Privacy Policy

1. About Elgomart

Elgomart is a hyperlocal delivery platform connecting customers with nearby stores. Our platform includes a customer-facing shopping app, a partner/driver app for delivery agents, a packer app for warehouse staff, and an admin panel. Different categories of users interact with our services, and we collect different types of data depending on your role.

2. Information We Collect

2.1 Customers

• Name, phone number, and email address (for account registration)
• Delivery addresses and saved locations
• Order history, cart contents, and product preferences
• Device identifiers (device model, OS version, app version)
• FCM push notification tokens
• Real-time location when the app is in use (for order tracking and delivery coordination)

2.2 Delivery Partners (Drivers)

• Full name, phone number, and email
• Government-issued ID (PAN Card, Voter ID, or Driving Licence number and photographs)
• Driving licence number and photographs
• Vehicle type, registration number, vehicle photograph, insurance, and PUC certificate
• Selfie photograph for KYC identity verification
• Real-time GPS location during active delivery shifts
• Shift check-in photographs (selfie at shift start)
• Payout details — UPI ID or bank account details (encrypted at rest)

2.3 Packer Staff

• Full name and phone number
• Government-issued ID (PAN Card, Voter ID, or Driving Licence)
• Selfie photograph for identity verification
• Emergency contact name, phone number, and relationship
• Shift check-in selfie photograph and geolocation at shift start/end

2.4 Automatically Collected Information

• IP address, browser type, and operating system
• Pages visited, time spent, and navigation paths (website analytics)
• App crash reports and error logs (anonymised)
• Session cookies for authentication and preference management

3. How We Use Your Information

Purpose	Data Used
Processing and delivering orders	Name, address, phone, location
Account registration and authentication	Phone number, email, OTP
KYC verification for delivery partners and packers	Government ID, selfie, licence documents
Processing payments and refunds	Order amount, payment method (via Razorpay)
Disbursing earnings to delivery partners and packers	UPI ID or bank account details (encrypted)
Real-time delivery tracking	Driver GPS location
Attendance and shift management	Shift selfie, geolocation
Customer support and dispute resolution	Order history, communication logs
Platform security and fraud prevention	Device data, IP address, activity logs
Regulatory compliance	KYC documents, transaction records

4. Financial Data & RBI Compliance

Elgomart processes financial transactions and handles sensitive financial information in strict adherence to the guidelines issued by the Reserve Bank of India (RBI). The following measures are in place:

4.1 Payment Processing

All customer payments (including online payments via UPI, cards, and net banking) are processed through Razorpay, a Payment Aggregator licensed and regulated by the Reserve Bank of India under the Payment and Settlement Systems Act, 2007. Elgomart does not directly store, process, or transmit card numbers, CVV codes, or net banking credentials.

4.2 Bank Account Details — Encrypted Storage

Bank account information collected from delivery partners and packer staff for the purpose of earnings disbursement (payout processing) is handled with the following security controls:

• Encryption at rest: All bank account numbers, IFSC codes, and account holder names are stored in encrypted form in our database. Encryption is applied using industry-standard algorithms (AES-256) before data is persisted.
• Encryption in transit: All data transmitted between our mobile apps, website, and backend servers is secured using TLS 1.2 / TLS 1.3 (HTTPS). No bank data is ever transmitted over unencrypted channels.
• Access control: Bank account details are accessible only to authorised personnel and automated payout systems on a strict need-to-know basis. Access is logged and audited.
• No unnecessary retention: Bank details are retained only as long as the partner or packer maintains an active account. Upon account deletion, financial data is purged in accordance with applicable laws.

4.3 UPI IDs

UPI IDs registered by delivery partners for earnings withdrawal are stored securely in encrypted form and are never shared with third parties other than our authorised payout processing partner.

4.4 RBI KYC Norms

The KYC (Know Your Customer) process for delivery partners and packer staff is conducted in accordance with the RBI Master Direction — Know Your Customer (KYC) Direction, 2016 (as amended). Specifically:

• We accept Officially Valid Documents (OVDs) as defined by RBI: PAN Card, Voter Identity Card, and Driving Licence.
• KYC documents (photographs of ID cards, selfies) are stored on secure, access-controlled cloud storage (AWS S3) with server-side encryption enabled.
• KYC records are retained for the minimum period required by applicable law and then securely deleted.
• KYC information is reviewed only by authorised admin personnel and is never sold or shared with third parties.

4.5 Transaction Records

Transaction records (order payments, refunds, earnings, payout requests) are retained for a minimum of 5 years from the date of the transaction, in compliance with the requirements of the RBI Payment Aggregator guidelines and the Prevention of Money Laundering Act (PMLA), 2002.

4.6 Refunds

Refunds for cancelled orders paid online are processed back to the original payment method through Razorpay. Refund timelines follow the RBI's guidelines for failed or disputed transactions (typically 5–7 business days depending on the issuing bank).

5. KYC Document Storage & Security

All KYC-related documents (selfie photographs, government ID front/back images, driving licence images, vehicle photographs) are:

• Uploaded and stored on Amazon Web Services (AWS) S3 with server-side encryption (SSE-S3/SSE-KMS) enabled at the bucket level.
• Accessible only via time-limited, signed URLs. Direct public access to raw S3 objects is disabled.
• Subject to access logging. All access to stored documents is recorded with timestamp, IP address, and user identity.
• Never used for any purpose other than identity verification and regulatory compliance.

6. Location Data

Elgomart collects real-time location data from delivery partners during active shifts and from customers when placing orders (for delivery address resolution and ETA calculation). Location data is:

• Used solely for delivery coordination and order tracking.
• Not shared with third parties except as required for delivery fulfilment.
• Not retained after the completion of the relevant delivery or shift.
• Collected only when the app is active and location permission has been granted by the user.

7. Sharing of Information

We do not sell, rent, or trade your personal information. We may share your data only in the following limited circumstances:

• Service providers: Payment processors (Razorpay), cloud infrastructure (AWS), and push notification services (Firebase/FCM) — all bound by strict data processing agreements.
• Delivery coordination: Your name and contact number may be shared with the assigned delivery partner solely for the purpose of completing your order delivery.
• Legal requirements: When required by law, court order, or regulatory authority (including RBI, SEBI, or law enforcement agencies) we may disclose information as mandated.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity, subject to the same privacy protections.

8. Data Security

Our security measures include:

• TLS encryption for all data in transit between clients and our servers
• AES-256 encryption for sensitive data at rest (bank details, payout information)
• Server-side encryption on all cloud storage buckets containing KYC documents
• JWT-based authentication with short-lived tokens and secure refresh mechanisms
• Role-based access control (RBAC) ensuring staff access only the data necessary for their role
• Access audit logs for sensitive data operations
• Firewall and intrusion detection on all backend infrastructure
• Regular security reviews and vulnerability assessments

9. Data Localisation

In compliance with RBI's guidelines on storage of payment system data, all payment transaction data, KYC records, and related financial information of Indian users are stored exclusively on servers located within the territory of India.

10. Data Retention

Data Type	Retention Period
Customer account and order data	Duration of account + 3 years after deletion
Payment transaction records	Minimum 5 years (per RBI / PMLA requirements)
KYC documents (ID photos, selfies)	Duration of active partner/packer account + 5 years
Bank account / UPI payout details	Duration of active account; purged on account deletion
Delivery GPS logs	90 days from date of delivery
Shift attendance records & photos	1 year from date of shift
System and access logs	6 months on a rolling basis

11. Your Rights

You have the following rights with respect to your personal data held by Elgomart:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Deletion: Request deletion of your account and associated personal data (subject to legal retention obligations).
• Withdrawal of consent: Withdraw consent for data processing where consent is the legal basis (e.g., marketing communications).
• Portability: Request your data in a structured, machine-readable format where technically feasible.

To exercise any of these rights, please contact us at support@elgomart.com. We will respond within 30 days.

12. Cookies

Our website uses essential session cookies for authentication and basic website functionality. We do not use tracking cookies or third-party advertising cookies. You may disable cookies in your browser settings, though this may affect certain website features.

13. Children's Privacy

Elgomart's services are not directed at children under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected data from a person under 18 without parental consent, we will delete it promptly. Please contact us if you believe this has occurred.

14. Third-Party Services

Elgomart integrates with the following third-party services. Each operates under its own privacy and security policies:

• Razorpay — Payment processing (RBI-licensed Payment Aggregator). Privacy Policy: razorpay.com/privacy
• Amazon Web Services (AWS) — Cloud infrastructure and encrypted document storage
• Google Firebase / FCM — Push notifications and crash analytics
• Google Maps Platform — Location and maps services

15. Grievance Officer

In accordance with the Information Technology Act, 2000, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer for addressing privacy-related complaints:

• Name: Grievance Officer, Elgomart
• Email: grievance@elgomart.com
• Response time: We will acknowledge grievances within 24 hours and resolve them within 15 days of receipt.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via the app or email and update the "Last Updated" date at the top of this page. Continued use of our services after the effective date constitutes your acceptance of the revised policy.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: support@elgomart.com
• Grievance / Legal: grievance@elgomart.com