Privacy Policy

Welcome to RidelyGo ("we", "our", "us"). RidelyGo is a medicine delivery and ride-hailing platform operated in Samastipur, Bihar, India. We are committed to protecting your privacy and handling your personal data responsibly in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 of India and all applicable laws.

This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, and what rights you have over your data. This policy applies to all users of the RidelyGo platform — Customers (Riders), Delivery Partners (Captains), and Pharmacy Partners.

1. Data We Collect

We collect only the data necessary to provide our services. Here is a detailed breakdown:

A. Personal Data

Data Type	Purpose	Required
Full Name	Account identification & delivery labelling	Required
Phone Number	Account login (OTP), order updates, support	Required
Email Address	Account recovery & receipts (pharmacy/admin)	Optional
Delivery Address	Deliver medicines to your location	Required
Profile Photo	Identity verification for delivery partners	Optional

B. Sensitive Personal Data

Data Type	Purpose	Required
Real-Time Location	Route calculation, delivery tracking, ETA	Required
Prescription Images	Legal requirement for prescription-only medicines	Conditional
Aadhaar (last 4 digits only)	Delivery partner identity verification	Captain only

C. Non-Personal / Technical Data

Data Type	Purpose
Device Type & OS Version	App performance optimization, crash reporting
App Version	Feature compatibility, debugging
Firebase Analytics Events	Usage patterns (anonymised) for improving the app
Crash Logs (Firebase Crashlytics)	Bug identification & fix prioritisation
Performance Traces	Loading time optimisation

2. How We Use Your Data

We use the data we collect for the following purposes:

Order Fulfilment: Process medicine orders, assign delivery partners, calculate ETA, and track deliveries in real-time.
Ride-Hailing: Match riders with captains, calculate fares, track rides.
Account Management: Authenticate users via phone OTP, manage profiles, and preferences.
Pharmacy Verification: Verify drug license numbers, license expiry dates, and GST details of partner pharmacies.
Delivery Partner Verification: Verify identity documents, vehicle details, and driving licenses of captains.
Communication: Send order status notifications, delivery OTPs, and critical service updates via push notifications.
Financial Settlements: Process weekly pharmacy settlements, track captain earnings, and reconcile COD payments.
Safety & Compliance: Maintain audit logs for regulatory compliance, manage prescription data per Pharmacy Act, and enforce DPDP Act rights.
Improvement: Analyse anonymised usage patterns to improve app performance, fix bugs, and add features.
Marketing (opt-in only): Send promotional offers and updates — only with your explicit consent, which you can withdraw at any time.

3. Consent Mechanism

In accordance with the DPDP Act 2023, we obtain your explicit consent before processing your personal data:

Required Consent: At signup, you must agree to the processing of your personal data for service delivery. This is mandatory to use RidelyGo.
Optional Consent: Marketing communications require separate opt-in consent. You can opt out at any time from Settings.
Pre-unchecked: All consent checkboxes are unchecked by default — we never assume consent.
Recorded: Your consent timestamp is recorded in our systems for audit purposes.

Withdrawing Consent: You can withdraw your consent at any time by navigating to Settings → Privacy in the app, or by contacting us. Withdrawal of mandatory consent will result in account deactivation.

4. Data Storage & Retention

Where We Store Data

All data is stored on Google Firebase (Google Cloud Platform) servers. Firebase provides enterprise-grade security including encryption at rest and in transit. Some data is cached locally on your device using Hive (encrypted local storage) for offline access.

How Long We Keep Data

Data Type	Retention Period	Reason
Prescription Images	3 years	Pharmacy Act regulatory requirement
Order History	1 year	Customer support & reorder feature
Financial / Settlement Data	7 years	Tax & accounting regulations (Income Tax Act)
Ride History	1 year	Dispute resolution & support
Audit Logs	3 years	DPDP Act compliance & breach notification
Account Data	Until deletion requested	Active service
Analytics Data	14 months	Firebase Analytics default retention

Automatic Deletion

We run automated processes to enforce retention limits:

Prescription images older than 3 years are permanently deleted (monthly automated cleanup).
Abandoned carts are cleaned every 6 hours.
Expired ride data is cleaned automatically.

5. Data Sharing & Disclosure

We do not sell your personal data to third parties. We share data only in these limited circumstances:

Shared With	What Data	Why
Pharmacy Partners	Name, delivery address, prescription (if applicable)	To prepare and dispatch your order
Delivery Partners	Name, delivery address, phone number	To deliver your order
Google Firebase	All data (as data processor)	Cloud infrastructure & services
Google Maps Platform	Location data	Route calculation, ETA, geocoding
Firebase Crashlytics	Device & crash data (anonymised)	Bug fixing
Law Enforcement	As required by law	Legal obligations, court orders

No International Transfer: All data remains within Google Cloud's infrastructure. We do not independently transfer your data outside India.

6. Prescription Data Handling

Prescription data is treated with the highest level of security due to its sensitive medical nature:

Upload: Prescriptions are uploaded directly to Firebase Storage over encrypted HTTPS connections.
Access Control: Only the uploading customer, the assigned pharmacy, and authorised admin staff can access prescription images. Access by admin is logged in the audit trail.
Image Compression: Prescription images are compressed to ≤500KB before upload to minimise data exposure.
Retention: Prescription images are retained for 3 years as required by the Pharmacy Act and then permanently deleted by our automated compliance system.
Audit Trail: Every access to prescription data by admin/support staff is logged with timestamp, user ID, and reason.

7. Your Rights Under the DPDP Act 2023

As a Data Principal, you have the following rights:

Right	Description	How to Exercise
Right to Access	Know what personal data we hold about you	Settings → My Data, or email us
Right to Correction	Update or correct inaccurate data	Edit your Profile in the app
Right to Erasure	Request deletion of your personal data	Settings → Delete Account, or email us
Right to Withdraw Consent	Revoke consent for data processing	Settings → Privacy → Manage Consent
Right to Grievance Redressal	File complaints about data handling	Email our Data Protection Officer
Right to Nominate	Nominate a person to exercise rights on your behalf	Contact our Data Protection Officer

Account Deletion Process

When you request account deletion:

Your personal data (name, phone, email, address) is permanently anonymised.
Your orders and rides are retained with anonymised references ("Deleted User") for legal compliance.
Your prescriptions, cart, favorites, and FCM tokens are permanently deleted.
Financial/settlement data is archived for 7 years as required by tax law, then deleted.
Your Firebase Authentication account is disabled immediately.
The entire process is logged in our audit trail.

Response Time: We will process your data deletion request within 72 hours. A confirmation will be sent to your registered phone number.

8. Data Security

We implement multiple layers of security to protect your data:

Encryption at Rest: All data stored in Firebase/Google Cloud is encrypted at rest using Google-managed encryption keys (AES-256).
Encryption in Transit: All communication between the app and servers uses HTTPS/TLS encryption.
Authentication: Phone-based OTP authentication via Firebase Auth with rate limiting (max 3 requests per 10 minutes).
Firestore Security Rules: Comprehensive role-based access control — users can only read/write their own data. Admin access is logged.
Audit Logging: All sensitive operations (prescription access, status changes, data exports, account deletions) are logged with timestamps.
Local Storage: Offline cached data on your device is stored using Hive encrypted storage.
Rate Limiting: API-level rate limiting on Cloud Functions to prevent abuse.
Breach Notification: In the event of a data breach, we will notify affected users and the Data Protection Board within 72 hours as required by the DPDP Act.

9. Children's Privacy

RidelyGo is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal data, we will take steps to delete such data promptly. If you are a parent or guardian and believe your child has shared personal data with us, please contact us.

10. Cookies & Device Data

The RidelyGo mobile app does not use browser cookies. However:

Firebase Analytics: Uses anonymous device identifiers to track app usage patterns. No personally identifiable information is sent to analytics.
Firebase Crashlytics: Collects device information (model, OS version) and crash stack traces to help us fix bugs. No personal data is included in crash reports.
Firebase Performance: Collects network latency and screen rendering data to optimise app speed.
Shared Preferences: Stores your language preference (English/Hindi/Bhojpuri) locally on your device.

Our web panels (Pharmacy & Admin) may use essential cookies for session management only.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

We will update the "Last Updated" date at the top of this page.
We will notify you via an in-app notification for significant changes.
Continued use of RidelyGo after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, contact us:

Data Protection Officer	RidelyGo Team
Email	privacy@ridelygo.in
Address	Samastipur, Bihar, India — 848101
Grievance Redressal	Email us at grievance@ridelygo.in — we will respond within 30 days

If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India.

Contents