Privacy Policy
Last updated: April 18, 2026
This Privacy Policy describes how Care My Trip CRM ("we", "our", or "us") collects, uses, and shares information when you use our travel CRM software (the "Service") operated by Care My Trip.
We are committed to protecting your personal information and your right to privacy. If you have any questions about this Policy or our practices, please contact us at info@caremytrip.com.
1. Information We Collect
1.1 Information from Team Members (users of the CRM)
- Name, email address, phone number (optional)
- Login credentials (passwords stored as bcrypt hashes, never in plain text)
- Activity logs within the CRM (lead actions, status changes, notes)
- Browser session information (IP address, login timestamps)
1.2 Information from Leads (travel inquiries received via integrations)
When your customers submit inquiries via Facebook Lead Ads, Google Lead Forms, website contact forms, or direct outreach, we store:
- Name, phone number, email address, city
- Travel preferences (destination, dates, passenger count, budget)
- Source attribution (which ad, campaign, landing page they came from)
- Any custom form fields you configured (travel questions, special requests)
1.3 Integration Data
When you connect Facebook, Google, or other ad platforms, we store authentication tokens (Page Access Tokens, API keys) needed to retrieve lead data on your behalf. These tokens are encrypted at rest and used only for the functionality you explicitly authorize.
2. How We Use Information
- Operate the Service: display leads, track pipeline, generate quotations
- Notify your team: send in-app notifications about new leads, overdue follow-ups, TAT breaches
- Generate reports: aggregate anonymized usage patterns for your admin dashboards
- Audit & security: log sensitive actions (user management, deletions, assignment changes)
- Communication: respond to support inquiries, critical security alerts
3. Information Sharing
We do NOT sell, rent, or trade your personal information. Your lead data belongs to you. We only share data in these cases:
- With your team members — based on role-based access (Admins see all, Executives see assigned leads)
- With integration partners you authorize — when you connect Facebook / Google / etc., data flows between their systems and ours per your configuration
- Infrastructure providers — Hostinger (hosting), MySQL databases, third-party libraries (all act under strict confidentiality)
- Legal requirements — if compelled by valid legal process in India
4. Data Security
- All connections use HTTPS/TLS encryption
- Passwords are hashed with bcrypt (never stored in plain text)
- Database access is restricted via authentication
- Webhook payloads are verified with HMAC signatures (Facebook) or API keys
- Sensitive operations (password resets, deletions, assignment changes) are logged in an audit trail
However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
5. Data Retention
- Lead data: retained for as long as the lead is active in your CRM
- Deleted leads: soft-deleted (marked inactive), recoverable by admin for 90 days, then permanently removed on request
- User accounts: retained while the account is active; deleted accounts are purged within 30 days of confirmation
- Activity logs: retained for 12 months for compliance and audit purposes
- Backups: encrypted backups retained for 30 days
6. Your Rights
Under applicable data protection laws (including India's DPDP Act, 2023), you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Delete your personal information (subject to legal retention requirements)
- Export your data in a machine-readable format
- Withdraw consent for data processing where consent was the basis
- Lodge a complaint with the Data Protection Board of India
To exercise any of these rights, email us at info@caremytrip.com. We will respond within 30 days.
7. Facebook Lead Ads Integration
When leads submit Facebook Lead Ads for your business, Facebook transmits the lead data directly to our servers via their Webhooks API. We fetch the complete lead details from Facebook's Graph API using the Page Access Token you've authorized. This data is stored in your CRM and is never shared back with Facebook or any third party.
You can revoke our access at any time by removing our app from your Facebook Business Settings → Apps, or by disconnecting the integration from within the CRM settings.
8. Cookies
We use HTTP-only, secure cookies strictly for authentication (keeping you logged in) and CSRF protection. We do not use tracking cookies, third-party analytics, or advertising pixels within the CRM application.
9. Children's Privacy
Our Service is intended for use by travel businesses and is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, contact us for immediate removal.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons. We will notify you of any material changes by posting the updated policy here with a revised "Last updated" date. Continued use of the Service after changes constitutes acceptance.
11. Contact
Care My Trip
Email: info@caremytrip.com
For data protection inquiries, use subject line: "Data Protection Request"