Privacy Policy

Account & tenant data: name, email, phone number, password hash, profile photo, organisation name, GST/PAN identifiers, registered address, and your role in the workspace.

Fleet operating data: vehicle registration numbers, insurance / RC / permit / fitness / PUC / FASTag records, EMI plans, debit accounts (masked), expense entries, challan records, driver profiles, and uploaded documents. Some of this data is fetched on your behalf from government and third-party data providers (for example, Surepass).

Driver data:for drivers added to a workspace — name, contact details, licence records, identity documents, photo, and assignment history. You are responsible for obtaining each driver's consent before adding them.

Communications: emails we send (renewals, OTPs, alerts), in-app notifications, and WhatsApp messages dispatched via our messaging provider.

Technical & usage data: IP address, browser, device information, log timestamps, pages visited, and activity-log entries generated when you act in the Service.

We use the information to:

• Provide, operate, and maintain the Service.
• Authenticate users, send one-time passwords (OTPs) for sensitive actions, and protect against unauthorised access.
• Send transactional emails (renewal reminders, compliance alerts, payment receipts, OTP codes, account notifications).
• Process subscription payments and issue GST-compliant invoices.
• Generate aggregate, de-identified analytics to improve the Service.
• Comply with applicable law, respond to lawful requests, and enforce our Terms.

We process personal data on one or more of the following lawful bases: your consent (e.g. when you sign up or add a driver), performance of the contract between you and us, our legitimate interests in operating and securing the Service, and compliance with legal obligations.

We do not sell personal data. We share it only with the third-party service providers we need to operate the Service:

• Vercel — application hosting and file storage (Vercel Blob).
• MongoDB Atlas — primary database, hosted in an Indian region where available.
• Surepass — RC and document lookups against government registries.
• Gmail / Google Workspace SMTP — transactional email delivery.
• ChatBox.biz — WhatsApp Business message dispatch.
• Payment processors — secure handling of card / UPI / netbanking transactions for subscription billing.

Each sub-processor is bound by confidentiality obligations and is only permitted to process your data for the limited purposes described above.

Some of our sub-processors operate infrastructure outside India. Where this is the case, we rely on the safeguards permitted under the DPDP Act and applicable rules, and require sub-processors to maintain protections consistent with this Policy.

We retain Customer Data for as long as your account is active. After cancellation, we keep data for up to 90 days to allow for re-activation or export, and then we permanently delete it from production systems. Encrypted database backups roll over within an additional 30 days. Statutory records (e.g. GST invoices) are retained for the period required by law.

We implement reasonable security practices in line with the IT Act, 2000 and the rules made thereunder, including TLS in transit, encrypted credentials at rest, OTP-gated destructive actions, tenant-scoped access controls, and audit logging of sensitive events. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

Subject to applicable law, you have the right to access, correct, update, export, and delete the personal data we hold about you. You may also withdraw consent at any time where processing is based on consent. To exercise any of these rights, write to hello@theyellowtrack.com from the email registered on your account.

Where you upload personal data about a driver or other individual (the "Data Principal"), you remain responsible for honouring that individual's rights; we will support you in doing so on request.

The Service is not intended for children under 18. We do not knowingly collect personal data of children. If we learn that we have collected such data, we will delete it.

We use a small number of essential cookies and local-storage entries to keep you signed in and remember your preferences. We do not use advertising cookies. You can clear these at any time through your browser's settings; doing so will sign you out.

The Service exposes a small number of public, unguessable URLs (e.g. /public/vehicle/[id] QR landing pages and /public/driver/verify/[token] verification pages). These render limited information you have chosen to share — sharing the URL is how access is granted. Do not share these URLs more widely than you intend.

We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top and notify the account owner by email if the changes are material.

For privacy questions or grievances under the IT Act / DPDP Act, write to us at hello@theyellowtrack.com. The Grievance Officer's details will be provided on written request.