Introduction
Transolux Transport (operating the Voder platform — “Voder”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you access or use the Voder mobile application, website, and related services.
This Policy applies to all Platform users — Customers and Drivers — and has been prepared in compliance with:
- Digital Personal Data Protection Act, 2023 (DPDP Act)
- Information Technology Act, 2000 and IT (SPDI) Rules, 2011
- Micro, Small and Medium Enterprises Development Act, 2006
- Consumer Protection Act, 2019
- Payment and Settlement Systems Act, 2007
Definitions
| Term | Meaning |
|---|---|
| Personal Data | Any information that identifies or can identify a natural person, directly or indirectly |
| Sensitive Personal Data (SPDI) | Passwords, financial information, biometric data, and other data specified under IT (SPDI) Rules, 2011 |
| Data Principal | The natural person to whom the personal data relates (i.e. you, the user) |
| Data Fiduciary | Transolux Transport (Voder), which determines the purpose and means of processing your personal data |
| Processing | Any operation on personal data including collection, storage, use, sharing, or deletion |
| MSME | A Micro, Small or Medium Enterprise as defined and registered under the MSMED Act, 2006 |
Personal Data We Collect
From customers
| Category | Data collected |
|---|---|
| Identity | Full name, profile photograph |
| Contact | Mobile phone number (OTP-verified), email address (optional) |
| Location | Pickup address, drop-off address, saved addresses (max 5), real-time GPS during active trips |
| Package details | Description, weight, dimensions, fragility flag, special instructions |
| Payment | Payment method preference; transactions processed by Razorpay / PhonePe (card numbers never stored by Voder) |
| Emergency contacts | Name, phone, relationship of up to 3 emergency contacts (SOS feature only) |
| Behavioural | Trip history, ratings given, reviews written, support tickets raised |
| Consent records | Timestamped logs of consents granted or revoked, with policy version reference |
Additional from drivers
| Category | Data collected |
|---|---|
| Government documents | Driving licence (number, expiry), Vehicle RC, Vehicle insurance, PAN card; Aadhaar (optional) |
| Vehicle information | Registration number, make, model, year, colour, vehicle type/category |
| Banking details | Bank account number, IFSC code, account holder name (for payout via Razorpay Route) |
| Real-time location | GPS coordinates, bearing, speed transmitted every 15 seconds while in 'Online' mode |
| Date of birth | For age and licence-category verification |
| Performance metrics | Acceptance rate, completion rate, average rating, cancellation history |
Aadhaar is collected only with the Driver's voluntary consent and is not mandatory for Platform access where alternative legally valid identity documents are available.
Collected automatically
| Category | Data collected |
|---|---|
| Device information | Device type (iOS / Android), model, OS version |
| App metadata | App version, Firebase Cloud Messaging (FCM) token |
| Network data | IP address at login or API access |
| Usage data | Session timestamps, screen navigation patterns, feature interactions |
| Location metadata | GPS coordinates, bearing, speed (Drivers while online; Customers during active trips only) |
Proof of delivery & SOS data
- POD: delivery photo, recipient digital signature, OTP confirmation log, GPS coordinates and timestamp at delivery moment
- SOS: incident record with timestamp, GPS, and trip reference; optional audio recording if microphone permission is granted; SMS to nominated emergency contacts
How We Use Your Personal Data
Service delivery
- Creating and managing your account; verifying identity and (for Drivers) verifying documents
- Matching Customers with nearby available Drivers via the dispatch algorithm
- Enabling real-time GPS tracking between Customer and Driver during active trips
- Processing payments, issuing GST-compliant receipts and invoices, managing Driver payouts
- Enabling COD reconciliation and Driver earnings ledger management
Safety & security
- Operating the SOS emergency feature and notifying emergency contacts
- Preventing fraud, misuse, and unauthorised account access
- Verifying Driver documents to ensure public safety
Legal & regulatory compliance
- Complying with DPDP Act 2023, MSMED Act 2006, IT Act 2000, GST Act 2017, and all applicable Indian laws
- Retaining financial and transaction records as required by Indian law (7 years)
- Responding to valid lawful requests from government authorities or courts
- Resolving insurance claims, disputes, and consumer complaints
Communication
- Sending OTP for authentication
- Sending trip confirmations, payment receipts, and status notifications
- Responding to support queries, disputes, and insurance claims
- Sending promotional offers (only with explicit opt-in consent)
Location Data — Special Notice
Location data is essential to the functioning of the Platform and is treated with heightened care as it may constitute Sensitive Personal Data under the IT (SPDI) Rules, 2011.
Customers
- Location accessed only when you explicitly tap 'Use My Current Location' at booking
- Platform does not track your location continuously in the background
- Pickup/drop coordinates shared with your assigned Driver for navigation only
Drivers
- Location tracked every 15 seconds while in 'Online' mode — essential for dispatch and customer tracking
- Cached temporarily in Redis (30-second TTL) and stored in the trip tracking database for completed trips
- Going 'Offline' stops continuous location tracking immediately
Trip sharing
- 'Share Trip' generates a time-limited link showing Driver's live location — phone number, saved addresses, and payment details are never exposed
- Links auto-expire 6 hours after trip completion and can be manually revoked
- Only share with trusted recipients
Data Retention
| Category | Retention period |
|---|---|
| Active account profile and contact data | While the account is active |
| Trip records and receipts | 3 years after trip completion |
| Financial and transaction records | 7 years (Income Tax Act, 1961 and Companies Act, 2013) |
| GST tax invoices | 5 years (GST Act, 2017) |
| TDS certificates (Form 16A) | 7 years from the relevant assessment year |
| MSME vendor payment records | 7 years (MSMED Act compliance) |
| Driver documents (licence, RC, insurance, PAN) | Duration of account + 1 year after closure |
| SOS audio recordings | 90 days, longer if under active investigation |
| Consent and audit logs | Minimum 7 years (DPDP Act 2023) |
| Support tickets and dispute records | 3 years after closure |
| Deleted account data | 30-day soft-delete grace; hard-deleted thereafter except legally retained |
Data Security
| Measure | Description |
|---|---|
| Encryption in transit | All communication secured via HTTPS / TLS 1.2+ |
| Encryption at rest | Sensitive data encrypted at database level; AWS S3 files use server-side encryption |
| Authentication | JWT-based with OTP verification and secure refresh token mechanism |
| Access control | Role-based access control — staff access only data required for their role |
| Payment security | PCI-DSS compliant gateways; Voder does not store card numbers, CVVs, or UPI PINs |
| Rate limiting | API rate-limiting to prevent brute-force attacks |
| Input sanitisation | All inputs validated and sanitised against SQL injection and XSS |
| Audit logging | All administrative actions on personal data logged with timestamp and actor ID |
Enterprise Business & MSME Data Compliance
MSME-registered enterprise customers
If you are a Micro, Small, or Medium Enterprise registered under the Udyam Registration portal, you may declare your MSME status during enterprise account setup. Voder collects and retains your Udyam Registration Number solely for GST-compliant invoicing, prioritising dispute resolution timelines, and any preferential commercial terms.
Voder's MSMED Act obligations as a buyer
- Payments to MSME suppliers will be made within 45 days of acceptance of goods or services
- If payment is delayed beyond the statutory limit, Voder pays compound interest at three times the RBI bank rate
- Outstanding dues to MSME vendors are disclosed in Voder's annual financial statements
Your Rights Under the DPDP Act 2023
Right to access (Section 11)
- Profile → Privacy Settings → Export My Data
- Export delivered as an encrypted ZIP file within 72 hours to your registered email
- Download link valid for 48 hours and requires re-authentication
- Maximum 2 export requests per calendar month, unless required by law
Right to correction (Section 12)
- Edit profile fields directly in Profile → Edit Profile
- For document corrections (Drivers), contact the Grievance Officer
Right to erasure / account deletion (Section 13)
- Profile → Privacy Settings → Delete Account
- 30-day soft-delete grace period allows recovery by logging in
- Hard deletion after 30 days removes profile, contacts, photos, chat history, analytics
- Excluded from deletion: financial records, tax invoices, data tied to active disputes or claims
- Re-registration with same phone number blocked for 90 days after hard deletion
Right to withdraw consent (Section 6)
- Profile → Privacy Settings → Consent Preferences
- Optional consents (Marketing, Analytics) may be revoked any time
- Required consents (Location, Terms, Privacy Policy): revocation triggers account deactivation
Right to grievance redressal
File a complaint with our Grievance Officer (see contact card below). Acknowledgement within 5 business days; resolution within 30 days.
Consent Management
| Consent category | Type | Purpose |
|---|---|---|
| Terms of Service | Required | Access to and use of the Platform |
| Privacy Policy | Required | Collection and processing of personal data |
| Location sharing | Required | Core service delivery (dispatch, tracking, navigation) |
| Marketing communications | Optional | Promotional offers, news, platform updates |
| Analytics | Optional | Platform usage analysis and improvement |
- Each consent record is timestamped with user ID, type, policy version, and IP address
- Material policy updates trigger a re-consent prompt on your next app launch
- No dark patterns — optional consents default to OFF
- Consent records are immutable audit entries; revocation creates a new event record
Children's Privacy
The Voder Platform is strictly intended for individuals who are 18 years of age or older. We do not knowingly collect, store, or process personal data of any person under 18. If we become aware that personal data of a minor has been collected, we will take immediate steps to delete such data. Please notify us at grievance@voderapp.com if you believe a minor has registered.
Changes to This Privacy Policy
We may update this Policy from time to time. Material changes will be communicated via in-app push notification, in-app banner on next launch, and email (if provided). Your continued use of the Platform after the effective date constitutes acceptance. Where required by applicable law — including the DPDP Act 2023 — Voder will obtain fresh consent before processing personal data for materially different purposes.
Grievance Officer
In accordance with the DPDP Act 2023, IT Act 2000, and Consumer Protection Act 2019, Voder has appointed a Grievance Officer. Reach them using the contact card below.
Contact Us
| Channel | Address |
|---|---|
| Privacy email | privacy@voderapp.com |
| General support | support@voderapp.com |
| Security concerns | security@voderapp.com |
| Finance / TDS | finance@voderapp.com |
| Grievance Officer | grievance@voderapp.com |
| Phone | +91 94830 20256 |
| In-app | Profile → Help & Support |
| Support hours | Monday – Saturday, 9:00 AM – 6:00 PM IST |