Privacy Policy

Unispeed Technologies Private Limited ("Pluto", "We", "Us", "Our") operates the Pluto Driver App in Haryana under an Aggregator Licence (Haryana Motor Vehicles (Amendment) Rules, 2026, notified May 21, 2026).

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDPA") and DPDP Rules, 2025 (notified November 14, 2025), we determine the purposes and means of processing your personal data and are accountable for its protection.

This Policy applies to all Delivery Drivers ("You", "Data Principal") registered on the Pluto Driver App. It is compliant with:

• DPDPA, 2023 — partially operative from November 13, 2025; full compliance required by May 13, 2027
• DPDP Rules, 2025 — notified November 14, 2025
• IT Act, 2000, and SPDI Rules, 2011
• Social Security (Central) Rules, 2026 — in force from May 8, 2026
• Haryana Motor Vehicles (Amendment) Rules, 2026 — notified May 21, 2026
• Occupational Safety, Health and Working Conditions Code, 2020 — notified November 21, 2025
• Code on Social Security, 2020
• Income Tax Act, 1961

⚠  Note: Pluto launches in August 2026. This Policy is designed to be fully compliant from launch and ready for the DPDPA full-compliance deadline of May 13, 2027.

2.1 Identity & Contact Information

• Full legal name (as per government-issued ID)
• Aadhaar Card number and details
• PAN Card number
• Driving Licence number
• Primary mobile number
• Minimum 1 year driving experience confirmation

2.2 Biometric & Sensitive Personal Data

We collect the following Sensitive Personal Data under the SPDI Rules, 2011, and DPDPA, 2023:

• Facial biometric data: live photograph, facial geometry, and feature vectors captured at onboarding
• KYC document images: scanned copies of all government-issued identity, address, licence, insurance, and PUC documents submitted at onboarding or re-verification

‍❗Important: Biometric and medical data are Sensitive Personal Data. Explicit informed consent is obtained before collection. We do not sell, rent, or use this data for advertising or profiling.

2.3 Financial Information

• Bank account number, account holder name, and IFSC code
• Payslips, deductions, and payment records

2.4 Location & Vehicle Telematics Data

• Real-time GPS location during active delivery shifts collected through the App
• Delivery route and trip history
• Vehicle location, speed, acceleration, braking, cornering, idle data collected continuously by the Vehicle's IoT/telematics system while the Vehicle is powered on
• Geofencing alerts if the Vehicle exits authorised zones or NCR boundaries
• Odometer readings and shift distance data

⚠  Note: App-based location: only while logged in. Vehicle IoT data: continuously while the Vehicle is powered on, regardless of App status. You acknowledge this as part of the Vehicle Lending Agreement.

2.5 Device & App Usage Data

• Device model, make, OS version, and unique device identifiers
• App version, session timestamps, and feature usage logs
• Crash reports and diagnostic data
• Login history and security events (retained minimum 1 year, DPDP Rules, 2025)
• In-App activity logs
• Working hour logs (shifts, rest periods, 12-hour cap compliance)  collected under OSH Code, 2020

2.6 Vehicle Riding Performance Data

• Speed profiles and speeding events vs Haryana road speed limits
• Harsh braking, acceleration
• Riding safety score from telematics
• Vehicle battery health, charge status, and maintenance data

2.7 Communications & Monitoring Data

• In-App messages with Pluto support
• Call recordings with Pluto support (notified at start of call and consented to in these Terms)
• Grievance and dispute records

2.8 Training & Compliance Data

• Induction training completion records (30-hour programme)
• Medical fitness examination results and dates
• Refresher training completion records

2.9 Social Security & Statutory Data

• e-Shram UAN and Shram Suvidha portal registration details
• Engagement dates and earnings data for Social Security Fund contribution and eligibility tracking (90-day threshold)
• Vehicle insurance and PUC certificate details
• Appointment Letter details as required under OSH Code, 2020

• Directly from you: at onboarding, during KYC, training and when you update your profile or contact support
• From the App: automatically ( location, usage data, working hours,)
• From the Vehicle: IoT and telematics data from devices in the Vehicle, continuously while powered on
• From verification partners and authorised sources: We may verify information provided by you through IDfy and other authorised verification partners. These partners may validate information using permitted sources such as DigiLocker, UIDAI-enabled verification mechanisms, government or statutory databases, background-verification agencies, police-verification records, insurance providers, and labour/social-security portals such as Shram Suvidha and e-Shram, where applicable and legally permitted. 
• From calls: recordings of calls between you and Pluto support, where notified

4.1 Onboarding, Identity Verification & KYC

Purpose: Verify identity and eligibility; conduct background, police verification, and driving record checks; perform biometric face verification; verify medical fitness; prevent fraudulent onboarding.

Legal Basis: Consent (biometric and medical data); Contractual Necessity (identity checks required under the Delivery Driver Agreement); Legal Obligation (KYC and background check requirements).

4.2 Vehicle Lending & Safety Monitoring

Purpose: Verify Vehicle assignment eligibility; authenticate Driver identity before Vehicle use; monitor Vehicle location and usage; detect unauthorised use and theft; assess riding safety; provide safety feedback.

Legal Basis: Contractual Necessity; Consent (Vehicle IoT monitoring acknowledged in Vehicle Lending Agreement); Legitimate Use (safety and fraud prevention).

4.3 Working Hours Compliance (OSH Code, 2020)

Purpose: Monitor working hours and rest periods to ensure compliance with the 12-hour daily cap and 48-hour weekly cap under the OSH Code, 2020; prevent fatigue-related safety incidents.

Legal Basis: Legal Obligation (OSH Code, 2020, notified November 21, 2025).

4.4 Delivery Operations

Purpose: Assign delivery orders; share real-time location with customers during active deliveries; manage performance ratings and tiers; process earnings and deductions; resolve customer complaints.

Legal Basis: Contractual Necessity; Legitimate Use.

4.5 Payments, Tax & Financial Compliance

Purpose: Process payment disbursements; generate digital payslips (as required under Code on Wages, 2019); deduct TDS; comply with GST obligations; maintain financial and tax records.

Legal Basis: Contractual Necessity; Legal Obligation (Income Tax Act, 1961; GST laws; Code on Wages, 2019).

4.6 Social Security Compliance (SS Central Rules, 2026)

Purpose: Register Drivers on Shram Suvidha portal; report engagement and exit details in real time; calculate and remit Social Security Fund contributions; track 90-day eligibility threshold; facilitate access to government welfare schemes.

Legal Basis: Legal Obligation (Code on Social Security, 2020; Social Security (Central) Rules, 2026 — Rules 48 and 49).

4.7 Haryana Regulatory Compliance

Purpose: Comply with Haryana Motor Vehicles (Amendment) Rules, 2026; CAQM Direction No. 94; Haryana Transport Commissioner directives; mandatory insurance reporting; OSH Code requirements.

Legal Basis: Legal Obligation.

4.8 Communications & Training Quality

Purpose: Monitor and record calls for training, quality assurance, and legal compliance; track induction and refresher training completion.

Legal Basis: Consent (provided via Terms acceptance); Legitimate Use.

4.9 Fraud Prevention & Platform Security

Purpose: Detect and prevent fraud, Vehicle theft, account misuse, delivery manipulation, illegal item carriage, and street hailing; investigate accidents and misconduct.

Legal Basis: Legitimate Use; Legal Obligation (law enforcement cooperation).

4.10 Analytics & Platform Improvement

Purpose: Analyse operational efficiency; generate anonymised aggregated reports; conduct internal audits.

Legal Basis: Legitimate Use.

5.1 Collection & Verification

When you submit KYC and compliance documents (Aadhaar, PAN, DL, insurance, PUC, medical fitness certificate), we:

• Digitise and store in encrypted form immediately upon receipt
• Verify against government databases (UIDAI/Digilocker or equivalent licensed services) — you authorise this by submitting documents
• Store in access-controlled, AES-256 encrypted systems on servers in India only
• Restrict access to authorised Pluto personnel and licensed verification service providers
• Log all access in a full audit trail
• Share only with: (a) licensed KYC/verification services for authentication; (b) insurance providers for claims processing; (c) Shram Suvidha portal as required under Social Security (Central) Rules, 2026; (d) law enforcement or government authorities when legally required

5.2 Retention Schedule

• KYC identity documents (Aadhaar, PAN, DL, PUC, insurance): Duration of engagement + 3 years minimum (DPDP Rules, 2025 presumptive period), or longer if required by law or proceedings
• Medical fitness records: Duration of engagement + 3 years
• Biometric (face) data: Duration of engagement + 30 days after account deletion, unless required by ongoing legal proceedings
• Financial records (earnings, TDS, GST, payslips): 7 years (Income Tax Act, 1961)
• Vehicle Lending and accident/incident records: Duration + 5 years, or until resolution of any claim
• Social security compliance data (UAN, engagement records): As required under Social Security (Central) Rules, 2026 — provisionally 5 years
• Location and telematics data: 2 years from date of collection
• Working hour logs: 1 year minimum (OSH Code, 2020)
• App usage, device data, and security logs: 1 year minimum (DPDP Rules, 2025)
• Training records: Duration of engagement + 3 years
• Support, grievance, and call recordings: 2 years from date of resolution/recording
• Legal and dispute records: Until final resolution + 2 years

⚠  Note: DPDP Rules, 2025 Rule 8: we will notify you at least 48 hours before final erasure of data subject to the 3-year presumptive deletion period, giving you the opportunity to engage with us to preserve specific data.

6.1 How to Request Deletion

Request account deletion at any time by:

• Using 'Settings > Delete My Account' in the App
• Submitting a written request to the Grievance Officer (contact in Section 15)
• Emailing from your registered address with 'Account Deletion Request' in the subject line

6.2 The Deletion Process — Step by Step

• Step 1 — Identity Verification (within 2 business days): We verify your identity before processing.
• Step 2 — Pre-Conditions Check (within 3 business days): Deletion cannot proceed if: (a) active Vehicle Lending Agreement or Vehicle not returned; (b) outstanding disputes, COD amounts, or deductions under review; (c) active legal dispute, investigation, or legal hold; (d) statutory obligation to retain data.
• Step 3 — Processing (within 7 days of pre-conditions cleared): Account deleted; App access deactivated.
• Step 4 — Data Deletion: Active-use data deleted or anonymised. Statutory retention data moved to restricted archive — not accessible for any operational purpose.
• Step 5 — 48-Hour Erasure Notice (DPDP Rules, 2025): We notify you at least 48 hours before final erasure of data subject to the presumptive 3-year deletion timeline, with option to engage us to preserve specific data if you have a lawful reason.
• Step 6 — Confirmation: Deletion confirmation sent to your registered contact details.
• Step 7 — Social Security Reporting: Your exit details filed with Shram Suvidha portal in real time as required under Social Security (Central) Rules, 2026, Rule 49.

6.3 What Data Is Retained After Deletion

After deletion, retained in a restricted archive (not used operationally):

• KYC, medical fitness, and identity records: 3 years minimum
• Financial records: 7 years (Income Tax Act)
• Vehicle Lending and accident records: 5 years or until claim resolution
• Social security data: as required under Social Security (Central) Rules, 2026
• Legal/dispute records: until final resolution + 2 years
• Biometric (face) data: deleted within 30 days of account deletion, except for ongoing proceedings
• Location and telematics data: deleted within 90 days of account deletion
• Working hour logs: deleted within 1 year of account deletion (OSH Code requirement satisfied)

7.1 Biometric Data

• Collected only for: onboarding identity verification, daily liveness check, and in-shift anti-impersonation checks
• No secondary use: never used for advertising, profiling, or any purpose not in this Policy
• No sale: not sold, rented, or traded to any third party
• Secure storage: AES-256 encrypted, access-restricted; only authorised personnel and licensed KYC service providers
• Data minimisation: only what is strictly necessary is collected and retained
• Consent: explicit, informed consent obtained before collection; withdrawal prevents App access
• Deletion: within 30 days of account deletion; 48-hour notice before erasure

7.2 Medical Fitness Data

• Collected only for the purpose of verifying your fitness to operate the Vehicle as required by Pluto's Aggregator Licence and the OSH Code, 2020
• Not shared with any third party except: (a) Pluto's insurance provider where fitness status is relevant to a claim; (b) Haryana Transport Department or CAQM if required by applicable law
• Retained for duration of engagement + 3 years; deleted on account deletion (subject to lawful retention obligations)

8.1 App-Based Location

The App collects your real-time GPS location only while you are logged in. Used for assigning delivery routes, sharing your location with customers during active deliveries (delivery session only), NCR zone compliance, and operational safety. Location access cannot be disabled while using the App as it is essential to Delivery Services.

8.2 Vehicle IoT Monitoring (Continuous)

The Vehicle assigned to you is equipped with IoT/telematics devices that collect data continuously while the Vehicle is powered on — regardless of App status:

• GPS coordinates and movement data
• Speed, acceleration, braking, and cornering behaviour
• Battery health, charge status, and odometer
• Geofencing alerts (NCR zone and authorised area compliance)

You acknowledge and consent to this continuous monitoring as part of the Vehicle Lending Agreement. Used for: safety monitoring; theft prevention; maintenance; CAQM/Haryana zone compliance; and riding performance assessment. Alerts (e.g., Vehicle outside authorised zone or used outside shift hours) are investigated before any action is taken against your account.

8.3 Working Hours Monitoring

The App monitors your login/logout times to track compliance with the 12-hour daily and 48-hour weekly caps mandated by the OSH Code, 2020. If your active session approaches the 12-hour limit, the App will alert you. This data is retained for a minimum of 1 year as required by the OSH Code. It will not be used for any purpose other than working hours compliance and safety.

9.1 Service Providers (Data Processors)

Trusted, contractually bound processors acting on our behalf:

• Licensed KYC and background verification platforms (UIDAI-certified, Digilocker, police verification agencies)
• Medical examination facilities (for fitness verification)
• Cloud infrastructure providers (data stored in India only)
• Payment processing and banking partners
• Vehicle telematics and IoT service providers
• Map, navigation, and GPS providers
• Insurance providers (mandatory insurance under Haryana Rules and claims processing)

All processors are contractually obligated to: process data only for specified purposes; implement adequate security; comply with DPDPA and applicable law; not transfer data outside India without our authorisation and lawful basis.

9.2 Government Portals (Social Security — Legal Obligation)

Under Social Security (Central) Rules, 2026, we share with Shram Suvidha portal or other designated government portals:

• Your identity data and UAN registration
• Engagement start and exit dates (in real time)
• Quarterly engagement updates
• Annual Social Security Fund contribution data

This sharing is a Legal Obligation and cannot be opted out of.

9.3 Customers (Limited & Temporary)

Your name, profile photo, and real-time GPS location are shared with customers through the customer-facing App during active delivery sessions only — for order tracking. This sharing ceases automatically when the delivery is completed.

9.4 Law Enforcement & Government Authorities (Haryana)

We disclose your data when required by applicable law, court order, or valid legal process; for cooperation with the Haryana Transport Department under Pluto's Aggregator Licence; to investigate Vehicle theft, fraud, or a serious safety threat; in connection with any FIR or police complaint; or for CAQM or social security regulatory compliance.

9.5 Business Transfers

In a merger, acquisition, or sale of Pluto's business, your data may transfer to the successor entity subject to the same protections. You will be notified before such transfer.

9.6 No Sale of Data

Pluto does not sell, rent, or commercially trade your personal data — including biometric or medical data — to any third party for their own commercial purposes. This is an absolute commitment.

We implement these technical and organisational security measures:

• Encryption in transit: TLS 1.2+ for all data transmitted to/from the App and our servers
• Encryption at rest: AES-256 or equivalent for all stored personal, biometric, and medical data
• Role-based access controls: only authorised personnel with a specific need can access your sensitive data
• Multi-factor authentication for all Pluto internal systems
• Regular security audits, vulnerability assessments, and penetration testing
• Separate, access-restricted storage for biometric, medical, and KYC data
• Full audit trail for all access to sensitive personal data
• Minimum 1-year retention of security and access logs (DPDP Rules, 2025)
• Employee data handling training and confidentiality obligations
• Data backup and disaster recovery procedures

Data Breach Response: Under DPDP Rules, 2025, Pluto must report ALL personal data breaches to the Data Protection Board of India — regardless of severity. If a breach is likely to affect your rights, we will notify you within 72 hours including: a plain-language description of the breach; what data was exposed; protective measures you can take; and our contact details. Penalties for failure to notify: up to ₹200 crore under the DPDPA.

As a Data Principal, you have:

• Right to Access (Section 11): Request what data we hold and why — we respond within 7 days of a valid request
• Right to Correction (Section 12): Request correction of inaccurate or incomplete data — corrected within 7 days
• Right to Erasure (Section 12): Request account and data deletion — processed as described in Section 6
• Right to Withdraw Consent (Section 6): Withdraw consent for consent-based processing at any time; does not affect lawfulness of prior processing; withdrawal of consent for essential processing (e.g., liveness verification) prevents App use
• 48-Hour Erasure Notice Right (DPDP Rules, 2025): You will be notified at least 48 hours before scheduled data erasure with the option to preserve specific data
• Right to Grievance Redressal (Section 13): Complain to our Grievance Officer; if unresolved, escalate to the Data Protection Board of India
• Right to Nominate (Section 14): Nominate another person to exercise your data rights in the event of your death or incapacity

To exercise any right: use 'Help & Support > Privacy Request' in the App or contact the Grievance Officer (Section 15). We acknowledge within 48 hours and respond within 7 days (DPDP Rules, 2025, Rule 14).

All personal data including KYC documents, biometric data, location data, working hour logs, and financial records is stored on servers in India only, in compliance with DPDPA, 2023, and DPDP Rules, 2025. Pluto does not currently transfer personal data outside India. Any future cross-border transfer will require: (a) 7 days' Policy update notice; (b) your consent where required; (c) compliance with DPDP Rules approved country list.

The Pluto Driver App is for adults (18+) only. We do not knowingly collect data from anyone under 18. If we discover data from a minor has been collected, we will delete it immediately and take appropriate action.

You consent (through acceptance of the Terms and Conditions) to Pluto monitoring and recording calls between you and Pluto's support team for training, quality assurance, and legal compliance. Call recordings are retained for 2 years from the date of the recording. You will be notified at the start of any monitored call. These recordings are not shared with any third party except as required by law or for legal proceedings.

In compliance with IT Act, 2000, SPDI Rules, 2011, and DPDPA, 2023:

Grievance Officer

Unispeed Technologies Private Limited

Haryana, India | Aggregator Licence: Haryana Motor Vehicles (Amendment) Rules, 2026

Website: https://www.plutomobility.in/

In-App: Help & Support > Privacy Grievance

We acknowledge within 48 hours and resolve within 30 days. Unsatisfied with our response? Escalate to the Data Protection Board of India (operational from November 2025).

We update this Policy when required by changes in law (including as DPDPA substantive obligations come fully into force by May 13, 2027), regulation, or our services. Material changes notified through the App with at least 7 days' notice. Continued use after the effective date = acceptance. Review this Policy periodically.