Introduction
At Exicube App Solutions (OPC) Private Limited, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy describes how we collect, use, disclose, and protect the information you provide to us when you interact with our website, mobile applications, and services.
Note for Exicube Clients (B2B): When providing our white-labelled platform services, our clients act as the "Data Controller" for their end-users' (riders, drivers, customers, etc.) data. Exicube acts as the "Data Processor," managing and processing this data on Exicube-managed cloud infrastructure solely on behalf of our clients to operate the platform. Our clients are solely responsible for obtaining appropriate consent from their end-users and complying with relevant local privacy laws. B2B clients should review our Data Processing Agreement (DPA) which governs data processing obligations.
Information We Collect
Personal Information
We may collect the following types of personal information from you when you voluntarily provide it to us:
- Contact information: such as your name, email address, phone number, and mailing address.
- Account information: if you create an account with us, we may collect your username and password.
- Payment information: when you subscribe or make a transaction, payment details are collected and processed securely by our third-party payment processors (e.g., Stripe, Square, PayPal). Exicube does not directly store your full credit card or debit card numbers.
- Demographic information: we may collect demographic information, such as your age, gender, and location, to better understand our user base.
Usage Information
We automatically collect certain information about your use of our services, including:
- Device information: such as your IP address, device type, operating system, and browser type.
- Log data: we collect log data, including the pages you visit, the time and date of your visit, the time spent on each page, and other statistics.
- Cookies and similar technologies: we use cookies and similar technologies to enhance your experience and analyse usage patterns. See our Cookie Policy for details.
Location Data
Our platform services collect and process location data to provide core functionality:
- Driver GPS data: real-time GPS coordinates from drivers/delivery personnel using our driver mobile application, used for dispatch, live tracking, route navigation, and delivery verification.
- Customer location: pickup and delivery addresses provided during booking, and device location when using map-based features in our customer applications.
- Location history: historical location data for drivers is retained for trip verification, waiting time calculation, disputes, and operational analytics (heat maps, geo-fencing).
Location data is classified as sensitive personal data. It is collected only when necessary for service delivery and is retained according to our data retention schedule below.
AI & Automated Processing
Our platform may use artificial intelligence and machine learning technologies to improve service quality. This includes:
- Automated dispatch scoring: Our platform uses a daily performance score to rank and prioritise drivers for job offers. The score is calculated based on: job acceptance (+1), delivery completion (+2), five-star ratings (+1), job timeouts (−1), and job cancellations (−4). Scores reset daily at midnight. This score directly influences which drivers receive job offers first, and constitutes automated decision-making that may significantly affect drivers' income.
- Dynamic/surge pricing: Algorithmic pricing models may analyse demand signals (real-time demand, time of day, weather conditions, and geo-fenced zone rules) to adjust pricing. Customers are shown the surge multiplier and estimated fare before confirming any booking.
- Customer support agents: AI-powered chat and voice agents may handle initial customer inquiries, with escalation to human support when needed.
- Voice transcription: Voice interactions with AI support agents are transcribed to text for processing. Raw audio is not permanently stored; only text transcripts are retained per our retention schedule.
- Sentiment analysis: Customer reviews may be automatically analysed for sentiment and theme extraction to improve service quality.
- Business intelligence: Aggregated and anonymised operational data may be processed by AI models to generate analytics and insights for platform administrators.
- CRM and sales outreach (Exicube internal): AI models may generate personalised outreach messages for B2B sales leads using publicly available business information (company name, contact name, industry, location). This processing is conducted by Exicube for its own legitimate business interests under GDPR Article 6(1)(f) and includes an unsubscribe mechanism in all communications.
Third-party AI processors: AI inference may be performed by third-party providers as listed on our Sub-Processor List. For platform AI features (support, analytics, dispatch), PII such as names, phone numbers, and email addresses is automatically stripped before data is sent to third-party inference providers. For CRM outreach by Exicube, business contact information may be included in prompts where it is essential for personalisation; this data is processed under legitimate interest and all providers are contractually prohibited from using input data for model training.
Your rights regarding automated decisions: Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Specifically:
- Drivers: You may request a full explanation of your current dispatch score calculation and request human review of any scoring decision by contacting your platform operator's support or Exicube directly at [email protected].
- Customers: You may request human review of any surge pricing or automated service decision.
- B2B leads: You may opt out of AI-generated outreach at any time by replying "STOP" or using the unsubscribe link included in all communications.
Use of Information
We use the information we collect for the following purposes, with the corresponding legal basis:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and improving our services | Contract performance (Art. 6(1)(b)) |
| Website analytics | Consent (Art. 6(1)(a)) |
| B2B sales outreach | Legitimate interest (Art. 6(1)(f)) |
| Security and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Billing and financial records | Legal obligation (Art. 6(1)(c)) |
| Automated dispatch scoring | Contract performance (Art. 6(1)(b)) with Art. 22 safeguards |
| Marketing communications | Consent (Art. 6(1)(a)) or Legitimate interest with opt-out |
- To provide and improve our services: we use your information to deliver our services, process your transactions, and enhance the user experience.
- To personalise your experience: we may use your information to customise our services and recommend content.
- To communicate with you: we may use your contact information to send you updates, newsletters, promotional materials, and respond to your inquiries.
- To conduct research and analysis: we may use the information to analyse usage patterns, evaluate the effectiveness of our marketing campaigns, and improve our services.
- To protect our rights and interests: we may use the information to detect and prevent fraud, enforce our terms of service, and protect our legal rights.
Disclosure of Information
We may disclose your information in the following circumstances:
- Service Providers & Sub-Processors: we may share your information with trusted third-party service providers who assist us in delivering our services, such as cloud hosting providers, payment processors (e.g., Stripe, Square), mapping services, AI inference providers, SMS/email providers, and analytics providers. These providers are bound by data processing agreements and are only authorised to use your information to perform services on our behalf. A complete list of our sub-processors is maintained on our Sub-Processor List page.
- Legal Requirements: we may disclose your information if required by law or in response to a valid legal request, such as a court order, subpoena, or government inquiry.
- Business Transfers: in the event of a merger, acquisition, or sale of our company assets, your information may be transferred to the acquiring entity or third party involved. We will notify you via email or prominent notice on our website of any such change in ownership or control.
- Consent: we may disclose your information to third parties with your consent or at your direction.
Data Security
We take reasonable measures to protect your personal information from unauthorised access, disclosure, alteration, or destruction. Our security measures include:
- Encryption in transit: all data transmitted between clients and servers is encrypted using TLS (SSL/TLS).
- Encryption at rest: sensitive data stored in our databases is encrypted using AES-256 via infrastructure-level volume/database encryption provided by our cloud hosting provider.
- Access controls: role-based access controls (RBAC) and database-level tenant isolation using Row Level Security (RLS) policies, with
tenant_idscoping enforced by the database engine on all queries. - Payment security: payment processing is handled by PCI-compliant third-party providers. Exicube does not store raw payment card data.
- API security: targeted API rate limiting on security-sensitive endpoints, input validation, parameterised queries (SQL injection prevention), and secure session management.
However, please note that no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
Data Retention
We retain your personal information according to the following schedule, unless a longer retention period is required or permitted by law:
| Data Category | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion request |
| Voice transcripts | 90 days |
| Chat/support logs | 1 year (configurable for B2B clients) |
| Driver location history | 90 days |
| Billing & financial records | 7 years (legal requirement) |
| AI agent interaction logs | 1 year |
| Analytics/usage data | 2 years (aggregated/anonymised) |
| Cookie data | See Cookie Policy |
We will securely delete or anonymise your information when it is no longer needed. For B2B clients, data associated with a terminated tenant account is cascade-deleted within 30 days of account termination.
Your Rights and Choices
You have certain rights and choices regarding the personal information we collect about you. These include:
- Access and Update: you have the right to access and update your personal information. You can do this by logging into your account or contacting us directly.
- Right to Erasure (Deletion): you have the right to request deletion of your personal information. Upon receiving a verified deletion request, we will delete or anonymise your data within 30 days, except where retention is required by law (e.g., billing records). To request erasure, email [email protected] with the subject line "Data Deletion Request."
- Data Portability: you have the right to receive a copy of your personal data in a structured, commonly used format (CSV or JSON).
- Right to Object: you have the right to object to certain types of processing, including automated decision-making (see AI & Automated Processing section above).
- Opt-out: you have the option to opt-out of receiving promotional communications from us. You can unsubscribe by following the instructions provided in the communication or contacting us.
- Cookies: you can set your browser to refuse all or some cookies or to alert you when cookies are being sent. You may withdraw cookie consent at any time via the cookie banner on our website. See our Cookie Policy for details.
- Global Privacy Control (GPC): we honour Global Privacy Control signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information, as required by applicable laws such as the CCPA/CPRA.
Your Rights by Region
Depending on your location, you may have additional rights under local privacy laws:
European Economic Area & United Kingdom (GDPR)
If you are in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR), including: access, rectification, erasure, restriction of processing, data portability, and the right to object. Our legal basis for processing is: (a) performance of a contract, (b) legitimate interest for B2B operations, or (c) your consent. You may lodge a complaint with your local supervisory authority.
EU/UK Representative: As Exicube is headquartered in India and offers services to individuals in the EEA and UK, we are in the process of appointing a formal EU/UK representative in accordance with GDPR Article 27. In the interim, all GDPR-related inquiries can be directed to our Data Protection contact at [email protected]. We will update this section once a formal representative has been appointed.
California, USA (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act, including: the right to know what personal information is collected, the right to delete, the right to opt-out of the sale of personal information, and the right to non-discrimination. We do not sell personal information as defined by the CCPA.
India (DPDP Act 2023)
If you are an Indian resident, you have rights under the Digital Personal Data Protection Act 2023, including: the right to access, correction, and erasure of your personal data, the right to grievance redressal, and the right to nominate a representative. The Director of Exicube App Solutions (OPC) Private Limited serves as the designated data protection point of contact and can be reached at [email protected].
Data Protection Officer
Given the current nature and scale of our processing activities, Exicube has determined that a formal Data Protection Officer (DPO) appointment is not required under GDPR Article 37. The Director of Exicube App Solutions (OPC) Private Limited serves as the designated point of contact for all data protection matters across all jurisdictions and can be reached at [email protected]. We will revisit this assessment as our operations grow and will appoint a formal DPO if required by applicable law.
Australia (Privacy Act 1988)
If you are an Australian resident, we handle your personal information in accordance with the Australian Privacy Principles (APPs). You have the right to access and correct your personal information, and to make a complaint about our handling of your data to the Office of the Australian Information Commissioner (OAIC).
International Data Transfers
Your data may be transferred to and processed in countries other than your own, including India (where Exicube is headquartered) and the locations of our sub-processors (see Sub-Processor List). We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) where required by GDPR, and compliance with applicable data protection regulations.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- For B2B clients (where Exicube acts as Data Processor), we will notify the client (Data Controller) within 48 hours of becoming aware of a breach affecting their end-users' data.
Breach notifications will include the nature of the breach, the categories and approximate number of individuals affected, likely consequences, and the measures taken or proposed to address the breach.
Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a minor, please contact us and we will take steps to delete it.
Changes to the Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time. We will notify you of material changes via email at least 30 days before they take effect. The latest version will always be available on our website.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at: [email protected]
Exicube App Solutions (OPC) Private Limited
3, Sreenagar, Madhyamgram
Kolkata, West Bengal – 700129
India
We appreciate your trust in us and assure you that we will handle your personal information with the utmost care and responsibility.
Version History
| Date | Changes |
|---|---|
| 25 March 2026 | Complete rewrite. Replaces all prior versions. Key additions: AI & automated processing disclosure (dispatch scoring, surge pricing, voice transcription), location data handling, specific data retention periods with table, right to erasure procedure, breach notification protocol, jurisdiction-specific rights (GDPR, CCPA, DPDP Act, Australian Privacy Act), GPC signal support, sub-processor list link, DPA link, cookie policy link. |