Privacy Policy
How we collect, use, store, and protect your personal information.
At Pickrbox Technologies Pvt. Ltd. ("Pickrbox", "we", "us", or "our"), we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your information when you use the Pickrbox mobile application, website, and associated services (collectively, the "Platform"). This policy is designed to help you understand your privacy rights and choices. By using the Platform, you consent to the data practices described in this policy.
1. Information We Collect
We collect various types of information to provide, maintain, improve, and personalize our services:
(A) INFORMATION YOU PROVIDE DIRECTLY:
• Account Information: Phone number (required for registration and OTP verification), full name, email address, date of birth, gender, profile photo, bio or description.
• Address Information: Delivery and billing addresses, GPS coordinates, location labels (e.g., "Home", "Office", "Other"), landmark descriptions.
• Payment Information: Credit/debit card details (last 4 digits only; full card data is stored by PCI-DSS compliant payment partners), UPI IDs, net banking details, digital wallet information, billing addresses, payment preferences.
• KYC Documents: For high-value rentals, government-issued identity documents including Aadhaar Card (front and back), PAN Card, Driving License, Passport, Voter ID, and live selfie or photo for identity verification.
• Booking Information: Product selections, rental dates and times, fulfillment methods (pickup or delivery), quantity, add-ons, pricing snapshots, special instructions, extension requests.
• Communications: Messages sent through in-app chat with Store Owners, customer support tickets, feedback submissions, reviews and ratings, survey responses, social media interactions.
• User-Generated Content: Photos or videos uploaded with reviews, profile pictures, product inquiry messages.
(B) INFORMATION COLLECTED AUTOMATICALLY:
• Device Information: Device model, manufacturer, operating system (iOS, Android), OS version, unique device identifiers (IMEI, Android ID, IDFA), app version, screen resolution, device language settings, time zone.
• Usage Data: App features accessed, pages or screens viewed, time spent on each screen, search queries, filters applied, products viewed or wishlisted, bookings initiated but not completed, tap/click events, session duration, session frequency, feature adoption metrics, error logs, crash reports.
• Location Data: Precise GPS coordinates (with your explicit permission), approximate location based on IP address or cellular network, location history when the app is in use or in the background (for delivery tracking), distance calculations for delivery fee estimation.
• Network and Connection Information: IP address, mobile carrier name, connection type (Wi-Fi, 4G, 5G), network quality, latency, ISP details.
• Referral and Attribution Data: Source of app installation (Google Play, App Store, referral link), marketing campaign identifiers, referrer information.
(C) INFORMATION FROM THIRD PARTIES:
• Social Media: If you choose to link your social media accounts (Facebook, Google, Apple) for authentication or profile enrichment, we may receive basic profile information (name, email, profile picture) as permitted by those platforms.
• Payment Partners: Transaction status, payment method verification, fraud risk scores, billing address validation.
• Analytics Providers: Aggregated usage metrics, demographic information, device trends, app performance data.
• Store Owners: Feedback about your rental transactions, product return conditions, dispute details.
2. How We Use Your Information
We use the information we collect for the following purposes:
(A) SERVICE DELIVERY AND CORE FUNCTIONALITY:
• Process and fulfill rental bookings, including order confirmation, preparation, delivery coordination, and returns. • Facilitate secure payments through third-party payment partners. • Enable communication between you and Store Owners via in-app messaging. • Provide real-time booking status updates, delivery tracking, and notifications. • Calculate rental pricing, delivery fees, taxes, and generate invoices. • Process booking extensions, cancellations, and refunds. • Manage security deposits and damage claims. • Verify product availability and inventory status.
(B) ACCOUNT MANAGEMENT:
• Create and maintain your user account. • Authenticate your identity using OTP verification and session management. • Store your preferences, saved addresses, payment methods, and booking history. • Enable features like wishlist, favorites, and personalized recommendations.
(C) LOCATION-BASED SERVICES:
• Display nearby stores and products based on your current location. • Calculate distance-based delivery fees and delivery time estimates. • Verify delivery addresses and provide navigation assistance to delivery personnel. • Show location-specific search results and filter options. • Track delivery status in real-time.
(D) IDENTITY VERIFICATION (KYC):
• Verify your identity for high-value rentals as required by Store Owners. • Prevent fraud, identity theft, and unauthorized bookings. • Comply with regulatory requirements and anti-money laundering (AML) obligations. • Maintain trust and security in the rental ecosystem.
(E) COMMUNICATION AND NOTIFICATIONS:
• Send transactional notifications: booking confirmations, payment receipts, delivery updates, return reminders, extension approvals, refund status. • Send service announcements: Platform updates, policy changes, maintenance schedules, security alerts. • Send marketing communications: promotional offers, discounts, new features, personalized recommendations, re-engagement campaigns (with your consent). • Respond to customer support inquiries, complaints, and feedback. • Request reviews and ratings after completed bookings.
(F) PERSONALIZATION AND RECOMMENDATIONS:
• Analyze your browsing and booking behavior to provide personalized product recommendations. • Customize search results based on your preferences, location, and past activity. • Suggest relevant stores, categories, and rental durations. • Tailor marketing messages and promotional offers to your interests.
(G) PLATFORM IMPROVEMENT AND ANALYTICS:
• Monitor app performance, identify bugs, and fix technical issues. • Analyze usage patterns to understand feature adoption and user behavior. • Conduct A/B testing to optimize user experience and conversion rates. • Measure the effectiveness of marketing campaigns and user acquisition channels. • Develop new features and enhancements based on user feedback and data insights.
3. Information Sharing and Disclosure
We share your information only as necessary to provide our services and as described below. We do NOT sell your personal information to third parties for their marketing purposes.
(A) WITH STORE OWNERS:
When you make a booking, we share the following information with the relevant Store Owner:
• Your name, phone number, and profile photo (for identification). • Delivery address and GPS coordinates (if delivery is selected). • Booking details: product, rental dates, quantity, add-ons, fulfillment method. • Special instructions or messages sent via in-app chat. • KYC documents (if required by the Store Owner for high-value rentals).
Store Owners do NOT have access to:
• Your email address (unless you explicitly share it). • Your full payment information (card numbers, CVV, bank details). • Your other bookings or account activity. • Your usage data or browsing history.
Store Owners are contractually obligated to use your information solely for fulfilling bookings and must comply with data protection obligations.
(B) WITH PAYMENT PROCESSORS:
We share payment information with our PCI-DSS Level 1 certified payment partners (Razorpay, Stripe, Cashfree, Paytm, PhonePe) to process transactions securely. These partners handle:
• Credit/debit card processing and authorization. • UPI, net banking, and wallet transactions. • Payment authentication (3D Secure, OTP verification). • Fraud detection and risk assessment. • Refund processing.
We do NOT store your full card details (card number, CVV, expiry date) on our servers. Only the last 4 digits and card brand are stored for display purposes. Full payment data is encrypted and securely stored by our payment partners in compliance with PCI-DSS standards.
(C) WITH DELIVERY PARTNERS:
If a Store Owner uses third-party delivery services (e.g., Dunzo, Shadowfax, Porter, local courier partners), we share:
• Your delivery address and GPS coordinates. • Your phone number (for delivery coordination). • Delivery time slot and special instructions. • Product details (for package handling).
Delivery partners are bound by confidentiality agreements and may not use your information for purposes other than fulfilling the delivery.
(D) WITH SERVICE PROVIDERS AND TECHNOLOGY PARTNERS:
We engage third-party service providers to support our operations. These providers process data on our behalf under strict contractual obligations and confidentiality agreements:
• Cloud Hosting: Google Cloud Platform (GCP), Amazon Web Services (AWS) – for application infrastructure, database storage, and backups. • Media Storage: Cloudinary – for secure storage and optimization of images and videos. • Analytics: Google Analytics, Firebase Analytics, Mixpanel – for usage analytics, user behavior tracking, and app performance monitoring. • Push Notifications: Firebase Cloud Messaging (FCM), Apple Push Notification Service (APNs) – for sending real-time notifications. • SMS and Communication: Twilio, MSG91, Exotel – for sending OTPs, booking confirmations, and transactional SMS. • Email Services: SendGrid, Amazon SES – for sending transactional and marketing emails. • Customer Support: Freshdesk, Zendesk – for managing support tickets and customer inquiries. • Crash Reporting: Sentry, Firebase Crashlytics – for monitoring app stability and debugging errors. • Security and Fraud Prevention: Third-party fraud detection and prevention tools.
4. Data Security and Protection
We implement robust technical, organizational, and administrative security measures to protect your personal information from unauthorized access, disclosure, alteration, loss, or destruction:
(A) ENCRYPTION:
• Data in Transit: All data transmitted between your device and our servers is encrypted using industry-standard TLS/SSL protocols (Transport Layer Security) with 256-bit encryption. • Data at Rest: Sensitive data stored in our databases is encrypted using AES-256 encryption, including passwords, payment tokens, KYC documents, and security deposit information. • End-to-End Encryption: In-app messages between Users and Store Owners are encrypted to protect privacy.
(B) AUTHENTICATION AND ACCESS CONTROLS:
• Multi-Factor Authentication (MFA): We use OTP-based verification to secure account access. • JWT Tokens: Secure, short-lived JSON Web Tokens (JWT) for session management and API authentication. • Role-Based Access Control (RBAC): Access to personal data is restricted to authorized personnel on a strict need-to-know basis. Employees and contractors undergo background checks and sign confidentiality agreements. • Audit Logs: We maintain detailed access logs to track who accessed what data and when, enabling security audits and incident response.
(C) PAYMENT SECURITY:
• PCI-DSS Compliance: Our payment partners (Razorpay, Stripe, Cashfree) are certified as PCI-DSS Level 1 compliant, the highest level of payment security standards. • Tokenization: Payment card data is tokenized, meaning sensitive information is replaced with non-sensitive tokens that cannot be reverse-engineered. • No Storage of Full Card Data: We do NOT store complete card numbers, CVV codes, or PINs on our servers.
(D) INFRASTRUCTURE SECURITY:
• Cloud Security: Our infrastructure is hosted on secure cloud platforms (Google Cloud Platform, AWS) with enterprise-grade security features, including firewalls, intrusion detection systems (IDS), and DDoS protection. • Network Segmentation: Production databases are isolated from public-facing servers to prevent unauthorized access. • Regular Security Audits: We conduct periodic security assessments, vulnerability scans, and penetration testing to identify and remediate security weaknesses. • Automated Monitoring: Real-time monitoring and alerting systems detect suspicious activities, anomalies, and potential security incidents.
(E) APPLICATION SECURITY:
• Secure Coding Practices: Our development team follows OWASP (Open Web Application Security Project) guidelines and secure coding standards to prevent common vulnerabilities (SQL injection, XSS, CSRF, etc.). • Rate Limiting and Throttling: API rate limits prevent abuse, brute-force attacks, and denial-of-service attacks. • Input Validation: All user inputs are sanitized and validated to prevent injection attacks and malicious code execution. • Regular Updates: We promptly apply security patches and updates to our software, libraries, and dependencies.
5. Data Retention and Deletion
We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are outlined below:
(A) ACCOUNT DATA:
• Active Accounts: Account information (name, email, phone, profile) is retained as long as your account is active. • Deleted Accounts: Upon account deletion request, your account is deactivated immediately. Personal data is retained for a 30-day grace period (to allow account recovery), then permanently deleted. • Exception: Certain data may be retained beyond deletion for legal compliance (see below).
(B) BOOKING RECORDS:
• Booking History: Rental transaction records (product, dates, pricing, Store Owner, delivery address, booking status) are retained for 3 years from the booking date for business, accounting, dispute resolution, and legal purposes. • After 3 years, booking records are either anonymized (stripped of personally identifiable information) or securely deleted.
(C) PAYMENT RECORDS:
• Payment Transactions: Payment history, invoices, receipts, and transaction logs are retained for 7 years as required by Indian financial regulations, tax laws, and the Goods and Services Tax (GST) Act. • This includes details such as payment method, amount, transaction ID, GST invoices, and refund records.
(D) KYC DOCUMENTS:
• Identity Verification Documents: KYC documents (Aadhaar, PAN, Driving License, Passport, selfies) are retained for 1 year after the last associated rental booking, then securely deleted. • Exception: If required for ongoing legal disputes, regulatory investigations, or compliance audits, KYC documents may be retained for longer periods as legally mandated.
(E) COMMUNICATIONS AND MESSAGES:
• In-App Messages: Chat conversations between you and Store Owners are retained for 1 year after the booking completion date to resolve disputes and improve service quality. • Customer Support Tickets: Support inquiries, complaints, and feedback are retained for 2 years after resolution for training, quality assurance, and compliance purposes. • After retention periods, messages are anonymized or deleted.
(F) USAGE LOGS AND ANALYTICS:
• App Usage Data: Logs of app interactions, search queries, page views, and feature usage are retained in anonymized or aggregated form for up to 2 years for analytics, product development, and business intelligence. • Personally identifiable information is removed from usage logs after 90 days.
(G) LOCATION DATA:
• Precise GPS Coordinates: Location data collected during active sessions (store discovery, delivery tracking) is retained for 90 days, then deleted. • Anonymized Location Data: Aggregated, anonymized location trends (e.g., popular rental areas) may be retained indefinitely for analytics.
6. Your Privacy Rights and Choices
You have significant control over your personal data. Under Indian data protection laws and our commitment to privacy, you have the following rights:
(A) RIGHT TO ACCESS:
• You can access your personal data at any time through the App: - Profile Information: View and manage your name, email, phone, date of birth, gender, profile photo. - Address Book: View, edit, and delete saved delivery addresses. - Booking History: Access past and active bookings, invoices, and receipts. - Payment Methods: View saved payment instruments (last 4 digits of cards, UPI IDs). - Reviews and Ratings: View your reviews and ratings. - Notification Preferences: Manage communication settings.
• Data Export: You may request a copy of your personal data in a machine-readable format (JSON or CSV) by contacting privacy@pickrbox.com. We will provide the data within 30 days.
(B) RIGHT TO CORRECTION AND UPDATE:
• You can update your personal information at any time through the App: - Navigate to Profile > Edit Profile to update name, email, date of birth, gender, profile photo, and bio. - Navigate to Profile > Address Book to add, edit, or delete addresses. - Navigate to Profile > Payment Methods to add or remove payment methods.
• Phone Number Changes: To change your registered phone number (used for account authentication), contact customer support at support@pickrbox.com with identity verification.
(C) RIGHT TO DELETION (RIGHT TO BE FORGOTTEN):
• Account Deletion: You may request permanent deletion of your account and associated personal data through: - App: Navigate to Profile > Privacy & Security > Delete Account. - Email: Send a deletion request to privacy@pickrbox.com.
• Pre-Deletion Requirements: Before deletion, you must: - Complete or cancel all active bookings. - Settle any outstanding payments or damage charges. - Resolve pending disputes.
• Grace Period: After initiating deletion, your account will be deactivated immediately, but data will be retained for 30 days to allow account recovery. After 30 days, data is permanently deleted (subject to legal retention requirements).
• Selective Deletion: You may request deletion of specific data (e.g., individual reviews, addresses, KYC documents) by contacting privacy@pickrbox.com.
(D) RIGHT TO DATA PORTABILITY:
• You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON, CSV) and to transmit it to another service provider. • Data portability includes: account information, booking history, reviews, addresses, and communication preferences. • Request data portability by emailing privacy@pickrbox.com.
(E) RIGHT TO OPT OUT OF MARKETING COMMUNICATIONS:
• Email Marketing: Unsubscribe from promotional emails by clicking the "Unsubscribe" link in any marketing email or by managing preferences in Profile > Notifications. • Push Notifications: Disable promotional push notifications through Profile > Notifications > Marketing Notifications. • SMS Marketing: Reply "STOP" to any promotional SMS or manage preferences in-app. • WhatsApp Marketing: Opt out of WhatsApp promotional messages by replying "STOP" or updating preferences.
7. Cookies and Tracking Technologies
As a mobile application, Pickrbox does not use traditional browser cookies. However, we use similar tracking technologies to enhance user experience, measure app performance, and deliver personalized services:
(A) DEVICE IDENTIFIERS:
• Android ID (Android) and IDFA (iOS): Unique identifiers assigned to your device, used to recognize your device across sessions and provide personalized experiences. • Firebase Instance ID (FID): A unique identifier generated by Firebase for app installations, used for push notifications and analytics.
(B) ANALYTICS AND PERFORMANCE TRACKING:
We use third-party analytics software development kits (SDKs) to collect usage data, app performance metrics, and user behavior insights:
• Google Analytics for Firebase: Tracks app usage, screen views, user demographics, session duration, and feature adoption. • Mixpanel: Analyzes user behavior, conversion funnels, retention cohorts, and A/B test results. • Firebase Crashlytics: Monitors app crashes, errors, and performance issues to improve app stability. • Sentry: Tracks application errors and exceptions for debugging and quality assurance.
• Data Collected: Page views, feature usage, session duration, user flows, crash logs, device information, OS version, app version.
• Purpose: Understand how Users interact with the Platform, identify bugs, measure feature effectiveness, optimize user experience, and inform product development.
• Control: You can opt out of analytics tracking through: - App Settings: Profile > Privacy > Analytics Tracking > Toggle Off. - Device Settings: Limit Ad Tracking (iOS) or Opt Out of Ads Personalization (Android).
(C) ADVERTISING AND MARKETING PIXELS:
• Facebook Pixel: Tracks conversions from Facebook ads, measures campaign effectiveness, and enables retargeting. • Google Ads Conversion Tracking: Measures the effectiveness of Google Ads campaigns. • Branch.io: Tracks app install attribution, deep linking, and referral sources.
• Data Collected: App installs, in-app events (e.g., bookings, searches), ad impressions, ad clicks, conversion events.
• Purpose: Measure advertising ROI, optimize marketing campaigns, deliver personalized ads, retarget Users who have shown interest in our Platform.
• Control: Opt out of personalized advertising through: - iOS: Settings > Privacy > Tracking > Toggle Off "Allow Apps to Request to Track". - Android: Settings > Google > Ads > Opt Out of Ads Personalization.
(D) PUSH NOTIFICATION TOKENS:
• Firebase Cloud Messaging (FCM) for Android and Apple Push Notification Service (APNs) for iOS generate unique push notification tokens to deliver real-time notifications.
• Purpose: Send booking confirmations, delivery updates, payment receipts, promotional offers, and other notifications.
8. Third-Party Services, Links, and Integrations
The Pickrbox Platform integrates with and links to third-party services, websites, and applications. This section explains how we interact with third parties and their data practices:
(A) PAYMENT GATEWAYS:
• We integrate with third-party payment processors (Razorpay, Stripe, Cashfree, Paytm, PhonePe, Google Pay) to facilitate secure transactions. • When you make a payment, you are directed to the payment partner's interface or API, which collects and processes payment information. • Payment partners have their own privacy policies and terms of service, which govern how they handle your payment data. • We do NOT store your full credit/debit card details. Payment partners tokenize and encrypt payment data in compliance with PCI-DSS standards.
(B) MAP AND LOCATION SERVICES:
• We use Google Maps Platform (Google Maps API, Places API, Geocoding API) to provide: - Store location display on maps. - Address autocomplete and search. - Distance calculation for delivery fees. - Navigation and route optimization for deliveries.
• When you use map features, Google may collect location data, IP addresses, and usage information as per their privacy policy. • Google's Privacy Policy: https://policies.google.com/privacy
(C) CLOUD STORAGE AND MEDIA SERVICES:
• We use Cloudinary and AWS S3 for secure storage and delivery of media content (product images, profile photos, KYC documents, review images). • These providers process data on our behalf under strict data processing agreements and confidentiality obligations. • Media is encrypted both in transit and at rest.
(D) COMMUNICATION SERVICES:
• SMS and OTP Services: Twilio, MSG91, Exotel send OTPs, booking confirmations, and transactional SMS on our behalf. • Email Services: SendGrid, Amazon SES send transactional and marketing emails. • These providers have access to your phone number or email address only for the purpose of delivering messages and do not use your information for their own purposes.
(E) SOCIAL MEDIA AND AUTHENTICATION:
• If you choose to link your social media accounts (Facebook, Google, Apple Sign-In) for authentication or profile enrichment, we receive limited profile information (name, email, profile picture) as permitted by those platforms. • Social media platforms may track your interactions with Pickrbox content (e.g., if you share a product link on Facebook). • Social Media Privacy Policies: - Facebook: https://www.facebook.com/privacy/explanation - Google: https://policies.google.com/privacy - Apple: https://www.apple.com/legal/privacy/
(F) ANALYTICS AND MONITORING TOOLS:
• We use Google Analytics, Firebase, Mixpanel, and Sentry to analyze app usage, user behavior, and app performance. • These tools collect device information, usage data, and interaction patterns as described in Section 7 (Cookies and Tracking Technologies). • Analytics providers process data on our behalf and are bound by data processing agreements.
9. Children's Privacy
The Pickrbox Platform is not intended for use by individuals under the age of 18. We do not knowingly collect, store, process, or solicit personal information from children under 18, and we do not knowingly allow children under 18 to create accounts or use our services.
(A) AGE RESTRICTION:
• By creating an account, you represent and warrant that you are at least 18 years of age and have the legal capacity to enter into binding agreements under Indian law. • If you are under 18, you must not use the Platform, create an account, or provide any personal information to Pickrbox.
(B) PARENTAL CONSENT:
• If you are a parent or legal guardian and discover that your child under 18 has created an account or provided personal information to Pickrbox without your consent, please contact us immediately at privacy@pickrbox.com. • We will take prompt steps to delete such information and terminate the account.
(C) VERIFICATION:
• While we require Users to confirm they are 18+ during registration, we do not routinely verify ages through identity documents unless required for KYC purposes. • If we become aware that we have inadvertently collected information from a child under 18, we will: - Immediately delete the account and all associated personal data. - Notify the parent or guardian (if contact information is available). - Take steps to prevent future access by the child.
(D) SCHOOL OR EDUCATIONAL USE:
• The Platform is not designed for use in educational settings, schools, or institutional environments involving children.
(E) REPORTING UNDERAGE ACCOUNTS:
• If you become aware of an underage User on the Platform, please report it to privacy@pickrbox.com or through the in-app reporting feature. • We will investigate and take appropriate action, including account termination and data deletion.
(F) COMPLIANCE WITH CHILD PROTECTION LAWS:
• We comply with applicable child protection laws, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and international standards such as the Children's Online Privacy Protection Act (COPPA) where applicable.
10. International Data Transfers
Pickrbox is based in India, and your personal data is primarily stored and processed within India using cloud infrastructure provided by Google Cloud Platform (GCP) and Amazon Web Services (AWS) in Indian data centers (Mumbai, Bangalore regions).
(A) DATA LOCALIZATION:
• In compliance with Indian data localization requirements and best practices, sensitive personal data (payment information, KYC documents, biometric data) is stored within India. • Core user data (account information, booking history, addresses) is also stored in Indian data centers.
(B) CROSS-BORDER DATA TRANSFERS:
In some cases, your data may be transferred to, processed, or accessed from countries outside India, including:
• Service Providers: Some third-party service providers (analytics tools, customer support platforms, email services) may process data on servers located in the United States, European Union, or other jurisdictions. • Cloud Backups: Disaster recovery backups may be stored in geographically distributed cloud regions for redundancy and business continuity. • Global Support Teams: Customer support or technical support teams located outside India may access data to resolve issues or provide assistance.
(C) SAFEGUARDS FOR INTERNATIONAL TRANSFERS:
When data is transferred internationally, we ensure appropriate safeguards are in place to protect your privacy:
• Standard Contractual Clauses (SCCs): We use data processing agreements based on European Commission-approved Standard Contractual Clauses (SCCs) or similar frameworks to ensure adequate data protection. • Data Processing Agreements (DPAs): Third-party service providers sign DPAs that require them to implement technical and organizational measures to protect data. • Adequacy Decisions: Where possible, we transfer data to countries recognized as providing adequate data protection (e.g., EU/EEA countries under GDPR adequacy decisions). • Encryption: All data transferred internationally is encrypted in transit using TLS/SSL protocols.
(D) COMPLIANCE WITH INTERNATIONAL LAWS:
• We comply with applicable international data protection laws, including: - General Data Protection Regulation (GDPR) for Users in the European Union. - California Consumer Privacy Act (CCPA) for Users in California, USA. - Personal Data Protection Act (PDPA) for Users in Singapore (if applicable).
(E) YOUR RIGHTS REGARDING INTERNATIONAL TRANSFERS:
• If you are located in a jurisdiction with specific data transfer requirements (e.g., EU), you have the right to: - Object to international data transfers. - Request information about the safeguards in place. - Lodge a complaint with your local data protection authority.
• Contact privacy@pickrbox.com for more information about international data transfers and safeguards.
11. Automated Decision-Making and Profiling
Pickrbox uses automated decision-making and profiling technologies to enhance user experience, personalize services, and improve platform efficiency. This section explains how we use these technologies and your rights regarding them:
(A) WHAT IS AUTOMATED DECISION-MAKING?
• Automated decision-making refers to decisions made by algorithms, machine learning models, or artificial intelligence (AI) systems without human intervention.
(B) HOW WE USE AUTOMATED DECISION-MAKING:
• Personalized Recommendations: Machine learning algorithms analyze your browsing history, search queries, booking patterns, and preferences to recommend products, stores, and rental durations tailored to your interests.
• Smart Pricing Engine: Our pricing algorithm automatically calculates the most cost-effective combination of hourly, daily, weekly, and monthly rental rates based on your selected rental duration.
• Fraud Detection and Risk Scoring: Automated systems analyze transaction patterns, device information, behavioral signals, and payment data to detect fraudulent activities, assess risk, and prevent unauthorized transactions.
• Search Ranking and Relevance: Algorithms determine the ranking and order of search results based on relevance, popularity, availability, pricing, location proximity, and user preferences.
• Dynamic Inventory Management: Automated systems update product availability, pricing snapshots, and inventory counts in real-time based on bookings and cancellations.
• Delivery Fee Calculation: Algorithms calculate delivery fees based on distance, zone-based pricing, Store Owner settings, and demand patterns.
(C) WHAT IS PROFILING?
• Profiling involves analyzing your personal data to evaluate, predict, or categorize your characteristics, preferences, behavior, or interests.
(D) HOW WE USE PROFILING:
• User Segmentation: We group Users into segments based on demographics, location, booking behavior, and preferences for targeted marketing and personalized experiences.
• Behavioral Analysis: We analyze app usage patterns, session duration, and feature interactions to understand user behavior and optimize the Platform.
• Predictive Analytics: We use historical data to predict future behavior, such as likelihood of booking, churn risk, or preferred product categories.
• Personalized Marketing: We tailor promotional offers, email campaigns, and push notifications based on your profile, interests, and past interactions.
(E) YOUR RIGHTS REGARDING AUTOMATED DECISION-MAKING:
• Right to Human Review: For decisions with significant legal or financial effects (e.g., account suspension, fraud flagging, booking rejections), you have the right to request human review and challenge the decision.
12. Changes to This Privacy Policy
Pickrbox reserves the right to modify, amend, or update this Privacy Policy at any time to reflect changes in our data practices, legal requirements, business operations, or Platform features.
(A) NOTICE OF CHANGES:
We will notify you of material changes to this Privacy Policy through:
• In-App Notifications: A prominent banner or notification within the App alerting you to the updated Privacy Policy. • Email: An email to your registered email address summarizing the key changes. • Push Notifications: A push notification highlighting significant updates. • App Login Screen: A notice displayed when you log in, requiring acknowledgment before proceeding.
(B) ADVANCE NOTICE PERIOD:
• Material Changes: For significant changes affecting how we collect, use, share, or protect your data, we will provide at least 7 days' advance notice before the changes take effect. • Non-Material Changes: Minor changes (e.g., clarifications, formatting updates, contact information changes) may be made without prior notice.
(C) WHAT CONSTITUTES A MATERIAL CHANGE:
Material changes include:
• Expanding the types of personal data we collect. • Using or sharing data for new purposes not previously disclosed. • Changing data retention periods significantly. • Transferring data to new third parties or jurisdictions. • Reducing your privacy rights or choices.
(D) ACCEPTANCE OF CHANGES:
• Your continued use of the Platform after the effective date of the updated Privacy Policy constitutes your acceptance of the revised terms. • If you do not agree with the updated Privacy Policy, you must stop using the Platform and may request account deletion before the changes take effect.
(E) VERSION HISTORY AND EFFECTIVE DATE:
• The "Last Updated" date at the top of this Privacy Policy indicates when the most recent changes were made. • We recommend reviewing this Privacy Policy periodically to stay informed of any updates. • Previous versions of the Privacy Policy may be available upon request by contacting privacy@pickrbox.com.
(F) HOW TO STAY INFORMED:
• Check the "Last Updated" date regularly. • Enable notifications to receive alerts about policy updates. • Bookmark this page and review it periodically.
(G) CONTACT US FOR CLARIFICATIONS:
• If you have questions about changes to this Privacy Policy or need clarification on how updates affect you, contact privacy@pickrbox.com.
13. Security Breach Notification
Despite our robust security measures, data breaches can occur. This section explains our commitment to transparency and our obligations in the event of a security incident:
(A) INCIDENT DETECTION AND RESPONSE:
• We have a dedicated security team and incident response plan to detect, investigate, contain, and remediate security breaches. • Automated monitoring systems, intrusion detection, and security audits help identify suspicious activities and potential breaches.
(B) NOTIFICATION OBLIGATIONS:
If a data breach occurs that affects your personal information, we will:
• Investigate the Breach: Assess the scope, nature, and severity of the breach, including what data was accessed, by whom, and how. • Notify Affected Users: If the breach poses a risk to your rights and freedoms, we will notify you promptly via: - Email to your registered email address. - In-app notification. - SMS (if email is unavailable).
• Notification Timeframe: We will notify affected Users within 72 hours of becoming aware of the breach, as required by applicable data protection laws.
(C) INFORMATION PROVIDED IN BREACH NOTIFICATIONS:
Our breach notification will include:
• Nature of the Breach: What happened, how the breach occurred, and when it was detected. • Data Affected: Types of personal information compromised (e.g., names, emails, payment tokens, KYC documents). • Potential Consequences: Risks associated with the breach (e.g., identity theft, financial fraud, privacy violations). • Remediation Steps: Actions we have taken to contain and remediate the breach. • Protective Measures for Users: Recommended steps you should take to protect yourself (e.g., change passwords, monitor accounts, report suspicious activity). • Contact Information: How to reach our security team or support for assistance.
(D) REGULATORY REPORTING:
• In addition to notifying affected Users, we will report the breach to relevant regulatory authorities, including: - Indian Computer Emergency Response Team (CERT-In). - Data Protection Authority (if applicable under future data protection laws). - Payment Card Industry (PCI) Security Standards Council (for payment data breaches).
(E) THIRD-PARTY BREACH NOTIFICATION:
• If a third-party service provider (payment partner, cloud provider, analytics tool) experiences a breach affecting Pickrbox Users, we will: - Coordinate with the third party to assess the impact. - Notify affected Users if required. - Take corrective actions, including terminating the relationship with the third party if necessary.
(F) YOUR RESPONSIBILITIES AFTER A BREACH:
If you receive a breach notification, we recommend:
• Change your Pickrbox account password immediately. • Enable device-level security (PIN, fingerprint, face recognition). • Monitor your bank statements and payment accounts for unauthorized transactions. • Report suspicious activity to your bank, payment provider, or Pickrbox support. • Be cautious of phishing emails or messages claiming to be from Pickrbox (verify authenticity before clicking links).
14. Data Protection for Store Owners
Store Owners using the Pickrbox Platform have access to limited customer data necessary to fulfill rental bookings. This section outlines Store Owners' data protection obligations:
(A) DATA ACCESS AND USE RESTRICTIONS:
Store Owners may access:
• Customer name, phone number, delivery address, and booking details. • KYC documents (if required for high-value rentals).
Store Owners MUST:
• Use customer data solely for fulfilling bookings on the Pickrbox Platform. • Not contact customers for marketing, solicitation, or purposes unrelated to active bookings. • Not share, sell, or disclose customer data to third parties without consent. • Handle all personal data in compliance with applicable data protection laws, including the Information Technology Act, 2000. • Delete or return customer data upon request from Pickrbox or when no longer needed for booking fulfillment.
(B) DATA SECURITY OBLIGATIONS:
Store Owners must:
• Implement reasonable security measures to protect customer data from unauthorized access, loss, or disclosure. • Restrict access to customer data to authorized employees only. • Securely delete customer data after the rental period and retention requirements.
(C) BREACH NOTIFICATION:
• If a Store Owner experiences a data breach affecting Pickrbox customer data, they must immediately notify Pickrbox at security@pickrbox.com. • Pickrbox will coordinate breach response and user notification.
(D) CONSEQUENCES OF VIOLATIONS:
• Violation of data protection obligations may result in: - Store account suspension or termination. - Legal action and claims for damages. - Reporting to regulatory authorities.
(E) DATA PROCESSING AGREEMENT:
• Store Owners are considered Data Processors acting on behalf of Pickrbox (the Data Controller). • By registering as a Store Owner, you agree to the Store Owner Data Processing Agreement, which governs your obligations as a Data Processor.
15. Compliance with Indian Data Protection Laws
Pickrbox is committed to complying with Indian data protection laws and regulations, including:
(A) INFORMATION TECHNOLOGY ACT, 2000:
• We comply with the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. • Sensitive Personal Data (SPD): We collect and process sensitive personal data (passwords, financial information, biometric data, KYC documents) with your explicit consent and implement reasonable security practices.
(B) DATA PROTECTION BILL (FUTURE COMPLIANCE):
• We are preparing for compliance with the proposed Digital Personal Data Protection Act (DPDPA) and any future Indian data protection legislation. • We are implementing data protection by design and by default principles, data minimization, and privacy-enhancing technologies.
(C) CONSENT MANAGEMENT:
• We obtain explicit, informed, and freely given consent for collecting and processing personal data, especially sensitive personal data. • Consent is obtained through clear, plain-language notices and opt-in mechanisms. • You may withdraw consent at any time through app settings or by contacting privacy@pickrbox.com.
(D) DATA LOCALIZATION:
• In compliance with Indian data localization requirements, we store sensitive personal data (payment information, KYC documents) within India. • One copy of personal data is retained in Indian data centers even when data is transferred internationally.
(E) GRIEVANCE REDRESSAL MECHANISM:
• We have appointed a Grievance Officer to address privacy complaints and concerns in accordance with the Information Technology Act, 2000. • The Grievance Officer is responsible for: - Receiving and acknowledging privacy complaints. - Investigating and resolving complaints within 30 days. - Coordinating with internal teams and regulatory authorities.
(F) TRANSPARENCY AND ACCOUNTABILITY:
• We maintain records of data processing activities, consent logs, and data breach incidents. • We conduct regular privacy impact assessments (PIAs) and data protection audits. • We provide transparency reports upon request to regulatory authorities.
(G) RIGHTS OF INDIAN USERS:
In addition to the rights outlined in Section 6, Indian Users have:
• Right to access personal data held by Pickrbox. • Right to correct inaccurate or incomplete data. • Right to withdraw consent to data processing. • Right to data portability in machine-readable format. • Right to deletion (right to be forgotten) subject to legal retention requirements. • Right to lodge complaints with the Grievance Officer or regulatory authorities.
16. Global Data Protection Compliance (GDPR, CCPA)
For Users located outside India, we comply with applicable international data protection laws:
(A) GDPR COMPLIANCE (EUROPEAN UNION USERS):
If you are located in the European Union (EU), European Economic Area (EEA), or United Kingdom (UK), you have additional rights under the General Data Protection Regulation (GDPR):
• Legal Basis for Processing: - Consent: For marketing communications, location tracking, analytics. - Contractual Necessity: For account creation, booking fulfillment, payment processing. - Legitimate Interests: For fraud prevention, platform improvement, security. - Legal Obligation: For tax compliance, regulatory reporting, law enforcement requests.
• GDPR Rights: - Right to Access: Obtain a copy of your personal data. - Right to Rectification: Correct inaccurate or incomplete data. - Right to Erasure (Right to Be Forgotten): Request deletion of personal data. - Right to Restriction of Processing: Limit how we use your data. - Right to Data Portability: Receive data in a machine-readable format. - Right to Object: Object to processing based on legitimate interests or for direct marketing. - Right to Withdraw Consent: Withdraw consent at any time without affecting prior processing. - Right to Lodge a Complaint: File complaints with your local Data Protection Authority (DPA).
• International Data Transfers: - Data may be transferred from the EU to India under Standard Contractual Clauses (SCCs) approved by the European Commission. - We ensure adequate safeguards for international transfers.
• Data Protection Officer (DPO): - For GDPR-related inquiries, contact our Data Protection Officer at dpo@pickrbox.com.
(B) CCPA COMPLIANCE (CALIFORNIA USERS):
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
• Right to Know: Request information about personal data collected, sources, purposes, and third-party sharing. • Right to Delete: Request deletion of personal data (subject to exceptions). • Right to Opt-Out of Sale: We do NOT sell personal information, so this right does not apply. • Right to Non-Discrimination: You will not be discriminated against for exercising CCPA rights.
• Categories of Personal Information Collected: - Identifiers (name, email, phone, device ID). - Commercial information (booking history, payment records). - Internet activity (app usage, search queries, clickstream data). - Geolocation data (GPS coordinates, delivery addresses). - Biometric data (selfies for KYC verification).
• How to Exercise CCPA Rights: - Submit a verifiable consumer request to privacy@pickrbox.com or through the in-app privacy request form. - We will respond within 45 days.
(C) OTHER JURISDICTIONS:
• We comply with applicable data protection laws in other jurisdictions, including: - Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. - Personal Data Protection Act (PDPA) in Singapore. - Privacy Act 1988 in Australia.
17. Grievance Officer and Contact Information
In accordance with the Information Technology Act, 2000, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Pickrbox has appointed a Grievance Officer to address privacy concerns, complaints, and data protection inquiries.
(A) GRIEVANCE OFFICER DETAILS:
Name: Pickrbox Grievance Officer Designation: Chief Privacy Officer Email: grievance@pickrbox.com Alternate Email: privacy@pickrbox.com Phone: +91-XXXX-XXXXXX (Business hours: Monday-Friday, 10:00 AM - 6:00 PM IST) Address: Pickrbox Technologies Pvt. Ltd., Bangalore, Karnataka, India
(B) HOW TO FILE A COMPLAINT:
You may file a privacy complaint or grievance by:
• Email: Send a detailed complaint to grievance@pickrbox.com with: - Your full name, registered email, and phone number. - A description of the issue or concern. - Relevant evidence (screenshots, booking details, communication records). - The resolution or outcome you seek.
• In-App: Navigate to Profile > Help & Support > Privacy Complaint.
• Postal Mail: Send a written complaint to the address above.
(C) GRIEVANCE REDRESSAL TIMELINE:
• Acknowledgment: We will acknowledge receipt of your complaint within 24 hours. • Investigation: We will investigate the matter and may request additional information from you. • Resolution: We will respond with a resolution or explanation within 30 days of receiving the complaint. • Escalation: If you are not satisfied with the resolution, you may escalate to: - Senior management at legal@pickrbox.com. - Relevant regulatory authorities (CERT-In, Data Protection Authority, Consumer Forums).
(D) ADDITIONAL CONTACT INFORMATION:
• General Privacy Inquiries: privacy@pickrbox.com • Data Protection Officer (GDPR): dpo@pickrbox.com • Security Incidents: security@pickrbox.com • Legal Notices: legal@pickrbox.com • Customer Support: support@pickrbox.com • Website: www.pickrbox.com
(E) REGULATORY AUTHORITIES:
If you believe your privacy rights have been violated and are not satisfied with our response, you may lodge a complaint with:
• Indian Computer Emergency Response Team (CERT-In): https://www.cert-in.org.in/ • Ministry of Electronics and Information Technology (MeitY): https://www.meity.gov.in/ • National Consumer Helpline: 1800-11-4000 or https://consumerhelpline.gov.in/ • Local Consumer Forum or District Consumer Disputes Redressal Commission.
(F) LANGUAGE OF COMMUNICATION:
• Complaints and inquiries may be submitted in English or Hindi. • We will respond in the same language in which the complaint was filed.
(G) CONFIDENTIALITY:
• All complaints and grievances are handled confidentially. • Personal information disclosed in complaints will be used solely for the purpose of investigation and resolution.