Data Controller
Kalmbyte Technologies Private Limited is the Data Fiduciary (as defined under the Digital Personal Data Protection Act, 2023) and Data Controller (as defined under GDPR) responsible for your personal data collected through the Zrido Platform.
For data protection enquiries, contact our Data Protection Officer (DPO) at privacy@zrido.com.
Data We Collect
We collect the following categories of personal data:
| Category | Data Points | Mandatory? |
|---|---|---|
| Identity | Full name, date of birth, profile photo | Yes |
| Contact | Mobile number, email address | Yes |
| Location | Real-time GPS location (pickup/drop), route history, home/work saved addresses | Yes (during rides) |
| Device | Device ID, OS, app version, IP address, mobile network info | Automatic |
| Payment | Payment method type, last 4 digits of card, UPI ID, transaction IDs | For digital payments |
| Usage | Ride history, search history, app interaction logs, feature usage | Automatic |
| Communications | In-app chat messages with drivers, support tickets, feedback and ratings | When submitted |
| Verification | KYC documents (for Drivers), emergency contact (optional for Riders) | Driver only |
We do not collect sensitive personal data such as financial account passwords, biometric data, or data related to political opinions, religion, or health — unless explicitly required and consented to by you.
How We Use Your Data
We use your personal data for the following purposes:
- Platform Operation: To match Riders with Drivers, process bookings, calculate fares, and facilitate ride completion.
- Account Management: To create and manage your account, authenticate your identity, and communicate with you.
- Payment Processing: To process and record fare payments, refunds, and transaction receipts.
- Safety & Security: To monitor for fraudulent activity, investigate disputes, verify Driver credentials, and provide emergency assistance.
- Customer Support: To respond to your queries, complaints, and support requests.
- Service Improvement: To analyze usage patterns, conduct research, and improve our Platform's features and performance.
- Marketing & Promotions: To send you promotional offers, updates, and newsletters — only with your explicit consent, which you may withdraw at any time.
- Legal Compliance: To comply with applicable laws, court orders, and regulatory requirements, including responding to law enforcement requests.
Legal Basis for Processing
Under the Digital Personal Data Protection Act, 2023, and where applicable, the GDPR, we process your personal data on the following lawful grounds:
- Consent
- For marketing communications, push notifications, and optional features such as saving payment methods. You may withdraw consent at any time via app settings or by contacting us.
- Contractual Necessity
- To fulfill our obligations under these Terms and the User Agreement — including ride matching, fare calculation, and payment processing.
- Legitimate Interests
- For fraud detection, platform security, service analytics, and improving user experience, where such interests are not overridden by your rights.
- Legal Obligation
- Where processing is required to comply with applicable Indian laws, including the IT Act 2000, DPDP Act 2023, Prevention of Money Laundering Act, and orders of competent authorities.
Data Sharing & Disclosure
We do not sell your personal data to third parties. We may share your data in the following limited circumstances:
- With Drivers: Your name, pickup/drop location, and phone number (masked) are shared with the matched Driver to enable your ride.
- With Payment Processors: Payment data is shared with PCI-DSS compliant third-party payment gateway providers (e.g., Razorpay, Stripe India) for transaction processing.
- With Service Providers: We engage trusted vendors for SMS, email, cloud infrastructure, analytics, and customer support — all bound by strict data processing agreements.
- With Law Enforcement: We will disclose data to government or regulatory authorities when required by law, court order, or to prevent fraud, harm, or illegal activity.
- In Corporate Transactions: In connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.
- With Your Consent: For any other purpose with your explicit, informed consent.
Location Data
Location data is essential to the Zrido service. When you use the app:
- Foreground Location: Collected when the app is open, to show your position, match you with nearby Drivers, and track your ride in real-time.
- Background Location: Collected only during an active ride for continuous tracking. We do not collect background location when you are not in an active ride.
- Location History: Past ride pickup/drop points are stored to enable "Saved Places", improve fare estimation, and for safety investigations.
You may revoke location permissions via your device settings. Note that revoking location access will prevent you from using core ride-booking features.
Data Retention
We retain personal data only for as long as necessary for the purposes outlined in this Policy or as required by law:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 3 years after deletion |
| Ride history & receipts | 7 years (for tax/legal compliance) |
| Payment transaction records | 8 years (as per PMLA requirements) |
| Support & complaint records | 3 years from resolution |
| Marketing consent records | Until withdrawn + 1 year |
| Security & fraud logs | 2 years |
After the retention period, data is securely deleted or anonymized. You may request earlier deletion subject to legal obligations (see Your Rights below).
Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023 and applicable laws, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to legal retention obligations.
- Right to Withdraw Consent: Withdraw consent for marketing, push notifications, or optional data processing at any time, without affecting the lawfulness of prior processing.
- Right to Grievance Redressal: Lodge a complaint with our Data Protection Officer and receive a response within 15 business days.
- Right to Nominate: Nominate an individual to exercise your rights in the event of death or incapacity (as provided under the DPDP Act, 2023).
To exercise any of these rights, email privacy@zrido.com with subject line "DATA REQUEST – [Your Name]". We will respond within 30 days.
Cookies & Tracking Technologies
The Zrido website (zrido.com) uses cookies and similar tracking technologies to enhance your browsing experience, analyze traffic, and deliver relevant content. The following cookie categories are used:
- Essential Cookies: Required for the website to function (e.g., session management). Cannot be disabled.
- Analytics Cookies: Used to understand how visitors interact with our site (e.g., Google Analytics). Can be opted out.
- Marketing Cookies: Used to serve relevant advertisements. Only activated with your explicit consent.
You may manage cookie preferences via the cookie banner displayed on your first visit or through your browser settings. For more details, see our Cookie Policy.
Data Security
Kalmbyte implements industry-standard technical and organizational security measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction:
- End-to-end encryption for sensitive data in transit (TLS 1.2+).
- AES-256 encryption for data at rest.
- Role-based access controls limiting employee access to personal data.
- Regular security audits, penetration testing, and vulnerability assessments.
- Multi-factor authentication for internal systems.
- PCI-DSS compliant payment handling through certified gateways.
Children's Privacy
The Zrido Platform is not directed to children under the age of 13 years. We do not knowingly collect personal data from children under 13. If a parent or guardian believes their child has provided us with personal data without consent, please contact us immediately at privacy@zrido.com and we will delete such data promptly.
Users aged 13–17 may use the Platform only with verifiable parental consent and under adult supervision during ride use.
Cross-Border Data Transfers
Your personal data is primarily stored on servers located within India. Where data is transferred outside India (e.g., to cloud service providers operating global infrastructure), such transfers are governed by:
- Standard Contractual Clauses (SCCs) where required by GDPR.
- Compliance with the cross-border transfer provisions of the DPDP Act, 2023, as notified by the Government of India from time to time.
- Data processing agreements with third-party processors that meet Indian data protection standards.
India DPDP Act 2023 Compliance
Kalmbyte Technologies Pvt. Ltd. is committed to full compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"). Key compliance measures include:
- Lawful Basis: All data processing is based on consent or legitimate use as defined under Section 4 of the DPDP Act.
- Notice & Consent: Clear, specific, and informed consent is obtained before processing personal data, in compliance with Section 5 of the DPDP Act.
- Data Minimization: We collect only such personal data as is necessary for the stated processing purposes.
- Data Fiduciary Obligations: As a Data Fiduciary, Kalmbyte maintains a privacy notice, processes data only for declared purposes, and implements security safeguards as required under Section 8.
- Data Principal Rights: We honor all rights conferred on Data Principals under Chapter III of the DPDP Act including access, correction, erasure, grievance, and nomination rights.
- Significant Data Fiduciary (SDF): If designated as an SDF by the Government of India, Kalmbyte will undertake additional obligations including DPIA and audit requirements.
GDPR – Rights for EU/EEA Users
If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation (GDPR) 2016/679:
- Right to Restriction of Processing: Request that we limit how we use your data while a complaint is pending.
- Right to Data Portability: Request your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests or for direct marketing.
- Right to Complain: Lodge a complaint with your local Data Protection Authority (DPA).
Please note that Zrido currently operates in India. GDPR rights will be honored to the extent applicable to any EU-resident user who accesses the Platform.
Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or applicable law. We will notify you of material changes via in-app notification or email at least 15 days before the changes take effect.
Your continued use of the Platform following the effective date of any revised Policy constitutes your acceptance of such changes. The date of last update is displayed at the bottom of this page.
Contact & Data Protection Officer
- Data Protection Officer
- Kalmbyte Technologies Private Limited — privacy@zrido.com
- General Grievances
- support@zrido.com
- Response Time
- Acknowledgement within 24 hours; resolution within 30 days as per DPDP Act requirements.
- Postal Address
- Kalmbyte Technologies Pvt. Ltd., India. (Full address available on request.)