DPDPA 2023 Notice & Your Rights as a Data Principal
Effective Date: 21 June 2026 Last Updated: 21 June 2026 Version: 1.0
Your rights under the Digital Personal Data Protection Act, 2023, how to exercise them, and who to contact.
This Notice supplements our Privacy Policy. Where any term conflicts, this Notice (as the DPDPA-specific notice) prevails on DPDPA matters. For how long we keep your data see the separate Data Retention Policy.
#1. Who we are (the Data Fiduciary)
| Legal name | GatiMitra On Demand Services Private Limited |
| CIN | [To be filled — Companies Act registration] |
| Registered office | [Address with PIN, India] |
| Notice address | [Address with PIN, India] |
| privacy@gatimitra.com |
We are the Data Fiduciary for all personal data processed via the GatiMitra customer app, the rider app, the merchant app, gatimitra.com, partner.gatimitra.com, control.gatimitra.com and our APIs.
#2. Data Protection Officer (DPO)
| Name | [To be appointed — required if SDF status is notified] |
| dpo@gatimitra.com | |
| Office hours | 10:00–18:00 IST, Mon–Fri |
| Working address | [India office address] |
| Tenure | Resident in India; full-time employee |
DPO contact is required under DPDPA §10(2)(b) if/when we are designated as a Significant Data Fiduciary. We have appointed one proactively so you always have a single named contact for data-protection matters.
#3. Your rights (DPDPA §11–§14)
Every right below is exercisable free of charge. You do not need a lawyer.
| Right | DPDPA section | How to exercise |
|---|---|---|
| Access information about your personal data | §11 | Profile → Settings → Privacy → My data OR privacy@gatimitra.com |
| Correction & erasure | §12 | Profile → Settings → Privacy → Correct / Delete |
| Grievance redressal | §13 | privacy@gatimitra.com — escalation per Grievance Mechanism |
| Nominate a person to exercise your rights if you are incapacitated or deceased | §14 | Profile → Settings → Privacy → Nominee |
3.1 Response timelines
| Request | We respond within |
|---|---|
| Access | 30 days |
| Correction | 30 days |
| Erasure | 30 days (subject to retention exceptions in Data Retention Policy) |
| Grievance | 30 days (15 days for an initial acknowledgement under IT Rules 2021) |
These align with the timelines proposed in the DPDPA Rules; if Government notifies different timelines, the more user-favourable timeline applies.
#4. Lawful basis for processing (DPDPA §4–§9)
| Purpose | Basis | Notice given |
|---|---|---|
| Account creation, order / ride fulfilment | Consent (§6) + Legitimate Use (§7) | At signup + in this Notice |
| Payment processing | Consent (§6) | At each transaction |
| Push notifications (order / ride / parcel updates) | Legitimate Use (§7(a)) — voluntarily provided for the purpose | At signup |
| Marketing notifications | Consent (§6) — separate toggle | In Notification settings |
| Fraud prevention, account security | Legitimate Use (§7(j)) | This Notice |
| Compliance with court orders / law enforcement | Legitimate Use (§7(b)) | This Notice |
| Analytics, product improvement | Consent (§6) — separate toggle | In Privacy settings |
| Verifying age (18+) for ride services | Consent (§6) + statutory obligation under MV Aggregator Guidelines 2020 | At signup |
Withdrawing consent is as easy as giving it — Profile → Settings → Privacy → Consent Manager. Withdrawal does not affect lawful processing before the withdrawal.
#5. Children — DPDPA §9
For any service requiring an account, we ask you to confirm you are 18 or older. For ride services this is enforced.
If you tell us you are under 18, or we have reasonable belief that an account belongs to a minor:
- We will not process personal data for tracking, behavioural monitoring or targeted ads.
- We will require verifiable parental consent before processing.
- We may suspend the account until consent is verified.
If you become aware of a child's account, contact privacy@gatimitra.com — we investigate and delete within 72 hours where appropriate. Full details in Children's Privacy Policy.
#6. Persons with disability
Where we are notified that you have a legal guardian, we process your data only with that guardian's consent per DPDPA §9(2). See also Accessibility Statement.
#7. Cross-border transfers — DPDPA §16
We process personal data primarily within India. Some processors host data outside India. For each, we follow Indian government notifications under §16 and use Standard Contractual Clauses.
Current cross-border processors:
| Processor | Country | Purpose |
|---|---|---|
| Cloudflare R2 | US (EU/IN regions available) | Image / document storage |
| Firebase Cloud Messaging | US | Android push |
| Apple Push Notification Service | US | iOS push |
| Sentry (optional, opt-in) | US | Crash reporting (anonymised) |
| Mapbox | US | Routing, geocoding (anonymous coordinates only) |
| MSG91 | India | SMS OTP |
| Razorpay | India | Payment processing |
| Supabase | India (Mumbai region) | Database, auth, file storage |
We update this list within 30 days of any change.
#8. Data we collect
See Privacy Policy for the comprehensive list. Categorised summary:
- Identifiers — Mobile number, email, name, profile photo, device ID, IP address
- Transactional — Orders, rides, parcels, payments, refunds, ratings, reviews
- Location — Precise (live tracking) only during active order or ride; coarse (city level) otherwise
- Device — OS version, app version, network type — for diagnostics
- KYC (where collected) — Government ID number — encrypted at rest; only for legal compliance
#9. Data we do NOT collect
- Biometrics (face, fingerprint) — your device handles unlock; we never see them
- Health data
- Contacts (we ask permission only for in-app referrals; we do not upload your contact list)
- Camera / microphone audio — except when you actively use upload-photo or call features
- Web browsing history outside our domains
#10. Sharing
We share data only with:
- Delivery partners, drivers, restaurants — only what they need to fulfil
- Payment processors (per Razorpay's PCI-DSS scope)
- Cloud providers (see §7)
- Government authorities under valid legal process
We never sell personal data.
#11. Security
Industry-standard practices: TLS in transit, AES-256 at rest, role-based access, MFA on admin systems, quarterly external pen-tests, annual ISMS audit (ISO 27001 target). Personal-data breaches are notified per CERT-In Direction dated 28 April 2022 within 6 hours.
#12. Personal data breach
In a notifiable breach we will notify the Data Protection Board of India and each affected Data Principal per DPDPA §8(6) and any future Rules. Our incident-response runbook is reviewed annually.
#13. Grievance escalation
Internal: see Grievance Redressal Mechanism.
External:
- Data Protection Board of India (once notified by Government)
- Until DPB is notified: National Consumer Helpline 1915 and CERT-In incident@cert-in.org.in
#14. Updates
Material changes — new data category, new purpose, new processor outside India — trigger an in-app re-consent. Editorial updates are silent. Change history below.
#15. Change history
| Version | Date | Change |
|---|---|---|
| 1.0 | 21 Jun 2026 | Initial release; split from earlier combined DPDPA / Retention notice |
Owner: Privacy & Compliance — dpo@gatimitra.com