We respect your privacy. This policy explains what data we collect, why we collect it, how long we keep it, and what rights you have over it — written in plain English.
1. Who We Are
Maaxi Technologies Pvt. Ltd. ("Maaxi", "we", "us", "our") is a company incorporated under the Companies Act 2013, with its registered office in Mumbai, Maharashtra, India. We operate the Maaxi Ride platform — a peer-to-peer intercity ridesharing service — accessible via our website (maaxiride.com) and mobile applications.
For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules"), Maaxi Technologies Pvt. Ltd. is the Data Fiduciary.
Contact our Grievance Officer at: privacy@maaxiride.com
2. Data We Collect
2.1 Data you give us directly
| Category | Specific data | When collected |
|---|---|---|
| Identity | Full name, date of birth, gender (optional) | Account registration |
| Contact | Mobile number, email address | Registration / OTP verification |
| Profile | Profile photo, bio (optional) | Profile setup |
| Driver verification | Driving licence number, vehicle registration, Aadhaar-linked video call (Women-Verified tier only) | Driver onboarding |
| Ride data | Origin, destination, travel date, seat count, ride preferences | When publishing or searching rides |
| Communications | In-app messages between riders and drivers | During ride coordination |
| Ratings & feedback | Service ratings, safety ratings, kudos tags | After ride completion |
| Emergency contacts | Name and phone of up to 5 trusted contacts | Safety setup |
2.2 Data we collect automatically
- Device information — device model, OS version, unique device identifiers, browser type.
- Usage data — pages visited, features used, session duration, button clicks.
- Location data — approximate city-level location when you search for rides (we do not continuously track your GPS).
- Log data — IP address, timestamps, error logs.
- Cookies and similar technologies — see our Cookie Policy for details.
2.3 Data from third parties
- Government databases — driving licence validity via the Vahan API (MoRTH); vehicle registration details.
- Identity verification — identity check via Springverify / IDfy (for driver DL verification).
- Spotify — if you connect Spotify for the JAM feature, we receive your Spotify display name and the ability to add songs to a shared queue. We do not store your Spotify credentials.
- Firebase — phone number authentication tokens for OTP login. We receive a Firebase UID; we do not store your raw phone number in Firebase.
3. Why We Collect It — Legal Basis
Under the DPDP Act 2023, we collect and process personal data only for the following lawful purposes:
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Contract performance (you agree to our Terms when you register) |
| Verifying driver identity and vehicle | Legitimate interest (safety of passengers); legal obligation |
| Matching riders and drivers for rides | Contract performance |
| Sending OTP for authentication | Contract performance; security |
| SOS emergency alert — contacting trusted contacts and emergency services | Vital interest (safety of the data subject) |
| Sending push notifications, booking confirmations, ride reminders | Contract performance |
| Improving our platform (analytics) | Legitimate interest |
| Complying with legal orders, court processes, law enforcement requests | Legal obligation |
| Preventing fraud and misuse | Legitimate interest; legal obligation |
We do not sell your personal data to third parties. We do not use your data for automated profiling that produces legal or similarly significant effects.
4. How We Use Your Data
- To operate the platform — show you relevant ride listings, connect you with drivers, send booking confirmations and reminders.
- To keep you safe — verify driver documents, mask phone numbers until ride day, power the SOS system, alert your trusted contacts in emergencies.
- To maintain trust — display dual ratings (service + safety), facilitate peer reviews, surface "Women Preferred" verified rides.
- To power JAM — maintain a shared music queue for your ride. Your song choices within a JAM session are visible to other ride participants.
- To improve Maaxi — analyse aggregated, anonymised usage data to fix bugs, improve features, and understand which routes are most popular.
- For customer support — access your account information to resolve disputes, answer queries, and investigate complaints.
- For legal compliance — retain records as required under Indian law (IT Act, GST, and any applicable transport regulation).
5. Sharing Your Data
We share your personal data only in the following circumstances:
5.1 With other Maaxi users
- Your first name, profile photo, ratings, and vehicle details are visible to passengers who view your ride listing (if you are a driver).
- Your mobile number is only revealed to confirmed co-travellers, on the morning of the ride day.
- Your Women-Verified badge (if applicable) is shown on your driver profile to indicate Tier-3 verification.
5.2 With service providers
We use trusted third-party processors who act under our instructions and cannot use your data for their own purposes:
| Provider | Purpose | Data shared |
|---|---|---|
| MSG91 / Twilio | SMS OTP delivery | Phone number, OTP |
| Firebase (Google) | Phone authentication, push notifications | Phone number, device token |
| Springverify / IDfy | Driver DL verification | DL number, name, DOB |
| MoRTH Vahan API | Vehicle registration check | Vehicle registration number |
| Spotify | JAM shared playlist | Spotify OAuth token (scoped: playlist-modify-public) |
| Google Maps Platform | Route display, distance calculation | Origin/destination city names |
| AWS / Cloud hosting | Data storage and infrastructure | All platform data (encrypted at rest) |
5.3 Legal and safety disclosures
We may disclose your data to law enforcement, courts, or regulatory bodies when required by law, court order, or to protect the safety of our users or the public — including in SOS emergencies where we may share your location and booking details with emergency services.
5.4 Business transfers
If Maaxi Technologies is acquired, merges with another company, or sells substantially all of its assets, your data may be transferred to the successor entity. We will notify you via email or in-app notification before any such transfer takes effect.
6. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Account data (name, phone, email) | Duration of account + 3 years after deletion | Legal obligation, dispute resolution |
| Ride history | 5 years from ride date | GST/tax compliance, dispute resolution |
| Driver verification documents | 5 years from last ride or account deletion | Regulatory compliance, liability |
| SOS event logs | 7 years | Legal obligation, safety investigations |
| In-app messages | 1 year from ride date | Dispute resolution |
| Analytics / usage logs | 13 months (rolling) | Platform improvement |
| Marketing preferences | Until withdrawn or account deleted | Consent |
After these periods, data is securely deleted or anonymised so it can no longer be linked to you.
7. Your Rights
Under the DPDP Act 2023 and IT Rules 2011, you have the following rights:
- Right to access — request a copy of the personal data we hold about you.
- Right to correction — request that inaccurate or incomplete data be corrected.
- Right to erasure — request deletion of your account and personal data, subject to our legal obligations to retain certain records.
- Right to withdraw consent — where we rely on consent (e.g., marketing emails), withdraw it at any time without affecting the lawfulness of prior processing.
- Right to grievance redressal — lodge a complaint with our Grievance Officer (see Section 12) and receive a response within 30 days.
- Right to nominate — under the DPDP Act, nominate a person to exercise your data rights in the event of your death or incapacity.
To exercise any right, email privacy@maaxiride.com with subject line "Privacy Request — [Right Type]". We will respond within 30 days. We may need to verify your identity before acting.
You may also delete your account directly from the app: Profile → Settings → Delete Account. Account deletion is permanent and removes your personal data from active systems within 30 days (backup retention as per the table above).
8. Security
We implement reasonable security practices as required under Rule 8 of the IT Rules 2011, including:
- Encryption in transit — all data between your device and our servers is encrypted using TLS 1.3.
- Encryption at rest — databases and backups are encrypted using AES-256.
- Access controls — employee access to user data is role-based and logged. Production database access requires MFA.
- Phone masking — your mobile number is hidden from other users until ride day, reducing pre-ride contact risks.
- JWT authentication — access tokens expire in 15 minutes; refresh tokens expire in 7 days.
- Regular audits — our platform undergoes periodic security reviews.
Despite these measures, no system is 100% secure. If you believe your account has been compromised, contact us immediately at security@maaxiride.com.
In the event of a data breach that is likely to cause harm to you, we will notify you and the relevant authorities as required by law.
9. Children's Privacy
Maaxi Ride is not intended for children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If we discover that we have inadvertently collected data from a minor, we will delete it promptly. If you believe a minor has registered on our platform, please contact privacy@maaxiride.com.
10. International Data Transfers
Maaxi's primary data infrastructure is hosted on servers located in India. Some of our third-party service providers (e.g., Firebase by Google, Spotify) are located outside India. Where data is transferred outside India, we ensure that:
- The recipient country provides an adequate level of protection, or
- Appropriate safeguards (such as standard contractual clauses) are in place.
Specifically: Spotify processes data in the EU/US under GDPR-compliant terms; Google Firebase processes data on servers in the US and may be governed by Google's Data Processing Terms.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Send you a notification via in-app alert and/or email at least 14 days before the change takes effect (for material changes).
- Ask for fresh consent where required by law.
Continued use of Maaxi after the effective date of a revised policy constitutes your acceptance of the changes.
12. Contact & Grievance Officer
Under Rule 5(9) of the IT Rules 2011, we have designated a Grievance Officer to address complaints about the handling of your personal data:
Grievance Officer — Maaxi Technologies Pvt. Ltd.
Email: privacy@maaxiride.com
Address: Maaxi Technologies Pvt. Ltd., Mumbai, Maharashtra 400001, India
Response time: within 30 days of receipt of your complaint
If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India (once constituted under the DPDP Act 2023) or approach the appropriate court.
For general enquiries: hello@maaxiride.com