MetroFeeder — Privacy Policy
Last updated: 03 May 2026
This Privacy Policy explains how MetroFeeder ("the App") collects, uses, shares, retains, and protects your personal data when you use the MetroFeeder mobile application (iOS / Android) and the related driver, fleet, executive, and admin web portals.
This Policy is issued under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. For users accessing the App from the European Union or the United Kingdom, the App also adheres to the principles of the GDPR / UK GDPR.
1. Personal data we collect
| Category | Specific fields | Source | Used for |
|---|---|---|---|
| Identity | Full name, gender, age, occupation, profile photo | You (during signup / profile edit) | Account creation, ride matching, KYC |
| Contact | Mobile number, optional email | You | Login, OTP verification, ride notifications, support |
| Authentication | Bcrypt-hashed PIN, biometric template (stored on-device only via expo-secure-store / iOS Keychain / Android Keystore) | You | Sign-in. Biometric data never leaves the device |
| Location | GPS coordinates, accuracy, timestamps; pickup, drop-off, and live ride locations | expo-location (foreground only) | Nearest-station detection, ride matching, ETA, live tracking, safety |
| Ride history | Ride ID, route, fare, vehicle type, timestamps, ratings, driver/passenger ID | Generated server-side | Ride history, dispute resolution, fraud prevention, regulatory reporting |
| Payment | Wallet balance, transaction history, last-4 of saved card / masked UPI VPA, Razorpay/Stripe payment tokens. We do NOT store full card numbers, CVV, or UPI PINs. | Razorpay / Stripe (PCI-DSS compliant processors) | Wallet, ride payment, refunds, payout |
| KYC documents (drivers) | Driving licence number, RC number, vehicle insurance, PAN, photographs of documents | You (during driver onboarding) | Driver onboarding aligned with the Motor Vehicles Aggregator Guidelines 2025; supports any subsequent verification by the Hyderabad RTA |
| Emergency contacts | Names and phone numbers you add | You | SOS escalation only |
| Device & technical | Device model, OS version, app version, IP address, language, timezone, crash logs (without PII) | Captured automatically | Security, crash reporting, fraud prevention |
| Usage analytics | Screens viewed, features used, performance metrics | Captured automatically (Sentry, Replit logs) | Product improvement, crash diagnosis |
| Communications | Support messages, in-app chat (passenger ↔ driver), grievance tickets | You | Customer support, dispute resolution |
We do not collect: contact list (we only show the system contact picker if you tap "Add Emergency Contact"), SMS contents, call logs, sensor or motion data, browsing history, or biometric raw data.
2. Why we process your data — lawful basis
Under DPDP Act § 4, we rely on the following grounds:
- Consent (§ 4(1)(a)): location, profile photo, optional email, marketing communications.
- Certain legitimate uses (§ 4(1)(b) / § 7): provision of the ride-hailing service you requested, payments, safety responses, fraud prevention, compliance with court orders or law-enforcement requests, employment-related processing for our staff.
- Compliance with law: KYC for drivers aligned with the Motor Vehicles Aggregator Guidelines 2025; retention of ride records to respond to lawful regulatory inspection (e.g. by TRAI, the Hyderabad RTA, or under the IT Rules 2021).
You may withdraw consent for any optional processing at any time — in-app at Profile → Privacy Center or by emailing privacy@metrofeeder.app.
3. Third-party SDKs & data processors
The following third parties may receive personal data only for the purposes listed and under contractual processing terms:
| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Razorpay (Razorpay Software Pvt Ltd, India) | UPI / cards / NetBanking checkout, wallet top-up, RazorpayX driver payouts | Payment amount, currency, tokenised payment instrument, your phone, your name, ride ID | razorpay.com/privacy |
| Stripe (Stripe Payments India Pvt Ltd) | Legacy / fallback card processing | Same as Razorpay | stripe.com/in/privacy |
| Twilio (Twilio Inc, USA) | OTP / SMS delivery, SOS escalation calls | Your phone, OTP code, message body | twilio.com/legal/privacy |
| Google Maps Platform (Google LLC, USA) | Map tiles, Places autocomplete, Directions, Geocoding | Pickup / drop-off coordinates, search query string | policies.google.com/privacy |
| Apple (Apple Inc, USA) | Sign in with Apple, Apple Push Notification service, App Store distribution | User-supplied Apple ID identifier (anonymous), device push token | apple.com/legal/privacy |
| Google (Google LLC) | Firebase Cloud Messaging push delivery, Play Store distribution | Device push token | policies.google.com/privacy |
| Sentry (Functional Software Inc, USA) | Crash & error reporting | Stack traces, app version, OS version, your internal database id only (no name/phone/email — automatically scrubbed by beforeSend filter) | sentry.io/privacy |
| OpenAI (OpenAI L.L.C., USA) | (a) Speech-to-text via the Whisper API for the voice-booking feature — the raw audio recording you make in the app is uploaded to https://api.openai.com/v1/audio/transcriptions. The audio may incidentally contain anything you spoke aloud (e.g. station names, a contact name, an address). We do not transmit your phone, account id, name, or location alongside the audio. After transcription the audio buffer is discarded server-side; only the resulting text is retained for matching against the metro-station list. (b) Text-only intent / help responses for the chatbot. | Audio recording (voice booking); message text (chatbot) | openai.com/policies/privacy-policy |
| Anthropic (Anthropic PBC, USA) | In-app chatbot ("Help Assistant"). Text-only — the message you typed. We do not send phone, name, or location in the prompt. | Message text | anthropic.com/legal/privacy |
| Google Identity / OAuth (Google LLC, USA) | Optional "Continue with Google" sign-in option on the login screen. If you tap it, the Google OAuth flow returns an access token; we then call https://www.googleapis.com/userinfo/v2/me once to read your Google profile name and email, which we store on your MetroFeeder account. We do not request Google contacts, calendar, drive, or any other scope. | Google profile name & email | policies.google.com/privacy |
| Replit Hosting (Replit Inc, USA) | Server hosting (Express + Postgres) | All app data flows through Replit infrastructure | replit.com/site/privacy |
| Neon Database (Neon Inc, USA) | Managed Postgres backing the API | All app data | neon.tech/privacy-policy |
We have no agreements with advertising networks or data brokers, and the App does not share your data for advertising or behavioural profiling.
4. Cross-border data transfers
Some of the third parties above (Stripe, Twilio, Google Maps, Google Identity, Apple, Sentry, OpenAI, Anthropic, Replit, Neon) process data outside India, primarily in the United States and the European Union. We rely on:
- DPDP Act § 16 read with the Central Government's notification of permitted countries (the App will follow whichever notification is in force at the time of processing); and
- contractual safeguards, including standard contractual clauses where applicable.
5. How long we keep your data
| Data | Retention |
|---|---|
| Active account profile | Until you request deletion (see § 8) |
| Ride records | 5 years from the date of the ride, per IT Rules 2021 + GST records retention |
| Payment / wallet transactions | 8 years, per Indian Income Tax Act, 1961 |
| KYC documents (driver) | 5 years after the driver's last active ride |
| Crash & error logs | 90 days in Sentry |
| Server access logs | 30 days |
| Backups | 14 days rolling |
| Deleted account audit log | 3 years (only the user id, deletion timestamp, IP, optional reason — see deleted_users_log table) |
6. Security
- All client ↔ server traffic is HTTPS only (`usesCleartextTraffic:false` on Android, `NSAllowsArbitraryLoads:false` on iOS).
- Passwords / PINs are hashed (bcrypt for users + admin; Node `crypto.scrypt` for executive / fleet portals). We never store plaintext credentials.
- Database access uses parameterised queries (`pg` driver) — no SQL injection surface.
- Webhooks (Razorpay, Stripe) are HMAC-verified with constant-time comparison; settlement is idempotent against the `payment_intent_id` UNIQUE constraint.
- Helmet middleware applies CSP with per-request nonces, HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Permissions-Policy.
- Rate limits: 100 req/min/IP+path on `/api/*`, 10 req / 15 min on login, 3 req/min on OTP.
- Crash reports run through a `beforeSend` PII scrubber that strips phone, email, password, PIN, bank account, IFSC, UPI ID, OTP, tokens, authorisation, and cookies before transmission to Sentry.
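The webhook control listed above, sketched as an added example (not MetroFeeder's own code): HMAC verification over the raw request body with a constant-time comparison, followed by idempotent settlement. The secret, the hex HMAC-SHA256 signature format, the function names, and the in-memory map standing in for the `payment_intent_id` UNIQUE constraint are all assumptions.

```javascript
// Added example with a constructed secret and payloads; names are hypothetical.
const crypto = require("node:crypto");

const WEBHOOK_SECRET = "constructed-test-secret"; // assumption: per-processor shared secret

// Stand-in for a table with a UNIQUE constraint on payment_intent_id.
const settled = new Map();

// HMAC-SHA256 over the exact bytes received, hex encoded (assumed signature format).
function sign(rawBody, secret = WEBHOOK_SECRET) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

function verifySignature(rawBody, signatureHex, secret = WEBHOOK_SECRET) {
  // Reject anything that is not a 64-char hex digest before comparing.
  if (typeof signatureHex !== "string" || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const received = Buffer.from(signatureHex, "hex");
  // timingSafeEqual throws on unequal lengths, so check length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

function handleWebhook(rawBody, signatureHex) {
  // Verify before parsing: the MAC covers the raw bytes, not re-serialised JSON.
  if (!verifySignature(rawBody, signatureHex)) {
    return { status: 401, result: "bad_signature" };
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString("utf8"));
  } catch {
    return { status: 400, result: "bad_json" };
  }
  const id = event.payment_intent_id;
  if (typeof id !== "string" || id === "") {
    return { status: 400, result: "missing_id" };
  }
  // A replayed delivery is acknowledged but must not credit the wallet twice.
  if (settled.has(id)) {
    return { status: 200, result: "duplicate_ignored" };
  }
  settled.set(id, event.amount);
  return { status: 200, result: "settled" };
}
```

In a real deployment the duplicate check is the database's unique-violation error on insert rather than a prior lookup, which closes the race between two concurrent deliveries.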
7. Children
The App is not directed at children under 13 and we do not knowingly collect data from them. If you believe a minor has provided us data, contact privacy@metrofeeder.app and we will delete it.
8. Your rights under DPDP Act 2023
You have the right to:
- Access the personal data we hold about you (§ 11);
- Correction, completion, or updating of inaccurate / incomplete data (§ 12);
- Erasure of your data, subject to legal retention (§ 12);
- Withdraw consent for any processing based on consent (§ 6(4));
- Nominate another individual to exercise these rights on your behalf (§ 14);
- Grievance redressal by contacting our Grievance Officer (§ 13);
- Complain to the Data Protection Board of India.
To exercise these rights: in-app at Profile → Help → Delete Account (passenger) or Profile → Support → Delete Account (driver) for erasure, or Profile → Privacy Center for access / correction / withdrawal. You can also email privacy@metrofeeder.app. See also the dedicated Account & Data Deletion page.
We respond within 30 days of receipt of a valid request.
Account deletion specifically
The "Delete Account" button performs a hard delete of your user record, with cascading deletes of your saved locations, wallet, emergency contacts, profile photo URL, ratings, notifications, and preferences. Ride records are retained in anonymised form (your user id is set to NULL) so that the driver's payment history, regulatory record, and dispute history remain intact. A single audit row in deleted_users_log (user id, timestamp, IP, optional reason) is kept for 3 years for fraud prevention.
9. Grievance Officer
In compliance with Rule 5(9) of the IT Rules 2021 and § 13 of the DPDP Act:
- Name: [TO BE FILLED]
- Designation: Grievance Officer
- Email: grievance@metrofeeder.app
- Phone: [TO BE FILLED]
- Address: [REGISTERED ADDRESS], Hyderabad, Telangana
- Hours: Mon–Fri, 10:00–18:00 IST
- Response SLA: 24 hours acknowledgement, 15 days resolution
10. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest revision. Material changes will be notified to you in-app and by email at least 7 days before they take effect.
Questions? privacy@metrofeeder.app