Legal Documentation
Privacy Policy
1. Scope & Controller
This Privacy Policy ("Policy") governs the collection, processing, storage, and transfer of personal data and operational telemetry by RyderBuddy Technologies ("RyderBuddy", "we", "us", or "our") in connection with our enterprise mobility coordination platform, APIs, mobile applications, and related infrastructure services (collectively, the "Platform").
RyderBuddy Technologies is the data controller for personal data processed through the Platform. Our registered correspondence address is available upon written request to compliance@ryderbuddy.com.
By accessing or using the Platform, enterprise clients and their authorised end-users ("Users") acknowledge and agree to the practices described in this Policy. This Policy applies to all data processed in connection with our Platform, regardless of the device or interface used.
2. Data We Collect
RyderBuddy collects the minimum data necessary to deliver, secure, and continuously improve enterprise-grade coordination infrastructure. Data categories include:
2.1 Account & Identity Data
- Full name, enterprise email address, job title, and organisational affiliation provided during account registration or waitlist enrollment.
- Authentication credentials (stored as cryptographically hashed values; plaintext passwords are never retained).
- Fleet size, operational region, and infrastructure deployment tier selected during onboarding.
2.2 Operational & Coordination Data
- Tour plan structures, route node sequences, checkpoint timestamps, and associated metadata created by enterprise administrators.
- Participant presence events, synchronisation acknowledgements, and state-transition records generated during active coordination sessions.
- Fuel telemetry inputs, vehicle mileage parameters, and stop-recommendation acceptance events.
- In-session communication records where the Platform provides coordination messaging features.
2.3 Device & Network Data
- Device identifiers (anonymised), operating system version, app version, and crash diagnostics.
- IP address (truncated for analytics), approximate geolocation derived from network signals, and GPS coordinates when location permissions are explicitly granted.
- Network quality indicators and connectivity state transitions used to activate offline resilience layers.
2.4 Usage & Analytics Data
- Feature interaction events, session duration, navigation paths, and error events collected for product improvement.
- API request logs retained for security auditing and SLA observability.
3. Telemetry & Operational Usage
The Platform relies on operational telemetry to maintain infrastructure continuity and deliver accurate coordination intelligence. This includes:
3.1 Real-Time Coordination Telemetry
Participant location events, node-state transitions, and synchronisation signals are processed in real time to maintain presence continuity across distributed travel cohorts. This data is ephemeral in nature; precise GPS coordinates are retained only for the duration of an active session unless the enterprise account holder configures extended audit logging.
3.2 Aggregated Operational Intelligence
De-identified and aggregated telemetry — including anonymised route patterns, refuelling demand signals, and crowd-density indicators — is used to improve Buddy AI recommendations and enhance the accuracy of route intelligence systems. Aggregated data cannot be used to identify individual users.
3.3 Infrastructure Performance Monitoring
System health telemetry including API latency distributions, error rates, and infrastructure node availability is collected continuously for SLA monitoring, capacity planning, and proactive anomaly detection. This data does not include personal identifiers.
4. Legal Bases for Processing
Where applicable privacy legislation requires us to identify a lawful basis for processing, we rely on the following:
- Contractual Necessity: Processing required to deliver the Platform services agreed under an enterprise subscription or accepted terms.
- Legitimate Interests: Security monitoring, fraud prevention, infrastructure performance analysis, and product improvement, where these interests are not overridden by individual rights.
- Consent: Precise GPS tracking and optional marketing communications, where consent is obtained explicitly and can be withdrawn at any time.
- Legal Obligation: Compliance with applicable law, regulatory orders, and law enforcement requests made through lawful process.
5. Third-Party Sharing
RyderBuddy does not sell personal data. We do not share personal data with third parties for their independent marketing purposes. Data may be disclosed to the following categories of recipients under strict contractual controls:
5.1 Infrastructure Providers
Cloud hosting, content delivery, and database infrastructure providers (including Hetzner Cloud, Cloudflare, and DigitalOcean) operate as data processors under Data Processing Agreements that restrict their use of data to service delivery only.
5.2 Payment Processors
Razorpay processes payment transactions on our behalf in compliance with PCI-DSS. RyderBuddy does not retain full card numbers or financial credentials.
5.3 Communication Infrastructure
Push notification delivery services (including Firebase Cloud Messaging) receive anonymised device tokens solely to route operational notifications. These providers are prohibited from using token data for any secondary purpose.
5.4 Legal & Regulatory Disclosure
We may disclose data to competent authorities, courts, or regulatory bodies when required by applicable Indian law, including the Information Technology Act 2000 and any successor legislation, provided such requests are made through lawful process and we are not otherwise prohibited from notifying the affected user.
5.5 Corporate Transactions
In the event of a merger, acquisition, or asset transfer, user data may be transferred to a successor entity subject to the same or stronger privacy protections, with advance notice to enterprise account holders where legally permissible.
6. Data Retention
Retention periods are determined by operational necessity, contractual obligation, and applicable legal requirements:
- Active session data (real-time GPS coordinates, presence signals): Purged within 24 hours of session close unless audit logging is enabled.
- Tour plan records and route archives: Retained for the lifetime of the enterprise account, then deleted within 90 days of account termination.
- Account and identity data: Retained for the duration of the contractual relationship plus 7 years for tax and compliance purposes.
- API access logs: Retained for 12 months for security audit purposes, then automatically purged.
- Aggregated, de-identified analytics: Retained indefinitely for infrastructure planning and product development.
7. Security Protocols
RyderBuddy implements enterprise-grade security controls designed to protect personal data against unauthorised access, disclosure, alteration, and destruction:
7.1 Encryption
All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 with key management systems designed to prevent unauthorised key access. Authentication tokens are signed using industry-standard asymmetric cryptography.
7.2 Access Control
Access to production systems is governed by role-based access control (RBAC), the principle of least privilege, and mandatory multi-factor authentication for all engineering personnel. Privileged access events are logged and subject to quarterly review.
7.3 Infrastructure Resilience
The Platform is architected with geographic redundancy, automated failover, and continuous availability monitoring. Our infrastructure is designed to maintain a 99.97% uptime SLA, with incident response procedures documented and tested on a quarterly basis.
7.4 Vulnerability Management
We conduct regular penetration testing, dependency audits, and security code reviews. Critical vulnerabilities are patched within 72 hours of confirmed discovery. A responsible disclosure programme is available at compliance@ryderbuddy.com.
7.5 Incident Response
In the event of a data breach affecting personal data, RyderBuddy will notify affected enterprise account holders within 72 hours of confirmed discovery, consistent with applicable regulatory obligations, and will provide a detailed incident report within 30 days.
8. Your Rights
Subject to applicable law, Users and enterprise account holders have the following rights with respect to personal data we hold:
- Right of Access: Request a copy of personal data we hold about you.
- Right of Rectification: Request correction of inaccurate or incomplete data.
- Right of Erasure: Request deletion of personal data, subject to retention obligations under applicable law.
- Right to Restrict Processing: Request that we limit processing of your personal data in certain circumstances.
- Right to Data Portability: Receive personal data you have provided in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, submit a written request to compliance@ryderbuddy.com. We will respond within 30 days. Identity verification may be required before processing access or deletion requests.
9. Cookies & Tracking Technologies
The RyderBuddy web platform uses the following categories of cookies and local storage mechanisms:
- Strictly Necessary: Session tokens and authentication state. Cannot be disabled without impairing core functionality.
- Performance & Analytics: Anonymised usage event collection for infrastructure and product improvement. Consent-governed; may be disabled via cookie preference settings.
- Functional: User interface preferences including language, timezone, and notification settings. Consent-governed.
The Platform does not use third-party advertising cookies or cross-site tracking pixels. Cookie preferences can be managed through your browser settings or by contacting compliance@ryderbuddy.com.
10. Contact & Data Protection Officer
For all privacy-related enquiries, data subject rights requests, and compliance matters, contact us at:
RyderBuddy Technologies
Data Protection & Compliance: compliance@ryderbuddy.com
General Support: support@ryderbuddy.com
RyderBuddy reserves the right to update this Policy at any time. Material changes will be communicated to enterprise account holders via the registered contact email with a minimum of 30 days' notice prior to the effective date of the change. Continued use of the Platform following such notice constitutes acceptance of the revised Policy.