Privacy Policy
How ORN collects, uses, protects, and respects your personal data — under GDPR, CCPA, India DPDP, and equivalent global frameworks.
Last updated: 1 January 2026
This Privacy Policy describes how ORN Group and its operating entities (collectively, "ORN", "we", "us") collect, use, disclose, and protect personal data when you visit our websites, use NX/OS, or interact with our services.
1. Who we are
ORN Group is the parent entity for a portfolio of travel brands operating under the NX/OS platform. The data controller for the service you are using is the ORN entity identified at the point of collection. A list of entities is available on request.
2. What we collect
We collect data you provide directly (name, contact details, traveller preferences, booking history, payment information), data generated by your use of NX/OS (device, location with consent, interaction telemetry), and data we receive from authorised partners (loyalty status, prior bookings).
3. Why we collect it
To operate the service you have requested, to personalise your experience inside NX/OS, to keep our platform secure, to comply with legal obligations, and — only with your separate, opt-in consent — to communicate marketing relevant to you.
4. Legal bases
Where the GDPR applies, we rely on (a) performance of a contract, (b) legitimate interests carefully balanced against your rights, (c) compliance with a legal obligation, or (d) your consent. Equivalent bases apply under other jurisdictions.
5. Who we share it with
Operating partners required to fulfil your booking (airlines, hotels, ground operators), our service providers under strict contract, and competent authorities where legally required. We do not sell personal data.
6. International transfers
ORN operates globally and your data may be processed outside your home jurisdiction. Where it is, transfers are protected by Standard Contractual Clauses or an adequacy mechanism recognised by your home regulator.
7. Retention
We retain data only as long as needed for the purpose for which it was collected, the duration of our relationship with you, or as required by law — whichever is longest.
8. Your rights
To exercise any of these rights, write to privacy@orn.com. We respond within thirty days.
- Access to your personal data.
- Correction of inaccurate data.
- Erasure, subject to overriding legal obligations.
- Restriction or objection to processing.
- Portability, where applicable.
- Withdrawal of consent at any time, without affecting prior processing.
9. Security
We apply layered technical and organisational measures aligned with ISO 27001 and NIST CSF. No system is impenetrable; if we identify a breach affecting your data, we notify you and the competent regulator within the statutory window.
10. Changes
We may update this Policy. The current version is always posted at this URL with the "last updated" date above. Material changes are notified in-product or by email.