Privacy Policy

Last Updated: May 13, 2026 | Effective: May 13, 2026

Summary: We collect only what's needed to run the platform. We never sell your data. You can request deletion at any time. Read on for full details.

1. Who We Are

HyperLocalExpress Pvt. Ltd. ("Company", "we", "us", or "our") operates the HyperLocalExpress hyperlocal delivery platform accessible at app.hyperlocalexpress.in, shop.hyperlocalexpress.in, rider.hyperlocalexpress.in, and related mobile applications (collectively, the "Platform").

Registered Address: [Your Registered Address], Bengaluru, Karnataka – 560001, India.
Data Protection Officer: privacy@hyperlocalexpress.in

2. Information We Collect

2.1 Information You Provide Directly

  • Account registration: Name, mobile number, email address, delivery address, profile photo.
  • Shop registration: Shop name, owner name, GST number, FSSAI licence, PAN card, bank account details, shop photo.
  • Rider registration: Name, mobile, address, Aadhaar card, PAN card, driving licence, vehicle details, RC book, insurance certificate, bank account details.
  • Orders: Items ordered, delivery address, special instructions, payment information.
  • Communications: Messages sent to support, reviews and ratings, complaint details.

2.2 Information Collected Automatically

  • Location data: With your permission, precise GPS location during active deliveries for live tracking. Approximate location for finding nearby shops.
  • Device information: Device type, operating system, browser type, IP address, app version.
  • Usage data: Pages visited, features used, time spent, clicks, search queries.
  • Transaction data: Payment method type (not full card numbers), transaction ID, amount, timestamp.
  • Cookies and similar technologies: Session cookies, preference cookies. See Section 8.

2.3 Information from Third Parties

  • Payment processors (Razorpay) — transaction status only.
  • SMS/OTP providers (Twilio) — delivery confirmation only.
  • Maps provider (Google Maps) β€” for routing and address validation.

3. How We Use Your Information

Purpose | Legal Basis
Provide and operate the Platform (account creation, order processing, delivery) | Contract performance
Verify your identity via OTP and document KYC | Legal obligation
Process payments and prevent payment fraud | Contract performance + Legitimate interest
Connect customers with shops and assign riders to orders | Contract performance
Send order status updates, OTP, and service notifications (SMS/email/push) | Contract performance
Resolve disputes, refunds, and customer complaints | Contract performance + Legal obligation
Improve the Platform through usage analysis | Legitimate interest
Send promotional offers and new feature announcements (with opt-out) | Consent
Comply with applicable laws and regulatory requirements | Legal obligation
Detect and prevent fraud, abuse, and security incidents | Legitimate interest

4. Sharing of Your Information

We do not sell your personal data. We share it only in these circumstances:

  • Between platform users: Customer name and delivery address shared with assigned rider. Customer name and order details shared with the shop. Rider's first name and vehicle type shared with customer for tracking.
  • Service providers: Payment processors, SMS providers, cloud storage, mapping services — bound by data processing agreements.
  • Legal requirements: Courts, law enforcement, or government authorities when required by law.
  • Business transfer: In the event of a merger, acquisition, or sale of assets, with notice to users.
  • With your consent: Any other purpose for which you explicitly consent.

5. Data Retention

  • Active accounts: Retained for as long as your account is active.
  • Deleted accounts: Personal identifiers deleted within 30 days. Transaction records retained for 7 years per GST and accounting law.
  • Order data: Retained for 7 years for GST/tax compliance.
  • KYC documents: Retained per RBI/FSSAI guidelines (minimum 5 years after last transaction).
  • Audit logs: Retained for 90 days, then deleted.
  • Server logs: Retained for 30 days, then deleted.

6. Your Rights

Under the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable Indian law, you have the right to:

  • Access: Request a copy of personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your data (subject to legal retention requirements).
  • Grievance redressal: Lodge a complaint with our Grievance Officer (see Section 11).
  • Withdraw consent: Opt out of marketing communications at any time via Account → Preferences → Notifications.
  • Nominate: Nominate another person to exercise rights on your behalf in case of incapacity or death.

To exercise any right, email us at privacy@hyperlocalexpress.in. We respond within 30 days.

7. Data Security

We implement the following security measures:

  • All data transmitted over HTTPS/TLS 1.2+.
  • Passwords hashed using bcrypt (12 rounds).
  • JWT tokens with 15-minute expiry and refresh token rotation.
  • Database encrypted at rest (Neon PostgreSQL).
  • Sensitive fields (bank account, Aadhaar) encrypted with AES-256.
  • Admin panel protected by mandatory Two-Factor Authentication (TOTP).
  • Rate limiting and brute-force protection on all login endpoints.
  • Regular security audits and penetration testing.

Despite these measures, no system is 100% secure. If you suspect a breach, contact us immediately at security@hyperlocalexpress.in.

8. Cookies & Tracking Technologies

We use the following cookies:

  • Essential cookies: Session authentication, CSRF protection. Cannot be disabled.
  • Preference cookies: Dark mode, language, address preferences. Stored for 30 days.
  • Analytics cookies: Anonymous usage analytics to improve the Platform. You may opt out via browser settings.

We do not use third-party advertising cookies or cross-site tracking pixels.

9. Children's Privacy

The Platform is not directed to children under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe a minor has provided us data, contact: privacy@hyperlocalexpress.in.

10. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you via in-app notification and SMS at least 15 days before the changes take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

11. Grievance Officer

As required under the IT Act, 2000 and DPDPA, 2023, we have designated a Grievance Officer for privacy complaints:

Name: [Grievance Officer Name]

Designation: Grievance Officer

Address: HyperLocalExpress Pvt. Ltd., [Address], Bengaluru – 560001

Email: grievance@hyperlocalexpress.in

Phone: +91-98765 43210 (Mon–Sat, 10 AM–6 PM)

Response time: Within 30 days of receipt

For privacy questions not covered above, write to privacy@hyperlocalexpress.in.