PRIVACY POLICY
Vega Transport India Pvt Ltd
Version: 1.0
Effective Date: February 11, 2026
Last Updated: February 11, 2026
1. INTRODUCTION
Vega Transport India Pvt Ltd (hereinafter referred to as “Vega Transport,” “the Company,” “we,” “us,” or “our”), including its affiliates, successors and assigns, maintains its registered office at 16-152(53) Industrial Area, Shivalli Village, Manipal, Udupi, Karnataka, India, 576104.
The Company provides technology-enabled logistics solutions to Indian transporters and truck owners through a comprehensive digital platform. Our services include Full Truck Load (FTL) booking, Part Load (PTL) management, fleet coordination, and integrated digital payment facilities, all delivered through a network of mobile applications and web-based platforms designed to connect customers requiring freight transportation with vendors who provide such services.
This Privacy Policy has been formulated to provide transparency regarding our practices concerning the collection, usage, storage, disclosure, and protection of personal information obtained through our platforms. We are committed to safeguarding user privacy and maintaining the confidentiality of all information entrusted to us, utilizing such data solely for legitimate business purposes and service delivery.
Our data handling practices are designed in full compliance with applicable Indian legislation, including the Information Technology Act, 2000 and its amendments (“IT Act”), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“IT Rules”), and the Digital Personal Data Protection Act, 2023 (“DPDP Act”) along with the Digital Personal Data Protection Rules, 2025.
2. SCOPE AND APPLICABILITY
2.1 Protected Parties
This Privacy Policy protects the personal information of all individuals whose data is processed through the Vega Transport platform, including:
- Customers, whether retail clients or enterprise entities, who utilize our platform to book freight transportation services
- Vendors, including truck owners and fleet operators, who register on our platform to provide transportation services
- Drivers whose credentials and information are submitted by vendors for service delivery purposes
- Point of Contact (POC) persons whose details are provided by customers for coordination of pickup and delivery operations
Each individual whose personal information is processed through our platform is recognized as a Data Principal under the Digital Personal Data Protection Act, 2023, entitled to equal rights and protections regardless of their role or relationship with the platform.
2.2 Key Definitions
Personal Information (PI) refers to any data relating to a natural person which, either directly or when combined with other available information, enables the identification of such person. This encompasses basic identifiers, contact details, location information, and transactional data.
Sensitive Personal Data or Information (SPDI) constitutes a protected category of personal information requiring enhanced safeguards, specifically including:
- Authentication credentials, passwords, and security codes
- Financial information including bank account numbers, credit card details, debit card information, and other payment instrument data
- Physical, physiological, and mental health conditions and medical history
- Sexual orientation
- Biometric information used for identification purposes
- Information related to any of the above categories provided to the Company for service delivery
- Information received under lawful contract or legal obligation
- Photographs uploaded during registration or verification processes
- Government-issued identification documents including PAN Cards, Passports, Aadhaar Cards, and Driving Licenses
- Vehicle documentation including Registration Certificates (RC), Insurance policies, Operating Permits, Emission Certificates, and Tax Receipts
Information that is freely available in the public domain or accessible under the Right to Information Act, 2005, or any other applicable law mandating public disclosure, is specifically excluded from the definition of Sensitive Personal Data or Information.
2.3 Platform Users
Our platform serves three distinct categories of users, each fulfilling specific roles within the transportation ecosystem:
Customers comprise both individual shippers and corporate entities that require freight transportation services and utilize our platform to raise service inquiries, obtain quotations, book transportation services, and manage their logistics requirements.
Vendors consist of truck owners, fleet operators, and transport companies that register their vehicles and drivers on our platform, respond to customer inquiries with service quotations, and execute transportation services upon assignment.
Administrators are internal Vega Transport personnel responsible for platform operations, including vendor verification, inquiry management, customer-vendor coordination, documentation generation, payment processing, and dispute resolution.
3. COMMITMENT TO EQUAL PRIVACY PROTECTION
3.1 Neutral Platform Operation
Vega Transport operates as a neutral intermediary platform, facilitating connections between customers requiring transportation services and vendors capable of providing such services. We maintain an unwavering commitment to protecting the privacy of all platform users with equal diligence and without discrimination or preferential treatment.
Both customers and vendors are recognized as Data Principals under the Digital Personal Data Protection Act, 2023, possessing identical rights concerning their personal information. This Privacy Policy applies uniformly to all user categories, ensuring balanced protection and equitable treatment in all data processing activities.
3.2 Customer Privacy Protections
Customer personal information, including inquiry details, contact information, billing data, and transaction history, is protected from unauthorized access by vendors or other third parties. Information sharing with vendors is strictly controlled and limited to the minimum data necessary to fulfill specific transportation requests. Vendors receive customer contact information only after formal assignment to a booking and solely for the purpose of coordinating the specific service for which they have been engaged.
3.3 Vendor Privacy Protections
Vendor business information, including verification documents, pricing strategies, competitive quotations, bank account details, and proprietary business data, is protected from unauthorized access by customers and competing vendors. Customers receive only the vendor’s designated operations coordinator contact information necessary for service coordination. Verification documents, financial information, and competitive pricing submissions remain confidential and accessible only to authorized administrators for legitimate operational purposes.
3.4 Controlled Information Exchange
Neither customers nor vendors are provided with bulk access to databases containing the other party’s information. All information sharing is transaction-specific, administrator-controlled, and strictly limited to legitimate service delivery purposes. We implement technical and organizational measures to prevent unauthorized data harvesting, bulk information extraction, or misuse of shared contact details.
4. DATA MINIMIZATION PRINCIPLE
Vega Transport adheres to the principle of data minimization in all information collection activities. We collect only that personal information which is demonstrably necessary, directly relevant, and proportionate to the specific purposes of operating our transportation booking platform and delivering related services.
We do not engage in speculative data collection, do not gather information for potential future uses, and do not request data that is excessive relative to our stated purposes. Every data element we collect serves a specific, clearly defined, legitimate business purpose that is directly related to facilitating freight transportation services, ensuring legal compliance, or protecting the security and integrity of our platform.
Users are informed of the specific purposes for which each category of data is collected, and we restrict our processing activities to those purposes unless additional consent is obtained for new or expanded uses.
5. INFORMATION COLLECTION FROM CUSTOMERS
5.1 Registration and Account Information
When customers register on our platform to access transportation booking services, we collect minimal essential information required for account creation and authentication. The primary registration requirement is a valid mobile telephone number, which serves as the unique account identifier and is used exclusively for One-Time Password (OTP) based authentication, ensuring secure access to customer accounts without requiring traditional password management.
Customers may optionally provide additional billing information, specifically a billing address and Goods and Services Tax (GST) registration number, if they require formal tax-compliant invoices for their transportation bookings. This information is entirely optional and is collected only upon customer initiative when such documentation is necessary for their accounting or compliance purposes.
5.2 Service Inquiry and Booking Information
When customers create transportation service requests through our platform, we collect specific details necessary to match their requirements with appropriate vendors and facilitate service delivery. This includes the service category (Full Truck Load or Part Load), precise source and destination locations, approximate cargo weight and characteristics, preferred pickup date and time window, and any special handling requirements or delivery instructions pertinent to the shipment.
For coordination of actual pickup operations, customers designate a Point of Contact person at the origin location, providing that individual’s name and mobile contact number. This information is essential for enabling the assigned vendor to coordinate directly with the appropriate person at the pickup site, ensuring smooth commencement of transportation services.
5.3 Transaction and Payment Information
Our platform processes payment information through Razorpay Payment Gateway, a certified third-party payment processor. When customers authorize payments for transportation services, whether advance payments requested before service commencement or final settlements upon completion, payment credentials are transmitted directly to Razorpay’s secure infrastructure.
We retain limited transaction metadata including payment reference numbers, transaction amounts, processing dates and timestamps, transaction status indicators, and the Lorry Receipt (LR) number associated with each booking. This information is maintained for purposes of accounting reconciliation, invoice generation, dispute resolution, tax compliance, and audit trail maintenance.
5.4 Communication and Support Records
All communications between customers and our administrative team are recorded and retained. This includes messages exchanged through our platform’s messaging system, service-related inquiries submitted through contact forms or email, feedback provided regarding service quality, and any complaints or dispute-related communications. These records serve important functions in service delivery coordination, quality improvement, dispute resolution, and legal compliance.
5.5 Platform Usage and Technical Data
Our systems automatically collect certain technical information when customers access our platform. This includes login timestamps, device information (operating system, device type, browser version), IP addresses, and basic usage analytics. This data is utilized for security monitoring, fraud detection, platform performance optimization, and user experience improvement through aggregated, anonymized analysis.
5.6 Limitations on Vendor Access to Customer Information
Vendors cannot view customer personal information during the inquiry and quotation phases. When administrators post customer inquiries to selected vendors for competitive bidding, vendors see only service requirements (origin, destination, cargo type, service level) without any customer identifying information or contact details.
Only after a vendor is formally assigned to fulfill a specific booking does that vendor receive the customer’s designated Pickup Point of Contact information, and this sharing is strictly limited to coordination of the specific assigned service. Vendors never receive access to customer personal mobile numbers, billing addresses, GST registration details, payment information, or historical booking records.
5.7 Purpose Specification
Customer information is collected and processed exclusively for the following legitimate purposes: authenticating user identity and securing account access; processing and coordinating transportation service requests; matching customer requirements with qualified and verified vendors; generating Lorry Receipts and other required transportation documentation; processing payments securely through our certified payment gateway; generating invoices, receipts, and tax documents; sending transactional SMS and email notifications regarding booking status and service updates; resolving service disputes and addressing customer support inquiries; complying with legal obligations under tax, transport, and commercial laws; maintaining records as required by applicable regulations; and improving service quality through anonymized data analysis.
6. INFORMATION COLLECTION FROM VENDORS
6.1 Vendor Registration and Verification
Vendors seeking to provide transportation services through our platform must complete a comprehensive verification process designed to ensure legal compliance, service quality, and platform integrity. This verification is mandatory and non-negotiable for platform participation.
The Owner’s Permanent Account Number (PAN) Card is a mandatory requirement for all vendors, serving purposes of identity verification, tax compliance under the Income Tax Act, and enabling proper Tax Deducted at Source (TDS) processing. For vendors registered under the Goods and Services Tax regime, submission of a valid GST Certificate is optional but recommended for proper tax treatment of transactions.
We collect business identification information including the vendor’s business name, trading name if different from the registered name, complete registered business address, primary mobile number for account login and OTP authentication, designated operations coordinator contact details, and complete bank account information including account number, IFSC code, branch details, and account holder name for payment processing purposes.
6.2 Vehicle Documentation and Verification
For each truck or commercial vehicle that a vendor wishes to register on our platform for assignment to customer bookings, our administrators collect and verify comprehensive documentation ensuring legal compliance and operational readiness.
Mandatory vehicle documentation includes a valid Operating Permit authorizing the vehicle for commercial freight transportation on the routes and categories for which it will be deployed; a current Emission Certificate or Pollution Under Control (PUC) Certificate demonstrating compliance with environmental standards; a comprehensive Insurance Policy covering commercial operations and third-party liability with adequate coverage limits; the original Registration Certificate (RC) proving legal ownership or authorized operation; and valid Tax Receipts evidencing payment of road tax, entry tax, and other applicable vehicle taxes.
Beyond documentation, we collect detailed vehicle specifications including make and model, year of manufacture, engine capacity and specifications, maximum loading capacity, vehicle dimensions, fuel type and transmission characteristics, and the vehicle’s unique identification including registration number, chassis number, and engine number. Vehicle photographs capturing exterior views are also collected for identification and verification purposes.
6.3 Driver Documentation and Verification
For each driver that a vendor wishes to register for assignment to transportation jobs through our platform, our administrators collect and verify essential credentials ensuring proper qualification and legal compliance.
Required driver documentation includes a valid Commercial Driving License appropriate for the class and weight category of vehicles to be operated, and the driver’s Permanent Account Number (PAN) Card for identification and potential income tax purposes. We also collect the driver’s full legal name, current contact mobile number, a recent photograph for identification purposes, and emergency contact details for safety and incident management purposes.
6.4 Application and Quotation Information
When vendors respond to customer inquiries posted by our administrators, they submit applications expressing interest and capability to fulfill the transportation requirement. Each application contains specific selections and commercial terms that form the basis for potential assignment.
Application data includes the vendor’s selection of which specific vehicle or vehicles from their verified fleet they propose to assign to the job; designation of which verified driver or drivers will operate the assigned vehicle; a commercial quotation specifying service charges for the complete transportation from origin to destination; estimated transit time and delivery schedule; and any special conditions, terms, or requirements relevant to the proposed service.
6.5 Route Availability Communications
Vendors may proactively communicate with administrators regarding their fleet availability on specific routes and during particular time periods. This includes information about routes where trucks currently have available capacity, dates and times when vehicles will be available for assignment, opportunities for return load optimization, and regular route patterns that represent the vendor’s typical operational geography.
6.6 Transaction and Payment Records
For each completed transportation service, we maintain comprehensive transaction records including advance payment amounts received (if applicable), final payment amounts processed, Tax Deducted at Source (TDS) amounts withheld and remitted to government authorities, platform commission or service fees deducted as per applicable agreements, net amounts credited to the vendor’s registered bank account, payment processing dates and methods, TDS certificates issued, and payment advice documentation.
6.7 Limitations on Customer Access to Vendor Information
Customers cannot access vendor verification documents, financial information, or competitive business data. When customers view inquiries assigned to them, they receive only the vendor’s designated operations coordinator contact number and general information about the assigned vehicle’s registration number and type.
Customers do not receive access to vendor PAN Cards, GST Certificates, bank account details, personal or residential addresses, complete fleet inventories, pricing histories with other customers, document copies of RC, Insurance, Permits, or Licenses, business financial information, or performance metrics with other clients.
6.8 Purpose Specification
Vendor information is collected and processed exclusively for the following legitimate purposes: verifying vendor identity and eligibility to provide commercial transportation services; ensuring vehicle compliance with legal, safety, and environmental requirements; verifying driver qualifications and valid licensing; posting relevant customer inquiries to appropriate vendors based on capability and availability; processing vendor applications and facilitating price negotiations; assigning qualified vendors to confirmed customer bookings; generating service documentation including Lorry Receipts and trip sheets; processing payments to vendors including TDS deduction and remittance; maintaining compliance records as required by Motor Vehicles Act, Income Tax Act, and transport regulations; evaluating vendor performance for quality assurance and continuous improvement; and sending inquiry notifications, application status updates, and payment confirmations.
7. ADMINISTRATOR DATA HANDLING AND OBLIGATIONS
7.1 Administrator Information Collection
Our internal administrators, who are employees or authorized contractors of Vega Transport, access and process user information as necessary to perform their designated operational functions. We maintain comprehensive records of administrator activities including employee identification credentials, system login timestamps and session duration, specific actions performed on the platform such as inquiry creation, vendor selection, price negotiation, assignment execution, LR generation, and payment processing, IP addresses and device information from which platform access occurred, and all communications exchanged with customers and vendors.
This data collection serves critical purposes of maintaining platform security, ensuring accountability for all data processing activities, creating comprehensive audit trails for regulatory compliance and dispute resolution, monitoring administrator performance for quality assurance and training purposes, and enabling thorough investigation and analysis in the event of security incidents or policy violations.
7.2 Administrator Obligations to Customers
Administrators bear specific responsibilities to ensure fair and appropriate treatment of customer data and interests. These include conducting thorough verification of vendor credentials before posting customer inquiries to them, ensuring that only compliant vendors with properly verified vehicles and drivers participate in the bidding process, negotiating in good faith to achieve fair and competitive pricing on behalf of customers, maintaining strict confidentiality of customer contact information until formal vendor assignment occurs, processing payments securely through approved channels and maintaining accurate financial records, generating accurate and timely service documentation including Lorry Receipts and invoices, resolving disputes with impartiality and based solely on facts and applicable terms, and providing prompt service updates and responsive communication throughout the booking lifecycle.
7.3 Administrator Obligations to Vendors
Administrators also bear specific responsibilities to ensure fair treatment of vendor data and business interests. These include providing equal opportunity for all qualified vendors to participate in relevant inquiries based on objective criteria of capability and availability, maintaining strict confidentiality of vendor pricing quotations during competitive bidding processes, ensuring timely payment processing after successful service completion and proper documentation, protecting vendor verification documents and business-sensitive information from unauthorized disclosure, posting inquiries to vendors that genuinely match their registered vehicle types and stated operational routes, providing clear and complete communication about customer requirements and booking terms, resolving disputes with impartiality based solely on facts and applicable agreements, and never favoring particular vendors based on considerations other than merit and suitability.
7.4 Administrator Obligations to Both Parties
Certain administrator obligations apply equally to the protection and fair treatment of both customers and vendors. These include maintaining platform security through implementation of appropriate technical and organizational safeguards, complying fully with all obligations imposed by the DPDP Act and other applicable data protection legislation, providing transparent, accessible, and timely grievance resolution mechanisms with responses within the legally mandated seven-day period, acting as an honest, impartial intermediary without conflicts of interest or favoritism, continuously improving privacy protections and data security measures in response to evolving threats and best practices, and maintaining comprehensive documentation of all decisions and actions for accountability and audit purposes.
7.5 Administrator Access Controls and Accountability
While administrators necessarily access all categories of information on the platform to perform their operational functions, this access is subject to stringent controls and oversight. Access is limited based on role-specific permissions, with each administrator granted only those access rights genuinely necessary for their designated job functions. All access to personal data and sensitive business information is logged comprehensively and subject to regular review and audit. Administrators operate under binding confidentiality obligations extending beyond the term of their employment or engagement. Regular security and privacy training ensures administrators understand their obligations and the importance of data protection. Clear disciplinary procedures and potential legal liability provide consequences for unauthorized access, disclosure, or misuse of platform data.
8. INFORMATION SHARING AND DISCLOSURE PRACTICES
8.1 Fundamental Non-Disclosure Principle
Vega Transport does not engage in the sale, rental, or lease of personal information to third parties under any circumstances. Our business model does not depend upon monetization of user data, and we maintain an absolute commitment to keeping personal information confidential except where sharing is necessary for service delivery, required by law, or explicitly authorized by the affected individual.
8.2 Customer-Vendor Information Exchange
Limited information sharing between customers and vendors occurs at specific stages of the service lifecycle, always controlled by administrators and limited to what is strictly necessary for service coordination.
During Inquiry Posting Phase: When administrators post customer inquiries to selected vendors for competitive quotation purposes, vendors are provided with service specifications including freight type (FTL or PTL), origin and destination locations, approximate cargo characteristics and weight, preferred pickup date and time window, and any special handling or delivery requirements. Vendors at this stage do not receive customer names, customer contact numbers, Pickup Point of Contact details, customer billing information, or information identifying other vendors competing for the same inquiry.
After Vendor Assignment: Once a vendor has been formally assigned to fulfill a customer booking following negotiation and agreement, the assigned vendor receives the customer’s designated Pickup Point of Contact name and mobile number to enable direct coordination for the scheduled pickup. Simultaneously, the customer receives the assigned vendor’s operations coordinator contact number, the registration number and basic specifications of the assigned vehicle, and the assigned driver’s name for identification purposes.
During Service Execution: Throughout the transportation service period, both parties have access to real-time booking status information, the Lorry Receipt (LR) number serving as the official document reference, GPS tracking information if such functionality is enabled, pickup confirmation and delivery milestone updates, and communication channels for coordination and issue resolution.
After Service Completion: Upon completion of the transportation service, both parties can view final billing amounts as determined by the negotiated agreement, payment status and confirmation details, service completion confirmation, and historical records for reference purposes within the limitations of our data retention policies.
8.3 Payment Gateway Information Sharing
All monetary transactions on the Vega Transport platform are processed exclusively through Razorpay Payment Gateway, a third-party payment service provider maintaining Payment Card Industry Data Security Standard (PCI-DSS) certification. When customers initiate payments through our platform, their payment credentials including credit card numbers, debit card numbers, card verification values (CVV), net banking credentials, and UPI PINs are transmitted directly to Razorpay’s secure infrastructure using encrypted communication channels.
Vega Transport’s servers do not receive, process, or store complete payment card numbers, CVV codes, card expiry dates, or banking authentication credentials. We retain only limited transaction metadata necessary for legitimate business purposes, specifically transaction reference numbers assigned by the payment gateway, transaction amounts and currency, transaction processing dates and timestamps, transaction status indicators (successful, failed, pending, refunded), and the booking reference or LR number associated with each payment.
This limited payment information is retained exclusively for legitimate purposes including accounting reconciliation and financial reporting, invoice generation and tax documentation, payment dispute resolution and chargeback management, compliance with tax regulations including GST and TDS requirements, and statutory audit and regulatory examination purposes.
8.4 SMS Service Provider Sharing
For delivery of transactional text messages essential to service coordination, customer and Point of Contact mobile numbers are shared with our contracted SMS service provider. This sharing is strictly limited in scope and purpose. Mobile numbers are provided to the SMS provider solely and exclusively for the purpose of delivering text messages on our behalf, and the provider is contractually prohibited from retaining numbers beyond delivery completion, using numbers for any purpose other than message delivery for Vega Transport, sharing numbers with any third parties, or engaging in any form of marketing or promotional activity using these numbers.
SMS notifications are sent for essential transactional purposes including One-Time Password (OTP) delivery for secure authentication, service inquiry submission confirmations, vendor assignment notifications, payment request and payment confirmation messages, pickup scheduled and delivery milestone updates, and critical service alerts or issues requiring immediate attention.
8.5 Third-Party Service Provider Sharing
We engage carefully selected third-party service providers to support specific aspects of our platform operations. Information shared with these providers is strictly limited to what is necessary for them to perform their designated functions, and all providers operate under comprehensive data protection agreements.
Cloud Infrastructure Providers: We utilize ISO 27001 certified cloud data centers for platform hosting and data storage. These providers receive personal information stored on our platform but are contractually prohibited from accessing, processing, or using such data except as necessary to provide infrastructure services, and are required to implement security measures equivalent to or exceeding our own standards.
Identity Verification Services: Third-party services may be engaged to verify the authenticity of PAN Cards, GST Certificates, Driving Licenses, and vehicle Registration Certificates submitted during vendor verification. These services receive document images and details solely for verification purposes and are prohibited from retaining information or using it for purposes beyond providing verification results.
Analytics and Monitoring Services: We utilize analytics tools to understand platform usage patterns, identify technical issues, and improve user experience. These services receive aggregated and anonymized data only, from which individual users cannot be identified. No personal information or identifiable data is shared with analytics providers.
Communication Platforms: Email delivery services and in-app messaging infrastructure providers may process communication content to enable message delivery. All such providers operate under confidentiality obligations and are prohibited from reading, analyzing, or using message content for any purpose other than delivery.
Technical Support and Security Vendors: IT service providers, cybersecurity firms, and technical consultants may require limited access to our systems for maintenance, security monitoring, incident response, and infrastructure optimization purposes. All such access is provided on a need-to-know basis, is logged and monitored, and is governed by strict confidentiality agreements.
All third-party service providers are required to maintain security standards equivalent to or better than our own requirements, sign comprehensive data processing agreements specifying their obligations and prohibitions, submit to regular audits and compliance verification procedures, promptly notify us of any security incidents or data breaches, coordinate incident response in the event of any security compromise affecting platform data, and accept contractual liability for any data breaches or unauthorized processing occurring within their systems or control.
8.6 Legal and Regulatory Disclosures
We may disclose personal information when such disclosure is mandated by applicable law, required in response to valid legal process, or necessary for public interest purposes.
Statutory Compliance: We disclose information as required to comply with obligations under the Income Tax Act including responding to tax assessment notices and providing transaction records to tax authorities, GST Act including providing invoices and transaction records for tax audits, Motor Vehicles Act including providing vehicle and driver records to transport authorities, Companies Act requirements for corporate compliance and statutory audits, Carriage by Road Act 2007 requirements for goods receipt documentation, and other applicable legislation imposing disclosure obligations on businesses in our sector.
Legal Process Response: We respond to valid court orders, judicial summons, search warrants, subpoenas issued by competent authorities, notices issued by regulatory agencies within their jurisdiction, and other formal legal processes issued through appropriate channels. We verify the legitimacy of such requests and limit disclosure to what is specifically required by the legal process.
Law Enforcement Cooperation: We cooperate with legitimate law enforcement investigations including inquiries related to suspected criminal activity, fraud investigations involving platform transactions or users, accident investigations requiring trip records or vehicle details, national security matters when properly authorized, public safety emergencies requiring immediate action, and efforts to locate missing persons or stolen vehicles where our records may be relevant.
Platform Protection and Safety: We may disclose information when necessary for enforcement of our Terms and Conditions or other platform policies, investigation of suspected fraud, security breaches, or illegal activities affecting the platform, protection of our legal rights, property, operations, or reputation, protection of user safety and prevention of physical harm, defense against legal claims or lawsuits, or investigation of policy violations such as data misuse by platform users.
Dispute Resolution: In cases where disputes arise between customers and vendors regarding service quality, payment, damage claims, or contract terms, we may share relevant information with both parties and potentially with courts, arbitrators, or mediators engaged to resolve the dispute. Such sharing is limited to information directly relevant to the disputed matter.
8.7 Notification of Legal Disclosures
We endeavor to notify affected users before disclosing their information to legal authorities or in response to legal process, except where providing such notification is legally prohibited by court order or statute, would impede or obstruct an ongoing law enforcement investigation, would create risk of harm to individuals or public safety, or is rendered impractical due to emergency circumstances requiring immediate disclosure.
8.8 Business Transfer Disclosures
In the event of corporate restructuring, merger, acquisition, asset sale, bankruptcy proceedings, or other transactions affecting ownership or control of Vega Transport, personal information may be transferred to the acquiring or successor entity as part of the business assets.
Any such transfer would be subject to requirements that the receiving entity honor the commitments made in this Privacy Policy or provide equivalent or superior privacy protections, continue to comply with all obligations imposed by the DPDP Act and other applicable data protection laws, and respect users’ data principal rights including consent withdrawal and data portability.
We would provide affected users with at least thirty days’ advance notice before any such transfer of their personal information occurs, including information about the acquiring entity and any changes to data handling practices. Users would have the opportunity to withdraw consent and request account deletion before the transfer is completed, and could exercise data portability rights to obtain their information for transfer to alternative service providers.
8.9 Absolute Prohibitions
To provide complete certainty regarding practices we will never engage in, we explicitly state the following absolute prohibitions:
- We will never sell personal information to third parties for monetary consideration or any other form of value.
- We will never share user information with third parties for their independent marketing purposes without obtaining explicit, informed, separate consent for such sharing.
- We will never publicly disclose personal information on websites, forums, social media, or any other public platforms.
- We will never sell or provide contact databases to marketers, data brokers, or other entities seeking bulk access to user information.
- We will never provide customers with bulk access to vendor contact lists, or vendors with bulk access to customer contact lists, or either party with access to the other’s databases.
- We will never use personal information for purposes incompatible with those disclosed in this Privacy Policy without obtaining explicit consent for the new purpose.
- MUTUAL OBLIGATIONS AND PROHIBITED DATA USES
9.1 Legitimate Use Requirements
When customers and vendors receive each other’s contact information for purposes of coordinating specific transportation bookings, both parties assume enforceable obligations regarding proper and lawful use of that information.
Permitted Uses: Contact information shared for a specific transaction may be used only for legitimate purposes directly related to coordinating and executing that particular transportation service, including scheduling and confirming pickup appointments, providing or receiving delivery instructions, coordinating access to pickup or delivery locations, resolving issues or delays during transit, confirming successful delivery and obtaining necessary documentation, and communicating about payment or invoicing related to the specific completed service.
Mandatory Practices: Parties receiving contact information must maintain confidentiality and not share such information with third parties unless legally required, communicate in a professional and respectful manner during reasonable business hours, use information only for the specific transaction purpose and delete or destroy it upon completion, and promptly report to our Grievance Officer any misuse of their contact information by the other party.
9.2 Prohibited Data Uses
Certain uses of shared contact information are expressly prohibited and constitute violations of this Privacy Policy and potentially applicable law.
General Prohibitions Applicable to Both Parties:
- Using contact information for unsolicited marketing or promotional purposes unrelated to the original transaction.
- Sharing received contact information with third parties including competitors, marketers, other platforms, or business associates.
- Storing contact information in external databases, customer relationship management systems, or marketing platforms for future use.
- Contacting the other party for purposes unrelated to the specific booking for which contact was shared.
- Engaging in harassment, sending spam messages, making excessive contact attempts, or communicating abusively.
- Selling, trading, renting, or otherwise monetizing contact information in any manner.
- Using contact information to directly solicit business outside the Vega Transport platform in an attempt to avoid platform fees.
- Recording phone conversations without obtaining explicit consent from all parties as required by applicable law.
- Sharing contact information on social media platforms, public forums, review websites, or any public channel.
Specific Customer Prohibitions:
- Customers must not contact vendors from previously completed bookings to negotiate future transportation deals directly outside the platform.
- Customers must not share vendor contact information with competing shippers or other businesses.
- Customers must not use vendor contact details to research their business operations for competitive intelligence purposes.
- Customers must not harass vendors with excessive inquiries outside reasonable business hours or engage in abusive communication.
- Customers must not post vendor contact information publicly on social media, review sites, or forums.
- Customers must not create or maintain vendor directories or contact lists for distribution to others.
- Customers must not use vendor information to attempt to recruit or poach drivers or employees.
- Customers must not send unsolicited marketing communications about their own products or services to vendors.
Specific Vendor Prohibitions:
- Vendors must not contact customers from past bookings for unsolicited marketing of transportation services or other offerings.
- Vendors must not share customer contact information with other transporters, logistics brokers, or competitors.
- Vendors must not use customer information to solicit direct business relationships that bypass the platform and avoid applicable fees.
- Vendors must not contact the customer’s designated Pickup Point of Contact for any purposes unrelated to the specific booking for which that contact was provided.
- Vendors must not build customer databases or contact lists for independent marketing campaigns.
- Vendors must not sell, share, or trade customer contact information with third parties under any circumstances.
- Vendors must not send promotional SMS messages, WhatsApp messages, or other marketing communications to customers without explicit prior consent.
- Vendors must not use customer information to conduct credit checks, background investigations, or other inquiries without explicit customer authorization.
9.3 Consequences for Policy Violations
Violations of these mutual obligations and prohibited use provisions result in progressive disciplinary action proportionate to the severity and frequency of violations.
First or Minor Violations:
- Formal written warning issued via email and documented in the user’s account record.
- Educational notice explaining privacy obligations and proper information handling practices.
- Enhanced monitoring of the account for a period of thirty days.
- Requirement to acknowledge understanding of obligations before continued platform access.
Second Violations or Moderate Severity Violations:
- Temporary account suspension for a period of fifteen to thirty days during which no platform access is permitted.
- Requirement to complete privacy compliance training and demonstrate understanding before account reactivation.
- Mandatory video conference or telephone meeting with the Grievance Officer to discuss the violation and prevention measures.
- Written undertaking required committing to policy compliance as a condition of account reactivation.
- Permanent notation placed on the account record regarding the violation and remedial actions.
Severe or Repeated Violations:
- Permanent account termination with no possibility of reinstatement or future registration.
- Information about the violation provided to the affected party whose privacy was compromised.
- Forfeiture of any pending payments, outstanding balances, or security deposits held in the account.
- Formal report filed with the Data Protection Board of India documenting the violation and actions taken.
- Cooperation with law enforcement if the violation involves criminal conduct such as stalking, harassment, fraud, identity theft, or other illegal activities.
- Potential civil legal action for damages, recovery of costs, and other remedies available under law.
- Public notice of account termination posted on the platform (without disclosing specific personal details) if necessary to warn and protect other users from similar violations.
9.4 Reporting and Remediation Process
Users who believe another platform participant has misused their contact information or violated their privacy should immediately report the incident for investigation and appropriate action.
Reporting Procedure:
- Send detailed complaint via email to [email protected] with subject line “Privacy Violation Report – [Your Account Email]”.
- Include your complete account details (full name, registered mobile number, account identification number if known).
- Provide identity of the alleged violator (name, mobile number, account identification if known, or any other identifying information available).
- Give detailed description of the specific violation including exact dates and times when prohibited contact occurred, nature of the prohibited communication or use, and impact on you.
- Attach supporting evidence including screenshots of messages or emails, call logs showing unwanted contact attempts, recordings if legally obtained, forwarded messages demonstrating prohibited use, and witness statements if available.
Investigation and Resolution Timeline: We acknowledge receipt of your complaint within twenty-four hours, providing a unique complaint tracking number and contact details for the assigned investigating officer. Investigation is conducted over three to five business days during which we review all communication records stored on our platform, contact both parties to obtain their statements and explanations, examine all evidence provided by the complainant, verify that prohibited conduct occurred and violated specific policy provisions, and determine appropriate disciplinary action. Resolution is delivered by the seventh day through written decision via email explaining findings of fact, specific policy violations identified if any, disciplinary action imposed on the violator, protection measures implemented for the complainant, and advice on additional steps available to the complainant including legal remedies.
Complainant Protections: We can implement immediate protective measures including permanent blocking preventing the violator from contacting you through any platform channel, commitment that your information will never be shared with that specific user again regardless of future transactions, priority handling for any future complaints or concerns you raise, and potential assignment of a dedicated account manager if circumstances warrant enhanced support.
- DATA RETENTION PERIODS
10.1 Retention Policy Foundation
Vega Transport retains personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected or as required by applicable law. Our retention periods are based on careful analysis of legal requirements, industry standards, operational necessities, and user interests. We have selected retention periods that balance operational and compliance needs with data minimization principles.
10.2 Customer Data Retention
Customer personal information is retained for eight years following the end of the financial year in which the last transaction occurred. This eight-year retention period is mandated by Section 128(5) of the Companies Act, 2013, which requires companies to preserve their books of account for a minimum period of eight financial years immediately preceding a financial year.
Account and Profile Information: Customer mobile numbers, registered email addresses, profile details, billing addresses where provided, and GST registration numbers where provided are all retained for eight years following the financial year of the customer’s last transaction. This ensures we can properly respond to tax inquiries and audits throughout the retention period mandated by the Companies Act.
Service Inquiry and Booking Records: All service inquiries created by customers, booking confirmations and assignments, pickup and delivery location data, Point of Contact information provided for coordination purposes, cargo details and special requirements, and service execution records including timestamps and milestones are retained for eight years after service completion. This retention is necessary for potential tax audits, dispute resolution even years after service, and compliance with transport documentation requirements under the Carriage by Road Act, 2007.
Financial and Transaction Records: Payment transaction records including advance and final payments, invoice copies and billing documentation, Lorry Receipt (LR) copies and trip documentation, payment method records (excluding complete card details), TDS deduction records where applicable, and complete audit trails for all financial movements are retained for eight years after the financial year in which they occurred. This lengthy retention is mandated by Section 128(5) of the Companies Act, 2013 for business accounts and records.
Communication Records: All messages exchanged between customers and administrators, service-related inquiries and support tickets, feedback submissions and service reviews, and complaint or dispute communications are retained for eight years after the last message in the communication thread. Extended retention of communications supports potential dispute resolution and demonstrates the company’s due diligence in handling customer relationships.
Platform Usage Data: Login records and authentication logs are retained for one year, then anonymized. Device information, IP addresses, and basic analytics are retained for one year to support security monitoring and fraud detection, after which they are permanently anonymized such that individual users can no longer be identified.
10.3 Vendor Data Retention
Vendor business information and verification documents are retained for eight years following account closure or eight years after the last service provided through the platform, whichever is later, pursuant to Section 128(5) of the Companies Act, 2013.
Verification and Identity Documents: Vendor Owner PAN Cards, GST Certificates where provided, business registration and licensing documents, bank account details and payment information, and proof of business address are all retained for eight years after the vendor’s account is closed or their last service is completed. This extended retention protects against potential tax assessments, TDS disputes, and regulatory inquiries that may arise years after the business relationship ends.
Vehicle Documentation: Registration Certificates (RC) for all trucks registered on the platform, Insurance policy copies and renewal records, Operating Permit copies, Emission Certificates and PUC documents, Tax Receipt copies, vehicle specifications and identification details, and vehicle photographs are retained for eight years after the vehicle’s last assignment through our platform. The Carriage by Road Act, 2007 and general transport regulations require maintenance of vehicle records, and our eight-year retention under the Companies Act ensures comprehensive compliance.
Driver Documentation: Driving License copies for all drivers registered by vendors, Driver PAN Cards, driver photographs and identification details, emergency contact information, and driver performance records are retained for eight years after the driver’s last assignment through the platform. This retention period ensures we can respond to inquiries from transport authorities, insurance companies investigating claims, or law enforcement agencies even years after a driver’s active period on our platform.
Quotation and Application Records: All vendor quotations submitted in response to customer inquiries, application details including truck and driver selections, negotiation communications and pricing discussions, final agreed pricing for executed services, and route availability communications are retained for eight years after service completion. This information is crucial for contract enforcement, dispute resolution regarding payment terms, and audit purposes under the Companies Act.
Financial and Payment Records: Records of all payments made to vendors, TDS deductions and TDS certificates issued, platform commission calculations and deductions, bank transfer confirmations and payment references, and complete audit trails for all financial transactions involving vendors are retained for eight years after the financial year in which they occurred, consistent with Section 128(5) of the Companies Act, 2013.
Performance and Service Records: Vendor performance ratings and customer feedback, service completion rates and delivery timeliness metrics, complaint records and resolution outcomes, and quality assessment data are retained for eight years after collection. This historical performance data may be relevant to disputes about vendor competence or contract breaches even years after the events in question.
10.4 Transaction and Service Documentation
Comprehensive records of all completed transportation services are retained for eight years under the Companies Act, ensuring we can fully reconstruct any transaction for audit, legal, or dispute resolution purposes.
Core Service Documents: Lorry Receipts (LR) and associated documentation are retained for eight years after the trip date, as required for compliance with, with the eight-year period mandated by Companies Act Section 128(5) superseding any shorter retention periods. Trip sheets recording vehicle movements and driver assignments are retained for eight years. Pickup confirmation records and proof of delivery documentation are retained for eight years. GPS tracking logs and route data are retained for ninety days after trip completion, then deleted to minimize storage of location data while retaining sufficient records for immediate dispute resolution.
Financial Service Records: Invoices issued to customers for transportation services are retained for eight years from the financial year end as required by Section 128(5) of the Companies Act, 2013 and for GST audit purposes. Payment receipts acknowledging customer payments and vendor payments are retained for eight years. GST return records, input tax credit documentation, and tax compliance records are retained for six years as specifically required by GST Act Section 36, though our broader eight-year policy under the Companies Act provides an additional buffer. TDS certificates issued to vendors and TDS payment records to government are retained for eight years. Bank reconciliation statements matching our records to bank records are retained for eight years for audit purposes.
10.5 Communication and Support Records
Direct Communications: SMS notifications sent to users and Point of Contact persons are retained for two years, providing a reasonable window for service issue resolution while not indefinitely maintaining communication records. In-app messages between customers and administrators, and between vendors and administrators, are retained for eight years as they form part of the contractual relationship and service record under Companies Act requirements. Email communications for customer support purposes are retained for eight years to provide complete history for recurring issues or escalated complaints.
Grievance and Complaint Records: Formal complaints filed with our Grievance Officer, investigation notes and evidence collected, resolution decisions and communications, and follow-up correspondence are all retained for eight years after final resolution. This extended retention enables us to demonstrate our compliance with grievance redressal obligations under the DPDP Act, identify patterns of complaints indicating systemic issues, and defend against allegations of improper complaint handling.
Platform Activity Logs: User login records and authentication logs are retained for one year, sufficient for security monitoring and recent fraud investigation while minimizing long-term tracking. System access logs showing administrator actions are retained for three years to enable security audits and accountability reviews. IP address logs are retained for one year, then permanently anonymized.
10.6 Special Retention Scenarios
Active Litigation or Disputes: When any booking, transaction, or relationship is subject to pending litigation, arbitration, regulatory investigation, or formal dispute, all related records are retained beyond the standard eight-year period until one year after final resolution of all proceedings, appeals, and enforcement actions. This extended retention ensures availability of evidence and documentation throughout the legal process.
Foreign Income Reporting: In the rare circumstance that transactions involve customers or vendors with foreign income or assets that must be reported under the Income Tax Act, relevant records may be retained for sixteen years as permitted under provisions governing foreign asset disclosure.
Data Breach Documentation: If any security incident or data breach affects user information, comprehensive records of the breach investigation, notification actions, remediation measures, and regulatory reporting are retained for eight years after incident resolution under Companies Act requirements. This enables long-term monitoring for recurring vulnerabilities and demonstrates our compliance with breach notification obligations.
Deceased Users: When a user passes away, their nominated representative may access the deceased’s data for one year after death for estate administration purposes. After this access period or if no nominee was designated, the deceased user’s data remains subject to the standard eight-year retention period for legal compliance under the Companies Act, then is permanently deleted.
Minors’ Data: In the unlikely event that data is inadvertently collected from a person under eighteen years of age without proper parental consent, such data is deleted within forty-eight hours upon discovery. However, investigation records documenting the incident, our discovery of it, and our corrective actions are retained for eight years under Companies Act requirements to demonstrate compliance with children’s privacy protections.
10.7 Secure Deletion Procedures
Upon expiration of applicable retention periods, data is not merely marked as deleted but is subject to comprehensive secure deletion procedures ensuring it cannot be recovered.
Technical Deletion Methods: Data overwriting involves writing random data over the storage locations multiple times, making original data unrecoverable. Database records are permanently deleted from all tables and indexes, not merely marked as inactive. Backup tapes and archived storage media are securely destroyed through certified destruction services. Cloud storage is subjected to cryptographic erasure where encryption keys are destroyed, rendering encrypted data permanently inaccessible.
Deletion Documentation: We maintain deletion logs recording what data was deleted, when deletion occurred, and what method was used. Deletion certificates from third-party destruction services are retained to prove physical media destruction. Audit trails of the complete data lifecycle from collection through retention to deletion demonstrate compliance with data minimization principles and support data protection impact assessments.
Third-Party Data Deletion: When retention periods expire, we instruct all third-party service providers holding copies of user data to delete such data from their systems. We obtain written confirmation that third parties have completed deletion as instructed. We exercise audit rights where available to verify that third parties have properly deleted data rather than continuing to retain it beyond our instructions.
10.8 User Control Over Retention
Access During Retention: Throughout the retention period, users can access their retained data by submitting access requests to our Grievance Officer, with responses provided within seven days as required by the DPDP Act. Users can correct inaccurate data that remains in retention. Users can request restricted processing, limiting use to storage only without active processing for other purposes.
Early Deletion Requests: Users may request account deletion before the eight-year retention period expires. Upon such request, we immediately deactivate the account to prevent further login or platform use. We restrict all processing of the user’s data to storage only, with no active use for marketing, analytics, or other purposes. We maintain the data in secure, access-restricted archive storage until the eight-year legal retention requirement under Companies Act Section 128(5) expires. We cannot delete data earlier than eight years when retention is mandated by the Companies Act, 2013, as premature deletion would constitute violation of statutory obligations.
Post-Retention Confirmation: After retention periods expire and data is deleted, users can request written confirmation that their data has been permanently deleted. We provide such confirmation explaining what was deleted, when deletion occurred, and our deletion methodology. Users can verify that no backup copies or residual data remains.
- DATA SECURITY MEASURES
11.1 Technical Safeguards
We implement comprehensive technical controls to protect personal information from unauthorized access, modification, disclosure, or destruction throughout its lifecycle.
Encryption: All data transmission between user devices and our servers is protected by Transport Layer Security (TLS) version 1.3 or higher, the current industry standard for encrypted communications. Sensitive personal data stored in our databases is encrypted at rest using Advanced Encryption Standard (AES) 256-bit encryption, a military-grade cipher. Payment credentials are never stored on our servers; complete card details are handled exclusively by Razorpay Payment Gateway using end-to-end encryption. Encryption keys are stored separately from encrypted data in hardware security modules with strict access controls. Regular encryption key rotation according to cryptographic best practices ensures that even if a key is compromised, the exposure window is limited.
Access Controls: Role-based access control (RBAC) restricts employee access to personal data based on job function, with each role granted only the minimum permissions necessary. Multi-factor authentication (MFA) is mandatory for all administrative system access, requiring both password and one-time code. Individual user accounts are assigned to each employee; shared credentials are prohibited to ensure accountability. Automatic session timeout logs users out after periods of inactivity, preventing unauthorized access from unattended workstations. Comprehensive access logs record every instance of personal data access, including user identity, timestamp, data accessed, and actions performed. Quarterly access reviews verify that access permissions remain appropriate for current job responsibilities. Immediate access revocation procedures ensure that terminated employees lose all system access within hours of termination.
Network Security: Enterprise-grade firewalls protect our infrastructure from unauthorized network access and malicious traffic. Intrusion Detection Systems (IDS) continuously monitor network traffic for patterns indicating potential attacks. Intrusion Prevention Systems (IPS) automatically block detected attack attempts in real-time. Distributed Denial of Service (DDoS) protection prevents service disruption from volumetric attacks. Network segmentation isolates sensitive data systems from less critical systems, limiting potential attack surface. Virtual Private Networks (VPN) with strong authentication are required for all remote administrative access. Regular penetration testing by certified ethical hackers identifies vulnerabilities before they can be exploited. Automated vulnerability scanning runs continuously, with critical vulnerabilities patched within defined timeframes.
Application Security: Secure coding practices following OWASP (Open Web Application Security Project) guidelines are mandatory for all development. Input validation and sanitization prevent injection attacks where malicious code is inserted through user inputs. Output encoding prevents cross-site scripting (XSS) attacks where malicious scripts are injected into web pages. Cross-Site Request Forgery (CSRF) tokens protect against unauthorized actions performed in authenticated user sessions. Security headers including Content Security Policy, HTTP Strict Transport Security, and X-Frame-Options defend against various web-based attacks. Regular security code reviews by senior developers identify vulnerabilities in code before deployment. Automated security testing integrated into our development pipeline scans every code change for security issues.
Infrastructure Security: We utilize ISO 27001 certified data centers that maintain comprehensive information security management systems. Physical security controls include biometric access systems, 24/7 surveillance cameras, and professional security personnel. Environmental controls include fire suppression systems, temperature and humidity monitoring, and uninterruptible power supplies and backup generators. Geographic redundancy distributes our infrastructure across multiple availability zones, ensuring service continuity even if one data center fails. Encrypted backups occur regularly, with backup copies stored securely in geographically separate locations. Disaster recovery procedures are tested quarterly to verify our ability to restore operations after catastrophic events.
11.2 Organizational Safeguards
Technical controls are complemented by comprehensive organizational policies and procedures governing how personnel handle personal data.
Personnel Security: Background verification including criminal record checks is completed before hiring employees with data access. Police verification is obtained for roles involving access to sensitive personal data or financial information. Confidentiality and non-disclosure agreements are signed by all employees and contractors, creating legal obligations to protect data. These confidentiality obligations survive for five years beyond employment termination, preventing disclosure even by former employees. Regular security awareness training occurs quarterly for all personnel, covering current threats, social engineering tactics, and proper data handling. Phishing simulation exercises test employee ability to identify and resist deceptive messages attempting to steal credentials. Clean desk and clear screen policies require employees to lock computers when unattended and secure physical documents.
Vendor Management: Security assessment of third-party vendors occurs before engagement, evaluating their security controls and compliance posture. Data Processing Agreements impose contractual security requirements on vendors and establish liability for data breaches. We maintain rights to audit vendor security practices, either through our own auditors or by reviewing independent security audit reports. Annual security compliance verification confirms vendors continue meeting security standards throughout our relationship. Incident response coordination procedures ensure vendors notify us immediately of any security incidents affecting our data.
Incident Response: Our documented Security Incident Response Plan defines roles, responsibilities, and procedures for detecting and responding to security incidents. 24/7 security monitoring through Security Information and Event Management (SIEM) systems analyzes logs and alerts on suspicious activity. A designated incident response team includes IT security personnel, legal counsel, communications specialists, and senior management. Incident classification procedures determine severity and appropriate response based on the nature and scope of each incident. Containment, eradication, and recovery procedures guide restoration of secure operations after incidents. Post-incident analysis identifies root causes and systemic improvements to prevent recurrence.
11.3 Security Limitations and Shared Responsibility
While we implement comprehensive security measures, we must provide transparent disclosure of inherent limitations and emphasize user responsibilities.
Inherent Security Limitations: No method of transmitting data over the internet is completely secure against all possible attacks, particularly sophisticated nation-state actors with substantial resources. No electronic storage system can guarantee absolute immunity from all security threats, as previously unknown “zero-day” vulnerabilities exist in all software. Determined adversaries with sufficient time, resources, and expertise may eventually find ways to compromise even well-secured systems. Insider threats from rogue employees, while we minimize this risk through access controls and monitoring, cannot be entirely eliminated. Social engineering attacks that deceive users into divulging credentials or bypassing security controls remain a persistent threat. Users’ own devices or home networks may be compromised, exposing credentials or session information despite our server-side security.
User Security Responsibilities: Users must create strong passwords with at least twelve characters including uppercase and lowercase letters, numbers, and special symbols. Each service should use a unique password; reusing the Vega Transport password on other websites creates risk if those sites are breached. Passwords must never be shared with anyone, including family members, colleagues, or anyone claiming to be our support staff. Suspected password compromise requires immediate password change through account settings. Devices used to access our platform should have updated operating systems and security patches, current antivirus or anti-malware software, and device lock screens with PIN, fingerprint, or face recognition. Public or shared computers should be avoided for accessing our platform, but if necessary, users must log out completely and clear browser history. Login credentials should never be saved in browsers on public or shared devices. Users should be vigilant against shoulder surfing where others observe password entry in public places. OTPs sent to registered mobile numbers must never be shared with anyone; we will never ask for your OTP. Suspicious activity including unauthorized login attempts, transactions not initiated by the user, receipt of unrequested OTPs, or lost/stolen devices logged into the platform must be reported immediately to [email protected].
11.4 Our Security Commitments
Despite inherent limitations, we commit to maintaining security standards that meet or exceed industry best practices. We continuously improve security based on the evolving threat landscape and emerging best practices. We promptly address identified vulnerabilities through systematic patch management and remediation. We maintain transparency about security incidents, notifying affected users as required by law and good practice. We learn from both actual incidents and near-misses, implementing improvements to prevent recurrence. We invest substantially in security technology, expertise, and infrastructure. We maintain cyber liability insurance to support breach response and compensate affected parties. We cooperate fully with law enforcement for investigation of serious security incidents involving criminal activity.
- DATA BREACH NOTIFICATION
12.1 Notification to Data Protection Board
In the event of a data breach affecting personal information, we are legally obligated to notify the Data Protection Board of India within seventy-two hours of becoming aware of the breach, as mandated by the Digital Personal Data Protection Act, 2023. Our notification will comprehensively describe the nature and extent of the breach, including affected systems and the attack vector or vulnerability exploited. We will identify categories of personal data affected, specifying whether Personal Information, Sensitive Personal Data, financial information, or other categories were compromised. We will provide the approximate number of affected data principals to enable the Board to assess the incident’s scope and significance. We will assess likely consequences and potential harm to affected individuals, including risks of identity theft, financial fraud, or other damages. We will describe measures we have taken to address the breach and mitigate harm, including containment actions, security improvements, and user support. We will provide contact information for our designated point of contact who can provide additional information to the Board.
12.2 Notification to Affected Users
We will notify affected users immediately upon breach confirmation, without unreasonable delay and in clear, accessible language. Our notification will be sent through multiple channels including email to registered email addresses, SMS to registered mobile numbers, in-app notifications appearing when users next access the platform, and prominent notices on our website homepage and app login screen. Our user notification will clearly explain in non-technical terms what happened, describing the security incident in language accessible to non-technical users. We will specify when the breach occurred and when we discovered it, providing the timeline of events. We will identify what specific personal data was affected, such as names, mobile numbers, PAN Cards, payment information, or other categories. We will clarify what data was not affected to prevent unnecessary alarm about uncompromised information. We will assess potential consequences and risks to affected individuals, helping them understand what harm might result from the breach. We will explain what actions we are taking to address the breach, including security improvements, law enforcement cooperation, and ongoing investigation. We will advise what actions users should take to protect themselves, such as changing passwords, monitoring accounts, or being alert for phishing attempts. We will provide contact information for users with questions or concerns, including a dedicated hotline and email address for breach inquiries. We will explain users’ rights and available remedies under the DPDP Act and other applicable law.
12.3 Immediate Response Actions
Upon discovering a security breach, we implement immediate containment and remediation measures. We isolate affected systems to prevent further unauthorized access or data exfiltration. We shut down compromised services if necessary to protect user data, even if this causes temporary service disruption. We change all administrative credentials and access keys that may have been compromised. We deploy emergency patches or configuration changes to close exploited vulnerabilities. We block attacker access by banning IP addresses and blocking malicious traffic patterns. We preserve forensic evidence through careful logging and system imaging to support investigation and potential prosecution.
12.4 Investigation and Remediation
Following containment, we conduct a thorough investigation to understand the breach fully. We engage external cybersecurity forensic experts with specialized breach investigation experience. We determine how the breach occurred, identifying the specific attack vector, vulnerability exploited, or procedural failure that enabled unauthorized access. We identify all affected systems and data, ensuring our scope of notification is accurate and complete. We determine the timeline of compromise, establishing when unauthorized access began and when it ended. We assess whether attackers still have any access or whether the breach has been fully contained. We document all findings comprehensively for regulatory reporting and potential legal proceedings. We permanently fix vulnerabilities that enabled the breach through software patches, configuration changes, or architectural improvements. We implement additional security controls to prevent similar breaches, potentially including enhanced monitoring, additional access restrictions, or new security technologies. We conduct a third-party security audit of our entire infrastructure to identify any other vulnerabilities. We perform penetration testing to verify that fixes are effective and no similar vulnerabilities remain. We update incident response procedures based on lessons learned from the breach. We retrain personnel on security practices, addressing any procedural gaps that contributed to the breach.
12.5 Support for Affected Users
We provide comprehensive support to users affected by data breaches. We establish a dedicated breach response hotline staffed with knowledgeable personnel who can answer questions. We provide priority customer support to affected users, ensuring their concerns receive immediate attention. If financial data was compromised, we provide free credit monitoring services for one year through reputable credit monitoring companies. If identity documents were compromised, we provide free identity theft protection services for one year. We conduct extended fraud monitoring on affected user accounts, watching for suspicious activity. We provide regular updates on our investigation and remediation progress, maintaining transparency throughout the response. We maintain an FAQ document addressing common questions about the breach and recommended protective actions.
12.6 User Rights After Breach
Data breaches trigger specific rights for affected data principals. Users can request detailed information about how the breach affected their specific data, beyond the general notification. Users can withdraw consent and request immediate account deletion if they no longer trust our security. Users can request compensation for damages under the DPDP Act, 2023, if they suffered harm from the breach. Users can file complaints with the Data Protection Board if they believe we failed to implement appropriate security measures or properly respond to the breach. Users can seek independent legal remedies through civil courts for damages, injunctive relief, or other appropriate relief.
- RIGHTS OF DATA PRINCIPALS
Under the Digital Personal Data Protection Act, 2023, both customers and vendors possess comprehensive rights regarding their personal information. These rights are exercisable without discrimination, meaning all data principals enjoy identical entitlements regardless of their role on the platform.
13.1 Right to Information and Access
Scope of Access: Users can request comprehensive information including a complete inventory of all personal information we hold about them, categories of data being processed with clear descriptions of what each category encompasses, purposes for which each category of data is being used, recipients or categories of recipients with whom their data has been shared, applicable retention periods for each category of data, sources from which we obtained the data if not collected directly from them, and the logic involved in any automated decision-making or profiling affecting them.
Exercise Procedure: Submit written request via email to [email protected] with subject line “Data Access Request – [Your Registered Email]”. Include your full name, registered mobile number, account identification number if known, and specific information sought or request for all data. Verify your identity by responding to an OTP sent to your registered mobile number.
Our Response: We acknowledge your request within twenty-four hours and provide a complete response within seven days as mandated by the DPDP Act. Data is provided in structured format, typically as a PDF report with organized tables, or CSV/JSON format if requested for technical purposes. No charge applies for the first access request in any twelve-month period; reasonable fees may apply for excessive or repetitive requests.
13.2 Right to Correction
Data principals can request correction of personal information that is inaccurate, incomplete, outdated, or misleading.
Scope of Correction: Users can correct profile information including name, email address, postal address, contact numbers, billing information including billing address and GST number, bank account details for vendors, and vehicle specifications or driver information for vendors.
Exercise Procedure: For straightforward corrections, users can update information directly through self-service account settings. For corrections requiring verification or assistance, email [email protected] with subject line “Data Correction Request – [Your Email]”, specify what data is incorrect and provide correct information, and attach supporting documents if relevant such as updated address proof, renewed licenses, or updated certificates.
Our Response: Immediate updates occur for self-service corrections upon saving. For assisted corrections, we verify the corrected information within three business days and implement corrections within seven days total. A confirmation email is sent once correction is completed. If the corrected information has been shared with third parties, we notify those recipients of the correction where feasible.
Verification Requirements: Certain corrections require enhanced verification to prevent fraud. Mobile number changes require OTP verification to both the old and new numbers to prevent account takeover. Bank account changes for vendors require penny drop verification or bank statement submission to prevent payment fraud. Identity document changes require submission and verification of the updated document. Business registration changes require updated certificates or government records.
Limitations: Historical transaction records are generally immutable for audit integrity and cannot be altered, though we can annotate them with correction notes. Data required for pending legal proceedings cannot be modified in ways that would compromise evidence integrity. System-generated data such as transaction IDs, timestamps, and automated calculations cannot be manually edited. Data owned or controlled by third parties such as payment gateway records are not within our power to correct, though we can facilitate your contact with the data controller.
13.3 Right to Data Portability
Data principals can receive their personal information in structured, commonly used, machine-readable formats that enable transmission to another service provider.
Scope of Portability: This right applies to personal data you provided to us through your own actions, such as registration information, inquiry details you entered, and documents you uploaded. It does not extend to data we derived or generated from your activities, such as analytics scores, system-generated identifiers, or aggregated statistics.
Available Formats:
- CSV (Comma-Separated Values) format compatible with Microsoft Excel, Google Sheets, and other spreadsheet applications.
- JSON (JavaScript Object Notation) format suitable for technical users and developers who need structured data for migration to other systems.
- PDF format providing human-readable reports with all your information organized in tables and sections.
- XML format for compatibility with enterprise systems and legacy applications.
Exercise Procedure: Email [email protected] with subject line “Data Portability Request – [Your Email]”. Specify your preferred format or request all formats. Verify identity via OTP to registered mobile.
Our Response: Acknowledgment within twenty-four hours. Data package prepared and secure download link sent within seven days. Download link secured with password sent through separate channel (SMS to registered mobile).
Limitations: This right applies only to data you have actively provided to us, and not to derived metrics, risk scores, or aggregated analytics. We may decline portability where it would adversely affect the rights or freedoms of other individuals (for example, where communications contain personal data of other users).
13.4 Right to Erasure (Right to Deletion)
You may request deletion of your personal data where:
- The data is no longer necessary for the purposes for which it was collected.
- You withdraw consent and there is no other legal basis for processing.
- Processing is unlawful under applicable law.
- You no longer wish to use the platform and have settled all outstanding obligations.
How to Exercise: Use in-app settings: “Account Settings → Privacy & Data Management → Delete Account”; or write to [email protected] with the subject line “Account Deletion Request – [Your Email]” and verify your identity via OTP.
Process and Timelines: Your account is deactivated immediately after confirmation. We complete deletion of data that is not subject to statutory retention within 7 days, which is aligned with the DPDP Act’s maximum timeframe for fulfilling such requests. Data which must be retained under tax and company law (for example, invoices, LR copies, accounting and GST records) is retained for up to 8 years as required by Section 128(5) of the Companies Act, 2013.
What Cannot Be Deleted Immediately:
- Statutory financial and tax records under Companies Act Section 128(5) requiring 8 years retention.
- GST records under Section 36 requiring at least 6 years from the due date of annual return (we retain 8 years for consistency with Companies Act requirements).
- Income Tax records under Section 44AA requiring 6 years (exceeded by our 8-year Companies Act obligation).
- Records required in connection with ongoing audits, disputes, investigations, or legal proceedings (retained until 1 year after final closure, or longer where law so requires).
In such cases, processing is restricted to storage and legal/compliance use only.
13.5 Right to Restriction of Processing
You may request that we restrict the processing of your personal data where:
- You contest the accuracy of the data, for a period enabling us to verify its accuracy.
- Processing is unlawful, but you oppose deletion and request restriction instead.
- We no longer need the data for our purposes, but you require it for the establishment, exercise, or defence of legal claims.
- You have objected to certain processing and the objection is under review.
Effect of Restriction: Data subject to restriction will be stored but not used for active processing, analytics, product improvement, or marketing. It will only be processed for legal claims, compliance obligations, or with your further explicit consent.
Requests may be made by writing to [email protected]. We implement justified restrictions within 7 days, consistent with DPDP timelines.
13.6 Right to Object to Automated Decision-Making
Where automated tools contribute to decisions that significantly affect you (for example, in vendor ranking, fraud flags, or routing suggestions), you have the right to:
- Request an explanation, in clear terms, of the principal factors and logic used.
- Object to such automated processing where you believe it is unfair or inappropriate.
- Request a human review of a decision to which automated tools have contributed.
To exercise this right, you may write to [email protected] with “Automated Decision Review Request” in the subject line. A reasoned response or manual review outcome will be provided within 7 days.
13.7 Right to Nominate
You may designate a nominee to exercise your data protection rights in the event of your death or incapacity.
Nomination:
- Can be configured via “Account Settings → Privacy & Data Management → Nominee”.
- Requires providing nominee’s name, relationship, contact details, and the nominee’s confirmation via OTP.
After Activation: The nominee may, upon providing evidence of death or incapacity, request access, correction, deletion, or closure of the account. Such rights are exercisable for 1 year from the date of establishing the event, after which the data continues to be retained or deleted according to the standard retention rules described earlier.
13.8 Timelines for Rights Fulfilment
For all data principal rights under this Section:
- Acknowledgment is provided as promptly as practicable (typically within 24–72 hours).
- Substantive resolution, whether fulfillment or reasoned refusal, is provided within 7 days from receipt of a complete and verified request, as required under the DPDP Act and Rules.
Where a lawful and documented exception applies (for example, ongoing investigation, conflict with statutory retention requirements under Companies Act Section 128(5), or disproportionate technical burden), we will communicate the legal basis and practical implications of such an exception.
- CONSENT FRAMEWORK
14.1 Nature of Consent
All consent obtained by Vega Transport is designed to be:
- Free: not tied to coercive conditions or disguised as mandatory where it is not.
- Specific: limited to clearly defined purposes communicated at the point of collection.
- Informed: accompanied by a clear description of what data is collected and why.
- Unambiguous: captured through an affirmative action (such as ticking a box or pressing “I Agree”), never via pre-ticked boxes or silence.
- Revocable: capable of being withdrawn at any time, without affecting prior lawful processing.
14.2 Consent for Customers
By registering as a customer and using the platform, you provide consent for:
- Use of your mobile number for OTP-based authentication and account security.
- Processing of service inquiries (origin, destination, cargo, preferences).
- Controlled sharing of Pickup POC details with the assigned vendor for the specific booking.
- Processing of payments through Razorpay and retention of transaction metadata for statutory durations.
- Issuance and retention of invoices, LR copies, and related documents for up to 8 years, as required by Section 128(5) of the Companies Act, 2013.
Marketing Consent:
- Is obtained separately, by distinct checkboxes for email, SMS, push notifications, and surveys.
- Is not a precondition to using the core booking services.
- Can be withdrawn at any time via profile settings or by using “unsubscribe”/STOP mechanisms; withdrawal is honoured within 48 hours.
14.3 Consent for Vendors
By registering as a vendor and onboarding vehicles and drivers, you consent to:
- Collection and verification of your PAN and, where applicable, GST registration.
- Collection, verification, and secure storage of vehicle and driver documents for compliance and safety.
- Receiving enquiry notifications and participating in the quotation and assignment workflow.
- Sharing your operations contact and assigned vehicle details with customers for execution of accepted bookings.
- Processing of payments to your bank account, including TDS deduction and issuance of TDS certificates.
- Retention of business, transactional, and compliance records for up to 8 years, as mandated by Section 128(5) of the Companies Act, 2013, with GST records retained for at least 6 years under GST Act Section 36.
Any participation in broader marketing (such as newsletters, training invitations, or market insights) is based on separate, optional consent.
14.4 Withdrawal of Consent
Withdrawal of Marketing Consent:
- May be executed via “Account Settings → Communication Preferences” by disabling specific channels; or via reply instructions (for example, sending “STOP” to a marketing SMS or clicking “Unsubscribe” in a marketing email).
- Takes effect within 48 hours and does not affect essential transactional communications.
Withdrawal of Core Processing Consent and Account Closure:
- May be initiated through in-app “Delete Account” flows or by writing to [email protected].
- Requires identity verification and acknowledgment of consequences, including loss of access and irreversible deletion of non-statutory data.
- Leads to account deactivation immediately and deletion of deletable data within 7 days, with statutory records retained for the legally mandated 8-year period under Companies Act Section 128(5).
- CHILDREN’S PRIVACY
The Vega Transport platform is intended for use by individuals and entities with legal capacity to enter into commercial transport arrangements. It is not designed for, or targeted at, persons under 18 years of age.
- We do not knowingly collect personal data from children.
- If we become aware that data relating to a person under 18 has been collected without appropriate parental or legal guardian consent, we will suspend the relevant account and permanently delete such data within 48 hours, subject only to any overriding legal obligation to retain limited records (for example, in case of fraud or misuse).
- Parents or guardians who believe their child’s data has been processed may contact [email protected] with supporting details to request prompt investigation and deletion.
- CROSS-BORDER DATA TRANSFERS
As a matter of design, data is primarily stored and processed within India. However, limited cross-border transfers may arise where:
- Cloud infrastructure, security monitoring, or specialist support functions are operated from jurisdictions outside India; or
- Global service providers engaged by Vega Transport use distributed teams and infrastructure.
In such cases:
- Transfers are restricted to what is necessary for the specified service.
- Contractual safeguards are implemented, including data protection clauses and security obligations.
- Transfers are made only to jurisdictions or entities that can provide an adequate level of data protection, and in accordance with any conditions prescribed under the DPDP Act and related rules.
- COOKIES AND ONLINE TRACKING
Where our services are accessed through web interfaces, we may use cookies and similar technologies.
- Essential cookies: required for core site and app functionality (such as session management and security). These cannot be disabled without impairing basic service.
- Functional cookies: support preferences like saved settings. These may be disabled, though certain conveniences may be lost.
- Analytics cookies: help us understand usage patterns at an aggregated level, without directly identifying individuals. These can be declined where technically feasible, and we ensure any such analytics are either anonymised or pseudonymised.
- Marketing cookies: used only where explicit consent is given and can be withdrawn at any time.
Cookie choices can typically be managed through browser settings and, where implemented, through a cookie banner or preference centre on our site.
- AUTOMATED DECISION-MAKING
Certain limited aspects of our operations may use algorithmic or rules-based systems, for example to:
- Suggest potentially suitable vendors for a given enquiry.
- Flag transactions or accounts with characteristics typical of fraud or misuse.
- Propose route optimisations based on operational constraints.
All such tools are designed to assist human decision-making, not to fully replace it, particularly in cases where an outcome would significantly affect a user’s rights or obligations. You may request a human review where you believe an automated assessment has adversely impacted you, as set out in Section 13.6 above.
- GRIEVANCE REDRESSAL
In accordance with the DPDP Act and Rules, Vega Transport has appointed a Grievance Officer to address queries and grievances relating to personal data processing.
Grievance and Data Privacy Officer:
Name: Satish Patil; Email: [email protected]; Alternate legal contact: [email protected]
Postal address: Vega Transport India Pvt Ltd, 16-152(53) Industrial Area, Shivalli Village, Manipal, Udupi, Karnataka, India, 576104
Process:
- Submit your grievance by email with sufficient detail to identify your account and the issue.
- You will receive an acknowledgment, including a reference number and indicative timeline, as soon as reasonably practicable (generally 7 days).
- A substantive response, resolution, or reasoned refusal (with legal basis) will be provided within 90 days from receipt of a complete grievance, which aligns with the maximum period prescribed under the DPDP Act and associated guidance.
If you remain dissatisfied after receiving our response, you may:
- Seek further internal review by clearly stating the grounds for disagreement; and/or
- Escalate the grievance to the Data Protection Board of India in the manner and form prescribed by law.
- POLICY UPDATES
We may revise this Privacy Policy from time to time to reflect:
- Changes in law or regulatory guidance.
- Modifications to our services or business model.
- Enhancements to our data protection and security practices.
When material changes are made:
- The “Last Updated” date at the top of the policy will be revised.
- Where appropriate, users will be informed through in-app notices, website banners, email notifications, or SMS, particularly where changes materially affect rights or obligations.
- Continued use of the platform after notice of such changes will be treated as acceptance of the revised policy, without affecting your underlying rights under law.
- CONTACT INFORMATION
For any questions, clarifications, or requests relating to this Privacy Policy or our handling of personal data, you may contact:
Postal address: Vega Transport India Pvt Ltd, 16-152(53) Industrial Area, Shivalli Village, Manipal, Udupi, Karnataka, India – 576104
- ACCEPTANCE
By creating an account on the Vega Transport platform, accessing our applications or websites, or using our services in any manner, you acknowledge that:
- You have read and understood this Privacy Policy.
- You understand how and why your personal data is collected, used, stored, and disclosed.
- You agree to the terms and practices described herein, to the extent permitted by applicable law.
If you do not agree with any part of this Privacy Policy, you should refrain from using the platform and may exercise your rights, including account deletion and withdrawal of consent, as described above.
Approved By:
[Authorized Director Signature]
Name: [Director Name]
Designation: Director
Date: February 11, 2026
Place: Manipal, Karnataka
Vega Transport India Pvt Ltd
END OF PRIVACY POLICY

