Privacy Policy

The Ride Sharing is operated by Swenid Private Limited and is committed to protecting your personal information and privacy.

On this page
Version 1Effective: 7 May 2026Last Updated: 7 May 2026DPDP Act 2023 · IT Act 2000 · API Setu

Operator: Swenid Private Limited  |  Platform: The Ride Sharing (web & mobile applications), www.theridesharing.in

1. Introduction

The Ride Sharing (the "Platform") is operated by Swenid Private Limited ("Swenid", "we", "us", "our"), a company incorporated under the Companies Act, 2013, having its registered office at 5, Krishna Park Society, Berna Road, Balwantpura, Himatnagar, Sabarkantha, Gujarat - 383001, India (CIN: U62099GJ2026PTC173653).

This Privacy Policy explains how Swenid collects, uses, shares, retains, and protects personal data when you access the Platform as a Driver, Passenger, or visitor. It is published in compliance with:

  • The Information Technology Act, 2000 (Section 43A) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules");
  • The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021;
  • The Digital Personal Data Protection Act, 2023 ("DPDP Act");
  • The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the Aadhaar (Authentication and Offline Verification) Regulations, 2021;
  • The Consumer Protection (E-Commerce) Rules, 2020;
  • The Motor Vehicles Act, 1988 and rules thereunder, to the extent applicable.

By using the Platform, you confirm you have read and understood this Policy and consent to the processing of your data as described.

2. Definitions

  • Personal Data: Data about an individual who is identifiable by or in relation to such data.
  • Data Principal: The individual to whom the Personal Data relates.
  • Data Fiduciary: Swenid Private Limited.
  • Sensitive Personal Data or Information (SPDI): As defined in Rule 3 of the SPDI Rules, 2011.
  • API Setu: The Government of India's API exchange platform operated by NeGD/MeitY (apisetu.gov.in).
  • DigiLocker: The digital document service operated by DigiLocker Authority under MeitY.

3. Information We Collect

3.1 Information you provide directly

  • Identity & contact: Name, gender, date of birth, mobile number, email, profile photograph, emergency contact.
  • Account credentials: Password (stored only as a salted hash), MPIN/biometric unlock token (if you enable it; the token is stored on your device, not on our servers).
  • Driver-specific: Driving Licence number and validity, vehicle registration number, RC details, third-party motor insurance details, PUC certificate, vehicle make/model/colour, bank account details for settlement (account number stored in tokenised form by our payment processor).
  • Government ID for verification (Driving Licence, Aadhaar via DigiLocker, RC): See Section 7 for our zero-storage commitments.
  • Trip data: Pickup and drop locations, route, timestamps, fellow co-travellers (for matching), in-app messages with the matched party.
  • Communications & support: Messages you send to support, ratings, reviews, feedback, complaint records.

3.2 Information collected automatically

  • Device & technical data: Device model, OS version, IP address, app version, language, time zone, crash logs, push-notification token.
  • Location data: With your explicit, granular consent, real-time GPS location while the app is running and during an active Ride. Background-location collection (if you enable it) is used solely for live trip tracking and SOS, never for advertising. You may revoke location permission at any time from your device settings.
  • Usage analytics: Pages/screens viewed, features used, error events. We use first-party analytics; we do not enable cross-site advertising profiling.
  • Cookies & similar technologies: See Section 12.

3.3 Information from third parties

  • API Setu / DigiLocker: The verification result and the minimal demographic fields specified in Section 7.
  • Payment gateway (our Payment Aggregator): Transaction status, masked instrument details, dispute/chargeback notifications.
  • SMS / Email providers: Delivery status of OTPs and notifications.

4. Categories, Purpose, and Lawful Basis

CategoryPurposeLawful Basis (DPDP Act)
Identity & contactAccount creation, communications, supportConsent / Performance of contract
Government ID via API Setu / DigiLockerIdentity verification of Drivers and Passengers, fraud prevention, platform integrityConsent + Legitimate use (user safety)
Driver licence, RC, insurance, PUCStatutory compliance under the Motor Vehicles Act, 1988; Driver eligibilityLegal obligation / Performance of contract
LocationMatching, route calculation, live tracking, SOS, fare-share computationConsent
Payment data (handled by our Payment Aggregator)Charging the Contribution, Service Fee, GST; settlement to Drivers; dispute handlingPerformance of contract / Legal obligation
Trip metadata, messages, ratingsOperating the Ride, safety, dispute resolution, auditPerformance of contract / Legitimate use
Device & usage dataSecurity, fraud detection, debugging, service improvementLegitimate use
Communications with supportGrievance redressal, audit trailConsent / Legal obligation
Aggregated/anonymised analyticsService improvement, public interest researchLegitimate use

6. Sharing of Information

We do not sell Personal Data. We share only as follows:

  • Between matched Driver and Passenger: First name, profile photograph, rating, vehicle details (Driver only), masked phone number through a virtual-number proxy service. Full phone numbers are not exchanged.
  • Service Providers (Data Processors), each under a written contract with DPDP-aligned safeguards:
    • Identity verification: API Setu / DigiLocker, Aadhaar User Agencies (AUAs), KYC User Agencies (KUAs), Authentication Service Agencies (ASAs) — only as authorised under the Aadhaar Act and only via Government-authorised channels;
    • Payments: our Payment Aggregator (PCI-DSS compliant);
    • SMS / Email: licensed Indian providers;
    • Cloud hosting: enterprise providers with data centres in India;
    • Mapping & routing: Google Maps / OpenStreetMap services;
    • Analytics & crash reporting: privacy-respecting first-party analytics; we disable advertising-ID collection.
  • Legal disclosure: When required by law, court order, or a valid request from a competent government authority. We notify the Data Principal where lawful.
  • Corporate transactions: In the event of a merger, acquisition, or asset sale, with notice to affected users.
  • Safety: If we have a good-faith belief that disclosure is necessary to prevent imminent harm.

7. Identity Verification — API Setu / DigiLocker / Aadhaar Data Policy

Authorised Verification. The Ride Sharing verifies the identity of every Driver, and may verify Passengers, exclusively through Government of India authorised channels — including API Setu (apisetu.gov.in), DigiLocker, and licensed Aadhaar User Agencies (AUAs) / KYC User Agencies (KUAs) and Authentication Service Agencies (ASAs). We do not collect Aadhaar through any other route (no scanning of physical Aadhaar cards, no manual upload of Aadhaar number, no offline XML received from anywhere other than DigiLocker).

Zero-Storage Policy. Swenid strictly adheres to a "Zero-Storage" policy regarding sensitive identity data. We do not store on our servers, databases, application logs, analytics systems, or backups:

  • Your full 12-digit Aadhaar number;
  • Your Aadhaar biometrics (fingerprint, iris, face);
  • Aadhaar OTPs;
  • Any e-KYC XML / ZIP / PDF responses received from UIDAI or DigiLocker beyond the duration strictly necessary for the authentication transaction (responses are processed in memory and discarded immediately).

Purpose Limitation. Identity data is accessed solely for one-time, real-time authentication of the Data Principal at onboarding (and in limited cases of re-verification). After authentication, only the following are retained:

  • The verification status (Verified / Not Verified) and the verification timestamp;
  • The reference / transaction ID returned by the verifying authority (for audit);
  • Name, photograph, gender, and date of birth (where strictly required for the service);
  • The masked reference ID issued by the Government-authorised KYC provider, where applicable;
  • Last 4 digits of Aadhaar in masked form, only where strictly necessary and with separate explicit consent.

Consent & Display. Before every verification request we display: (a) the purpose, (b) the name of the verifying authority, (c) the data fields requested, (d) the retention statement, and (e) a clear affirmative "I consent" action. We log consent with timestamp, app version, and IP. We do not perform verification without recorded informed consent.

Driving Licence and RC Verification. Driving Licence and Vehicle Registration Certificate verification is performed against the Sarathi/Vahan databases through API Setu. We retain only the verification result, the licence/RC number, validity period, vehicle category, and a tokenised reference. Underlying database documents are not stored.

Compliance. Our verification workflows are designed to comply with the Aadhaar Act 2016, the Aadhaar (Authentication and Offline Verification) Regulations 2021, the IT Act 2000, the DPDP Act 2023, and the published terms of use of API Setu, DigiLocker, and UIDAI.

No Profiling. Aadhaar / DigiLocker / API Setu data is never used for profiling, advertising, credit scoring, or any purpose other than authentication and statutory compliance.

8. Data Security

We implement Reasonable Security Practices and Procedures as required under Section 43A of the IT Act, 2000 and align to ISO/IEC 27001 principles:

  • TLS 1.2+ for all data in transit; AES-256 for sensitive fields at rest;
  • Network segmentation, least-privilege IAM, multi-factor authentication for administrative access;
  • Hashed and salted credentials; tokenised payment instruments;
  • Centralised audit logs, intrusion-detection monitoring, regular vulnerability assessments and penetration testing;
  • Confidentiality obligations and security training for all personnel;
  • A documented incident-response plan with defined severity levels and escalation paths;
  • Periodic third-party security audits.

Breach Notification. In the event of a Personal Data breach likely to result in risk to your rights, we will notify the Data Protection Board of India and the affected Data Principals in the form and within the timelines prescribed under the DPDP Act. Notification will include the nature of the breach, categories and approximate number of Data Principals affected, likely consequences, and the measures taken or proposed.

9. Data Retention

We retain Personal Data only for as long as necessary for the purposes for which it was collected, or as required by applicable law (whichever is longer). Indicative retention:

Data CategoryRetention Period
Active account dataDuration of the account + 3 years thereafter
Trip records (for tax / GST)8 years from end of relevant financial year
Payment records8 years (Income-Tax / GST recordkeeping)
Identity verification status & reference IDsDuration of the account + 3 years
Aadhaar / OTP / biometric / e-KYC payloadNot retained beyond the active transaction (Section 7)
Server access & security logs180 days, longer only for active investigations
Support tickets and complaint records3 years from closure
Marketing preferencesUntil you opt out
Anonymised / aggregated analyticsNo retention limit (does not identify you)

On expiry of the retention period or upon a verified erasure request (subject to statutory retention), data is securely deleted or irreversibly anonymised.

10. Your Rights as a Data Principal

Subject to applicable law, you have the right to:

  • Access: Obtain a summary of the Personal Data we process about you and the identities of Data Processors with whom it has been shared.
  • Correction & Updation: Correct, complete, or update inaccurate or outdated data.
  • Erasure: Request deletion of Personal Data that is no longer necessary for the purpose collected (subject to statutory retention obligations).
  • Withdrawal of Consent: Withdraw any consent previously given.
  • Grievance Redressal: Lodge a complaint with our Grievance Officer; if unresolved, escalate to the Data Protection Board of India and to the Grievance Appellate Committee under Rule 3A of the IT Rules 2021 at gac.gov.in.
  • Nomination: Nominate another individual to exercise your rights in the event of death or incapacity.
  • Account Deletion: Initiate account deletion through Settings > Privacy Centre > Delete Account, or by writing to the Grievance Officer.

To exercise any right, write to the Grievance Officer (Section 15). We respond within the timelines prescribed under the DPDP Act and, in any event, within 30 days. We may need to verify your identity before acting on a request.

11. Children's Privacy

The Platform is intended only for users aged 18 and above. We do not knowingly collect Personal Data of children. If we become aware that a child's data has been collected, we will delete it promptly. A parent or guardian who believes a child has provided data may contact the Grievance Officer.

12. Cookies & Similar Technologies

The Platform uses strictly necessary first-party cookies for session management, security, and language preference. With your consent, we use first-party analytics cookies to understand usage patterns. We do not enable cross-site advertising profiling. You can disable non-essential cookies from the in-app Privacy Centre or your browser; this may affect functionality.

13. Cross-Border Transfers

Personal Data is primarily stored on servers located in India. To the extent any data is processed by service providers in jurisdictions outside India, such transfer is carried out only to jurisdictions permitted under the DPDP Act and subject to contractual safeguards.

14. Third-Party Services and Links

The Platform may integrate or link to third-party services (our payment processor, Google Maps, telecom virtual-number providers, etc.). Their handling of your data is governed by their own privacy notices. We carry out due diligence on each provider but are not responsible for their practices.

15. Grievance Officer & Data Protection Contact

In compliance with Rule 3(2) and Rule 4 of the IT (Intermediary Guidelines) Rules 2021, the Consumer Protection (E-Commerce) Rules 2020, and the DPDP Act 2023:

Grievance Officer / Data Protection Contact

Sweta Nidhil Patel

Swenid Private Limited

5, Krishna Park Society, Berna Road, Balwantpura, Himatnagar, Sabarkantha, Gujarat - 383001, India

Emailinfo@swenid.com
Phone+91-7041325320
HoursMonday – Saturday, 10:00 – 18:00 IST

We acknowledge complaints within 24 hours and resolve them within 15 days, except where law permits a longer period. If you are dissatisfied, you may approach the Data Protection Board of India or the Grievance Appellate Committee at gac.gov.in.

16. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by in-app notice and email at least 7 days before they take effect. The "Last Updated" date at the top reflects the most recent revision. Continued use after the effective date constitutes acceptance.

17. Contact

For all privacy queries, support requests, and grievances:

Email: info@swenid.com  |  Phone: +91-7041325320

Swenid Private Limited  |  CIN: U62099GJ2026PTC173653  |  Directors: Jainam Patel, Sweta Nidhil Patel

Registered Office: 5, Krishna Park Society, Berna Road, Balwantpura, Himatnagar, Sabarkantha, Gujarat - 383001, India

Platform: The Ride Sharing www.theridesharing.in

Terms & Conditions →Cancellation & Refund Policy →Contact / Grievance →