Vihar Tours operates vihartours.co.in — a travel campaign and slot-booking platform based in Hyderabad, Telangana, India. We are the data controller for the personal information collected through this platform. Contact: support@vihartours.co.in or WhatsApp +91 93475 56927.

We collect the following types of information:

• Mobile number — used as your primary account identifier and for OTP-based login via WhatsApp.
• Name — provided optionally and used for booking records and WhatsApp communication.
• Email address — collected if you provide it; used for booking receipts and support communication.
• Booking and payment data — slot purchases, payment status, entry codes, campaign history, and wallet balance.
• Device and session data — IP address and session tokens used for security hardening and fraud prevention. Not used for advertising.
• Address — collected only if required for prize claim delivery or specific tour documentation.

Your data is used only for the following purposes:

• Account creation and OTP login via WhatsApp
• Processing slot bookings and verifying payments
• Sending booking confirmation, tour updates, pickup details, and result notifications via WhatsApp
• Operating wallet and reward credit systems
• Running lucky draw processes for reward campaigns
• Responding to support queries
• Preventing fraud, duplicate entries, and platform abuse
• Meeting legal and regulatory obligations

We do not use your data for targeted advertising and we do not sell your data to third parties.

We use WhatsApp Business messaging to send OTPs and booking-related notifications (confirmation, tour details, results). These messages are operational and not marketing messages.

WhatsApp messages are processed through BhashSMS, our WhatsApp Business API provider. The phone number you provide is shared with BhashSMS only to the extent necessary to deliver these messages. BhashSMS does not use your data for any other purpose.

If you wish to stop receiving WhatsApp notifications from us, contact us on support@vihartours.co.in and we will update your preferences.

Online payments are processed through third-party payment gateways (Razorpay, PhonePe, or Cashfree depending on the campaign). These providers are PCI-DSS compliant. Vihar Tours does not store your full card number, CVV, or net banking credentials on our servers.

We store the transaction reference ID, payment status, and amount to maintain your booking record. This data is retained for as long as required by applicable law and our internal audit requirements.

We do not sell, rent, or trade your personal data. We share data only with:

• Payment gateway providers (Razorpay / PhonePe / Cashfree) — for payment processing.
• BhashSMS — for WhatsApp OTP and notification delivery.
• Tour logistics partners — limited operational details (name, contact number) may be shared with vehicle operators or hotel partners for the specific trip you are booked on.
• Legal authorities — if required by law, court order, or to protect rights and safety.

We retain your account and booking data for as long as your account is active and for up to 7 years after your last transaction, as required for financial and legal recordkeeping under Indian law.

Session tokens are invalidated after 7 days of inactivity. OTP records are retained for a limited audit period and then deleted.

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and associated data (subject to legal retention obligations)
• Opt out of non-essential communications

To exercise any of these rights, contact us at support@vihartours.co.in. We will respond within 15 working days.

We implement session hardening, rate limiting, CSRF protection, and secure HTTPS transport to protect your data. Passwords (where set) are stored as bcrypt hashes. OTP codes are hashed and never stored in plain text. Despite these measures, no system is completely immune to security risks — please contact us immediately if you suspect unauthorised access to your account.

We use a single session cookie to maintain your login state. This cookie contains an opaque session token — no personal data is embedded in it. We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. We will notify registered users of significant changes via WhatsApp where feasible. Continued use of the platform after updates constitutes acceptance.