Privacy Policy

Eto Rides is a technology platform connecting passengers with independent electric e-rickshaw captains, operated as a sole proprietorship (“Eto Rides”, “we”, “our”, “us”). Our platform comprises the Eto Rides mobile app (Android) and the website etorides.com.

Registered address: 276/B/I, Lokepur, Kenduadihi, Bankura, West Bengal – 722102, India.
GSTIN: 19DKFPB7926E1Z5

This policy is issued under and governed by the Digital Personal Data Protection Act 2023 (DPDP Act) and other applicable Indian law.

We collect personal data only for the purposes listed below. The legal basis for each category is noted in brackets.

Aadhaar: Captain identity is verified from the Aadhaar card image, collected with the captain's explicit in-app consent. The full Aadhaar number is never stored — we retain only its last 4 digits for reference. Document numbers are encrypted at rest, document images are viewable only by authorised verification staff, and KYC documents are erased on account deletion subject to statutory retention.

Passengers: Location is accessed only during an active booking session to set pickup/destination and to display the captain's live position. We do not collect background location from passengers.

Captains: Background location is collected while the Eto Rides app is running (online or during an active ride). This enables ride dispatch and passenger safety tracking. GPS breadcrumb history is automatically deleted after 30 days. Location data is not sold or shared with advertisers.

We share personal data only in the following circumstances:

• Between ride parties: During a booking, the passenger sees the captain's name, vehicle details, and real-time location. The captain sees the passenger's name and pickup point only.
• Service providers: Firebase (notifications, analytics, crash reporting), Razorpay (subscription payments), Sentry (error tracking), Google Maps (routing), UXCam and Microsoft Clarity (analytics — consent-gated). All are bound by data processing agreements.
• Legal obligations: We disclose data when required by Indian law, court order, a government authority, or to protect safety in an emergency.
• We do not sell, rent, or trade your personal data to advertisers, data brokers, or any third party for commercial gain.

• Active account data is retained for as long as your account is open.
• Trip records are retained for 3 years for dispute resolution and regulatory compliance.
• GPS breadcrumb history is deleted after 30 days.
• Captain KYC documents (licence, Aadhaar card image, PAN, RC, permit, bank details) are retained while the captain account is active and erased on account deletion — including when the 30-day deletion grace period expires — except where retention is required by law or for fraud prevention.
• Upon a verified deletion request, we delete all personal identifiers within 30 days, subject to statutory retention obligations (e.g., GST records for 7 years).

All data in transit is encrypted via TLS 1.2+. Authentication tokens are stored in Flutter Secure Storage (Android Keystore). Captain documents are stored in Firebase Storage with access restricted to authorised admin accounts. No system is 100% secure — if you suspect unauthorised access, contact us immediately at support@etorides.com.

As a data principal under the Digital Personal Data Protection Act 2023, you have the following rights. To exercise any right, email privacy@etorides.com with subject line Privacy Request — [your phone number]. We will acknowledge within 48 hours and respond within 30 days.

• Access (S.11): Request a summary of the personal data we hold about you and a description of the processing activities.
• Correction & Erasure (S.12): Ask us to correct inaccurate or incomplete data, or to erase personal data that is no longer necessary for the purpose collected.
• Grievance redressal (S.13): Raise a complaint about how we handle your data with our Grievance Officer (see Section 11).
• Nominee (S.14): Designate a nominee to exercise your rights in the event of death or incapacity.
• Portability: Request your trip history in machine-readable CSV format.
• Withdraw consent: Where processing is based on your consent (analytics, session recording), you may withdraw it at any time through in-app settings or by emailing us. Withdrawal does not affect the lawfulness of prior processing.

UXCam (in-app): Records in-app interactions to improve UX. UXCam automatically masks sensitive fields (OTP, payment screens). Opt out via App Settings → Privacy → Disable Session Recording.

Microsoft Clarity (website): Analyses website sessions via heatmaps and recordings. Opt out by enabling “Do Not Track” in your browser or by contacting us.

Firebase Analytics / Crashlytics: Used for crash reporting and anonymised usage statistics. Opt out via Android system settings (Google → Ads → Opt out of personalisation).

The Eto Rides platform is intended for users aged 18 and older. We do not knowingly collect personal data from minors. If you believe a person under 18 has registered, please contact us immediately and we will delete the account and all associated data.

We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notification and require your re-acceptance before they take effect. The “Last updated” date at the top of this page reflects the most recent revision.

Also see our Terms and Conditions, Refund Policy, and Grievance Redressal Policy.