Privacy Policy

Privacy Policy for Riding Verse (RV)

The explanations and information provided herein are only general explanations, information and samples. You should not rely on this article as legal advice or as recommendations regarding what you should actually do. We recommend that you seek legal advice to help you understand and to assist you in the creation of your privacy policy.

1. Scope and Applicability

This Privacy Policy applies to Riding Verse (RV) by EXPLORATIONS AND INNOVATIONS TECHNOLOGIES PRIVATE LIMITED, and covers all users accessing our services (mobile app or web) in India. We handle “digital personal data” as defined under Indian law, i.e. any personal data collected in digital form. Our policy complies with the Information Technology Act 2000 and its 2011 Sensitive Personal Data Rules, as well as the Digital Personal Data Protection Act, 2023 (DPDP Act). In particular, we limit data collection and processing to what is necessary for the purposes described below, in accordance with Indian law’s purpose- and data-minimization principles.

2. Types of Data Collected

We collect the following categories of data to support app features (real-time messaging, events, location, and community):

•Personal Information: User’s name, email address, phone number, and profile photograph.

•User-Generated Content: Photos, videos, or other media that users upload or share within the app (e.g. ride photos, forum posts).

•Device and Usage Data: Device model, operating system version, app usage logs, and IP address (recognizing IP addresses as personal data under Indian law).

•Real-Time Location Data: GPS coordinates and location history, but only when the user has explicitly granted consent (for ride tracking and event coordination).

•Sensor Data: Motion and gyroscope data from the device (used for bike-ride tracking features), subject to user permission.

•Cookies and Tracking Data: If the service is accessed via a web interface, we use cookies or similar technologies to manage sessions and preferences (e.g. a session cookie to stay logged in).

All data collected is used solely to provide and improve the app’s functionalities.

We do not collect any additional sensitive personal data (such as health, financial, biometric, and racial or caste data) unless explicitly required and consented to by the user.

3. Legal Basis and Purpose of Processing

We process personal data only on valid legal grounds:

•User Consent: For optional features (e.g. real-time location sharing, push notifications, marketing communications), we obtain explicit user consent before collecting data. The DPDP Act emphasizes consent as the primary lawful basis for personal data processing. Users can withdraw consent at any time (see Section 6).

•Performance of Contract: Processing necessary to provide the service (e.g. account creation, login, order fulfilment of event tickets) relies on contractual necessity. For example, to enable messaging or event coordination, we use the user’s account information.

•Legitimate Interests: We also rely on legitimate interests where appropriate (e.g. analytics for app improvement, fraud detection, security). In line with the DPDP Act’s limited “legitimate use” exemptions, we only process voluntarily provided data for improvements and security, ensuring such processing is proportionate and does not override user rights.

All processing is for the purposes disclosed at collection (e.g. community building, messaging, event planning, ride tracking) and otherwise as permitted by law. We do not use personal data for unrelated or hidden purposes.

4. Data Sharing and Disclosure

We may share personal data with:

•Service Providers: Third-party processors who provide essential services (e.g. cloud hosting, push notifications, analytics, email/SMS delivery). These vendors access data only as needed to provide services to us, under strict contractual and confidentiality obligations.

•Event Partners and Affiliates: Selected third parties who co-sponsor or organize biking events (e.g. event organizers, sponsors, venue partners), for coordinating events or prizes. We only share data with their consent or where required for the event purpose.

•Business Transfers: In the event of a merger, sale, or asset transfer, personal data may be transferred to new owners under obligations to preserve privacy.

We do not sell or rent personal data to third parties. Any disclosure to third parties occurs under strict controls: sensitive personal data can only be shared with third parties with the user’s permission, or as contractually agreed. In all cases, any third-party receiving data is contractually bound to comply with data protection requirements (including the DPDP Act). For example, the law requires that transfers to another data processor or fiduciary must be governed by a valid contract, and that disclosure to third parties generally requires prior permission or contractual authorization. We also comply with legal requests from government or law enforcement agencies as required by law.

5. International Data Transfers

Some of our infrastructure (e.g. cloud servers on AWS or Google Cloud) may be located outside India. When transferring personal data outside India, we will comply with DPDP Act requirements. The DPDP Act permits cross-border transfer to any country except those blacklisted by the Government, and only under appropriate safeguards (e.g. contractual clauses). We ensure any international transfer (e.g. storing backups on overseas servers) is done lawfully, with encryption and contractual protections, and in accordance with any Indian government restrictions (such as blacklists).

6. User Rights and Controls

Under Indian law, users (data principals) have the following rights regarding their personal data:

•Right of Access: You may request a summary of the personal data we hold about you and how it is being processed.

•Right to Rectification/Correction: You may request correction or completion of inaccurate or incomplete personal data.

•Right to Erasure (Deletion): You may request erasure of your personal data that was processed based on consent, unless retention is required by law.

•Right to Withdraw Consent: You may withdraw any previously given consent at any time (the process for withdrawal will not be more difficult than it was to give consent). Upon withdrawal, we will cease processing that data and delete it as required.

To exercise any of these rights, please contact us as provided in Section 10. We will respond to valid requests within the time frame prescribed by law. Please note that under the DPDP Act, these rights apply only to data processed on the basis of consent; data processed on other lawful bases (e.g. legal obligation) may be subject to different rules.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or to comply with legal obligations. In practice:

•Active Accounts: We retain user data during the time your account is active.

•Account Deletion: When you delete your account or withdraw consent, we will generally delete or anonymize your personal data within 90 days by default (unless otherwise required to keep records by law).

•Backups and Archives: We may keep data in backups or archives for up to 90 days beyond account deletion, for recovery or legal compliance purposes; after that period data is permanently erased.

As the DPDP Act requires, we cease retention of personal data once it is no longer needed for our purposes or upon the user’s request for erasure. Similarly, the IT Rules mandate not retaining data longer than required. If specific laws require longer retention (e.g. accounting rules), we will securely store that data only to the extent needed.

8. Security Measures

We implement reasonable technical and organizational measures to protect personal data, as required under Indian law. These include:

•Encryption: We encrypt sensitive data in transit (using industry-standard TLS) and at rest (e.g. AES-256) to prevent unauthorized access.

•Access Control: Data access is limited to authorized personnel and services only. Administrative access uses strong authentication, and we regularly review permissions.

•Standards and Audits: We follow industry security standards (for example, ISO/IEC 27001) as a measure of compliance with “reasonable security practices”. Our servers and providers maintain security certifications and are independently audited.

•Monitoring and Logging: We maintain audit logs and monitoring to detect unauthorized access or anomalies, and retain logs (at least for one year) to investigate any incidents.

•Breach Response: In the event of a data breach, we will take all necessary steps to contain the breach and notify affected users as required. Under the DPDP Act, we are obligated to notify the Data Protection Board and affected individuals in case of a personal data breach.

Overall, our security program is designed to ensure confidentiality, integrity, and availability of personal data. As noted under the DPDP Act, failure to implement reasonable safeguards can incur severe penalties, so we treat data security as a top priority.

9. Children’s Data

We do not permit children under 18 years of age to use the app, in line with international norms (COPPA standards). The DPDP Act defines a child as anyone under 18 years old. If a user is under 18, we require verifiable consent from their parent or legal guardian before collecting any personal data. We will not knowingly market to or accept sensitive information from children without parental consent. We do not use personal data of minors for profiling or targeted advertising. If we become aware that we have collected data from a child under 18 without verifiable parental consent, we will promptly delete that data and close the account, as required by law.

10. Grievance Officer

In accordance with the IT Act and Rules, we have appointed a Grievance Officer to address any privacy or data-related complaints. You may contact our Grievance Officer at:

•Name: Abhimanyu (Data Privacy Officer)

•Email: Abhimanyu.bishnoi@enitechnologies.com

•Address: EXPLORATIONS AND INNOVATIONS TECHNOLOGIES PRIVATE LIMITED, GALI SANGAM WALI, BAGAT SINGH COLONY, Sirsa - 125055, Haryana, India

All grievances will be acknowledged and handled in a timely manner (typically within 30 days). You may also escalate unresolved complaints to the relevant Data Protection Authority once constituted.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do, we will revise the “Last Updated” date at the top and notify users by in-app notification or email if the changes are significant. We encourage users to review this policy periodically for any updates. Continued use of the app after a policy update constitutes acceptance of the revised terms.

Effective Date: 02/05/2025

EXPLORATIONS AND INNOVATIONS TECHNOLOGIES PRIVATE LIMITED is committed to your privacy and adheres to all applicable Indian laws, including the IT Act 2000 and DPDP Act 2023, in protecting your data.


Contact

Explorations and Innovations Technologies Private Limited

Gali Sangam Wali, Bagat Singh Colony,

Sirsa (Haryana), India 125055

General Inquiries:
Abhimanyu.bishnoi@enitechnologies.com