Privacy Policy

Effective Date: December 11, 2025
Last Updated: December 11, 2025

Giryug (“We,” “Us,” “Our,” or “Company”) is committed to protecting the privacy of Indian users. This Privacy Policy (“Policy”) explains our data practices for collecting, using, and managing your personal information through the Giryug mobile application (“App”).

This Policy applies to all Indian users (“You,” “User,” or “Customer”) of the Giryug App. The Digital Personal Data Protection Act, 2023 (DPDP Act) and related regulations form the foundation of our data protection practices.

By accessing or using the Giryug App, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

2. Legal Framework and Compliance

2.1 Applicable Indian Laws

This Privacy Policy is governed by and complies with the following Indian legislation:

Digital Personal Data Protection Act, 2023 (DPDP Act):

India’s comprehensive data protection law governing digital personal data processing
Enforced through the Digital Personal Data Protection Rules, 2025
Establishes rights for Data Principals (users) and obligations for Data Fiduciaries (Giryug)
Administered by the Data Protection Board of India

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

Rules 3 and 4 govern the protection of sensitive personal data
Requires reasonable security practices and data handling procedures

Reserve Bank of India (RBI) Guidelines:

Master Direction on Digital Payment Security Controls (for payment-related data)
Know Your Customer (KYC) norms and data localization requirements
All data must be stored within Indian territory unless specifically exempted

Telecommunications (Processing of Sensitive Personal Data) Rules, 2021:

Governs collection and processing of telecom-related sensitive data
Includes contact numbers and communication preferences

Other Applicable Laws:

Information Technology Act, 2000 (ITA 2000)
Indian Penal Code (cybercrime and data theft provisions)
Bharatiya Nyaya Sanhita, 2023 (criminal law framework)
State-specific privacy and data protection regulations

2.2 DPDP Act Compliance Framework

Under the DPDP Act, Giryug acts as a “Data Fiduciary” and you are the “Data Principal.”

Key Principles:

Consent must be free, specific, informed, and unambiguous
Consent provided through clear affirmative action (explicit opt-in only)
Data collection limited to specified and lawful purposes only
Processing limited to minimum necessary data
Complete transparency in all data handling practices

3. Information We Collect

3.1 Information You Provide Directly

Contact Information:

Phone number (sensitive personal data)
Email address (sensitive personal data)
Full name
Residential address
Identification document details (Aadhar, PAN, Driving License if required)

Account Information:

Username and password
Profile picture or avatar
Personal preferences and settings
Account verification documents

Communication Data:

Messages and correspondence
Customer support requests and responses
Feedback, reviews, and complaints
Communication preferences

3.2 Location Information (Sensitive Personal Data)

Precise Location Data:

GPS coordinates from your mobile device
Real-time location during app usage
Location history accessed through the application
Device-based geolocation data

Collection Mechanism:
We collect location data ONLY when you explicitly grant permission through your device’s location settings. A clear permission request will appear before any location access.

Control Over Location:

Disable location through App settings
Disable through device operating system settings
Withdraw location permission at any time
Clear location history on demand

Usage of Location Data:

Location-specific service delivery
Proximity-based recommendations
Route optimization and navigation
Safety and security purposes

Location data is treated as highly sensitive under Indian law and receives enhanced protection.

3.3 Device Information

Device type, model, and unique identifier
Operating system version
Device settings and specifications
Mobile network operator information
Unique device identifiers (IMEI, UDID)

3.4 Usage Information

Features and functions accessed within the App
Pages and sections viewed
Frequency and duration of App usage
Search queries and preferences
Technical logs and crash reports
Interactions with content and other users

3.5 Payment Information

Data Collected:

Transaction history and receipts
Payment method details (processed securely through third-party gateways)
Billing address information
UPI and card transaction references

Storage Compliance:

All payment-related data stored exclusively in India (RBI requirement)
No cross-border transfer of payment data
Processed through certified payment gateways
PCI-DSS compliance maintained

Card Details:

Card information NOT retained by Giryug
Securely processed through trusted payment processors only

3.6 Automatically Collected Information

IP address and internet service provider information
Server logs and timestamps
Cookies and similar tracking technologies
Analytics data for App improvement and performance

4. Legal Basis for Data Processing

4.1 Consent-Based Processing

Primary Legal Basis:
Processing of your personal data is based on your freely given, specific, informed, and unambiguous consent provided through clear affirmative action.

How Consent is Obtained:

Explicit opt-in through checkboxes (never pre-ticked)
Separate consent for each processing purpose
Clear, plain-language consent notices
Withdrawal mechanism available at any time
No bundled or forced consent

Consent Notice Content:
Before collecting sensitive data (contact number, email, location), we provide a clear notice containing:

What data will be collected
Purpose of collection
How data will be processed
Duration of storage
Your rights as Data Principal
Grievance redressal mechanism

4.2 Lawful Processing Without Explicit Consent

In specific circumstances, we may process data without explicit consent:

Providing contracted services (fulfilling your explicit request)
Complying with legal obligations (law, court orders, RBI directives)
Preventing fraud and financial crimes
Protecting against unauthorized access
Maintaining App security and preventing abuse

5. Data Sharing and Disclosure

5.1 Third-Party Service Providers

We may share your information with trusted service providers, but ONLY for purposes specified in our consent notice and only when necessary.

Categories of Service Providers:

Cloud hosting and data storage providers (data stored in India only)
Payment processors and payment gateway operators
Customer support and ticketing platforms
Analytics and monitoring services
SMS and email delivery service providers (telecom-regulated)
Map and navigation services

Contractual Safeguards:

Service providers bound by strict Data Processing Agreements
Cannot use your data beyond specified purpose
Must implement security measures equivalent to ours
Must be certified to handle sensitive data in India
Regular audits and compliance checks

5.2 Sensitive Data Restrictions

Contact Number, Email, and Location Data:

NOT shared with third parties for marketing or profiling
Shared only with service providers absolutely necessary for App functionality
Never sold to data brokers or marketing agencies
NOT transferred outside India without explicit legal requirement
Enhanced protection and audit trails

5.3 Legal Compliance and Law Enforcement

We may disclose your information when:

Required by court order or legal process
Directed by RBI, CERT-In, or law enforcement authorities
Necessary to prevent fraud, cybercrime, or financial crimes
Required to comply with anti-money laundering (AML) or Know Your Customer (KYC) norms
Ordered by government agencies authorized under Indian law

Notification:
We will attempt to notify you of such disclosure unless legally prohibited from doing so.

5.4 Business Transfers

If Giryug undergoes merger, acquisition, bankruptcy, or asset sale, your data may be transferred as part of that transaction. Your privacy rights remain unchanged, and you will be notified. If privacy terms significantly change, you have the right to withdraw consent.

5.5 No Data Selling or Profiling

Under DPDP Act principles, we explicitly do NOT:

Sell personal data to other companies
Engage in unauthorized profiling or behavioral analysis
Share data with unrelated third parties without consent
Permit data brokers to access your information
Share sensitive data for commercial purposes

6. Data Retention

6.1 Retention Periods

We retain your personal information for the minimum period necessary:

Contact Information (Phone, Email):

Retained as long as your account is active
6 months after account deletion (for legal and tax compliance)
Longer if legally required by RBI or tax authorities

Location Data:

Real-time location: Deleted immediately after session ends
Location history: Retained for 90 days maximum unless longer retention needed for service
Precise location: Not retained beyond operational necessity

Payment Data:

Transaction records: 7 years (as per RBI and tax compliance requirements)
Card and UPI details: NOT retained (processed through secure gateways only)
Billing information: 7 years (for audit and compliance)

Usage and Analytics Data:

Aggregated, anonymized data: Retained indefinitely
Identifiable usage data: Deleted after 12 months

Customer Support and Communication:

Support tickets: Deleted after 2 years
Email correspondence: Deleted after 3 years
Chat logs: Deleted after 1 year

6.2 Data Deletion (Right to Erasure)

You have the right to request deletion:

Submit deletion request through App settings or help@giryug.in
We will delete your data within 30 days (or as required by law)
Some data retained only if legally mandated (RBI KYC, tax compliance)
Deletion confirmation provided with reference number

Automatic Deletion:

Inactive accounts: Deleted after 24 months of inactivity
Temporary data: Automatically purged after retention period expires
Cookies: Cleared automatically after session ends

7. Your Privacy Rights Under DPDP Act

7.1 Right to Access

You have the right to:

Access all personal data Giryug holds about you
Receive a copy of your data in a portable, machine-readable format
Know what data is being processed and for what purpose
Request confirmation of processing activities
Understand the legal basis for processing

How to Exercise:

Contact: privacy@giryug.in
Provide proof of identity (government-issued ID)
Response time: 30 days maximum
Format: Structured, commonly used format

7.2 Right to Correction (Right to Rectification)

You may:

Correct inaccurate or incomplete information
Update your profile details through App settings
Request we verify accuracy of sensitive data
Have corrections logged and traceable
Know who accessed the data

Process:

Self-service corrections: Immediate through App
Correction requests: Processed within 30 days
Confirmation provided with timestamp

7.3 Right to Erasure (Right to Be Forgotten)

You can request deletion of your personal information except where:

Legally required to retain (RBI KYC, tax law, court orders)
Necessary for stated contractual purpose
Retention mandated by regulatory authorities
Essential for security or fraud prevention
Needed for legal defense or compliance

Exceptions to Erasure:

Transaction records (7 years – RBI requirement)
KYC and verification documents (as long as account active)
Data required by law enforcement (with proper authorization)
Aggregated, anonymized data (not personal)

Process:

Submit deletion request through App or email
Provide reason for deletion (optional)
Response within 30 days

7.4 Right to Data Portability

You have the right to:

Receive your data in structured, machine-readable format (CSV, JSON, PDF)
Transfer data to another service provider
Data provided within 30 days at no cost
Format suitable for re-use

Included Data:

Personal profile information
Transaction history
Communication records
Usage data

Not Included:

Derived or inferred data
Data shared by other users
Aggregated data

7.5 Right to Withdraw Consent

You may withdraw consent at any time by:

Clicking “Withdraw Consent” in App settings
Disabling location permissions
Unsubscribing from communications
Contacting privacy@giryug.in
Disabling specific data processing categories

Effect of Withdrawal:

Future processing stops immediately
Past processing remains valid and lawful
You may be unable to use certain App features
No penalty or discrimination for withdrawal

7.6 Right to Grievance Redressal

If you believe your privacy rights are violated:

Contact: privacy@giryug.in with detailed complaint
Internal review within 15 days
If unsatisfied, escalate to Data Protection Officer
Right to approach Data Protection Board of India
Right to legal recourse through Indian courts

DPO Contact:

Email: dpo@giryug.com
Response: Within 30 days

8. Data Security

8.1 Security Measures

We implement industry-leading security controls to protect your information:

Encryption:

End-to-end encryption for sensitive data transmission
AES-256 encryption for data at rest
TLS 1.2 or higher for all data in transit
Contact numbers, emails, and location encrypted with secure protocols
Regular encryption key rotation

Access Controls:

Multi-factor authentication (MFA) for account access
Role-based access controls (RBAC) for staff
Principle of least privilege
Regular access audits and monitoring
Staff authorization reviews

Infrastructure Security:

Firewalls and intrusion detection systems
Data stored exclusively within India (RBI compliance)
Secure cloud infrastructure (ISO 27001 certified)
Network segmentation and monitoring
DDoS protection and mitigation

Regular Security Practices:

Penetration testing by certified security professionals (quarterly)
Annual comprehensive security audits
Vulnerability assessment and timely patching
Malware scanning and real-time protection
Security staff training (annual, mandatory)

8.2 Data Breach Notification

In case of a security breach affecting your data:

Timeline:

Notification to Data Protection Board: Within 72 hours (as required)
Notification to affected users: Without unreasonable delay (typically within 7 days)
Details provided: Nature of breach, data affected, steps taken

Notification Content:

Description of the data breach
Which personal data was compromised
Date and time of breach discovery
Actions you should take to protect yourself
Contact information for support and questions
Available remedies and assistance

Support Provided:

Free credit monitoring (if financial data involved)
Identity theft protection services (up to 2 years)
Assistance in filing complaints with authorities
Regular updates on investigation status

8.3 Security Limitations

While we employ robust security measures, no online system is 100% secure. Internet transmission carries inherent risks. We cannot guarantee absolute security of your information, but we maintain industry-standard protections and continuously improve our security posture.

8.4 Employee and Vendor Training

All staff handling personal data receive mandatory DPDP Act training
Annual refresher training on data protection and privacy practices
Vendors and service providers certified for data handling
Non-Disclosure Agreements (NDA) signed by all personnel
Background checks for employees with data access
Termination procedures include data access removal

9. Location Data Handling

9.1 Location Permissions and Controls

Permission Request:

Clear, plain-language permission request before accessing location
Separate requests for precise versus approximate location
You control permissions entirely through device settings
No location access without explicit permission

Granular Controls:

Enable/disable location anytime through App settings
Switch between “Always,” “While Using App,” “Never”
Clear location history through App settings
Disable location tracking in background
Manage frequency of location updates

9.2 Usage of Location Data

Permitted Uses:

Showing nearby services and opportunities
Route optimization and navigation
Delivery and pickup location verification
Safety features (emergency location sharing if enabled)
Service quality improvement in specific geographic areas

NOT Used For:

Behavioral profiling or tracking patterns
Selling to third-party marketers or data brokers
Sharing with unrelated service providers
Mass surveillance or continuous tracking
Creating movement profiles
Discriminatory purposes

9.3 Location Data Sharing

Strict Sharing Limitations:

Never shared with third parties without your explicit consent
Not sold to data brokers or marketing agencies
Shared only with service providers absolutely necessary:
- Map and navigation providers
- Delivery and logistics partners (with your consent)
- Customer support (only if you report location-based issue)

Law Enforcement Exception:

Shared only with court order or legal authority
You will be notified when possible (unless legally prohibited)

9.4 Disabling Location Services

You can disable location tracking at any time:

Through App: Settings → Privacy → Location Services
Through device: Device Settings → Location → Giryug
Immediately stops location data collection
Does not affect other App features

10. Cookies and Tracking Technologies

10.1 Types of Tracking Technologies Used

Cookies:

Session cookies (temporary, deleted after session ends)
Persistent cookies (remember preferences across sessions)
Third-party cookies (limited, only necessary vendors)

Other Technologies:

Web beacons and pixels (for analytics)
Local storage (device-level preference storage)
Software development kits (SDKs) for analytics
Device fingerprinting (limited use)

10.2 Purpose of Tracking Technologies

Remembering your preferences and settings
Analyzing usage patterns for App improvement
Detecting fraudulent activities and unauthorized access
Delivering relevant features and notifications
Measuring feature performance and user engagement

10.3 Limiting Tracking

You may:

Disable cookies through App Settings → Privacy
Clear cookies from your device
Opt-out of analytics through App settings
Use device’s “Do Not Track” feature
Withdraw consent for tracking anytime

11. Children’s Privacy

11.1 Age Restrictions

The Giryug App is NOT intended for persons under 18 years of age.

We do not knowingly collect personal information from children under 18 without verifiable parental/guardian consent.

11.2 Parental Consent and Controls

If a minor uses the App with parental consent:

Parents may request access to child’s data
Parents may request data deletion
Parents may withdraw consent
Contact: privacy@giryug.in

Safeguards for Minors:

No behavioral profiling of minors
No targeted advertising to minors
Limited data retention for minors
Special safeguards for location data
No sale of minor’s data

11.3 Rights of Parents and Guardians

Parents or guardians may:

Request details of their child’s data
Request data deletion
Withdraw consent for processing
Escalate concerns to Data Protection Officer
Request audit of child’s data usage

Contact for Parental Rights:

Email: privacy@giryug.in
Reference: Parental Rights Request
Response time: 30 days

12. International Data Transfers

12.1 Data Localization (Data Residency)

Data Storage Location:
Your personal data is stored exclusively within India in strict compliance with RBI and DPDP Act requirements.

Commitment to India-Only Storage:

Personal data stored on servers located in India
Contact numbers, emails, location data remain in India
Payment data stored in India (RBI mandate, non-negotiable)
No international data centers for personal data

Exception:

Transfer abroad only if legally authorized by:
- Court order
- Government directive
- Regulatory authority (RBI, CERT-In)
You will be notified of any such transfer

12.2 Restrictions on Prohibited Countries

As per DPDP Act and government directives, we do not transfer personal data to countries designated on the “negative list” notified by the Indian government or for restricted purposes.

13. Regulatory Authorities and Grievance Escalation

13.1 Data Protection Board of India

If we fail to redress your privacy complaint, you have the right to escalate to:

Data Protection Board of India:

Established under DPDP Act, 2023
Independent authority to handle privacy complaints
Authority to issue corrective orders and penalties
Website: www.dataprotectionboard.gov.in

How to File Complaint:

Access board portal at official website
Submit complaint with details of violation
Include attempts to resolve with Giryug (if any)
Provide supporting documentation
Board will investigate and issue decision

13.2 RBI Complaints (Payment and Financial Data)

For issues related to payment or financial data:

Reserve Bank of India:

Complaint Portal: https://www.rbi.org.in
Contact your bank’s grievance department
File complaint for unauthorized transactions
Escalate payment security concerns

13.3 CERT-In (Cybersecurity Issues)

For data breaches or cyber security incidents:

Indian Computer Emergency Response Team (CERT-In):

Website: www.cert-in.org.in
Report security breaches affecting multiple users
Notify of critical security vulnerabilities

13.4 Other Regulatory Authorities

Telecom Regulatory Authority of India (TRAI):

Complaints regarding misuse of contact numbers
Spam and unsolicited communications
Website: www.trai.gov.in

State Consumer Protection Authorities:

For consumer protection violations
Unfair trade practices
Local jurisdiction protection

14. Contact Us

14.1 Privacy Inquiries and Requests

Primary Contact:

Email: help@giryug.com
Phone: +91 79 0003 9191
Response Time: Within 30 days

Mailing Address:
Giryug
Dombivli East 421201
Maharashtra
India

14.2 Data Protection Officer

For DPDP Act-related concerns and formal requests:

Email: dpo@giryug.in
Response Time: Within 30 days

14.3 Escalation Process

If unsatisfied with our response:

First Escalation: Contact Data Protection Officer (DPO) with reference to initial response
Second Escalation: File formal complaint with Data Protection Board of India
Third Escalation: Legal recourse through Indian courts (appropriate jurisdiction)
Concurrent: File complaint with relevant regulatory authority (RBI, TRAI, CERT-In)

15. Privacy Policy Updates

15.1 Changes to This Policy

We may update this Privacy Policy to:

Reflect changes in our data practices
Comply with new DPDP Act updates or RBI circulars
Introduce new features or services
Respond to user feedback and concerns
Address regulatory developments

15.2 Notification of Changes

Material changes will be notified via email and in-App notification
“Last Updated” date will be prominently displayed
You will be given 30 days to review changes
Continued use after notice period constitutes acceptance
Previous versions archived and accessible upon request

15.3 Effective Date

This version is effective as of December 11, 2025. Please review periodically for updates.

16. Sensitive Personal Data Categories

We classify the following as Sensitive Personal Data requiring enhanced protection:

Contact Numbers: Phone data under telecom regulations, restricted sharing
Email Addresses: Communication and identity data, protected from marketing
Location Data: Precise GPS and location history, special consent requirements
Payment Information: Card, UPI, bank details, exclusive RBI protection
Identity Documents: Aadhar, PAN, Driving License copies, highest security
Biometric Data: Fingerprints, facial recognition, if collected
Health Information: Medical records or health data (if applicable)
Financial Records: Bank statements, transaction history beyond 7 years retention

Enhanced Safeguards for Sensitive Data:

Explicit, specific consent required before collection
Stored with AES-256 encryption minimum
Limited sharing (only with necessary service providers)
Separate, extended retention schedule
Annual security audits
Enhanced access controls
Audit trails for all access

17. Complaint Redressal Mechanism

17.1 Internal Grievance Process

Step 1: Contact Us

Email: privacy@giryug.in with subject “Privacy Complaint”
Provide: Your details, specific complaint, supporting evidence
Include: Reference to data or date of incident

Step 2: Acknowledgment

We acknowledge receipt within 5 working days
Assign unique reference number
Provide timeline for resolution

Step 3: Investigation

Internal review conducted within 15 days
Gather facts, documents, and evidence
Interview relevant staff
Assess severity and DPDP Act compliance

Step 4: Resolution

Provide response with findings
Propose remedial action if violation found
Timeline: 30 days maximum from receipt

Step 5: Escalation (if needed)

If unsatisfied, escalate to Data Protection Officer
DPO conducts independent review
Final response with appeal rights
DPO response: 30 days

17.2 External Complaint (Data Protection Board)

If internal resolution unsatisfactory:

File complaint with Data Protection Board of India
Include documentation of our response and complaint details
Board investigates violation
Board issues orders and may impose penalties on us
You receive copy of board’s decision

17.3 Compensation for Violations

If we are found to have violated your privacy rights:

You may claim compensation for damages
Board may order us to pay compensation
Amount determined based on harm suffered
Legal remedies available through courts

18. Acknowledgment and Consent

18.1 Your Acknowledgment

By using the Giryug App, you confirm:

You have read this entire Privacy Policy
You understand our data practices and procedures
You consent to data processing as described
You are at least 18 years old
You agree to comply with this Policy
You are authorized to use the App

18.2 Changes to Terms

We may update this Policy periodically
Material changes require your re-consent
Continued use after notification = acceptance
You may withdraw consent and stop using the App

Version 1.0 (India-Specific, English Only) | Effective: December 11, 2025

Appendix: Key Definitions

Personal Data: Any information that directly or indirectly identifies an individual.

Digital Personal Data: Personal data in digital form or converted to digital form.

Sensitive Personal Data: Contact numbers, emails, location data, payment information, biometric data, health data, identity documents.

Data Fiduciary: Giryug, who determines purposes and means of data processing.

Data Principal: You, the individual whose data is being processed.

Data Processor: Third parties who process data on Giryug’s behalf under contract.

Processing: Any operation on data – collection, storage, use, analysis, sharing, or deletion.

Consent: Free, specific, informed, and unambiguous agreement to data processing.

Data Breach: Unauthorized access, disclosure, loss, or alteration of personal data.

Data Localization: Requirement to store data within Indian territory.

Opt-Out: User choice to decline certain data processing activities.

Right to Erasure: The right to have your data deleted (“Right to Be Forgotten”).

Data Portability: Right to receive your data in portable, machine-readable format.

Withdrawal of Consent: Revoking your permission for data processing at any time.

DPDP Act: Digital Personal Data Protection Act, 2023.

Data Protection Board: Independent authority established to handle privacy complaints and disputes in India.

For Further Clarification:

Giryug Privacy Team
Email: privacy@giryug.in
Data Protection Officer: dpo@giryug.in
Response Time: 30 days maximum

Last reviewed and updated: December 11, 2025