Privacy Policy

1. Definitions

For the purposes of this Privacy Policy:

• "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act").
• "Sensitive Personal Data" includes financial information, health data, biometric data, passwords, and such other categories as specified under applicable Indian law.
• "Data Fiduciary" means ZentPeople (operating as Trakxi), which determines the purpose and means of processing Personal Data.
• "Data Principal" means the individual to whom the Personal Data relates (you, the user).
• "Data Processor" means any person or entity that processes Personal Data on behalf of the Data Fiduciary.
• "Processing" includes collection, storage, use, disclosure, sharing, transfer, modification, or deletion of Personal Data.
• "Services" means the Trakxi platform, including the Customer Booking App, Driver App, Management Portal, and website.
• "Consent" means free, specific, informed, unconditional, and unambiguous indication of the Data Principal's wishes by a clear affirmative action.

2. Introduction and Scope

Trakxi is a product of ZentPeople ("we," "our," "us," or the "Company"). As a Data Fiduciary under the Digital Personal Data Protection Act, 2023, we are committed to protecting your privacy and ensuring the security of your Personal Data in accordance with applicable Indian laws, including:

• The Digital Personal Data Protection Act, 2023 (DPDP Act)
• The Information Technology Act, 2000
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our fleet management platform, including our Customer Booking App, Driver App, and Management Portal (collectively, the "Services").

By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, please do not use our Services.

3. Data Fiduciary Information

The Data Fiduciary responsible for your Personal Data is:

4. Legal Basis for Processing

We process your Personal Data based on the following lawful grounds:

4.1 Consent

We obtain your explicit consent before collecting and processing your Personal Data. Consent is obtained through:

• Clear affirmative action during app registration and account creation
• Granular consent options for specific processing activities (marketing, location tracking, etc.)
• Separate consent for processing Sensitive Personal Data
• Consent records are maintained with timestamps for audit purposes

4.2 Contractual Necessity

Processing necessary to perform the contract between you and Trakxi, including:

• Facilitating ride bookings and trip management
• Processing payments and settlements
• Providing customer support

4.3 Legal Obligation

Processing required to comply with legal obligations, including:

• Tax and accounting requirements
• Responding to lawful requests from authorities
• Maintaining records as required by law

4.4 Legitimate Interests

Processing necessary for our legitimate interests, provided such interests do not override your fundamental rights:

• Fraud prevention and security
• Service improvement and analytics
• Enforcing our Terms of Service

5. Information We Collect

5.1 Information from Travel Business Owners

• Business name, registration details, and GST information
• Contact information (name, email, phone number, business address)
• Bank account or payment details for settlement (Sensitive Personal Data)
• Fleet information (vehicle details, registration numbers, insurance)
• Login credentials and account settings
• KYC documents (PAN, Aadhaar, business registration certificates)

5.2 Information from Drivers

• Personal identification (name, date of birth, photograph)
• Contact information (phone number, email, address)
• Government-issued identification (Aadhaar, PAN) - Sensitive Personal Data
• Driving license details and validity
• Vehicle documents (registration, insurance, fitness certificate)
• Real-time GPS location during active duty
• Trip history, earnings, and performance metrics
• Device information and app usage data
• Facial photograph for identity verification (Biometric Data - Sensitive Personal Data)

5.3 Information from Customers (Riders)

• Contact information (name, phone number, email)
• Pickup and drop-off locations
• Trip history and booking preferences
• Payment information (processed securely via PCI-DSS compliant payment gateways)
• Ratings and feedback provided
• Device information and app usage data
• Emergency contact details (optional)

5.4 Sensitive Personal Data

We collect the following categories of Sensitive Personal Data with your explicit consent:

• Financial Information: Bank account details, UPI IDs for payment processing and settlements
• Government Identifiers: Aadhaar number (with masking), PAN for KYC verification
• Biometric Data: Facial photographs for driver identity verification
• Location Data: Precise GPS coordinates during trips

Sensitive Personal Data is processed with enhanced security measures and is only accessible to authorized personnel on a need-to-know basis.

5.5 Automatically Collected Information

• Device type, operating system, and unique device identifiers
• IP address and browser type (for web portal)
• App version and crash reports
• Usage patterns and feature interactions
• Cookies and similar tracking technologies

6. Data Minimization

We adhere to the principle of data minimization and only collect Personal Data that is necessary, relevant, and limited to what is required for the specified purposes. We do not collect excessive data and regularly review our data collection practices to ensure compliance with this principle.

7. How We Use Your Information

We use the collected information for the following purposes:

• Service Delivery: To facilitate ride bookings, connect customers with drivers, and enable fleet management
• Real-time Operations: To provide GPS tracking, navigation, and estimated arrival times
• Payment Processing: To process payments, calculate fares, and manage driver payouts through PCI-DSS compliant payment processors
• Communication: To send booking confirmations, trip updates, receipts, and support messages
• Safety & Security: To verify user identities, prevent fraud, and ensure safe transportation
• Analytics & Improvement: To analyze usage patterns and improve our Services (using anonymized/aggregated data where possible)
• Customer Support: To respond to inquiries, complaints, and resolve disputes
• Legal Compliance: To comply with applicable laws, regulations, and legal processes
• Marketing: To send promotional communications (only with explicit opt-in consent)

8. Automated Decision-Making

We use automated systems for certain processing activities:

• Driver-Rider Matching: Algorithms match available drivers with ride requests based on proximity, vehicle type, and availability
• Fare Calculation: Automated fare computation based on distance, time, and applicable rates
• Fraud Detection: Automated systems flag suspicious activities for review
• Driver Performance Scoring: Ratings and metrics calculated based on trip data and customer feedback

Your Rights: You have the right to request human review of any automated decision that significantly affects you. To request a review, contact us at hello@trakxi.com.

9. Location Data

Location data is essential for our ride-booking services. Here's how we handle it:

• Driver Location: We collect real-time GPS data when drivers are online/active. This enables ride matching, navigation, and fleet tracking for business owners. Location tracking stops when drivers go offline.
• Customer Location: We collect location data when you book a ride to determine pickup location and calculate routes. Location access can be granted temporarily for each booking or persistently based on your preference.
• Trip Routes: Complete trip routes are stored for billing accuracy, dispute resolution, and safety purposes.
• Retention: Location data associated with completed trips is retained for 3 years. Real-time location data is not stored when drivers are offline or when customers are not on an active trip.
• Your Control: You can disable location services through your device settings, though this may limit the functionality of our Services.

10. How We Share Your Information

10.1 Between Users

• Customers can see driver name, photo, vehicle details, and real-time location during a trip
• Drivers can see customer name, pickup/drop locations, and contact number for the trip
• Business owners can see driver and trip data for their fleet through the Management Portal

10.2 With Data Processors (Service Providers)

We share data with trusted third parties who process data on our behalf under strict contractual obligations:

• Payment Processors: Razorpay, PhonePe Business (PCI-DSS compliant) for secure transaction handling
• Cloud Infrastructure: Amazon Web Services (AWS) India Region / Google Cloud Platform for data storage and processing
• Communication Services: MSG91, Firebase Cloud Messaging for SMS and push notifications
• Map Services: Google Maps Platform for navigation and mapping
• Analytics: Google Analytics, Firebase Analytics (anonymized data)

All Data Processors are bound by data processing agreements that require them to:

• Process data only on our documented instructions
• Maintain confidentiality and security
• Assist with Data Principal rights requests
• Delete or return data upon termination

10.3 For Legal Purposes

We may disclose information when required by law or to:

• Comply with legal obligations or valid legal processes (court orders, summons)
• Respond to requests from law enforcement or government authorities
• Protect our rights, privacy, safety, or property
• Investigate potential violations of our Terms of Service
• Support insurance claims related to accidents

10.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your Personal Data may be transferred to the acquiring entity. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.

11. International Data Transfers

Your Personal Data is primarily stored and processed in India. However, some of our service providers may process data in other jurisdictions:

• Cloud Services: AWS and Google Cloud may replicate data across regions for reliability (Singapore, Mumbai regions primarily)
• Analytics: Aggregated analytics data may be processed in the United States

Safeguards: When transferring data internationally, we ensure appropriate safeguards through:

• Standard Contractual Clauses approved by relevant authorities
• Data Processing Agreements with all international processors
• Ensuring recipients maintain adequate data protection standards
• Compliance with the DPDP Act requirements for cross-border transfers

12. Data Security

We implement appropriate technical and organizational measures to protect your Personal Data as required under the DPDP Act and IT Rules:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Secure authentication with multi-factor authentication for sensitive operations
• Role-based access controls limiting data access to authorized personnel only
• Regular security assessments, penetration testing, and vulnerability scanning
• Employee training on data protection and security practices
• Physical security measures for infrastructure
• Incident response procedures for potential breaches
• Regular backups with encryption
• Audit logs for data access and modifications

Payment Security: We do not store complete credit/debit card numbers. All payment processing is handled by PCI-DSS Level 1 compliant payment processors. We only store tokenized references for recurring transactions.

While we strive to protect your information using industry-standard measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly addressing any security incidents.

13. Data Breach Notification

In the event of a Personal Data breach that is likely to result in a risk to your rights and freedoms:

• We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required under the DPDP Act
• We will notify affected Data Principals without undue delay through email, SMS, or in-app notification
• The notification will include: nature of the breach, categories of data affected, likely consequences, and measures taken to address the breach
• We maintain a breach register documenting all incidents and remedial actions

14. Data Retention

We retain your information only for as long as necessary to fulfill the purposes for which it was collected:

Upon expiration of the retention period, data is securely deleted or anonymized. You may request earlier deletion of your data subject to legal retention requirements.

15. Your Rights as a Data Principal

Under the DPDP Act 2023 and applicable laws, you have the following rights:

• Right to Access: Request confirmation of whether we process your Personal Data and obtain a copy of such data. We will respond within 15 days of receiving your request.
• Right to Correction: Request correction of inaccurate, incomplete, or misleading Personal Data. Updates will be made within 15 days.
• Right to Erasure: Request deletion of your Personal Data where it is no longer necessary for the purpose collected, or where you withdraw consent. Subject to legal retention requirements. We will respond within 30 days.
• Right to Data Portability: Request your data in a structured, commonly used, machine-readable format (JSON/CSV).
• Right to Withdraw Consent: Withdraw consent for processing at any time. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
• Right to Grievance Redressal: Lodge a complaint with our Grievance Officer or the Data Protection Board of India.
• Right to Nominate: Nominate another individual to exercise your rights in case of your death or incapacity.

How to Exercise Your Rights: Submit requests to hello@trakxi.com with subject line "Data Principal Rights Request". We may verify your identity before processing requests.

16. Consent Management

We obtain and manage your consent as follows:

• Initial Consent: Obtained during registration through clear, affirmative action by clicking "I Agree" to our Terms and Conditions and Privacy Policy
• Granular Consent: Separate consent options for different processing activities (essential services, marketing, analytics)
• Consent Records: We maintain timestamped records of all consents provided
• Easy Withdrawal: You can withdraw consent at any time through:
  • Emailing hello@trakxi.com
  • Contacting our Grievance Officer at grievance@zentpeople.com
• Consequences of Withdrawal: Withdrawing consent for essential processing may result in inability to use certain Services

17. Cookies and Tracking Technologies

Our web portal uses cookies and similar technologies:

• Essential Cookies: Required for website functionality (session management, security). Cannot be disabled.
• Analytics Cookies: Help us understand how visitors use our website (Google Analytics). Can be disabled.
• Preference Cookies: Remember your settings and preferences. Can be disabled.
• Marketing Cookies: Used only with explicit consent for targeted advertising. Disabled by default.

Your Choices: You can manage cookie preferences through the cookie consent banner on our website or through your browser settings. Note that disabling certain cookies may affect website functionality.

18. Third-Party Links

Our Services may contain links to third-party websites or services (e.g., payment gateways, social media). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any Personal Data. This Privacy Policy applies only to information collected through our Services.

19. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect Personal Data from children. If you are a parent or guardian and believe your child has provided us with Personal Data, please contact us immediately at hello@trakxi.com. Upon verification, we will delete such information within 72 hours.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

• Notification: We will notify you of material changes via email, in-app notification, or prominent notice on our website at least 15 days before changes take effect
• Version History: Previous versions are available upon request
• Continued Use: Your continued use of our Services after the effective date constitutes acceptance of the updated policy
• Objection: If you do not agree to the changes, you must stop using our Services and may request deletion of your data

21. Governing Law and Dispute Resolution

This Privacy Policy is governed by and construed in accordance with the laws of India, including but not limited to:

• The Digital Personal Data Protection Act, 2023
• The Information Technology Act, 2000
• The Indian Contract Act, 1872

Dispute Resolution: Any disputes arising from this Privacy Policy shall be resolved through:

1. First, by contacting our Grievance Officer for internal resolution (response within 30 days)
2. If unresolved, by filing a complaint with the Data Protection Board of India
3. Courts in Erode, Tamil Nadu, India shall have exclusive jurisdiction for any legal proceedings

22. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

23. Grievance Officer

In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer to address your concerns: