← Check PNR
ENHI

Privacy Policy

We respect your privacy and follow India's Digital Personal Data Protection Act 2023 (DPDP). This page explains exactly what we record when you check a PNR, what we never record, and how long data is kept.

What we record

When you successfully check a PNR, we append a privacy-safe entry to a server log file. The entry contains:

  • A SHA-256 hash of your PNR (one-way; the original 10-digit PNR cannot be recovered).
  • The train number, route, journey date, and class (these are public information about the train, not about you).
  • Aggregate passenger counts — total, confirmed, RAC, waiting list, cancelled. We do not record names, berths, coaches, or any per-passenger detail.
  • A SHA-256 hash of your IP address (used only to detect abuse and rate-limit; the original IP is never stored).
  • A coarse device class (e.g., "mobile-android", "desktop-chrome"); no full user-agent string.
  • The response time of the IRCTC fetch and a UTC timestamp.

What we never record

  • The original 10-digit PNR in plain form.
  • Any passenger name, age, gender, ID, or contact number.
  • Per-passenger booking details — coach, berth, exact status string.
  • Your IP address, full user-agent, cookies, sign-in state, or any cross-site identifier.
  • Anything sent by IRCTC that is not in the list under "What we record" above.

Why we record this

  • To understand which trains and routes are most checked, so we can improve the site.
  • To detect and stop abuse (mass automated checks).
  • To debug failures from the upstream IRCTC service.

Retention

Each daily log file is automatically deleted after 30 days by an unattended cleanup job. There is no longer-term retention.

Storage and access

  • Logs are stored on the same server, inside a directory that is not publicly accessible (blocked at both the application and web-server layer).
  • File permissions are restricted to the application user only.
  • Aggregate statistics (no individual records) are visible only to the site administrator at a password-protected dashboard.

Your rights under DPDP Act 2023

You have the right to:

  • Access — request a copy of any data we hold that pertains to you. (Note: PNRs are hashed, so we generally cannot identify your specific records, but we will assist if you can provide enough context.)
  • Erasure — request deletion of records derived from a specific PNR check.
  • Withdraw consent — by ceasing to use the site you withdraw consent prospectively. Already-stored entries will roll out within 30 days under standard retention.
  • Grievance — write to the contact email below for any concern; we respond within 30 days.

About the IRCTC data we display

The PNR data shown on this site is fetched live from indianrail.gov.in (the official Indian Railways enquiry service) at the moment you submit the captcha. We do not cache or persist the IRCTC response in any form — only the privacy-safe metadata listed above is logged. The full PNR result shown on screen is rendered once and forgotten.

Cookies and trackers

We do not set marketing or tracking cookies. The site uses localStorage only to remember your most recently checked PNRs (so you can re-tap them) and your dismissal of the privacy notice. These are stored on your device and never sent to our server.

Third-party services

We do not share data with third parties. The site fetches the captcha image and PNR JSON from indianrail.gov.in; that service has its own privacy policy. We do not use Facebook Pixel, Google Tag Manager, or any social-network tracker. If anonymous Google Analytics is enabled in the future, it will be IP-anonymised and you will be informed via this page.

Contact

For any privacy question or to exercise a right above, write to privacy@checkmypnr.com. We respond within 30 days.

Updates to this policy

If this policy changes, we will update the "Last updated" line below and notify users via the dismissible banner on the home page.

Last updated: 04 May 2026

Check a PNR now
Free, instant, privacy-safe
Check PNR →