Privacy Policy

How Turrant collects, uses, stores, and protects your personal data.

Effective: 26 May 2026 Version: 1.0 Governing law: India

Short version. Turrant collects only the personal data we need to operate an intercity ride-sharing platform safely. Your data stays in India by default. We don't sell it. You can read it, correct it, or delete it anytime by contacting our grievance officer below.

1. Who we are

"Turrant" refers to Turrant Mobility Pvt. Ltd. (the "Company", "we", "us"), the operator of the Turrant intercity ride-sharing platform at turrant.taxi. We are a Motor Vehicle Aggregator licensed under the Motor Vehicle Aggregator Guidelines, 2025 ("MVAG 2025") and process personal data as a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP 2023").

This policy applies to: passengers, drivers, fleet owners, and anyone who visits turrant.taxi or uses our apps.

2. What data we collect

For passengers

Phone number + name (mandatory) — to create your account, identify you to the driver, and let us contact you about your trip.
Pickup + drop addresses + live GPS during a trip — to match you with a driver, calculate the fare, and let your emergency contacts share your trip.
Payment information processed by our payment partner (currently Razorpay) — we don't store full card numbers.
Optional: email address — for receiving GST invoices and trip summaries.
Optional: emergency contact phone numbers — only used when you explicitly share an active trip.

For drivers + fleet owners

Identity documents required by MVAG 2025: Aadhaar, PAN, driving licence, vehicle registration, insurance, fitness, PUC certificate, police verification.
Bank account details for payment settlement, verified via penny-drop.
Background-verification reports commissioned via licensed agencies (e.g. OnGrid).
Trip-history + GPS trails during active assignments.

What we don't collect

Contact lists from your phone (we don't ask for permission to read them).
Photos from your gallery (only what you explicitly upload).
Microphone or camera access except during an active SOS event.
Browsing history or activity outside the Turrant app.

3. How we use your data

We use personal data only for these specific purposes:

Operating the ride. Matching passenger to driver, calculating fare, recording the trip, dispute resolution, GST invoicing.
Safety + compliance. Live GPS tracking, panic-button SOS, MVAG 2025 reporting, complying with police / court orders served on us.
Account security. Detecting fraud, preventing account takeover, rate-limiting abuse.
Service improvements. Looking at anonymised, aggregated patterns to improve matching, pricing, and reliability — never individual-level analysis without your consent.
Required communications. Trip OTPs, booking confirmations, document-expiry reminders, dispute notifications — sent via SMS, WhatsApp, email, or in-app push.

We do not use your data for behavioural advertising, sell or rent it to third-party brokers, or share it with any party except the limited list in section 6 below.

4. Where your data lives

By default, all personal data is stored on servers physically located in India. We use AWS Mumbai (ap-south-1) as our primary infrastructure, in line with the spirit of DPDP 2023's localisation guidance.

AI-assisted services — limited cross-border processing

Some platform features use AI services that may process your data outside India. Here is the current, accurate picture of who processes what, and where:

Provider	Used for	Where data goes
AWS Bedrock (Mumbai)	Aadhaar, PAN and bank-proof document verification	India (ap-south-1) — these documents do not leave India. While this India service is being provisioned, Aadhaar / PAN / bank-proof OCR is done manually rather than routed abroad.
Anthropic (Claude)	Driving-licence / RC / insurance field extraction, driver-identity face match and number-plate reading (safety check at pickup), customer-support drafts, reported-issue triage, marketing copy suggestions	USA — opt-out of training; short retention; SOC 2. We are migrating the face-match and plate-reading steps to AWS Bedrock Mumbai (India).
Google AI Studio	Marketing campaign image generation only — never your personal data	USA / EU — opt-out of training; short retention

Your most sensitive documents (Aadhaar, PAN, bank account) are never processed outside India — they are handled exclusively through AWS Bedrock Mumbai once provisioned, and manually until then. Other verifications and the pickup safety check may currently use Anthropic's API (USA) while we complete the migration to India-based processing. You can disable AI-assisted verification on your account by writing to our grievance officer (section 8) — we will verify your documents manually instead.

5. How long we keep it

Active accounts: for as long as your account is active + 12 months thereafter, to handle disputes.
Trip data: 7 years, as required by the Income Tax Act + GST law for tax records. Personal identifiers are anonymised after the active retention window.
Identity documents: retained while you operate on the platform + 12 months, then deleted unless required for ongoing legal proceedings.
Login + audit logs: 12 months for security / fraud investigation.
Marketing data: deleted within 30 days of you opting out.

You can request earlier deletion of personal identifiers by writing to the grievance officer; we will comply unless a specific law requires us to retain the data longer.

6. Who we share data with

We share your personal data only with the following categories of third parties, and only as needed:

Category	Example partners	What we share
Identity verification	UIDAI / DigiLocker, Parivahan, NSDL PAN, OnGrid (BGV), Karza / Idfy	Driver/owner Aadhaar, PAN, driving licence, RC numbers — for verification only
Messaging	Meta (WhatsApp Business), MSG91, Amazon SES, SendGrid, Resend	Your phone / email + the message content (OTPs, trip updates, invoices)
Payments	Razorpay	Trip amount + your phone/email for invoice; never raw card data
Mapping + GPS	Google Maps, Mappls (planned)	Pickup + drop coordinates for route calculation
Cloud infrastructure	AWS (ap-south-1, Mumbai)	All platform data — processed under AWS's standard data-processing terms
One-tap login (passengers)	WhatsApp (Meta), Truecaller	Your phone number + display name, only at the moment you tap the login button
AI assistance	Anthropic (Claude), AWS Bedrock (Mumbai), Google AI Studio	Per section 4 above — document text, pickup safety-check images, and (never personal data) marketing image prompts
Government + law-enforcement	Police, RTO, traffic authorities, GST authority, courts	Only when served with a valid legal order, or to investigate a safety incident on the platform

Each of these parties processes your data under their own privacy obligations + a written contract with Turrant requiring them to use it only for the agreed purpose.

7. Your rights under DPDP 2023

You can, at any time, ask us to:

Show you the personal data we hold about you and how we use it.
Correct any data that is wrong or out of date.
Delete your account + personal identifiers (subject to legal retention requirements in section 5).
Withdraw consent for any specific use (e.g. WhatsApp messages, AI-assisted verification).
Get a copy of your data in a machine-readable format.
Object to automated decisions that have a significant effect on you (e.g. account suspension).

To exercise any of these rights, write to our grievance officer below. We respond within 30 days (often faster).

8. Grievance officer + contact

Grievance Officer

Per Rule 5 of the IT Rules 2021 + DPDP 2023, we maintain a named grievance officer who handles all privacy-related requests and complaints.

Email: grievance@turrant.taxi
Subject line: "DPDP request — <your phone number>"
Response time: within 30 calendar days (typically 3–7).

If you are not satisfied with our response, you may escalate to the Data Protection Board of India (once it is functional) or the Ministry of Electronics and IT.

9. Children's data

Turrant is not intended for children under 18. We do not knowingly collect personal data from anyone we believe to be a minor. If a parent or guardian becomes aware that a minor has created a Turrant account, please email grievance@turrant.taxi and we will delete the account within 7 days.

10. Cookies + tracking

Our website (turrant.taxi) uses only essential first-party cookies for session management and security. We do not use third-party advertising cookies, behavioural-targeting pixels, or cross-site trackers. The site also does not embed Google Analytics, Facebook Pixel, or similar trackers.

11. Changes to this policy

When we update this policy, the new "Effective" date at the top will change. Material changes will trigger an in-app + email notification asking you to re-consent before continuing to use Turrant. Minor wording changes (clarifications, typo fixes) will not trigger a re-consent.

Historical versions are archived; on request the grievance officer will share the version that was in effect on any specific date.