Legal & Regulatory
Compliance requirements across India and US — licensing, data privacy, AI regulations, and consumer protection.
Priority Matrix
Must Do Before Launch
| Item | Jurisdiction | Est. Cost | Timeline |
|---|---|---|---|
| Business entity registration (Pvt Ltd/LLP) | India | Rs 10-25K | 2-4 weeks |
| GST registration | India | Rs 2-5K | 1-2 weeks |
| Privacy policy + Terms of Service | Both | Rs 30K-1L | 2-3 weeks |
| DPDPA consent mechanisms | India | Dev time | 1-2 weeks |
| PCI SAQ-A compliance | Both | Free | 1 week |
| AI disclosure in bot | Both | Free | 1 day |
| DOT full fare disclosure | US | Free | 1-2 weeks |
| E&O / Professional Indemnity Insurance | Both | $500-3K/yr | 1-2 weeks |
| Confirm Duffel India coverage | India | Free | 1 week |
Within 90 Days of Launch
| Item | Jurisdiction | Est. Cost |
|---|---|---|
| Seller of Travel registration (CA, FL, HI, WA) | US | ~$1.5-3K total |
| Trademark application (Class 39) | India + US | Rs 4,500 + $250 |
| Cyber liability insurance | Both | $500-5K/yr |
| Data Processing Agreements with vendors | Both | Legal costs |
Key Legal Precedent
Moffatt v Air Canada (2024)
Air Canada's chatbot told a customer he could apply for bereavement fares within 90 days after travel. This was incorrect. The tribunal ruled:
- Company is liable for ALL information on its website, including chatbot-generated content
- Air Canada's argument that the chatbot was "a separate legal entity" was rejected
- "A consumer cannot be expected to double-check information from one part of the website against another"
- "The AI made a mistake" is NOT a defense
Implication: All booking-critical information must come from live API data, never from LLM generation. Prices, times, policies — always from Duffel API.
Data Privacy
India DPDPA 2023
Mandatory: Explicit consent for each purpose. Purpose limitation. Data minimization. Breach notification within 72 hours. Delete data when purpose fulfilled. Grievance redressal mechanism required.
GDPR (if serving EU)
If applicable: DPAs with all processors. Right to erasure. India is NOT an "adequate" jurisdiction — need Standard Contractual Clauses. Can defer if not initially targeting EU.
PCI DSS
Via Stripe: Using Stripe Checkout = PCI SAQ-A (simplest level). Card data never touches our servers. Must complete annual self-assessment. Never store card numbers/CVVs.
Claude API Data
Safe: API data never used for model training. Retention reduced to 7 days. Zero-Data-Retention addendum available. Business customers get Commercial Terms.
AI Regulations
WhatsApp AI Bot Policy (Jan 2026)
Critical: Banned: General-purpose AI chatbots. Allowed: Structured bots for bookings, support, sales. Our travel booking bot is explicitly in the "allowed" category — AI is ancillary to the booking service.
Risk: Keep conversations focused on travel. Don't add general chat features.
FTC AI Enforcement (US)
Important: Operation AI Comply (Sept 2024): crackdown on AI overpromises. DoNotPay fined $193K. Five rules: don't deceive, don't overpromise, don't discriminate, disclose limitations, be transparent.
EU AI Act
Low risk: Travel booking chatbot = limited risk (NOT high risk). Only obligation: transparency disclosure. Full applicability August 2026. Only relevant if serving EU travelers.
India AI Stance
No regulation: No standalone AI legislation. Non-binding governance guidelines only. "India has consciously chosen not to lead with regulation but to encourage innovation." Monitor for changes.
Licensing
India: No Mandatory License
Ministry of Tourism recognition is voluntary. IATA accreditation NOT needed if using Duffel Managed Content (they hold the accreditation). GST registration is mandatory. Basic Shops & Establishment registration required.
Important: Duffel is accredited in US, UK, AU, FR, IE — India is NOT listed. Verify India coverage before launch.
US: Seller of Travel
4 states require registration: California ($100 + TCRC), Florida ($300/yr + $25K bond), Hawaii ($146-215), Washington ($221). Applies if selling to residents of these states, even without physical presence.
Estimated total: $1,500-$3,000 including bonds.
Key Risk Areas
Bot presents incorrect flight info → wrong bookings → financial liability (per Air Canada precedent). Mitigation: Never generate prices from LLM. Always from Duffel API. Require user confirmation.
Meta determines bot is "general-purpose AI" and bans it. Mitigation: Keep strictly focused on travel. No general chat features. Document that AI is ancillary to booking.
Passport numbers, booking data exposed. Mitigation: Minimize data storage. Pass passport data directly to Duffel, don't retain. Encrypt at rest and in transit.
Serving US customers from India without proper registrations. Mitigation: Register as Seller of Travel in CA, FL, HI, WA. Comply with DOT rules.