Privacy Policy

Skyfleet ("Skyfleet", "we", "us", or "our") operates the freight aggregation platform available at skyfleetnow.com and through related APIs and mobile applications (the "Platform"). This Privacy Policy explains how we collect, use, share, and protect personal data when you visit our website, register for an account, or use the Platform.

This policy is published in compliance with:

• The Digital Personal Data Protection Act, 2023 ("DPDPA");
• The Information Technology Act, 2000 ("IT Act") and Rules made thereunder;
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"); and
• The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

By using the Platform, you consent to the collection and use of personal data as described in this policy. If you do not agree, please discontinue use.

For the purposes of the DPDPA, Skyfleet is the Data Fiduciary with respect to personal data of merchants and merchant representatives who register on the Platform. Where Skyfleet processes personal data of end consumers (recipients of merchant shipments), it does so as a Data Processor on behalf of the merchant.

• Legal entity: Skyfleet
• Registered office: Chandigarh, India
• Contact email: support@skyfleetnow.com

We collect the following categories of personal data:

3.1 From merchants (account holders)

• Identity: name, email, phone, designation;
• Business: legal entity name, GSTIN, PAN, registered address, bank account details (for COD remittance);
• Authentication: hashed password, TOTP secret (where 2FA is enabled), session tokens;
• Usage: pages visited, features used, IP address, device/browser metadata, audit-log entries for every action taken in the dashboard.

3.2 From end consumers (shipment recipients)

When a merchant creates a shipment, the merchant provides us with recipient personal data including name, shipping address, phone number, and email (where provided). This data is processed strictly to fulfil the shipment.

3.3 Sensitive Personal Data or Information (SPDI)

Under the SPDI Rules, we treat the following as sensitive: passwords, financial information (bank accounts), and biometric information (we do not collect biometrics). We do not collect Aadhaar numbers, government-issued IDs other than PAN/GSTIN for tax compliance, sexual orientation, medical records, or religious beliefs.

3.4 We do not knowingly collect children's data

The Platform is intended for use by businesses and adults. We do not knowingly collect personal data of individuals under 18 years of age. Where we become aware of such collection, we will delete the data and, where required by law, obtain verifiable parental consent before further processing.

We use personal data only for the following defined purposes:

• Service delivery: creating and managing your account, booking shipments with courier partners, generating labels, processing COD remittance, providing tracking updates;
• Customer communication: sending order confirmations, shipment updates, NDR follow-ups (WhatsApp/SMS via Connect, when enabled by merchant);
• Security: detecting fraud, preventing abuse, investigating incidents, maintaining audit logs;
• Legal compliance: issuing GST invoices, complying with tax laws, responding to lawful requests from courts or government authorities;
• Service improvement: understanding feature usage, troubleshooting bugs, improving performance;
• Marketing (only with explicit consent): product newsletters, feature announcements. You can withdraw consent any time using the unsubscribe link in any email.

We will not use personal data for any purpose materially different from those stated without first obtaining fresh consent.

Under the DPDPA, we rely on the following lawful bases:

• Consent for marketing communications and optional features (e.g. Connect WhatsApp broadcasts);
• Performance of contract for processing required to deliver the services you signed up for;
• Legitimate uses as specified in Section 7 of the DPDPA, including responding to medical emergencies, complying with judgments or orders, and exercising any legal right or claim;
• Legal obligation for tax records, regulatory disclosures, and law enforcement requests.

We share personal data only with the following categories of recipients:

• Courier partners (Delhivery, Bluedart, DTDC, Xpressbees, Ekart, Ecom Express, Shadowfax, Smartr, Amazon Shipping, India Post, FedEx, DHL, Aramex, and others) — to whom we provide recipient name, address, phone, and shipment metadata strictly to fulfil deliveries;
• Payment processors (e.g. Razorpay) — for processing merchant subscription payments and COD remittance;
• Cloud infrastructure providers (Amazon Web Services, MongoDB Atlas, Vercel) — who host our systems under contractual data-protection commitments;
• Communication providers (Meta WhatsApp Business API, SMS gateways) — for sending notifications, only on merchant configuration;
• Tax and regulatory authorities — when required by law (GST returns, IT department requests, court orders);
• Professional advisors (auditors, lawyers) — under confidentiality obligations.

We do not sell personal data to any third party.

We retain personal data only as long as necessary for the purposes set out above:

• Account data: for the duration of your active account, plus 7 years thereafter as required by Indian tax and accounting laws (Income Tax Act, GST Act);
• Shipment data: 7 years from shipment creation for audit and dispute resolution;
• Audit logs: 7 years from the event, in line with statutory record-keeping;
• Marketing data: until consent is withdrawn, plus a short period to honour the withdrawal;
• Session and security logs: 12 months unless required longer for ongoing investigation.

On account closure, we will delete or anonymise personal data outside the statutory retention windows above. Backup copies may persist for up to 60 days.

Under the DPDPA, you have the following rights with respect to your personal data:

• Right to access: request a summary of the personal data we process about you;
• Right to correction and erasure: request correction of inaccurate data, completion of incomplete data, updating of out-of-date data, and erasure of data no longer necessary;
• Right to grievance redressal: contact our Grievance Officer (Section 11) for any concern relating to your personal data;
• Right to nominate: appoint another individual to exercise your rights in the event of death or incapacity;
• Right to withdraw consent at any time, for purposes that rely on consent;
• Right to data portability: receive your personal data in a structured, commonly used, machine-readable format.

To exercise any of these rights, email support@skyfleetnow.com with the subject line "Data Principal Request". We will respond within 30 days, and in any event no later than statutorily required.

In accordance with Section 43A of the IT Act and the SPDI Rules, we implement and maintain reasonable security practices and procedures including:

• Encryption of data at rest using AES-256 and in transit using TLS 1.3;
• Hashed password storage (bcrypt with appropriate cost factor) — we never store plain-text passwords;
• Optional TOTP-based two-factor authentication for every account;
• Role-based access control with least-privilege defaults for our staff;
• Full audit logging of administrative actions, including actor identity, IP, and before/after diff;
• Regular vulnerability scanning of our infrastructure;
• HMAC-SHA256 signing of outbound webhooks;
• Documented incident-response procedures aligned with ISO/IEC 27001 controls.

Despite these measures, no system is perfectly secure. If we become aware of a personal data breach likely to result in risk to data principals, we will notify the Data Protection Board of India and affected data principals as required under the DPDPA.

Personal data is primarily stored on infrastructure located in India (Mumbai region). Some service providers (Vercel, MongoDB Atlas) may process data in other jurisdictions for redundancy and global delivery. We do not transfer personal data to any country notified by the Central Government as restricted under the DPDPA. Cross-border transfers are made only to jurisdictions and recipients that provide an adequate level of data protection, under contractual safeguards including standard contractual clauses.

In compliance with Rule 5(9) of the SPDI Rules and Rule 3(2) of the Intermediary Guidelines 2021, we have designated a Grievance Officer who is the point of contact for any data-related concern.

If you are not satisfied with our response, you may approach the Data Protection Board of India established under the DPDPA, or pursue any other remedy available under law.

We use cookies and similar technologies to maintain your session, remember your preferences, and understand how the Platform is used. You can control cookies via your browser settings. Disabling essential cookies may prevent the Platform from functioning correctly. Non-essential cookies (analytics, preference) are loaded only after consent via our cookie banner.

The Platform may contain links to third-party websites or services. Their privacy practices are governed by their own policies, which we do not control. We encourage you to review the privacy policy of any third party before sharing personal data with them.

We may update this Privacy Policy from time to time to reflect changes in law, our practices, or the Platform. Material changes will be notified to you via email and via an in-app notice at least 7 days before they take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

This policy is governed by the laws of India. Disputes are subject to the exclusive jurisdiction of the courts at Chandigarh, India.

For any question about this Privacy Policy or our data practices:

• General support: support@skyfleetnow.com
• Privacy / grievance: grievance@skyfleetnow.com
• Address: Skyfleet, Chandigarh, India