Privacy Policy

SafaiX operates as an aggregator marketplace that connects customers seeking professional car and bike wash services with independent service partners. SafaiX does not itself perform cleaning or detailing services; instead, we provide the technology platform, scheduling infrastructure, payment facilitation, and customer-support framework that enables transactions between customers and partners.

This Privacy Policy applies to all users of the Platform, including customers who book services, partners who fulfil those bookings, and visitors who browse our website. It covers information collected through our Customer PWA, Partner PWA, marketing website, customer-support channels, and any other digital touchpoint operated by SafaiX.

We are committed to protecting your privacy and processing your personal data in accordance with the following Indian legislation and frameworks:

• Information Technology Act, 2000 and the rules framed thereunder, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
• Digital Personal Data Protection Act, 2023 ("DPDPA 2023"), which establishes rights for Data Principals and obligations for Data Fiduciaries with respect to the processing of digital personal data.
• Consumer Protection Act, 2019, and the Consumer Protection (E-Commerce) Rules, 2020, which impose transparency and disclosure obligations on e-commerce entities and marketplace platforms.

Under the DPDPA 2023, SafaiX acts as a Data Fiduciary that determines the purpose and means of processing your personal data. You, as a user of the Platform, are a Data Principal whose data is processed by us.

To operate the Platform effectively and deliver a reliable marketplace experience, we collect and process the following categories of information:

We process your personal data for the following specific, explicit, and lawful purposes:

• Service delivery and marketplace operation: Facilitating the connection between customers and partners, processing bookings, confirming service schedules, enabling real-time tracking of partner arrival, and ensuring successful completion of car and bike wash services.
• Partner matching and dispatch: Using your location, service preferences, and vehicle details to match you with the most suitable available partner based on proximity, availability, service capability, and rating.
• Payment processing and invoicing: Processing payments from customers, generating GST-compliant invoices, managing refunds, and disbursing payouts to partners through secure payment channels.
• Customer support and dispute resolution: Addressing your queries, complaints, and service-quality disputes; investigating reported issues using booking history, service media, and communication logs.
• Platform improvement and analytics: Analysing usage patterns to improve user experience, optimise partner allocation algorithms, develop new features, and enhance overall Platform reliability and performance.
• Regulatory compliance: Maintaining records required under the Goods and Services Tax (GST) Act, Income Tax Act 1961, Reserve Bank of India (RBI) guidelines for payment aggregators, and other applicable legislation.
• Fraud prevention and platform security: Detecting and preventing fraudulent transactions, fake accounts, unauthorized access, spam, and abuse of the Platform through automated monitoring systems and manual review.
• Marketing communications (with consent): Sending promotional offers, service updates, seasonal discounts, referral programme details, and newsletters via email, SMS, push notifications, or WhatsApp. You may opt out at any time (see Section 7).

Under the Digital Personal Data Protection Act, 2023, we process your personal data on one or more of the following lawful grounds:

• Consent (DPDPA Section 6): Where you have provided explicit, informed, and freely given consent for a specific purpose. Consent is collected at the point of registration via clear affirmative action (checking an "I agree" checkbox or tapping an "Accept" button). You may withdraw consent at any time through your account settings, and we will cease processing for that purpose within a reasonable timeframe, subject to legal obligations.
• Contractual necessity: Processing that is necessary for the performance of the service agreement between you and SafaiX. This includes processing bookings, facilitating payments, dispatching partners, and delivering the core marketplace services you have requested.
• Legitimate interests (DPDPA Section 7): Processing that is reasonably necessary for certain legitimate uses, including fraud prevention and detection, ensuring platform security and integrity, conducting internal analytics to improve service quality, and enforcing our Terms of Service. We balance these interests against your rights and ensure that such processing does not override your fundamental data protection rights.
• Legal obligations (DPDPA Section 7): Processing required to comply with applicable laws, including maintenance of tax records under the Income Tax Act 1961 and GST Act, compliance with RBI guidelines for payment aggregators, responding to lawful requests from law enforcement agencies, courts, or regulatory authorities, and meeting record-keeping requirements under the IT Act 2000.

We do not sell your personal data. We share your information only in the following circumstances and with the following categories of recipients:

• Service partners: When you place a booking, we share your first name, service address, phone number, and vehicle details (make, model, registration number) with the assigned partner solely to enable service delivery. Partners do not receive your email address, payment details, or complete account information.
• Payment processors: Transaction details (amount, order ID, customer and partner identifiers) are shared with our payment gateway partner for secure payment processing, settlement, and refund handling.
• Cloud and infrastructure providers: Your data is stored on secure cloud infrastructure. Our hosting and storage providers act as Data Processors under contractual agreements that require them to protect your data and use it only as instructed by SafaiX.
• Communication service providers: We use third-party services for sending SMS (including OTPs), transactional emails, and push notifications. These providers receive only the data necessary to deliver the communication (e.g., phone number for SMS, email address for email).
• Analytics providers: We share anonymised and aggregated usage data with analytics services to understand Platform performance and user behaviour. No personally identifiable information is shared for analytics purposes.
• Law enforcement and regulatory authorities: We may disclose your personal data when required by law, in response to valid court orders, subpoenas, or government requests, or when necessary to protect national security, public order, or the rights and safety of individuals.
• Business transfers: In the event of a merger, acquisition, restructuring, asset sale, or bankruptcy, your personal data may be transferred as part of the transaction. We will notify you via email or prominent notice on the Platform before your data is transferred and becomes subject to a different privacy policy.
• Aggregated and anonymised data: We may share aggregated, de-identified data that cannot reasonably be used to identify you for purposes such as industry reports, academic research, marketing materials, and business development.

Your consent is central to how we collect and process personal data. We obtain and manage consent as follows:

• Explicit consent at registration: When you create an account on the Customer PWA or Partner PWA, you are required to review and accept this Privacy Policy and our Terms of Service. Your acceptance constitutes explicit, informed consent to the data processing activities described herein.
• Granular consent for specific features: We request separate, granular consent for (a) access to your device's location services, (b) delivery of push notifications, and (c) receipt of marketing and promotional communications. You may grant or deny each of these permissions independently.
• Right to withdraw consent: You may withdraw your consent for any specific processing activity at any time by adjusting your preferences in the account settings section of the Platform, or by contacting us at grievance@safaix.app. Withdrawal of consent will not affect the lawfulness of processing carried out prior to such withdrawal.
• Consequences of withdrawal: If you withdraw consent for core processing activities (such as location access required for partner dispatch), certain features of the Platform may become unavailable or limited. We will clearly inform you of any functional impact before processing your withdrawal request.
• Parental consent for minors: In accordance with Section 9 of the DPDPA 2023, users under the age of 18 years may only use the Platform with verifiable parental or guardian consent. We implement reasonable age-verification measures and require a parent or legal guardian to provide documented consent before a minor's account can be activated.

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Policy, or as required by applicable law. Our retention periods are as follows:

• Active accounts: Personal data associated with your account is retained for the duration of your relationship with SafaiX (i.e., while your account remains active) plus an additional 7 years following account closure to comply with tax, financial, and regulatory record-keeping requirements.
• Inactive accounts: If your account has been inactive for 3 years (no login, booking, or other activity), we will either anonymise or delete your personal data, unless retention is required by law. You will receive a notification before any such action is taken.
• Payment and financial records: Transaction records, invoices, payout details, and related financial data are retained for a minimum of 7 years in compliance with RBI guidelines, the Income Tax Act 1961 (Section 44AA), and the GST Act's record-keeping provisions.
• Legal dispute records: Data relevant to legal proceedings, disputes, or complaints is retained until the matter is fully resolved plus the applicable limitation period under the Limitation Act, 1963.
• Anonymised data: Data that has been irreversibly anonymised (such that it can no longer identify any individual) may be retained indefinitely for analytical, statistical, and business-intelligence purposes.

When personal data is no longer required, we securely delete or anonymise it using industry-standard methods to prevent reconstruction or re-identification.

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:

• Right to Access (Section 11): You have the right to request a summary of the personal data we hold about you and the processing activities carried out with that data. Upon receiving a valid request, we will provide this information within 30 days.
• Right to Correction (Section 12): You have the right to request correction of any inaccurate or incomplete personal data we hold about you. You can update most information directly through your account settings, or contact us for changes that cannot be made self-service.
• Right to Erasure (Section 12): You have the right to request deletion of your personal data, subject to our legal obligations to retain certain records (e.g., financial and tax records for 7 years). Where deletion is not possible due to legal requirements, we will restrict processing and inform you of the specific records retained and the legal basis for retention.
• Right to Data Portability: You have the right to receive a copy of your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) to facilitate transfer to another service provider.
• Right to Withdraw Consent: You may withdraw consent for specific processing activities at any time. Withdrawal will not affect the lawfulness of processing based on consent given before its withdrawal.
• Right to Nominate (Section 14): You have the right to nominate another individual who may exercise your data protection rights on your behalf in the event of your death or incapacity. You can register a nominee through your account settings or by written request to our Grievance Officer.
• Right to Grievance Redressal (Section 13): You have the right to file a complaint with our Grievance Officer regarding any data protection concern. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India established under the DPDPA 2023.

How to exercise your rights: To exercise any of the rights described above, please send a written request to our Grievance Officer at grievance@safaix.app with the subject line "Data Principal Rights Request." Please include your registered name, phone number or email address associated with your account, and a clear description of the right you wish to exercise. We may require identity verification before processing your request.

SafaiX implements comprehensive technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with the reasonable security practices and procedures mandated under Rule 8 of the SPDI Rules, 2011.

• Encryption: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.3. Data stored on our servers is encrypted at rest using Advanced Encryption Standard (AES-256) encryption.
• Access controls: We enforce role-based access controls (RBAC) ensuring that employees and contractors can access only the data necessary for their specific role. All administrative access to production systems requires multi-factor authentication (MFA).
• Infrastructure: Our Platform is hosted on secure cloud infrastructure provided by ISO 27001-certified providers with data centres in India. Our infrastructure includes firewalls, intrusion detection systems, and continuous monitoring.
• Security audits and testing: We conduct regular security audits, vulnerability assessments, and penetration testing performed by qualified third-party security firms to identify and remediate potential vulnerabilities.
• Partner security agreements: All third-party service providers that process personal data on our behalf are required to enter into data processing agreements that mandate equivalent security standards and compliance with applicable data protection laws.
• Employee training: All SafaiX employees and contractors with access to personal data undergo mandatory data protection and information security training during onboarding and at regular intervals thereafter.
• Incident response: We maintain a documented incident response plan. In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware of the breach, as required under the DPDPA 2023. Notification will include the nature of the breach, the data affected, the measures taken to mitigate impact, and recommended steps for affected individuals.

While we strive to protect your personal data using industry-leading security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to taking all reasonable steps to safeguard your information.

Our Platform uses cookies and similar technologies to enhance your experience, remember your preferences, and understand how the Platform is used. The following categories of cookies are employed:

• Essential cookies: These are strictly necessary for the operation of the Platform. They enable core functionality such as session management, authentication (keeping you logged in), security features (CSRF protection), and load balancing. Without these cookies, the Platform cannot function properly. These cookies do not require separate consent as they are essential to service delivery.
• Analytics cookies: We use Plausible Analytics, a privacy-focused analytics tool, to collect anonymised data about how visitors interact with our website. Plausible does not use cookies that track individuals across websites, does not collect personal data, and is fully compliant with privacy regulations. Data collected includes page views, referral sources, browser type, and general geographic region.
• Preference cookies: These cookies remember your choices and settings, such as your preferred language, default service location, display settings (e.g., dark mode), and recently selected vehicle, to provide a personalised experience across sessions.

Managing cookies: You can manage or delete cookies through your browser settings. Most browsers allow you to block or delete cookies, view which cookies are stored, and set preferences for specific websites. Please note that disabling essential cookies may impair the functionality of the Platform, including login, booking, and payment features.

To deliver our services, we integrate with the following categories of third-party service providers:

• Payment gateway — Razorpay: We use Razorpay, a Reserve Bank of India (RBI) authorised payment aggregator, for processing all customer payments and partner payouts. Razorpay is PCI-DSS Level 1 certified, which is the highest level of payment security certification. Your payment card details are processed and stored by Razorpay in accordance with PCI-DSS standards and are never stored on SafaiX's own servers.
• Communication services: We use third-party providers for delivering SMS messages (including OTP codes for authentication), transactional and marketing emails, and push notifications. These providers receive only the minimum data necessary to deliver the communication.
• Cloud infrastructure — AWS Mumbai region: Our Platform infrastructure and data storage are hosted on Amazon Web Services (AWS) in the Mumbai (ap-south-1) region, ensuring that your data is primarily stored within India. AWS maintains ISO 27001, SOC 2 Type II, and other globally recognised security certifications.
• Analytics — Plausible: We use Plausible Analytics, a privacy-focused, open-source web analytics tool that does not use cookies for tracking, does not collect personal data, and does not track users across websites. All analytics data is aggregated and anonymised.

Each third-party service provider operates under its own privacy policy and terms of service. While we select providers that demonstrate strong data protection practices, SafaiX is not responsible for the privacy practices of third-party services. We encourage you to review their respective privacy policies.

The SafaiX Platform is primarily intended for use by individuals who are 18 years of age or older. We take the protection of children's personal data seriously and have implemented the following measures in compliance with Section 9 of the DPDPA 2023:

• Users under the age of 18 may use the Platform only with verifiable consent from a parent or legal guardian. We implement reasonable age-verification mechanisms during the registration process.
• A parent or legal guardian must provide documented consent before a minor's account is activated. This consent may be obtained through verified email confirmation, phone-based verification, or other mechanisms deemed appropriate.
• We do not engage in any form of targeted advertising or behavioural tracking directed specifically at users identified as minors.
• Parents and guardians have the right to access, review, correct, or request deletion of their child's personal data at any time by contacting our Grievance Officer.
• If we become aware that we have collected personal data from a minor without proper parental or guardian consent, we will take immediate steps to delete that data from our systems and deactivate the associated account.

SafaiX is committed to storing and processing your personal data within India to the greatest extent possible. Our data transfer practices are as follows:

• Primary data storage: All personal data is primarily stored on servers located in India (AWS Mumbai region, ap-south-1), in compliance with the data localisation expectations of the DPDPA 2023 and RBI guidelines for payment data.
• International transfers: In limited circumstances, your data may be transferred to servers or service providers located outside India where necessary for the operation of global service providers (e.g., email delivery infrastructure, content delivery networks). Such transfers are made only to countries or territories not restricted by the Central Government under the DPDPA 2023.
• Safeguards: Where cross-border transfers occur, we implement appropriate safeguards including standard contractual clauses, data processing agreements with equivalent protection standards, and adequacy assessments as required by the DPDPA 2023 and any rules notified thereunder.
• Notification: We will notify you via email or in-app notification of any material change to the countries or territories where your personal data is stored or processed.

If you register as a service partner on the SafaiX Partner PWA, we collect additional information beyond what is described for customers. This section outlines the specific data practices applicable to partners.

Additional Data Collected from Partners

• Bank account details: Account number, IFSC code, bank name, branch name, and account holder name for processing service payouts and commissions.
• Government-issued identification: Aadhaar number and PAN (Permanent Account Number) for KYC (Know Your Customer) verification as required under RBI guidelines and the Prevention of Money Laundering Act, 2002.
• Vehicle and equipment details: Details of the vehicle(s) used for service delivery, water tanks, cleaning equipment, and other tools registered on the Platform.
• Insurance documents: Copies of valid business liability insurance or vehicle insurance policies, where applicable.
• Police verification certificate: A valid police verification certificate to ensure the safety and trust of customers who invite partners to their premises.

Purpose of Partner Data Collection

• Identity verification and KYC compliance to onboard legitimate service providers.
• Processing payouts and ensuring accurate financial reconciliation.
• Regulatory compliance with tax authorities (GST registration, TDS deduction under Section 194-O of the Income Tax Act), RBI payment aggregator guidelines, and local business licensing requirements.
• Background verification to maintain Platform safety and customer trust.

Retention of Partner Data

Partner personal data is retained for the duration of the partner relationship with SafaiX plus 7 years following account closure, to meet tax record-keeping obligations under the Income Tax Act 1961 (Section 44AA) and GST Act provisions. KYC documents may be retained for a longer period if required by RBI directions or anti-money laundering regulations.

Partner Rights

Partners have the same rights as customers under the DPDPA 2023, as described in Section 9 of this Privacy Policy, including the right to access, correction, erasure, data portability, consent withdrawal, nomination, and grievance redressal. Partners may exercise these rights by contacting our Grievance Officer at grievance@safaix.app.

In accordance with Section 13 of the DPDPA 2023 and Rule 5(9) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we have appointed a Grievance Officer to address your concerns regarding personal data processing:

SafaiX reserves the right to modify, update, or replace this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or business operations. We encourage you to review this page periodically. Changes are handled as follows:

• Material changes: For significant changes that affect how your personal data is collected, used, or shared (such as new categories of data collection, new third-party sharing, or changes to data retention periods), we will notify you via email to the address associated with your account and/or through a prominent in-app notification at least 15 days before the changes take effect.
• Non-material changes: Minor changes (such as formatting updates, grammatical corrections, or clarifications that do not substantively alter your rights or our practices) will become effective immediately upon posting the updated policy on the Platform.
• Continued use as acceptance: Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue use of the Platform and request account deletion.
• Previous versions: Previous versions of this Privacy Policy are available upon request. You may contact us at hello@safaix.app to obtain a copy of any prior version.

The "Last updated" date at the top of this page indicates when this Privacy Policy was most recently revised.

If you have any questions, concerns, or feedback about this Privacy Policy or our data practices, please do not hesitate to contact us:

For data protection and privacy-specific concerns, please contact our Grievance Officer directly at grievance@safaix.app.