en

Privacy policy

Effective Date:  31st Dec 2025

Version:  2.0

Governed by:  Digital Personal Data Protection Act, 2023 | IT Act, 2000 | IT (SPDI) Rules, 2011

Data Fiduciary:  Zingato (Managed by Badabajar IT Solution, Phulwari Sharif, Patna, Bihar)

Grievance Officer:  support@zingato.in  |  +91 7979767667

 

1. Introduction and Scope

Zingato (“we”, “us”, or “our”) is a multi-vendor hyperlocal delivery platform operated by Badabajar IT Solution, providing on-demand food, grocery, and daily-essentials delivery services in Patna, Gopalganj, Siwan, Mirganj, and surrounding areas in the State of Bihar, India.

This Privacy Policy (“Policy”) is published in compliance with:

  • Section 43A of the Information Technology Act, 2000 (“IT Act”);
  • The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”);
  • The Digital Personal Data Protection Act, 2023 (“DPDP Act”), to the extent notified and in force;
  • Any other applicable Indian law or regulation as amended from time to time.

This Policy governs the collection, processing, storage, disclosure, and protection of Personal Data of all users (“Data Principals”) who access or use the Zingato mobile application, website (www.zingato.in / panel.zingato.in), or any related services (collectively, the “Platform”). By accessing or using the Platform, you signify your informed and free consent to the practices described herein.

2. Key Definitions

Unless otherwise specified, the following terms shall bear the meanings assigned to them:

  • “Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act, 2023.
  • “Sensitive Personal Data or Information (SPDI)” includes financial information (bank account, debit/credit card, payment instrument details), biometric data, and any other information classified as sensitive under the SPDI Rules, 2011.
  • “Data Fiduciary” (equivalent to ‘Data Controller’ under GDPR) means Zingato / Badabajar IT Solution, which determines the purpose and means of processing Personal Data.
  • “Data Principal” (equivalent to ‘Data Subject’) means the natural person to whom Personal Data relates, including customers, vendors, and delivery partners using the Platform.
  • “Data Processor” means any person or entity that processes Personal Data on behalf of Zingato pursuant to a contract.
  • “Consent” means a free, specific, informed, unconditional, and unambiguous indication of the Data Principal’s wishes by a clear affirmative action.

3. Personal Data Collected

3.1 Information Provided by You

  • Identity Information: Full name, date of birth (optional), gender (optional).
  • Contact Information: Mobile number, email address.
  • Address Information: Delivery address, area pincode, landmark.
  • Account Credentials: Username, encrypted password.
  • Order Information: Order history, preferences, special instructions.
  • Payment Information: Payment method type (UPI, card type). We do not store card numbers, CVV, UPI PINs, or other payment credentials directly; all payment transactions are handled by PCI-DSS compliant third-party payment gateways.

3.2 Information Collected from Vendors

  • Business name, GSTIN (if applicable), business address, and contact details.
  • Bank account details for vendor payouts (treated as SPDI).
  • Product/menu listings, images, and pricing information.

3.3 Information Collected from Delivery Partners

  • Full name, contact details, and address.
  • Government-issued identity documents: Aadhaar number (partially masked), PAN card (as required for KYC and tax compliance under applicable Indian law).
  • Bank account details for remuneration (treated as SPDI).
  • Real-time GPS location during active delivery assignments only.
  • Profile photograph.

3.4 Automatically Collected Information

  • Device information (device model, operating system version) for app compatibility.
  • App usage and interaction data for service improvement.
  • Location data (foreground access only, when the app is in active use).

We expressly do not collect: IP addresses for user profiling, contact lists, SMS content, call logs, or any data unrelated to the delivery service.

4. Purpose of Processing and Legal Basis

Zingato processes Personal Data only for specific, lawful, and legitimate purposes. The table below sets out the primary purposes and their legal basis under Indian law:

 

Order Fulfilment:  Processing and delivering orders placed on the Platform. [Legal Basis: Performance of Contract; Consent]

Account Management:  Creating, maintaining, and securing user accounts. [Legal Basis: Consent; Legitimate Interest]

Payment Processing:  Facilitating secure payment transactions via authorized gateways. [Legal Basis: Performance of Contract; Legal Obligation]

Location Services:  Displaying nearby vendors and enabling real-time delivery tracking. [Legal Basis: Consent]

Customer Support:  Resolving complaints, queries, and disputes. [Legal Basis: Legitimate Interest; Legal Obligation]

Safety & Verification:  KYC verification of delivery partners as required under applicable law. [Legal Basis: Legal Obligation]

Marketing & Offers:  Sending promotional notifications if opted-in by the user. [Legal Basis: Consent — withdrawable at any time]

Legal Compliance:  Compliance with court orders, government directions, or statutory requirements. [Legal Basis: Legal Obligation]

Analytics:  Improving app performance and user experience through aggregated, anonymized data analysis. [Legal Basis: Legitimate Interest]

 

5. Location Data

Location access is a core functionality of the Platform. Zingato accesses your device’s GPS location strictly on a ‘foreground-only’ basis (i.e., only when the application is actively open and in use). Specifically:

  • Customer Location: Used solely to display nearby vendors, calculate estimated delivery time, and confirm the delivery address.
  • Delivery Partner Location: Tracked in real-time only during an active delivery assignment. Location tracking ceases automatically upon completion or cancellation of the delivery.

We do not track, store, or share location data outside the scope of active service delivery. Location permissions can be revoked at any time through your device settings; however, this may limit certain app functionalities.

6. Disclosure and Sharing of Personal Data

Zingato does not sell, rent, trade, or otherwise transfer your Personal Data to any third party for their independent commercial use. Personal Data is disclosed only in the following limited circumstances and on a strictly need-to-know basis:

  • Delivery Partners: Name, delivery address, contact number, and order details are shared with the assigned delivery partner solely for the purpose of completing the delivery.
  • Vendors/Merchants: Order details (excluding payment information) are shared with the relevant vendor to prepare and dispatch the order.
  • Payment Gateways: Transaction-related data is shared with authorized, PCI-DSS compliant payment processors. No raw payment credentials are stored or processed by Zingato.
  • Technology & Cloud Service Providers: Zingato uses third-party cloud infrastructure and analytics providers who process data on our behalf as Data Processors, bound by confidentiality obligations and data processing agreements.
  • Legal and Regulatory Authorities: Personal Data may be disclosed to law enforcement agencies, courts, or government authorities strictly in compliance with a valid legal order, statutory requirement, or to protect the rights, property, or safety of Zingato, its users, or the public.
  • Business Transfers: In the event of a merger, acquisition, or sale of business assets, Personal Data may be transferred to the successor entity, subject to equivalent data protection obligations.

In all cases of data sharing, Zingato ensures that the receiving party is contractually bound to maintain confidentiality and process data only for the specified purpose.

7. Data Security

In compliance with Rule 8 of the SPDI Rules, 2011 and the DPDP Act, 2023, Zingato has implemented and maintains reasonable security practices and procedures, including:

  • End-to-end encryption for data transmitted between users and our servers using industry-standard TLS/SSL protocols.
  • Encrypted storage of sensitive data, including hashed and salted passwords and masked payment identifiers.
  • Role-based access controls (RBAC) ensuring that employees and partners can only access data necessary for their specific functions.
  • Periodic security audits, vulnerability assessments, and penetration testing.
  • Secure cloud infrastructure with firewalls, intrusion detection systems, and regular backups.

Notwithstanding the above, no method of electronic transmission or storage is 100% secure. In the event of a personal data breach that is likely to result in harm to Data Principals, Zingato will notify the affected users and, where required, the Data Protection Board of India, in accordance with applicable law.

8. Data Retention

Zingato retains Personal Data only for as long as is necessary for the purposes outlined in this Policy, or as required by applicable law. The following retention principles apply:

  • Active User Accounts: Data is retained for the duration of the user’s relationship with Zingato.
  • Account Deletion Requests: Upon a verified request, all Personal Data will be permanently deleted within seven (7) working days, except for:
  • Transaction and financial records required to be retained under the Income Tax Act, 1961 and GST laws (typically seven years);
  • Data required to comply with a pending legal dispute, investigation, or court order.
  • Delivery Partner Records: KYC documents (Aadhaar, PAN) and financial records are retained for the period mandated under applicable labour and tax laws.

Upon expiry of the retention period, Personal Data will be securely deleted, anonymized, or de-identified in a manner that prevents re-identification.

9. Rights of Data Principals

In accordance with the DPDP Act, 2023 and applicable law, Data Principals have the following rights with respect to their Personal Data:

  • Right to Access: You may request a summary of your Personal Data processed by Zingato and the purposes for which it is being processed.
  • Right to Correction and Updation: You may request correction of inaccurate, incomplete, or outdated Personal Data held by Zingato.
  • Right to Erasure: You may request deletion of your Personal Data, subject to legal and contractual retention obligations.
  • Right to Grievance Redressal: You have the right to have your grievances pertaining to this Policy addressed in a timely manner (see Section 12).
  • Right to Nominate: You may nominate an individual to exercise your rights in the event of your death or incapacity, as and when such provisions are notified under the DPDP Act, 2023.
  • Right to Withdraw Consent: You may withdraw your consent for non-essential data processing (e.g., marketing notifications) at any time through the in-app settings, without affecting the lawfulness of prior processing.

To exercise any of the above rights, please contact our Grievance Officer at support@zingato.in. We will respond to all verifiable requests within a reasonable timeframe.

10. Cookies and Similar Technologies

The Zingato Platform may use session cookies and similar technologies solely to:

  • Maintain user login sessions and authentication state.
  • Remember user preferences such as language settings and last-used delivery address.
  • Analyse aggregate, anonymized app performance metrics for internal improvement.

We do not use tracking cookies for third-party advertising, behavioural profiling, or cross-site tracking. You may configure your browser or device settings to manage or disable cookies; however, this may affect certain functionalities of the Platform.

11. Children’s Privacy

The Platform is not intended for use by individuals under the age of eighteen (18) years. Zingato does not knowingly collect, process, or store Personal Data of minors. In accordance with the DPDP Act, 2023, if it is brought to our notice that data of a minor has been inadvertently collected, we will take immediate steps to delete such data and, where applicable, notify the concerned guardian.

If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us immediately at support@zingato.in.

12. Grievance Redressal Mechanism

In compliance with Rule 5(9) of the SPDI Rules, 2011 and the provisions of the DPDP Act, 2023, Zingato has designated a Grievance Officer to address concerns relating to the processing of Personal Data:

 

Name of Grievance Officer:  Authorised Representative, Badabajar IT Solution

Email:  support@zingato.in

WhatsApp / Phone:  +91 8677992256  |  +91 7979767667

Registered Address:  Nohsa, Phulwari Sharif, Patna — 800001, Bihar, India

Operational Address:  A2 Hospital, Kamla Rai College Road, Gopalganj, Bihar — 841428

Website:  www.badabajaritsolution.com

 

All grievances will be acknowledged within forty-eight (48) hours and resolved within thirty (30) days of receipt, in accordance with applicable law. If your grievance is not resolved to your satisfaction, you may escalate the matter to the Data Protection Board of India upon its establishment under the DPDP Act, 2023.

13. Third-Party Links and Services

The Platform may contain links to third-party websites or integrate with third-party services (e.g., payment gateways, map providers). Zingato is not responsible for the privacy practices or content of such third-party platforms. We encourage you to review the privacy policies of any third-party service you interact with.

14. Cross-Border Data Transfers

Zingato processes and stores all user data primarily within the territory of India. To the extent that any data may be transferred to or accessed from servers located outside India (e.g., cloud service infrastructure), such transfers shall be conducted in compliance with applicable provisions of the DPDP Act, 2023 and any rules or directions issued thereunder, ensuring adequate data protection safeguards are in place.

15. Amendments to this Policy

Zingato reserves the right to modify this Policy at any time to reflect changes in our services, technology, legal requirements, or business practices. In the event of material changes, users will be notified through:

  • An in-app notification displayed prominently before continued use of the Platform;
  • Email notification to the registered email address on record (where applicable).

The updated Policy will be published on the Platform with a revised “Effective Date”. Continued use of the Platform after the effective date of any amendments constitutes acceptance of the revised Policy. We encourage you to review this Policy periodically.

16. Governing Law and Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of the Republic of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts located in Patna, Bihar, India.

 

By using the Zingato Platform, you acknowledge that you have read, understood, and agreed to this Privacy Policy.