Our commitment to help you with data protection and compliance

ITILITE enables GDPR support for all customers worldwide

ITILITE ensures conformance to global regulations and industry practices to maintain the privacy and security of its customer’s data. All our products provide GDPR-ready capabilities to help our customers meet their compliance obligations. ITILITE extends these capabilities not only to customers in the European Union(EU) but to all our customers worldwide.

To strengthen an individual’s rights to privacy, the European Union brought about the General Data Protection Regulation or GDPR, fortifying existing directives on data protection. The Regulation issued by the European Union applies to businesses processing personal data of European residents and has been in force since 25th May 2018.

ITILITE commitment to the GDPR


Fair and Transparent processing of all client data with data access requests in place


Implement “Security By Design” across all our products to protect and secure client data


Streamlined processes to help our clients meet compliance requirements

7 Key Principles for the GDPR

The GDPR encourages businesses to be responsible for an individual’s data. By ensuring the protection and privacy of this data, businesses earn customer trust and they are likely to engage better with the business. GDPR provides a framework for businesses to standardize and regularize real-world security and privacy needs of an individual’s data used for business purposes. The key principles which the GDPR requires businesses to operate on are:

  • Lawful, fair and transparent processing: Emphasizes transparency for all individuals and businesses alike. The company collecting user data must be absolutely clear as to why data is being collected and what it will be used for.
  • Purpose of collection:Businesses should collect sensitive consumer data only for selective purposes. Data collected for specific purposes should not be further processed in a manner incompatible with the above mentioned purpose.
  • Data minimization: Ensure data captured is adequate, relevant and limited. Based on this principle, organizations must ensure they store a minimum amount of consumer data only specific to company regulations.
  • Accurate processing: Data controllers must ensure information remains accurate, valid and fit for purpose. To comply, organizations must institute processes and policies to address how they maintain the data that is being processed.
  • Storage limit based on identification: Companies that collect user data must have full control over its storage and use within the company. This includes implementing and enforcing data retention policies and preventing unauthorized movement and storage of data to safeguard it in accordance with the above mentioned policies.
  • High levels of security: An organization collecting and processing data is solely responsible for implementing appropriate security measures to protect the individual’s data.
  • Accountability and liability: Organizations must be able to demonstrate the adoption of necessary steps to protect an individual’s data, and be able to pull up every step within the GDPR strategy as evidence.

Frequently Asked Questions

You can log into the ITILITE Platform using sign-in services made available to you by the applicable client or other service providers. These sign-in services will authenticate your identity and provide you the option to share certain personal information with us, like your name and email address, through which log-on to the ITILITE platform are facilitated. The GDPR legal basis for processing this information is the contractual obligation to the client i.e. your employer, to perform the services.

The ITILITE Platform enables users to save on business travel costs and generate value for its consumers. When acting as a service provider, ITILITE only receives and collects information under the direction of its Clients. The Client Agreement may govern the delivery, access and use of the ITILITE Platform and Services, including the processing of personal information and data submitted through Client accounts. The applicable Client (your employer) controls the ITILITE Platform and any associated user data. The Client data gathered will be used by ITILITE in accordance with the Client’s instructions, applicable terms of the Client Agreement, this Privacy Policy, and as required by law. ITILITE acts as the data processor of Client data at the direction of the client, who acts as the data controller. ITILITE also uses other information in furtherance of our legitimate interests in operating the Services.
In case of any further questions regarding the ITILITE Platform settings, the information ITILITE has been authorized by the Client to process, or its privacy practices, you may contact the applicable Client administrator. If you no longer wish to have your personal information used by one of our Clients that use the ITILITE Platform, please contact your Client administrator. The GDPR legal basis for processing this information is the contractual obligation to the Client to perform these Services.

When acting as a service provider, ITILITE may have no direct relationship with the individuals whose personal information is provided to ITILITE while seeking our Services. An individual who is employed by one of our Clients and seeks access to, or who seeks to correct, amend, delete, or object to the processing of their Personal Data should direct the query to their employer’s ITILITE administrator if they are unable to make the appropriate changes via access to the ITILITE Platform. If the Client requests ITILITE to delete their data, we will respond to their request within 30 business days. If a user contacts us directly with such a request, we will notify the Client we are providing our services to.

In addition to the lawful transfer, processing and storage of your Personal Information, the GDPR gives certain European Union members additional rights over our use of your Personal Information. ITILITE respects your control over your information. In the event that you have provided personal information to us in your use of the site, we will provide you with details of any of your personal information we hold as detailed below. You may access, correct, or request deletion of your personal information by contacting us at Our team will get back to you at the earliest.


You can request details of your personal information we hold. We shall then confirm and disclose additional information including the types of Personal information, the sources it originated from, the purpose and legal basis for the processing, the expected retention period and the safeguards regarding data transfers to non-EEA countries, subject to the limitations set out in applicable laws and regulations. A copy of your personal information gathered will be shared free of charge, but additional costs may be incurred to cover our administrative costs in case more copies of the above mentioned information are required.


At your request, we will correct incomplete or inaccurate parts of your Personal information, although we may need to verify the accuracy of the new information provided to us.


At your request, we will delete your personal information if:
(i) it is no longer necessary for us to retain your Personal information,
(ii) you withdraw consent which formed the legal basis for the processing of your Personal Information,
(iii) you object to the processing of your personal information and there are no overriding legitimate grounds for such processing,
(iv) the personal information was processed illegally,
(v) the personal information must be deleted for us to comply with our legal obligations.

We will decline your request for deletion if processing of your personal information is necessary:
(i) for us to comply with our legal obligations,
(ii) for the establishment, exercise or defense of legal claims, or
(iii) for the performance of a task in the public interest.

Restrict Processing

At your request, we will restrict the processing of your personal information if:
(i) you dispute the accuracy of your Personal information,
(ii) your personal information was processed illegally and you request a limitation on processing rather than the deletion of your Personal information,
(iii) we no longer need to process your Personal information, but you need your personal information in connection with the establishment, exercise or defence of a legal claim, or
(iv) you object to the processing of your personal information pending verification as to whether an overriding legitimate ground for such processing exists. We may continue to store your personal information to the extent required to ensure your request to restrict processing is respected in the future.

Data Portability

At your request, we will provide you free of charge with your personal information in a structured, commonly used and machine-readable format, if:
(i) you provide us with your Personal information,
(ii) the processing of your personal information is required for the performance of a contract, or
(iii) the processing is carried out by automated means.


Where we rely on our legitimate interests (or that of a third-party) to process your Personal information, you have the right to object to this processing on grounds related to your particular situation if you feel it impacts your fundamental rights and freedoms. We will comply with your request unless we have compelling legitimate grounds for the processing which override your rights and freedoms, or where the processing is in connection with the establishment, exercise or defence of legal claims. We will always comply with your objection to the processing of your personal information for direct marketing purposes.

Not to be subject to decisions based solely on automated processing

You will not be subject to decisions with a legal or similarly significant effect (including profiling) that are based solely on the automated processing of your Personal information, unless you have given us your explicit consent or where they are necessary for the performance of the contract with us.

Withdraw consent

You have the right to withdraw consent you may have previously given us at any time. In order to exercise your right to withdraw consent we may ask you for certain identifying information to ensure the security of your Personal information.

Please contact us at to make a request to exercise any of the above rights. We will respond to your request within 30 days, or notify you in case of any delay. In case the request, it will be supported with the appropriate reasons. Typically, no fee is charged with respect to the exercise of your rights. However, if your request is manifestly unfounded or excessive (for example, because of its repetitive character) we may charge a reasonable fee, taking into account the administrative costs of dealing with your request.

Kindly note that if you decide to exercise some of your rights, we may be unable to perform the actions necessary to achieve the purposes set out above or you may not be able to use or take full advantage of our Services.

If you are not satisfied with our response, you have the right to complain or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction.

Email communications with us

As part of the Services, we may send you transactional, promotional, commercial and informational emails. You may opt-out from receipt of these emails and unsubscribe by clicking “unsubscribe” at the bottom of the emails you receive from us.

As part of the Services, we may send you transactional, promotional, commercial and informational emails. You may opt-out from receipt of these emails and unsubscribe by clicking “unsubscribe” at the bottom of the emails you receive from us.

You have the right to object to the use of your personal information for direct marketing purposes, on a going forward basis, by emailing us at

Information shared with your employer

For users of the ITILITE Platform, we disclose information to your employer such as your travel behavior, redemption behavior and year-end redemption reporting for tax purposes.

Information shared with our service providers and Sub-Processors

We disclose your first and last name and email address to our third-party messaging platform to provide user support. In accordance with the Client contracts, we may disclose your personal information to other third-party vendors that enable us to provide the Services including an email service provider to send emails on our behalf and customer support providers (together with “Sub-Processors”).

Some of these Sub-Processors may be based in locations outside the EU. Transfers to Sub-Processors are covered by the provisions in this Privacy Policy regarding notice and choice and the service agreements with our Clients. You hereby consent to our sharing of personal information with our Sub-Processors.

Third-Party Services

Our Services may contain links to other websites that are independent, are not owned or operated by us, and which may incorporate third-party information. One example is a link to google maps, which can be used for routing. These third-party sites have separate and independent privacy policies. If you access other sites using the links provided, the operators of these sites may collect information from you, which will be used by them in accordance with their privacy policy and terms of service, which may differ from ours.
We,therefore, have no responsibility or liability for the content and activities of other websites, even if they are linked to our Services. This Privacy Policy does not cover information collected on third-party websites. We encourage you to carefully review the privacy policies of any third-party sites you access.

If our assets are merged with or purchased by a third-party, your personal information will be transferred to that third-party.

Information disclosed for our protection and the protection of others

We may also release your information when we believe release is appropriate to comply with the law, enforce our Privacy Policies, detect or prevent fraud, security or technical issues, or protect our or others’ rights, property, or safety. This includes exchanging information with other companies and organizations for fraud protection and spam/malware prevention. Because our servers that store your information are located in the U.S.A., your information may be available to U.S. government entities or agencies under a lawful court order or other legal process in the U.S.

Information we share with your consent

Except as set forth above, you will be notified when your personal information may be shared with third-parties, and will be able to prevent the sharing of this information. We will share your personal information only in the ways that are described in this Privacy Policy.

How long do we retain your information?

When acting as a service provider, we will retain your Personal Information, which we process on behalf of our Clients for as long as needed to provide services to our Client, for as long as your account is active, or as needed to provide you services. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We retain your personal information for up to sixty (60) days after your account is closed.

How do we protect your information?

We will take reasonable precautions to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. We follow industry standards to protect this personal information submitted to us. All information is stored on secure cloud servers and protected with additional security layers, encryptions and passwords.

For example, our Services sit on secure servers operated by Amazon Web Services (AWS EC2). We use a method endorsed by the National Institute of Standards and Technology to protect your passwords (PBKDF2 algorithm with a SHA256 hash for password stretching). All of the data transfer is over secure HTTP protocol (HTTPS) and we deploy TLS1.2 for transport layer security. No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security.

International transfer of your Personal information

Given that the Internet operates in a global environment and that, if you operate outside of the United States, transfer of your data is necessary for you to use any of our Services or request information from us, using the Internet to collect and process personal information necessarily involves the transmission of data on an international, or cross-border, basis. By accessing any of these Services, and/or communicating with us by email, you acknowledge and voluntarily provide your express consent to our collection, processing and disclosure of your personal information in this way, including our disclosure to Sub-Processors and third-parties located in the US and other locations outside the EU.

For users who are located outside the United States, personal information will be transferred outside of each user’s country to the United States where our servers are located and where it will be processed and stored. According to EU data protection authorities, the U.S. does not provide an adequate level of protection for the purpose of providing the Services. We will take all steps reasonably necessary to ensure that personal information is treated securely and in accordance with this Privacy Policy in respect of such transfer.

By registering for the ITILITE Platform or by accessing any of the Services you voluntarily and expressly agree to such transfer and disclosure.


What is GDPR?

A digital future can only be built based on trust. The General Data Protection Regulation or the GDPR is a key component in building this trust, when it comes to managing and regulating the data that companies work with. It aims’ is to simplify and standardise regulatory environments, so that users can have maximum control over their personal data, and both the business and the user can benefit.

The GDPR encourages businesses to be responsible about an individual’s data. By ensuring the protection and privacy of this data, businesses are likely to engage better with consumers. GDPR, thus, provides a framework for companies to standardize and regularize real-world security and privacy needs of an individual’s data to the best of their capacity.

GDPR compliance practices at ITILITE is supported by 6 principles:


Commitment to the optimization of service efficiency with highly resilient, secure and scalable systems for collecting, storing and processing data, to deliver business value at the highest standard.


Compliance requirements mapped in line with customer and partner awareness, that ensures watertight data protection measures all across the company.


Tracking business performance through continuous improvement loops, adapting best practices, and innovating while benchmarking against industry standards.

Protecting your data

A multi faceted approach towards keeping the customer’s data safe, with robust, watertight policies, strict authorization and security initiatives for both, data at rest and data in transit.

Secure Product Build

The ITILITE platform comes enabled with end to end automated security for each consumer touch point, for fair, transparent and streamlined processes

High Resilient Architecture

Built and backed by tech stacks that are regularly updated, making for highly resilient architecture that always keeps business growth as top priority

Data collection, storage & processing Collect data, only for the purpose its needed for. That is, data collected for specific purposes/reasons cannot be further processed in a manner incompatible with those purposes/reasons. ITILITE products provides the convenience of enforcing your company’s defined limitations/policies through the product itself. Eg: Assistance with restriction of use of data by turning certain product features ON/OFF.

For similar requests reach out to Upon verification of relevance and feasibility of your request, we will assist you with your requirements to meet your compliance obligations.

Data minimization Ensure data captured is adequate, relevant and limited to the purpose it’s collected for. Based on this principle, organizations must be sure they only store the exact amount of data required for their specific purpose. Our support products offer flexibility to build ticket/contact forms according to your needs. Choose what data to collect from customers and stay compliant. Eg: customize fields you want displayed in your contact/ticket form. These options are available in ticket and company forms as well.
Right to rectification Data controllers must ensure information remains accurate, valid and fit for purpose. To comply with this, organizations must institute a process and policies in place to address this right. If your customer reaches out requesting correction of their data, our products provide you the flexibility to meet this request via features within the product. Find more information here.

Some aspects of the GDPR program at Itilite

Individual Rights, Subject Access, and Communication

Itilite GDPR program thoroughly evaluates how Itilite, both as a data controller and processor is placed with its existing procedures for readiness to, provide rights of individuals under GDPR and, assist customers in responding to data access requests from individuals.

Lawful processing

Itilite GDPR program emphasizes on transparency of data processed by establishing processes that help easily respond to requests from customers wanting to know what data Itilite has about them. Information of what data is collected, stored and processed can be obtained from our Privacy Notice


Our leaders commit to support and provide guidelines for data protection compliance through a framework of standard policies and procedures. Itilite defines metrics for monitoring and governing health of the privacy notice which is independently run under the direct control of the Management Steering Committee.

Customer’s Personal Data with Itilite

Itilite delivers on our customer’s privacy objective by maintaining processing records of customer’s data. Periodic and need based Privacy Impact Analysis (PIA) across data flow and process maps aids in keeping our program aligned with ever changing business and technology landscapes.