Privacy Policy
Effective Date: 21 June 2026 Last Updated: 21 June 2026 Version: 2.0 (supersedes the 13 May 2026 PDF Privacy Policy)
What personal data we collect, why, with whom we share it, and how to control it — compliant with the Digital Personal Data Protection Act, 2023.
This Policy applies to the GatiMitra customer mobile app, gatimitra.com, and every service we provide. It is supplemented by the DPDPA Compliance Notice, Permissions Rationale, Cookie & Tracking Policy, and Data Deletion Policy.
#1. Data Fiduciary identity
| Legal name | GatiMitra Technologies Private Limited |
| Role | Data Fiduciary under DPDPA 2023 |
| Registered office | [Address with PIN], India |
| privacy@gatimitra.com | |
| Data Protection Officer | dpo@gatimitra.com — [Name once appointed] |
| Grievance Officer | grievance.officer@gatimitra.com |
#2. Personal data we collect
2.1 Provided by you
| Category | Examples |
|---|---|
| Identity | Name, mobile, email, date of birth (age confirmation), profile photo |
| Address | Home, work, other saved addresses; pickup / drop coordinates |
| Payment | Tokenised cards (via Razorpay), UPI handles, wallet balances |
| Preferences | Language, notification toggles, dietary, accessibility settings |
| Content | Reviews, ratings, support tickets, photos uploaded to complaints |
| Identity proof (where required) | Government ID number (encrypted; for KYC where law mandates) |
2.2 Collected automatically
| Category | Examples |
|---|---|
| Device | Model, OS, app version, device ID (hashed), IP, mobile-network type |
| Usage | Searches, taps, screens visited, in-app errors |
| Location | Precise during active orders/rides; coarse (city) for service availability |
| Push tokens | FCM (Android), APNS (iOS) — to deliver notifications |
2.3 From third parties
| Source | Data |
|---|---|
| Razorpay | Payment confirmation (success/failure + reference) |
| MSG91 | OTP delivery status |
| Mapbox | Map tiles, routing data (we send your location to Mapbox while you use a ride/delivery) |
| Authorities (court order) | As required |
#3. Purposes of processing
| Purpose | Lawful basis (DPDPA §6/§7) | Examples |
|---|---|---|
| Service delivery (orders, rides, parcels) | Consent + Legitimate Use §7(a) | Match driver to ride, route to partner, notify status |
| Account creation & authentication | Consent | OTP, session management |
| Payments | Consent + necessary for contract | Razorpay flow |
| Live tracking | Consent | Map + ETA |
| Safety (SOS, ride sharing, women safety) | Legitimate Use §7(j) | Emergency response |
| Fraud detection | Legitimate Use §7(j) | Account anomaly, payment-pattern review |
| Customer support | Consent | Resolve your ticket |
| Compliance with law | Legitimate Use §7(b) | Court order, IT Act §69 direction |
| Analytics & product improvement | Consent (opt-in) | Cohort A/B, feature usage |
| Marketing & personalisation | Consent (opt-in) | Tailored offers |
#4. Sharing of personal data
We share data only as follows. We never sell personal data.
| Recipient | Why | Data shared |
|---|---|---|
| Drivers & delivery partners | Fulfilment | First name, pickup/drop coordinates, masked phone, photo to confirm delivery |
| Restaurants | Order fulfilment | First name, items, address, contact for pickup |
| Razorpay | Payments | Order amount, tokenised card |
| MSG91 | OTP | Mobile + OTP |
| FCM / APNS | Push notifications | Device push token + notification content |
| Mapbox | Maps & routing | Location during active session |
| Cloudflare R2, Supabase | Hosting & storage | All app data, encrypted |
| Government / law enforcement | Legal compliance | Per valid notice / order |
| Auditors, lawyers, accountants | Compliance & operations | As needed, under confidentiality |
#5. Cross-border transfer
Data is primarily processed in India. Some processors (push notifications, optional crash reporting) operate cloud infrastructure outside India per their published terms. We follow Government of India notifications under DPDPA §16 and use standard contractual clauses. Full list of cross-border processors in DPDPA Compliance Notice §7.
#6. Retention
| Data | Retention |
|---|---|
| Account & profile | While account is active; deleted within 30 days of closure |
| Transaction (orders, rides, parcels, payments) | 8 years (Indian Income Tax Act, GST, RBI) |
| Support / grievance logs | 180 days minimum |
| Marketing-consent records | 3 years after withdrawal |
| Backup snapshots | 90 days rolling |
| Court / law-enforcement holds | As long as the hold persists |
See Data Deletion Policy for delete-flow details.
#7. Your rights (DPDPA §11-§14)
You have the right to:
- Access your personal data and a list of purposes / recipients.
- Correct inaccurate or out-of-date data.
- Update addresses, preferences, etc.
- Erase personal data, subject to retention exceptions.
- Nominate a person to exercise your rights if you are incapacitated / deceased.
- Grievance redressal (see §10).
Exercise via:
Profile → Settings → Privacy(in-app, all rights available).- privacy@gatimitra.com (email).
- dpo@gatimitra.com (DPO).
- https://gatimitra.com/account/data-download (web).
Responses within 30 days.
#8. Children
Per DPDPA §9, processing of personal data of children (below 18) requires verifiable parental consent. We do not behaviourally profile minors. See Children's Privacy & Use Policy.
#9. Security
- TLS in transit, AES-256 at rest.
- Role-based access; multi-factor authentication for staff.
- Quarterly external penetration tests; bug-bounty programme.
- Annual ISMS-aligned security review (ISO 27001 target).
- CERT-In Direction 28 Apr 2022 compliance: incidents notified within 6 hours.
- DPDPA breach notification: per §8(6) once Rules are notified.
No system is perfectly secure, but we treat every reasonable measure as our minimum, not maximum.
#10. Grievance redressal
See Grievance Redressal Mechanism. Acknowledgement instantly, first response 48 hours, resolution within 15 days. Escalation to the Grievance Appellate Committee (https://gac.gov.in) available after 30 days.
#11. Cookies & tracking
#12. Notification preferences
Profile → Settings → Notifications — toggle per category (orders, rides, payments, security, marketing). Transactional notifications cannot be turned off without affecting service delivery; marketing requires explicit opt-in.
#13. Third-party links
Some content / links go to third-party services (restaurant menus, partner offers). Their privacy policies apply when you visit them.
#14. Updates
Material changes (new data category, new purpose, new third-party processor outside India) trigger in-app re-consent. Editorial changes are silent. Change history below.
#15. Change history
| Version | Date | Change |
|---|---|---|
| 1.0 | 13 May 2026 | Initial PDF |
| 2.0 | 21 Jun 2026 | DPDPA 2023 expansion, structured rights, named DPO |
#16. Contact
| Concern | Channel |
|---|---|
| Privacy rights | privacy@gatimitra.com |
| DPDPA matters | dpo@gatimitra.com |
| Grievance | grievance.officer@gatimitra.com |
| Data download | https://gatimitra.com/account/data-download |
| Account deletion | https://gatimitra.com/account-deletion |
| Security disclosure | security@gatimitra.com |
Owner: Privacy & Compliance