Privacy Policy
This Privacy Policy governs how Intrepid Marketing and Communications Private Limited (referred to as ‘Intrepid’, ‘we’, ‘us’, or ‘our’), headquartered in Mumbai, India, collects, processes, stores, and protects personal data.
This policy applies to all personal information collected through our official website (www.intrepid-marketing.com), during our physical B2B travel roadshows and networking events, and through our day-to-day operations as a destination representation firm.
To respect and protect both our domestic travel partners and our international clients, this policy is built on a dual-compliance framework for both Digital Personal Data Protection
(DPDP) Act of India, and General Data Protection Regulation (GDPR) of the European Union.
First and foremost, we do not collect personal information ‘just in case’. We strictly adhere to the principles of data minimization (only collecting what is functionally necessary) and purpose limitation (only using your data for the exact reasons you shared it with us).
- Intrepid as the Data Fiduciary (Data Controller)
We act as the Data Fiduciary (or Controller) when we collect and determine the purpose of processing your personal information. This occurs when you:
- Interact directly with our team, exchange business cards, or register for our B2B trade events and roadshows.
- Contact us directly through our website form, subscribe to our company updates, or apply to join the Intrepid
- Provide your business contact details to establish a commercial partnership with
- Intrepid as the Data Processor
We act as a Data Processor when we handle, manage, or distribute information strictly on behalf of our global clients. Because we serve as the local office in India for international
National Tourism Organizations (NTOs) and luxury hospitality groups, we frequently coordinate and execute marketing campaigns, traveler databases, and email newsletters on their behalf.
In these cases:- The international client remains the Data Fiduciary (Controller) and owns the
- Intrepid processes this data – such as sending targeted destination newsletters – strictly under the legal, documented instructions of that
- We ensure that any technical distribution, website maintenance, or database management is executed only by qualified and competent agencies who adhere to strict, legally binding Data Processing Agreements (DPAs).
We only collect information that is absolutely necessary to do our job. We do not gather personal data “just in case”. Depending on how you interact with us, the data we handle falls into three clear categories:
Category A: B2B Trade & Corporate Assets
As a business-to-business agency, we handle highly sensitive, non-public commercial data under strict Non-Disclosure Agreements (NDAs). This includes:
- Unreleased destination marketing strategies, unreleased creative campaign assets, and unreleased market research from our global travel
- Authorized login credentials for project-management portals, shared drives, and destination training
- Business contact details (names, corporate email addresses, phone numbers, and designations) of travel agents, tour operators, and corporate MICE planners within our professional
Category B: Traveler & Delegate PII (For FAM Trips & Events)
When we organize international Familiarization (FAM) trips, high-end trade delegations, or MICE group movements, we act as a Data Processor. To book your flights, hotels, and coordinate with embassies for visas, we must collect:
- Identification Data: Full name (as on passport), date of birth, gender, nationality, and passport
- Contact s Booking Details: Mobile number, email address, emergency contact, flight itineraries, hotel reservation numbers, and frequent flyer
- Sensitive Personal Details: Highly specific dietary requirements, physical accessibility needs, or government-issued ID data strictly required for visa facilitation and flight
Category C: Automatically Collected Technical Data
When you visit our website, we automatically collect basic, non-identifiable technical details through our standard hosting servers and cookie configurations. This includes:
- Your Internet Protocol (IP) address, browser type and version, operating system, and the specific pages you click on during your
- Anonymized website usage patterns (like the time spent on a page) to help our technical team improve our digital reading
We only use your data for the exact reasons you shared it with us. We never bundle our consents or use traveler or partner data for secondary, unrelated commercial activities without asking you first.
Specifically, we process your information for two core purposes:
- Operational Execution & Service Delivery
We use traveler PII and B2B trade data strictly to fulfill our contractual and operational obligations, such as:- Travel Coordination: Booking flights, securing hotel room blocks, issuing tickets, and ensuring your specific dietary or accessibility needs are met by our local
- Visa’s Immigration Support: Preparing and submitting required traveler documentation to consular offices, embassies, and foreign border control authorities for official travel missions.
- Event Management: Registering delegates for our multi-city B2B roadshows, sending operational flight updates, and managing check-ins on-site.
- Permission-Based, Granular Marketing
When we send destination newsletters, market intelligence reports, or promotional campaign materials on behalf of our international tourism board clients, we enforce strict consent guardrails:- We only send marketing materials if you have given us separate, explicit, and unbundled consent to do so. You will never be signed up for a promotional newsletter simply because you registered for a B2B event or visited our site.
- Every single marketing email we distribute includes a prominent, one-click ‘Unsubscribe’ link at the bottom of the page, allowing you to instantly withdraw your consent and opt out at any
Our marketing databases are never sold, rented, or traded with third-party advertisers or commercial data brokers. Your information stays with us and our client
We do not just protect individual traveler data; we also safeguard sensitive, copyrighted brand assets and proprietary business plans of the international destinations we represent. As a tourism marketing agency working with National Tourism Organizations (NTOs) and luxury
hospitality groups, we routinely handle unreleased campaigns, market research, and high-value trade secrets under strict Non-Disclosure Agreements (NDAs).
To ensure absolute confidentiality and prevent unauthorized access or accidental data leakage, we enforce the following internal guardrails:
- Strict Access Control: We restrict access to all client logins, project portals, shared drives, and campaign databases on a strict “need-to-know” Only the specific Intrepid account managers, content writers, and sales leads directly assigned to a client’s account are granted access credentials. You are responsible for keeping any credentials we share with you secure.
- Database Isolation: We store each client’s trade databases and campaign assets in separate, isolated This prevents any risk of cross-contamination, accidental database merges, or data exposure between different client accounts.
- In-House Accountability: Our team is trained directly on information security, the handling of proprietary assets, and the importance of We keep our core strategic loops in-house, ensuring that unreleased brand assets are never exposed to unverified personnel.
We will never sell, rent, trade, or share your personal data with commercial data brokers, advertising networks, or third-party marketing companies for their independent commercial use. Your information is only shared under very specific, necessary conditions to fulfill our services:
- Essential Travel s Booking Providers: When you participate in a FAM trip or trade delegation, we must share your personal details (such as passport details, dates of birth, and travel itineraries) with the third-party providers directly responsible for your This includes airlines, hotels, local Destination Management Company branches (DMCs) in the destination country, and consular offices or foreign immigration departments. These parties only receive the exact data necessary to execute your travel arrangements.
- Qualified Technical Partners: While we design and lead the strategic narrative of our campaigns, we partner with qualified and competent agencies to manage, host, and maintain our digital This includes the secure hosting of our website content, secure database backup systems, and the technical platforms used to deliver our client newsletters and email updates. We enforce strict Data Processing Agreements (DPAs) with these agencies, requiring them to process any data strictly according to our instructions and in compliance with GDPR and DPDP standards.
- Cross-Border Data Transfers: Because we represent global destinations, your booking details and traveler PII must be securely transferred outside of India to process foreign bookings. We ensure that any cross-border transfers are made in full compliance with the legal transfer frameworks of India’s DPDP Act and the EU’s GDPR, utilizing whitelists, adequate protective safeguards, or contract-based data processing
Because we value the trust of our international principals and travelers, we take digital security seriously. We partner with qualified and competent agencies to manage, host, and monitor our digital footprints. This ensures that our web systems and email newsletter databases are protected by modern, enterprise-grade technology.
We work closely with these technical partners to enforce industry-standard security safeguards:
- Encrypted Channels: All personal data entered on our website is protected using Secure Sockets Layer (SSL) encryption during transmission, keeping your details safe from
- Access Verification: We enforce strict access controls, including multi-factor authentication (MFA) and secure login credentials, for all administrative access to our databases and content delivery networks.
- Continuous Monitoring: Our technical service partners maintain security, cloud firewalls, and threat detection to prevent unauthorized access or data
- Supplier Compliance: Every third-party technical partner we engage must sign a strict Data Processing Agreement (DPA) that binds them to our privacy standards and forbids them from using our data for any secondary
We believe that keeping data forever is an unnecessary security risk. We follow a strict data lifecycle model, keeping personal details only as long as they are actively required to complete our services or to comply with legal and regulatory duties.
When that purpose is met, we ensure the data is securely destroyed:
- FAM Trips s Delegate Events: All sensitive personal identifiable information (PII) – including traveler passport scans, dates of birth, and flight itineraries – is completely and permanently deleted from our active systems two years after the FAM trip or travel event has concluded.
- Commercial Registries: B2B contact lists and communication histories used for direct client outreach are retained only as long as our representation contract is If a partner or trade member objects to our outreach or requests removal, we process and delete their records within our legal timeline guidelines.
- Certified Erasure: We do not simply ‘recycle’ or hide old Our technical partners utilize secure information deletion protocols (in line with international data sanitization standards) to ensure that deleted records are completely unrecoverable and permanently erased from all active and backup servers.
We believe that you should have absolute control over your personal information. Depending on whether you are located in India or the European Union, you are protected by distinct, robust privacy frameworks. We respect and honor these rights across all of our digital and physical operations.
- Rights for Indian Residents (under the DPDP Act)
If you are an Indian resident, you hold the following rights regarding your digital personal data:- Right to Access: You have the right to request a summary of the personal data we hold about you, the processing activities we have carried out, and the identities of any third parties we have shared your data
- Right to Correction s Erasure: You can ask us to correct inaccurate details, update incomplete information, or completely erase your personal data once the purpose of its collection has been
- Right to Grievance Redressal: If you feel we have not addressed your privacy concerns adequately, you have the right to file a formal grievance directly with us before escalating it to the Data Protection Board of
- Right to Nominate: You have the unique right to designate another individual to manage and exercise your data privacy rights on your behalf in the event of death or
- Rights for European Union Residents (under the GDPR)
If you are located within the European Union, you are protected by the following rights:- Right to Access s Rectification: You can request a copy of your personal data and demand that we rectify any errors or incomplete
- Right to Erasure (The “Right to be Forgotten”): You can request that we permanently delete your personal data from our systems when it is no longer required for booking operations.
- Right to Object s Restrict Processing: You have the absolute right to object to your data being processed for direct Once you object, we must immediately stop using your details for these campaigns.
- Right to Data Portability: You can request that we transfer your personal data directly to another service provider in a structured, commonly used, and machine-readable format.
- How to Instantly Withdraw Your Consent
Consent is not a permanent commitment. You can withdraw your consent to our marketing communications at any time:- Email Newsletters: Every single email sent on behalf of our clients includes a
prominent, one-click ‘Unsubscribe’ or ‘Manage Preferences’ link in the footer. Clicking this will instantly remove you from that distribution list. - Direct Request: You can email us directly at with the subject line ‘Withdraw Consent’, and our team will process your request manually within our compliant
- Email Newsletters: Every single email sent on behalf of our clients includes a
We have opted to keep our privacy communication direct and human. If you have any questions about this Privacy Policy, wish to exercise your data rights, or want to raise a concern about how we or our technical partners handle your data, you can reach us directly:
- Dedicated Privacy Inbox: contact@intrepid-marketing.com
- Physical Address: Intrepid Marketing and Communications Private Limited, C/o Redbrick Offices, 1st Floor A Wing, Kaledonia, Sahar Road, Andheri East, Mumbai – 400 069, India.
Our Response Commitment
We do not use automated bots to screen your privacy inquiries; a senior member of our leadership team actively monitors this inbox. Once we receive a verifiable request regarding your personal data:
- We will acknowledge your request within 48 business hours.
- For EU GDPR-related requests, we will resolve your query or execute data erasure within 30 days.
- For Indian DPDP-related grievances, we are committed to providing a full resolution within a strict G0-day compliant
