This Privacy Policy explains how Saarathi (“we”, “us”) processes personal data when you use our websites, waitlists, applications, communications, demos, integrations, telemetry captured in-product subject to lawful bases, diagnostics, onboarding tools, moderation stacks, referral flows, CRM touchpoints & related services (“Services”). It complements our Terms & Conditions.
We design for GDPR (UK GDPR + EU GDPR where applicable), Data Protection Act 2018 / Irish Data Protection Acts, ePrivacy norms & emerging UK digital standards. If provisions conflict with mandatory local law, local law prevails.
How we exercise leverage (read this)
We architect data processing to prioritise network safety, fraud containment, service integrity, product evolution, and lawful monetisation within whatever legal bands apply to you. Privacy is a design goal — not an absolute shield against inspection, correlation, model training (where permitted), or disclosure when law, court order, narrowly tailored emergency, or defensible commercial risk management require it.
Operating a carpool network involves inherent confrontation with deception, coercion, illicit finance, impersonation rings, stalking, harassment, grooming patterns, illicit substances transportation attempts, sanctioned persons exposure, insurer fraud, mileage misrepresentation — therefore our monitoring / automation stack may feel assertive versus consumer chat apps optimised for secrecy.
Data controller & contact
Saarathi is the controller for personal data described here unless we state we act as processor for an enterprise customer (uncommon for consumer carpool). Contact: gunjeet@saarathi.club. For privacy-specific requests, include “Privacy Request” in the subject. We verify identity before fulfilling high-risk requests; failure to cooperate terminates the request queue without prejudice to our records posture.
You may lodge a complaint with the ICO (UK) or Data Protection Commission (Ireland) — we encourage you to contact us first so we can attempt resolution. Abusive, weaponised DSAR floods, speculative fishing expeditions masking litigation discovery, or manifestly unsubstantiated defamation dossiers may be denied or invoiced pursuant to GDPR Art.12(5) frameworks.
Scope & children
Services are not directed to anyone under 18. We do not knowingly collect children's data for consumer accounts. If you believe we have, contact us for prompt deletion.
Categories of personal data we process
Depending on how you engage, we may process:
- Identity & account data: name, email, phone (if supplied), profile photo (if supplied), internal user IDs, authentication tokens/hashes, security questions (if any), device identifiers (as permitted), invite codes.
- Organisation / verification data: workplace or institutional email domain, verification tokens, proof artefacts you upload (e.g., payslip redactions if ever requested), HRIS integration metadata for enterprise pilots.
- Commuting & logistics context: route endpoints as you choose them (possibly area-level granularity), timings, recurrence patterns, seating offers, fares, cancellations, ETA-like signals inferred from volunteered context.
- Financial / payments data: payment instrument fingerprints via regulated processors (we generally do not store full PAN), payouts/bank linkage metadata, invoicing payloads, refunds/chargebacks, fraud scores.
- Communications: in-app chats, moderation outcomes, attachments, attachment-derived metadata (MIME type, size).
- Technical & usage telemetry: IP address, timestamps, coarse geo via IP inference in security contexts, app version, crash logs, diagnostics, feature usage funnels (aggregated cohorts plus limited line-level pseudonymous events), anti-automation fingerprints.
- Safety data: SOS triggers, panic metadata, sharable trip links lineage, investigative case files, lawful authority correspondence references.
- Reputation metrics: ratings, qualitative feedback, anomaly flags, deterministic trust composites.
- Marketing & comms preference data: subscription flags, suppression lists.
Purposes & lawful bases (GDPR Articles 6/9)
Where UK/EU GDPR applies, we rely on one or more of: contract (providing requested Services), legitimate interests (securing Services, analysing reliability, iterating UX subject to balancing tests — detailed on request), legal obligation, vital interests (rare emergency contexts), consent (non-essential analytics/marketing toggles captured in preference centres & cookie flows). High-risk processing receives DPIA scrutiny when the threshold is met.
Representative operational purposes:
- Account onboarding, MFA posture, anomaly detection session hardening.
- Matching commuters, sequencing notifications, powering historical trip recall for legitimate dispute resolution horizons.
- Incident triage after reports; cooperation with lawful authority requests scrutinised for procedural validity scope.
- Payment settlement, AML/sanctions screening overlays where legally compelled or proportionate contractual necessity.
- Product experimentation using aggregated / pseudonymised metrics; flagged high-fidelity analytic cohort joins restricted.
- Fraud deterrent linking device reputation graphs with rate limits balancing privacy minimisation mandates.
We avoid processing special-category data (“sensitive” GDPR Art.9 — e.g., health biometrics revealing conditions) unless you voluntarily overshare in free text chats (we discourage this) — then processing may rely on safeguarding substantial public interest / legal claims groundwork while redacting where feasible.
Automated decision-making & profiling
We may automate risk scoring influencing trip visibility, payout holds, prompts for additional verification, or moderation quarantining. Actions with material legal/significant comparable effects incorporate human review escalation pathways absent overwhelming emergency automation blocks (e.g., CSAM hashing pipeline compliance).
Profiling may combine device reputation, payment velocity, chat semantic classifiers, geospatial anomaly heuristics, chargeback history, cross-account graph signals, and manual investigator notes. You accept adverse purely automated outcomes impacting account standing where legally tolerable absent human review — expedited escalation is available through support unless a safety freeze mandates otherwise.
Communications are not confidential
Anything you voluntarily transmit through our Services — including chats, uploads, SOS flows, telemetry — should be presumed subject to lawful inspection, archival, keyword scanning, machine summarisation, and disclosure to counterparties / insurers / regulators / acquirers in due diligence contexts (redacted/anonymised where feasible) consistent with lawful bases & Policies. Never communicate secrets through in-app chat you would not share with a cautious employer compliance officer.
Recipients & international transfers
We disclose personal data:
- To infrastructure vendors (cloud hosting, observability, CDN, email delivery, anomaly detection, LLM-assisted moderation tooling).
- Payment processors/acquirers/regulated partners subject to PSD2 overlays (where geography expansion triggers additional registration).
- Professional advisers (counsel, auditors, insurers) bound by confidentiality.
- To authorities when legally mandated & after proportionality diligence except narrow exigent safeguarding windows.
- Acquirers in corporate transactions under successor privacy obligations continuity.
Transfers outside the UK/EEA rely on the ICO-approved IDTA/addendum or EU SCCs (2021), with Transfer Impact Assessments and supplementary measures (encryption subsets, ephemeral access ladders, organisational policy controls).
Retention philosophy
Account core data persists while active + contractual wind-down horizon. Messaging content may degrade to hashed forensic fragments faster than ledger records. Telemetry rotating hot storage windows slim down to aggregates. Incident investigation archives segmented with legal hold safeguards. Fraud/risk artefacts may linger longer proportional to recurrence exposure.
Regulatory / tax / anti-fraud horizons may require retention of ledger & invoicing artefacts for up to seven (7) years (or locally mandated maxima). Cybersecurity artefacts (credential breach indicators, cryptographic fingerprints of malware uploads, brute-force IP logs) may persist beyond termination where proportionate indefinite retention shields the network. Derived statistical models may remain after source rows expire.
Derived data & model assets
Irreversibly aggregated or de-identified analytics, embeddings, heatmaps, demand curves, safety classifier weights trained on pseudonymised corpora — once no longer relatable to an identifiable person by reasonable means — may be treated as Saarathi proprietary assets licensable/commercialisable without further obligation to you except where law defines residual rights.
Cookies & similar technologies
We classify cookies/consent-required tech per ePrivacy Directive / PECR & EDPB Opinion alignment. Mandatory session tokens differ from discretionary analytics meshes. Preference centre granularity improves over time rather than regressing lawful status.
Security measures
Measures include TLS in transit, network segmentation, principle-of-least-privilege RBAC, KMS-backed secret storage, MFA for internal staff administrative surfaces, SIEM alerting, backup encryption, periodic pen-tests, vendor security reviews, and bug bounty backlog grooming.
Absolute security is impossible; these measures materially reduce the likelihood of compromise, yet you must safeguard your credentials, endpoints and devices too.
Your rights
Subject to exemptions, GDPR grants rights including:
- Access (& portability where technically feasible & not disproportionate).
- Rectification, erasure, restriction.
- Object to certain processing anchored in legitimate interests (we assess remaining grounds).
- Withdraw consent anytime for consent-founded processing.
- Complain to supervisory authorities (non-exclusive of escalating to courts where applicable statutory paths exist / injunction windows).
We respond typically within one month (extendable for complex bursts with notice explaining why). Repeated manifestly unfounded volumetric requests attract reasonable administrative fees lawful under Art.12(5).
Erasure (“right to be forgotten”) will be refused where overriding grounds exist — ongoing dispute, AML hold, insurance claim chain, safeguarding investigation, lawful authority preservation order — until the impediment clears. Portable exports exclude proprietary scoring algorithms, moderator workflow templates, forensic chain-of-custody metadata, third-party enrichment data we cannot sublicense, & any data whose export risks third-party harassment.
U.S., Canada, APPs, other regions
Expansion may trigger supplemental notices (CPRA parallels, Québec Law 25, Canadian PIPEDA, Australian Privacy Principles). Divergences appear in annexes—not replacing core commitments unless logically impossible harmonisation-wise.
Inferred & generated data
Models may synthesise commuter demand heatmaps devoid of attributable rows; raw underlying events are minimised aggressively in training snapshot exports.
Messaging monitoring scope
Automated scanners may flag illicit activity patterns triggering human moderators obligated to escalate legally defined harms beyond token privacy vs safety tradeoffs (balanced per documented policy versioning).
Catastrophic outage / ransomware posture
Our incident response playbook isolates segmentation blast radii, leveraging immutable journaling & secret rotation routines; the DPIA appendix references DR RTO/RPO targets, which are engineering aims, not marketing promises.
No sale of traditional brokerage lists
We don't sell personal data brokerage-style lists resembling vintage ad-tech clearing houses. Monetisation emphasises service fees & adjacent permitted analytics where legally grounded — not gratuitous dossier vending.
That said, corporate transactions, joint ventures, or insight licensing deals may involve transfer or licensed use of data sets already lawfully in our estate — you consent to assignability / successor processing notice where consent is a valid basis; else we rely on Art.6(1)(f) legitimate interest in corporate continuity subject to your objection rights where applicable.
Biometrics & device integrity signals
We may process device attestation tokens, behavioural typing cadence (if enabled), facial liveness only when you explicitly initiate high-assurance verification (not silent background mass capture), audio snippets for fraud voice-match if launched with consent — each surfaced distinctly in consent flows. Refusal may cap feature tier access.
Brexit / divergence monitoring
We track UK GDPR evolution; divergent adequacy rulings are periodically stress-tested, prompting updates to our transfer scaffolding.
Government access transparency
Unless legally barred, aggregated transparency disclosures may enumerate broad request categories without risking ongoing investigations integrity.
Changes
Material substantive changes communicated via email or prominent in-app notice + updated date header. Continued use after effective date where consent not newly required implies acceptance of non-rights-diminishing clarifications; rights-affecting shifts obtain fresh consent or alternative lawful pivot.
Supervisory authority references (non-exhaustive)
- UK ICO: https://ico.org.uk/
- Ireland DPC: https://www.dataprotection.ie/