and, where the changes are material, provide a more prominent notice or obtain your consent as required by law. Your continued use of our Offerings after an updated policy takes effect constitutes your acknowledgement of the updated policy to the extent permitted by law. We encourage you to review this policy periodically.
Region-specific disclosures
24.1 India (DPDP Act)
For individuals in India, we act as a Data Fiduciary and process personal data on the basis of consent or other legitimate uses permitted under the DPDP Act. You may exercise your rights, and register grievances, through our Grievance Officer (Section 25). You also have the right to escalate unresolved grievances to the Data Protection Board of India in accordance with the DPDP Act.
24.2 EEA & United Kingdom (GDPR)
If you are in the EEA or the UK, the controller of your personal data is Discover Drift Planners LLP. You have the rights set out in Section 16.2 and may lodge a complaint with your local supervisory authority. Where we transfer your data outside the EEA or UK, we use appropriate safeguards as described in Section 13.
24.3 California (CCPA/CPRA)
If you are a California resident, you have the rights set out in Section 16.3. We do not sell or share your personal information as those terms are defined under the CCPA/CPRA. You may exercise your rights through the contact details in Section 25, and you may use an authorised agent to do so where permitted by law.
Grievance officer & contact
If you have any questions, requests or complaints about this Privacy Policy or our handling of your personal data, or if you wish to exercise your rights, please contact us. We have appointed a Grievance Officer to address your concerns, as required under applicable Indian law.
Grievance & Data Protection contact
Discover Drift Planners LLP — Office of the Grievance Officer
We will acknowledge and respond to your communication within the timeframes required by applicable law. To help us respond, please include enough information for us to identify you and understand your request.