DPDPA Compliance Notice & Data Protection Officer Contact
Effective Date: 21 June 2026 Last Updated: 21 June 2026 Version: 1.0
Your rights under the Digital Personal Data Protection Act, 2023, how to exercise them, and who to contact.
This Notice supplements our Privacy Policy. Where any term conflicts, this Notice (as the DPDPA-specific notice) prevails on DPDPA matters.
#1. Who we are (the Data Fiduciary)
| Legal name | GatiMitra Technologies Private Limited |
| CIN | [To be filled — Companies Act registration] |
| Registered office | [Address with PIN, India] |
| Notice address | [Address with PIN, India] |
| privacy@gatimitra.com |
We are the Data Fiduciary for all personal data processed via the GatiMitra customer app.
#2. Data Protection Officer (DPO)
| Name | [To be appointed — required if SDF status is notified] |
| dpo@gatimitra.com | |
| Office hours | 10:00–18:00 IST, Mon–Fri |
| Working address | [India office address] |
| Tenure | Resident in India; full-time employee |
DPO contact is required under DPDPA §10(2)(b) if/when we are designated as a Significant Data Fiduciary. We have appointed one proactively.
#3. Your rights (DPDPA §11–§13)
You have the following rights — exercisable free of charge:
| Right | DPDPA section | How to exercise |
|---|---|---|
| Right to access information about your personal data | §11 | Profile → Settings → Privacy → My data (in-app) OR privacy@gatimitra.com |
| Right to correction & erasure | §12 | Profile → Settings → Privacy → Correct / Delete |
| Right of grievance redressal | §13 | privacy@gatimitra.com (then escalation per Grievance Mechanism) |
| Right to nominate (next-of-kin to exercise rights if you are incapacitated / deceased) | §14 | Profile → Settings → Privacy → Nominee |
3.1 Response timelines (binding under DPDPA Rules — once notified)
| Request | Response within |
|---|---|
| Access | 30 days |
| Correction | 30 days |
| Erasure | 30 days (subject to retention exceptions, see Data Deletion Policy) |
| Grievance | 30 days |
#4. Lawful basis for processing (DPDPA §4–§9)
| Purpose | Basis | Notice given |
|---|---|---|
| Account creation, order/ride fulfilment | Consent (§6) + Legitimate Use (§7) | At signup + this Notice |
| Payment processing | Consent (§6) | At each transaction |
| Push notifications (orders) | Legitimate Use (§7(a)) — voluntarily provided for the purpose | At signup |
| Marketing notifications | Consent (§6) — separate toggle | In Notification settings |
| Fraud prevention, account security | Legitimate Use (§7(j)) | This Notice |
| Compliance with court orders / law-enforcement | Legitimate Use (§7(b)) | This Notice |
| Analytics, product improvement | Consent (§6) — separate toggle | In Privacy settings |
#5. Children (under 18) — DPDPA §9
For any service requiring an account, we ask you to confirm you are 18+. For ride services, this is enforced. If you tell us you are under 18:
- We will not process your personal data for tracking, behavioural monitoring, or targeted ads.
- We will require verifiable parental consent before processing.
If you become aware of a child's account, contact privacy@gatimitra.com — we delete within 72 hours.
#6. Persons with disability
Where we are notified you have a guardian, we process data only with guardian consent (DPDPA §9(2)).
#7. Cross-border transfer (DPDPA §16)
We process personal data primarily within India.
Some processors host data outside India (cloud, push notification, analytics). For each, we follow Indian government notifications under §16 and use Standard Contractual Clauses. Current cross-border processors:
| Processor | Country | Purpose |
|---|---|---|
| Cloudflare R2 | US (eu/in regions available) | Image / document storage |
| Firebase Cloud Messaging | US | Android push |
| Apple Push Notification Service | US | iOS push |
| Sentry (optional) | US | Crash reporting (anonymous) |
We update this list within 30 days of any change.
#8. Data we collect
See Privacy Policy §1–§4 for the comprehensive list. Summary:
- Identifiers: Mobile, email, name, profile photo, device ID, IP.
- Transaction: Orders, rides, parcels, payments, refunds, reviews.
- Location: Precise (live tracking) only during active order/ride; coarse (city) otherwise.
- Device: OS version, app version, network type — for diagnostics.
- KYC (where collected): Government ID number — encrypted; only for legal compliance.
#9. Data we do NOT collect
- Biometrics (face, fingerprint) — your device handles unlock; we never see them.
- Health data.
- Contacts (we ask permission only for referrals; we do not upload your contact list).
- Camera/microphone except when you actively use the upload-photo feature.
#10. Retention
Per Data Deletion Policy §5. Personal data retained only as long as needed; anonymised thereafter.
#11. Sharing
We share data with: delivery partners, drivers, restaurants (only what they need to fulfil), payment processors, cloud providers, government authorities under valid legal process. We never sell personal data.
#12. Security
Industry-standard practices: TLS in transit, AES-256 at rest, role-based access, MFA on admin systems, quarterly external pen-tests, annual ISMS audit (ISO 27001 target). Incidents are notified per CERT-In Direction 28 Apr 2022 within 6 hours.
#13. Personal Data Breach
In a notifiable breach, we will notify the Data Protection Board of India and each affected Data Principal per DPDPA §8(6) and any future Rules.
#14. Grievance escalation
Internal: see Grievance Redressal Mechanism.
External: Data Protection Board of India (once notified by Government). Until then: National Consumer Helpline 1915 / CERT-In incident@cert-in.org.in.
#15. Updates
Material changes (new data category, new purpose, new processor outside India) trigger an in-app re-consent. Editorial updates are silent. Change history below.
#16. Change history
| Version | Date | Change |
|---|---|---|
| 1.0 | 21 Jun 2026 | Initial release |
Owner: Privacy & Compliance — dpo@gatimitra.com