Privacy Policy
Last updated: 29 May 2026
Effective date: 29 May 2026
1. Introduction
This Privacy Policy (“Policy”) describes how Carryoo (“we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you use our logistics and on-demand delivery platform, including:
- Customer mobile and web applications
- Driver (partner) mobile applications
- Business and enterprise booking tools
- Admin and operations dashboards
- Our websites, APIs, and related services
(collectively, the “Platform” or “Services”).
Carryoo operates a technology platform that connects customers who need goods transported with independent driver partners and, where applicable, business accounts. We are committed to handling your information responsibly and in line with applicable laws, including the Digital Personal Data Protection Act, 2023 (India) (“DPDP Act”), the Information Technology Act, 2000, and rules made thereunder.
By registering for, accessing, or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Services.
Note for legal review: Replace bracketed placeholders such as
[Legal Entity Name],[Registered Address], and[Grievance Officer Name]with your company’s official details before publication.
2. Account and data deletion (Carryoo)
This section applies to the Carryoo mobile apps listed on Google Play (customer app and driver partner app) and to our developer account Carryoo / [Legal Entity Name]. It explains how you can request deletion of your account and what happens to your data.
2.1 How to request account deletion
Follow these steps to ask us to delete your Carryoo account:
| Step | Action |
|---|---|
| 1 | Use the same phone number or email registered on your Carryoo account. |
| 2 | Send an email to support@nashikflow.app with the subject line: “Carryoo — Account deletion request”. |
| 3 | In the email, include: (a) your full name, (b) registered mobile number, (c) whether you are a customer or driver partner, and (d) a short statement that you want your account and personal data deleted. |
| 4 | If you are a driver partner, complete or cancel any active trips, go offline in the app, and settle any outstanding payouts before we can close your account. |
| 5 | We will reply to confirm receipt and may ask you to verify your identity (e.g., OTP to your registered number). |
| 6 | After verification, we process deletion within 30 days, unless law requires us to keep certain records longer (see Section 2.2). |
In-app option (when available): Open the Carryoo app → Account or Profile → Settings → Delete account, and follow the prompts. If you do not see this option, use the email steps above.
Business / enterprise users: Contact business@nashikflow.app from your corporate admin email; your organisation’s administrator may need to remove you from the business account first.
2.2 Data that is deleted
After a valid deletion request, we delete or anonymise the following from our active production systems (subject to the retention periods in Section 2.3):
| Data category | What happens |
|---|---|
| Account profile | Name, profile photo, email, language preferences removed or anonymised |
| Login credentials | Account disabled; OTP and session tokens invalidated |
| Saved addresses & favourites | Deleted where stored for your account |
| Marketing preferences | Deleted; promotional messages stopped |
| Push notification tokens | Removed from our messaging systems |
| In-app chat (non-dispute) | Deleted or anonymised where technically feasible |
| Wallet / in-app balance | Account closed after settlement of any balance per our terms |
2.3 Data that may be kept (and why)
We do not delete all records immediately. The following may be retained for the periods below for legal, tax, safety, fraud prevention, or dispute reasons:
| Data category | Typical retention after deletion request | Reason |
|---|---|---|
| Trip and order history | 5–8 years (or as required by Indian tax and transport rules) | Accounting, tax, regulatory compliance |
| Payment and invoice records | 5–8 years | Financial and tax law |
| Driver KYC (licence, RC, insurance, PAN, bank details) | As required by law and partner onboarding rules (often 3–8 years after account closure) | Legal obligation, transport and tax compliance |
| Location and route logs (completed trips) | Trip duration + up to 24 months for disputes and safety (unless law requires longer) | Safety investigations, dispute resolution |
| Support tickets & complaints | Up to 3 years after case closure | Customer support and legal claims |
| Fraud, abuse, and security logs | Up to 3 years where an investigation applied | Fraud prevention and network security |
| Backups | Removed on our backup rotation cycle (typically within 90 days of deletion from live systems) | Technical disaster recovery |
After the retention period ends, we delete or irreversibly anonymise the data in line with our retention schedule (see also Section 9).
2.4 Additional retention period
Beyond the periods in Section 2.3, we may keep personal data longer if:
- A court order, regulator, or law enforcement request requires it
- An open dispute, chargeback, insurance claim, or safety investigation involves your account
- Indian law (including the DPDP Act and IT Act) mandates a specific retention period
We will inform you in our response to your deletion request if any of these exceptions apply to your case.
2.5 Questions about deletion
Email support@nashikflow.app or see Section 12 (Grievance Officer) for privacy complaints.
3. Who This Policy Applies To
This Policy applies to personal data we process about:
| User type | Description |
|---|---|
| Customers | Individuals or representatives who book pickups, deliveries, or related services through the customer app or web. |
| Driver partners | Individuals who register to accept and fulfil transport jobs on the Platform. |
| Business partners | Organisations and their authorised users who use Carryoo Business, central billing, or enterprise features. |
| Visitors | Users who browse our website or contact support without creating an account. |
| Other third parties | Referral contacts, emergency contacts, or recipients whose details you provide when placing an order. |
4. Personal Data We Collect
We collect personal data that you provide directly, that is generated through your use of the Services, and that we receive from third parties where permitted by law.
4.1 Data You Provide
| Category | Examples | Typical users |
|---|---|---|
| Identity & profile | Full name, photograph, date of birth (where required), gender (optional), language preference | Customers, drivers, business users |
| Contact information | Mobile number, email address, postal or business address | All user types |
| Account credentials | Phone OTP verification, passwords (hashed), PIN or biometric unlock on device | All user types |
| Booking & order details | Pickup and drop addresses, contact names and numbers at each stop, package description, weight/size, special instructions, scheduled time | Customers, business users |
| Payment & billing | Payment method type, transaction IDs, billing name and address, GST or tax identifiers (for business), wallet balance and ledger entries | Customers, business users |
| Driver & vehicle information | Driving licence number and copy, vehicle registration (RC), insurance, permit, vehicle type and capacity, bank account or UPI details for payouts, PAN (for tax compliance) | Driver partners |
| Business information | Company name, authorised signatory, corporate email, billing entity, employee or sub-user lists | Business partners |
| Communications | Support tickets, in-app chat, call recordings (where disclosed and permitted), feedback and ratings | All user types |
| Referrals & promotions | Referral codes used or shared, promotional participation | Customers, drivers |
4.2 Data Collected Automatically
| Category | Examples | Purpose (summary) |
|---|---|---|
| Precise & approximate location | GPS coordinates, speed, heading, route history during active and background sessions (as permitted by your device settings) | Matching, navigation, safety, ETA |
| Device information | Device model, operating system, unique device identifiers, app version, IP address, mobile network | Security, fraud prevention, compatibility |
| Usage & analytics | Screens viewed, taps, session duration, crash logs, performance metrics | Product improvement, debugging |
| Cookies & similar technologies | Session tokens, preferences on web (see Section 13) | Authentication, analytics |
4.3 Data from Third Parties
We may receive information from:
- Payment gateways and banks — payment status, masked card or UPI references, chargeback data
- Identity & KYC providers — verification results for drivers and high-risk accounts
- Mapping and routing providers — geocoded addresses, traffic-aware routes
- Telecom / OTP services — delivery status of verification messages
- Background verification partners — criminal or driving-record checks (for drivers, where applicable)
- Business administrators — employee details added to a corporate account
We do not intentionally collect sensitive personal data beyond what is necessary for lawful purposes (e.g., financial or identity verification for partners). Where required, we seek explicit consent.
5. How We Use Your Personal Data
We use personal data for the following purposes. Where the DPDP Act requires a lawful ground, we rely on your consent, performance of a contract, legal obligation, or legitimate uses permitted under applicable law (such as fraud prevention or network security).
5.1 Core Service Delivery
- Account creation and authentication — registering you, verifying your phone or email, and securing your account
- Order matching and dispatch — connecting customers with available driver partners based on location, vehicle type, and demand
- Routing and navigation — calculating routes, ETAs, and turn-by-turn guidance for drivers
- Order fulfilment — sharing limited pickup/drop and contact details between customers and assigned drivers
- Payments and settlements — processing customer payments, driver payouts, refunds, invoices, and wallet operations
- Real-time tracking — showing live location of vehicles during active trips to relevant parties
5.2 Safety, Trust, and Compliance
- Verifying driver identity, licences, and vehicle documents
- Detecting fraud, abuse, duplicate accounts, and policy violations
- Investigating accidents, disputes, or safety incidents
- Complying with tax, accounting, transport, and regulatory requirements
- Responding to lawful requests from courts, police, or government authorities
5.3 Customer Support and Communications
- Resolving complaints, lost-item reports, and billing queries
- Sending transactional messages (OTP, booking confirmation, driver assigned, delivery completed)
- Sending service announcements, policy updates, and—where you have opted in—marketing offers
5.4 Product Improvement and Analytics
- Analysing aggregated usage patterns to improve matching algorithms, pricing, and user experience
- Conducting surveys and A/B tests
- Debugging errors and monitoring app performance
5.5 Business and Enterprise Features
- Managing corporate accounts, central billing, usage reports, and authorised sub-users
- Enforcing business-specific pricing, credit limits, and service-level terms
We will not use your personal data for purposes incompatible with those described above without notifying you and, where required, obtaining fresh consent.
6. Location Data — Specific Notice
Location information is essential for a logistics platform like Carryoo.
| When | What we collect | Who sees it |
|---|---|---|
| Customer app | Pickup/drop pin or address; optional live sharing during an active booking | Assigned driver; our systems for support |
| Driver app | Continuous or periodic GPS while online and during trips; background location if enabled | Customers during active trips; dispatch systems; not public |
| Inactive periods | Generally not collected beyond what your OS permits for app functionality | — |
You can control location permissions through your device settings. Disabling location may prevent you from booking rides, going online as a driver, or receiving accurate ETAs.
We retain trip route data only as long as needed for operations, disputes, safety investigations, and legal retention periods (see Section 9 and Section 2.3).
7. How We Share Personal Data
We do not sell your personal data. We share it only as described below.
7.1 Between Platform Users (Service-Necessary Sharing)
| Shared with | Data shared | Why |
|---|---|---|
| Assigned driver | Customer first name, pickup/drop address, contact phone (often masked or click-to-call), package notes, payment mode (not full card details) | Fulfil the trip |
| Customer | Driver name, photo, vehicle number, live location during trip, rating | Safety and tracking |
| Business admin | Trip history and billing for users under their organisation | Enterprise reporting |
7.2 Service Providers and Processors
We engage trusted third parties who process data on our instructions, including:
| Category | Examples of providers |
|---|---|
| Cloud hosting & databases | Infrastructure and backup providers |
| Payment processing | Payment gateways, banks, UPI/ card networks |
| Maps & routing | Mapping, geocoding, and navigation SDKs |
| Communications | SMS, push notification, email, and telephony vendors |
| Analytics & crash reporting | Product analytics and error monitoring tools |
| Identity & KYC | Document verification and background check partners |
| Customer support tools | Ticketing and chat platforms |
These parties are contractually required to protect your data and use it only for the services they provide to us.
7.3 Business Partners and Affiliates
Where you use Carryoo Business or promotional programmes, we may share limited data with the corporate account owner or programme partners as disclosed at sign-up.
7.4 Legal and Safety Disclosures
We may disclose personal data when we believe in good faith that disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or governmental request
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of Carryoo, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
7.5 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction, subject to confidentiality and continued protection consistent with this Policy.
7.6 Aggregated and De-Identified Data
We may share statistics that do not identify individuals (e.g., average delivery times in our service areas) for research, marketing, or industry reports.
8. International Data Transfers
Our primary systems are located in India. Some service providers may process data on servers outside India. Where personal data is transferred internationally, we implement appropriate safeguards as required under the DPDP Act and applicable rules, such as contractual clauses and assessments of recipient jurisdictions.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes in this Policy, unless a longer period is required or permitted by law.
| Data type | Typical retention |
|---|---|
| Account profile | While account is active + reasonable period after deletion request |
| Trip and order records | As required for tax, accounting, and transport regulations (often 5–8 years for financial records) |
| Location & route logs | Duration of trip + limited period for disputes and safety (unless law requires longer) |
| Support communications | Up to 3 years after case closure, unless litigation holds apply |
| Marketing consents | Until withdrawn + proof of consent period |
| Driver KYC documents | As required by law and partner onboarding rules |
When retention ends, we delete or irreversibly anonymise data in accordance with our data retention schedule.
10. Security Measures
We implement administrative, technical, and organisational measures designed to protect personal data, including:
- Encryption in transit (TLS/HTTPS) and encryption at rest where appropriate
- Role-based access controls for employees and contractors
- Secure authentication, including OTP and session management
- Regular monitoring, logging, and incident response procedures
- Vendor security assessments for critical processors
No method of transmission or storage is completely secure. You are responsible for safeguarding your device, OTPs, and account credentials. Report suspected unauthorised access immediately to support@nashikflow.app.
11. Your Rights and Choices
Under the DPDP Act and our practices, you may have the following rights in relation to your personal data (subject to applicable exceptions):
| Right | What it means | How to exercise |
|---|---|---|
| Right to access | Obtain a summary of personal data we hold about you and the processing activities | Email support@nashikflow.app or use in-app privacy settings where available |
| Right to correction | Update inaccurate or incomplete personal data | Edit profile in-app or contact support |
| Right to erasure | Request deletion of personal data when it is no longer necessary or consent is withdrawn | Submit a deletion request (see below); some data may be retained where required by law |
| Right to withdraw consent | Stop processing that relies on consent (e.g., marketing, optional location) | Use opt-out links, device settings, or contact support |
| Right to grievance redressal | Raise concerns with our Grievance Officer | See Section 12 |
| Nomination | Nominate another individual to exercise your rights in the event of death or incapacity | Contact support with required documentation |
11.1 Account deletion
For full steps, data deleted or kept, and retention periods required by Google Play, see Section 2 (Account and data deletion) above.
You may also request deletion by emailing support@nashikflow.app from your registered email or phone. We will verify your identity before processing.
11.2 Marketing Opt-Out
You may opt out of promotional SMS, email, or push notifications via message instructions or app settings. Transactional messages related to active bookings cannot be fully opted out while you use the Services.
11.3 Driver Partners
Drivers who wish to stop processing must go offline, close their partner account, and settle outstanding payouts. Certain records (trips, tax, KYC) may still be retained as required by law.
12. Grievance Officer and Contact
In accordance with applicable Indian law, you may contact our Grievance Officer for privacy-related complaints:
| Entity | [Legal Entity Name] — Carryoo |
| support@nashikflow.app | |
| Business enquiries | business@nashikflow.app |
| Grievance Officer | [Grievance Officer Name] |
| Address | [Registered Office Address, Nashik, Maharashtra, India] |
| Response time | We aim to acknowledge complaints within 24–48 hours and resolve them within 30 days, or as prescribed by law |
If you are not satisfied with our response, you may have the right to approach the Data Protection Board of India under the DPDP Act once fully operational.
13. Cookies and Similar Technologies (Web)
When you use our website or web-based admin tools, we and our partners may use cookies, pixels, and local storage to:
- Keep you signed in
- Remember preferences
- Measure traffic and performance
You can control cookies through your browser settings. Disabling essential cookies may affect functionality.
14. Children’s Privacy
The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact support@nashikflow.app and we will take steps to delete it.
15. Third-Party Links and SDKs
The Platform may contain links to third-party websites or integrate third-party SDKs (maps, payments, analytics). Their privacy practices are governed by their own policies. We encourage you to review those policies before providing them information.
16. Changes to This Policy
We may update this Policy from time to time to reflect changes in law, technology, or our Services. We will post the revised Policy with an updated “Last updated” date and, where required, notify you through the app, email, or SMS. Continued use after the effective date constitutes acceptance of the revised Policy, to the extent permitted by law.
17. Definitions
| Term | Meaning |
|---|---|
| Personal data | Data about an identifiable individual as defined under the DPDP Act |
| Processing | Any operation performed on personal data, including collection, storage, use, disclosure, and deletion |
| Data Principal | The individual to whom the personal data relates (you) |
| Data Fiduciary | Carryoo, which determines the purpose and means of processing |
18. Summary Table — Data Uses at a Glance
| Purpose | Data used | Legal basis (typical) |
|---|---|---|
| Create account | Phone, name, email | Contract / consent |
| Match & deliver order | Location, addresses, contacts | Contract |
| Process payment | Payment method, transaction data | Contract / legal obligation |
| Driver onboarding | ID, licence, vehicle, bank details | Contract / legal obligation |
| Support | Communications, order history | Contract / legitimate use |
| Improve app | Usage, device, crash logs | Legitimate use / consent |
| Marketing | Contact, preferences | Consent |
| Legal compliance | Relevant records | Legal obligation |
© [Legal Entity Name]. All rights reserved.
For questions about this Policy: support@nashikflow.app