Privacy Policy

1. Definitions

• “Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
• “Sensitive Personal Data or Information” (SPDI) as defined under the SPDI Rules, 2011, includes passwords, financial information (bank account, credit/debit card details), health data, biometric data, and any other information as specified by the Rules.
• “Data Principal” means the individual to whom the Personal Data relates (i.e., you, the User).
• “Data Fiduciary” means the entity that determines the purpose and means of processing Personal Data (i.e., Rent Aggregator Pvt Ltd / Zymo).
• “Processing” includes collection, storage, use, sharing, modification, erasure, or any other operation performed on Personal Data.

2. Information We Collect

We may collect the following categories of information:

2.1. Personal Data provided by you:

• Full name, email address, mobile number
• Date of birth, gender
• Driving licence details (licence number, validity, state of issue)
• Aadhaar details (for identity verification, where applicable)
• Postal address
• Profile photograph

2.2. Sensitive Personal Data or Information (SPDI):

• Financial information: Payment instrument details are collected and processed by our PCI-DSS compliant payment gateway partner (Cashfree). Zymo does NOT store your full card number, CVV, or expiry date on its servers.
• Passwords and authentication tokens (stored in encrypted form)
• Biometric data (if provided for identity verification through third-party KYC providers)

2.3. Automatically collected information:

• Device information (device type, operating system, browser type, unique device identifiers)
• Usage data (pages visited, features used, search queries, interaction patterns)
• Location data (GPS coordinates, IP-based location — with your consent, for providing location-relevant services)
• Cookies, local storage, and similar tracking technologies
• Log data (IP address, access times, referring URLs)

2.4. Information from third parties:

• Authentication providers (Google, Apple — name, email, profile picture)
• Payment gateways (transaction status, payment confirmation)
• Alliance Partners (booking fulfilment details, vehicle condition reports)

3. Purpose and Legal Basis for Processing

We process your Personal Data for the following purposes and legal bases under the DPDP Act, 2023:

• Contractual necessity: To process your Bookings, facilitate vehicle rentals, process payments, and provide customer support.
• Consent: To send promotional communications, marketing emails, and push notifications (you may withdraw consent at any time).
• Legitimate use: To improve our Platform, conduct analytics, prevent fraud, ensure platform security, and enforce our Terms of Service.
• Legal obligation: To comply with applicable laws, respond to lawful requests from authorities, and maintain records as required by law.
• Vital interest: To respond to emergencies or situations involving threats to the safety of any person.

4. Cookies and Tracking Technologies

We use cookies and similar technologies to improve your experience on our Platform. Cookies help us remember your preferences, enhance security, analyse usage patterns, and prevent misuse. If you disable cookies, some features of the Platform may not function properly.

Cookies do not identify you personally unless you voluntarily share information that can identify you. We use the following types of cookies:

• Essential cookies: Required for the Platform to function (authentication, session management).
• Analytics cookies: Help us understand usage patterns (Google Analytics, Mixpanel).
• Preference cookies: Remember your settings (location, theme, language).

5. Information Sharing and Disclosure

We may share your information with the following categories of recipients, solely for the purposes described in this Policy:

• Alliance Partners / Rental Partners: Name, contact details, driving licence information, and booking details — shared only to fulfil your Booking and provide the rental service.
• Payment gateway providers: Transaction details necessary to process your payment securely.
• Analytics and service providers: Aggregated and anonymised data for platform improvement (Google Analytics, Firebase, Sentry).
• Legal and regulatory authorities: When required by Applicable Law, court order, or governmental directive.
• Professional advisors: Lawyers, auditors, and consultants, subject to confidentiality obligations.

We do NOT sell, trade, or rent your Personal Data to third parties for their marketing purposes.

6. Data Retention

In accordance with the DPDP Act, 2023, we retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, or as required under Applicable Law. Our retention periods are as follows:

• Account data: Retained for the duration of your account and for a period of 3 years after account closure or last activity, to comply with legal and regulatory requirements.
• Booking and transaction records: Retained for a minimum of 8 years from the date of the transaction, as required under applicable tax and financial regulations.
• Identity verification documents: Retained for the duration of the relevant Booking plus 1 year, unless longer retention is required by law.
• Communication logs: Retained for up to 2 years from the date of communication.
• Analytics and usage data: Retained in anonymised or aggregated form and may be retained indefinitely for analytical purposes.

Upon expiry of the retention period, Personal Data shall be securely erased or anonymised, unless retention is required under Applicable Law.

7. Your Rights as a Data Principal

Under the DPDP Act, 2023 and the SPDI Rules, 2011, you have the following rights:

• Right to Access: You may request confirmation of whether we process your Personal Data and obtain a summary of such data.
• Right to Correction: You may request correction or updating of inaccurate or incomplete Personal Data.
• Right to Erasure: You may request erasure of your Personal Data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
• Right to Withdraw Consent: Where processing is based on your consent, you may withdraw such consent at any time. Withdrawal shall not affect the lawfulness of processing carried out prior to the withdrawal.
• Right to Nominate: Under the DPDP Act, you may nominate another individual to exercise your rights in the event of your death or incapacity.
• Right to Grievance Redressal: You have the right to lodge a complaint with our Grievance Officer or with the Data Protection Board of India.

To exercise any of these rights, please contact us at hello@zymo.app. We will respond to your request within a reasonable time, and in any case within 30 days of receipt.

8. Consent

In accordance with the DPDP Act, 2023, we obtain your consent before collecting and processing your Personal Data. Consent may be obtained through:

• Acceptance of this Privacy Policy upon registration or use of the Platform
• Explicit opt-in checkboxes for specific data uses (e.g., marketing communications)
• Continued use of the Platform after being informed of data practices

For Sensitive Personal Data or Information, we obtain explicit consent in writing (including electronic form) before collection, as required under the SPDI Rules, 2011. You have the right to withdraw consent at any time by contacting us.

9. Data Security

In compliance with Section 43A of the IT Act, 2000 and the SPDI Rules, 2011, we implement reasonable security practices and procedures to protect your Personal Data and SPDI, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Access controls and role-based authentication for internal systems
• Regular security audits and vulnerability assessments
• Secure cloud infrastructure (Google Cloud / Firebase) with SOC 2 and ISO 27001 certifications
• PCI-DSS compliant payment processing through certified gateway partners
• Documented information security programme commensurate with the information being protected

However, no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

10. Cross-Border Data Transfer

Your Personal Data may be stored and processed on servers located outside India (including servers operated by Google Cloud Platform and Firebase). Any such transfer shall be in compliance with the provisions of the DPDP Act, 2023 and shall only be made to countries or territories not restricted by the Central Government of India.

We ensure that adequate safeguards are in place to protect your Personal Data during cross-border transfers, including contractual obligations on data processors to maintain equivalent levels of data protection.

11. Data Breach Notification

In the event of a Personal Data breach, we shall: (a) notify the Data Protection Board of India as required under the DPDP Act, 2023; (b) notify affected Data Principals without unreasonable delay; and (c) take immediate steps to contain the breach and mitigate its effects. The notification shall include the nature of the breach, the categories of data affected, and the remedial measures taken.

12. Children’s Data

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Data from children. In accordance with the DPDP Act, 2023, processing of a child’s Personal Data requires verifiable consent from the child’s parent or lawful guardian. If we become aware that we have inadvertently collected Personal Data from a child without appropriate consent, we will take steps to delete such data promptly.

13. Account Termination and Data Deletion

You can request account closure and deletion of your Personal Data by emailing hello@zymo.app from your registered email with the subject line: “Please close my Zymo account”. Upon verification of your request:

• Your account will be disabled within 30 days
• Personal Data not subject to legal retention requirements will be erased within 90 days
• Transaction records required by law will be retained for the applicable retention period and then securely deleted

14. Grievance Officer

In accordance with Section 5(9) of the SPDI Rules, 2011 and the IT Act, 2000, the details of the Grievance Officer are as follows:

Name: Mr. Manish Pratik
Designation: Grievance Officer
Email: hello@zymo.app

The Grievance Officer shall address your concerns and grievances within 30 days of receipt. If you are not satisfied with the resolution, you may approach the Data Protection Board of India established under the DPDP Act, 2023, or the appropriate Adjudicating Officer under the IT Act, 2000.

15. Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws (including amendments to the DPDP Act, SPDI Rules, and IT Act), or for operational reasons. The updated Policy will be posted on this page with a revised “Last Updated” date. Material changes will be notified to you via email or a prominent notice on the Platform.

Your continued use of the Platform after any such changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should stop using the Platform immediately.

16. Applicable Law

This Privacy Policy is governed by and shall be construed in accordance with the laws of India, including but not limited to:

• The Information Technology Act, 2000 (as amended)
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• The Digital Personal Data Protection Act, 2023
• Any rules, regulations, or guidelines issued under the above statutes

Any disputes arising out of this Privacy Policy shall be subject to the exclusive jurisdiction of the courts of Mumbai, Maharashtra, India.