We are committed to protecting your privacy and handling your personal data responsibly and in accordance with applicable Indian law, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”). For the purposes of the DPDP Act, Meubalajied Ki Wa O S Sungoh is the Data Fiduciary that determines how and why your personal data is processed.

By creating an account, placing an order, or otherwise using the Platform, you confirm that you have read and understood this Policy. Where we rely on your consent, we will ask for it clearly and you may withdraw it at any time (see “Your rights” below).

1. Information we collect

We collect only the data we need to deliver water to your door and run our service:

a) Information you give us

• Account details — your name, email address, phone number, password (stored only in encrypted/hashed form) and your selected locality.
• Delivery details — delivery addresses, building/flat number, landmarks, directions for the driver, and the contact name and phone number for a delivery.
• Order & transaction details — the products you order, quantity, delivery slot, order amount, payment method (UPI/card/Cash on Delivery) and order history.
• Communications — messages, ratings, feedback and support requests you send us.

b) Information we collect automatically

• Location data — with your permission, your device’s precise GPS location to set your delivery point, find the nearest available tanker, and show you live delivery tracking. You can turn location access off in your device settings; some features may then stop working.
• Device & usage data — device type, operating system, app version, IP address, and basic diagnostic/log data used to keep the service secure and reliable.
• Cookies & local storage — small files used to keep you signed in and remember preferences (see Section 7).

c) Sensitive personal data

Under the SPDI Rules, your password and payment information are treated as sensitive personal data. We do not collect or store your full card number, CVV, UPI PIN or bank credentials — these are entered directly with our payment gateway (see Section 4).

d) If you are a Delivery Partner

If you register as a delivery partner (tanker operator/driver), we additionally collect your identity & verification documents (a live selfie, and your PAN and driving-licence numbers and images — “KYC”), your vehicle details (vehicle number and tanker capacity), your bank or UPI settlement details, your precise live location while you are online or on a delivery, and your device push token. We use this to verify your eligibility, match and route you to nearby orders, enable live tracking, settle your earnings, and meet legal and tax obligations. While you are delivering, the customer is shown your name, photo, vehicle and live location so they can identify you; your KYC documents are stored privately and encrypted (see Section 8), are never shown to customers, and are used only for verification. The rights in Section 9 and the retention & deletion rules in Section 6 (and our Account & Data Deletion policy) apply to delivery partners too.

2. How we use your information

We use your personal data for the following purposes:

• To create and manage your account and authenticate you.
• To process, fulfil and deliver your orders, and to assign and route the right tanker/driver.
• To enable live order tracking and to share necessary delivery details with the assigned delivery partner.
• To take and confirm payments, issue receipts, and process refunds.
• To send you transactional updates about your order (via email, SMS, WhatsApp or push notification).
• To provide customer support and resolve disputes or complaints.
• To improve, secure and troubleshoot the Platform, and prevent fraud or misuse.
• To comply with legal obligations and enforce our Terms & Conditions.

We process your data on the basis of your consent and, where applicable, for the performance of the service you request, to comply with law, and for our certain legitimate uses as permitted under the DPDP Act.

3. Who we share your information with

We do not sell your personal data. We share it only as needed to run the service:

• Delivery partners (tanker operators/drivers) — the delivery address, location, contact name and phone number, and order details required to complete your delivery.
• Payment gateway — Razorpay Software Private Limited (“Razorpay”), to securely process online payments. Your payment is handled on Razorpay’s PCI-DSS-compliant systems under Razorpay’s own privacy policy.
• Service providers — vendors who help us operate the Platform, such as cloud hosting, mapping & geocoding, email, SMS and WhatsApp messaging, and analytics. They may process data only on our instructions and for these purposes.
• Legal & safety — government authorities, regulators or law-enforcement where required by law, to enforce our terms, or to protect the rights, safety and property of our users, the public or KitUm.
• Business transfers — if our business is merged, acquired or reorganised, your data may be transferred as part of that transaction, subject to this Policy.

Where your data is processed. Your personal data is primarily stored and processed in India. Some service providers (such as mapping, messaging or cloud providers) may process limited data on servers outside India; where they do, we take reasonable steps to keep it protected consistent with this Policy and applicable law. We do not transfer personal data to any country or territory restricted by the Government of India under the DPDP Act.

4. Payments

Online payments are processed by Razorpay Software Private Limited. When you pay online, you are redirected to Razorpay’s secure checkout and your card/UPI/bank credentials are collected and processed by Razorpay, not by us. We receive only a payment confirmation and a transaction reference (such as a Razorpay order and payment ID) so we can mark your order as paid and process any refund. We never store your full card number, CVV or UPI PIN. Please review Razorpay’s Privacy Policy for how they handle your payment data.

5. Location information

KitUm is a location-based delivery service, so location data is central to how it works. We use your location to detect your delivery area, find the nearest available tanker, calculate distance and estimated time of arrival, and show live tracking of your delivery. We collect precise location only with your permission and only when relevant to a delivery. You can disable location access at any time through your device or browser settings.

6. Data retention

We keep your personal data only for as long as needed for the purposes set out in this Policy — typically while your account is active and for a reasonable period afterwards — and as required to comply with legal, tax, accounting and dispute-resolution obligations. Transaction and invoice records may be retained for the period required under applicable tax and commercial laws. When data is no longer required, we delete or anonymise it. See our Account & Data Deletion policy for how to delete your account and exactly what is removed or retained.

7. Cookies & similar technologies

We use cookies and local storage to keep you signed in, remember your preferences (such as your selected locality), and understand how the Platform is used so we can improve it. You can clear or block cookies through your browser settings, but some features may not work properly as a result.

8. How we protect your data

We maintain reasonable security practices and procedures as required under the IT Act, the SPDI Rules and the DPDP Act, including:

• Encryption in transit — all traffic is served over HTTPS/TLS.
• Encryption at rest — sensitive identifiers such as PAN, driver’s licence and bank-account numbers are encrypted in our database using strong authenticated encryption (AES-256-GCM), so they are not readable from the underlying data store.
• Hashed credentials — passwords are stored only as salted hashes (bcrypt) and are never recoverable; session tokens are stored hashed and rotated.
• Private document storage — identity documents (such as a delivery partner’s PAN and licence images) are kept in a private store and are accessible only to authorised staff via short-lived, access-controlled links — never publicly.
• Access controls — access to personal data is restricted to authorised personnel on a need-to-know basis.

While we work hard to protect your data, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

9. Your rights

Subject to applicable law, including the DPDP Act, you have the right to:

• Access — request a summary of the personal data we hold about you and how we process it.
• Correction & updating — correct or update inaccurate or incomplete data (you can edit most details in the app).
• Erasure — delete your account and personal data at any time directly in the app (Account → “Delete my account”), or by contacting us, subject to legal retention requirements (see our Account & Data Deletion policy).
• Withdraw consent — withdraw any consent you gave, at any time, with effect going forward.
• Grievance redressal — raise a complaint about how we handle your data with our Grievance Officer (Section 12).
• Nominate — nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, contact us at meghalayawater@gmail.com. We may need to verify your identity before acting on your request. You also have the right to make a complaint to the Data Protection Board of India.

10. Children’s privacy

The Platform is intended for users aged 18 and above. We do not knowingly collect personal data from children without verifiable consent of a parent or legal guardian as required under the DPDP Act. If you believe a child has provided us personal data, please contact us so we can take appropriate action.

11. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the updated version here with a revised “Last updated” date and, where appropriate, notify you in the app. Your continued use of the Platform after an update means you accept the revised Policy.

12. Grievance Officer & contact

In accordance with the Information Technology Act, 2000, the Consumer Protection (E-Commerce) Rules, 2020 and the DPDP Act, the contact details of our Grievance Officer are:

Barister Mawrie (Grievance Officer)
Meubalajied Ki Wa O S Sungoh
C/o S W Blah, Umpling, Donglumsurok, Shillong, East Khasi Hills, Meghalaya – 793006
Email: meghalayawater@gmail.com
Phone: +91 76300 03427
Hours: Monday to Sunday, 7:00 AM – 9:00 PM IST

We will acknowledge your complaint within 48 hours and aim to resolve it within one month of receipt, in line with applicable law.

For general queries you can also reach us at meghalayawater@gmail.com or +91 76300 03427.

13. Governing law

This Policy is governed by the laws of India. Any disputes are subject to the exclusive jurisdiction of the courts at Shillong, Meghalaya.