1 Data Fiduciary Identity
DPDP Act 2023 — 13 Compliant · Data Fiduciary Declaration
This Privacy Policy describes how AGBHARATH GLOBAL SUSTAINABILITY ALLIANCE ASSOCIATION ("Association", "we", "us") collects, uses, and protects personal data through the AgYantraa Android application. This policy is issued in compliance with the Digital Personal Data Protection Act 2023 ("DPDP Act"), the Information Technology Act 2000, and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021.
App-Only Platform
AgYantraa is an Android application. This policy applies exclusively to data collected via the App. No website, no browser cookies, no web tracking. See 9A for device identifier details.
2 Consent Notice DPDP ACT 5
By registering on AgYantraa and accepting this Privacy Policy, you provide free, specific, informed, unconditional, and unambiguous consent (as required by DPDP Act 6) for the processing of your personal data as described in this Policy.
What We Collect & Why — Summary
| Data Category | Purpose | Consent Required? |
|---|---|---|
| Mobile number (mandatory) | Account creation, OTP authentication, masked relay for bookings | Yes — at registration |
| Name | Booking records, receipts, dispute resolution | Yes — at registration |
| Location data | Equipment search, booking confirmation, operator tracking (with consent) | Yes — separately, at time of use |
| Equipment photos (Owner) | Listing display, BVS evidence, IP assignment | Yes — at listing creation |
| Profile photo (optional) | Booking screen display only | Yes — optional, at upload |
| Bank account + IFSC (Owner) | Settlement payments, TDS compliance | Yes — at Owner onboarding |
| KYC documents (Owner) | Identity verification, equipment authentication | Yes — mandatory for Owners |
| Aadhaar (optional, Farmer) | Subsidy eligibility verification only | Yes — voluntary |
| Transaction records | Payment processing, TDS, disputes | Implicit in booking |
| App usage / crash data | Platform improvement (anonymised) | Opt-in (analytics) / mandatory (crashes) |
Consent Language — Hindi & Telugu
The Consent Notice at registration is displayed in the user's selected language (EN/HI/TE/MR). By tapping "I Agree & Continue", you confirm you have read and understood this Privacy Policy in your chosen language.
3 What Personal Data We Collect
3.1 All Users (Farmers & Owners)
- Indian mobile number (mandatory — primary identity for OTP authentication)
- Full name
- Village / Taluk / District (location for search relevance)
- Profile photograph (optional — licence only; identifiable use requires separate consent)
- Device information: model, OS version, App version (for technical support)
- In-app activity logs: screens visited, searches performed, bookings made (anonymised analytics)
- Consent records: timestamp, policy version, language of acceptance
3.2 Additional — Equipment Owners
- Equipment photographs — mandatory; copyright assigned per T&C 7.3.1
- RC (Registration Certificate) number and document
- Insurance certificate
- Operator licence (if applicable)
- Government-issued photo ID (for KYC verification)
- Bank account number + IFSC (for settlement and TDS)
- PAN number (for TDS at correct rate)
- Years of experience (onboarding)
- Subscription tier (Standard / Premium)
3.3 Booking-Specific Data
- Dates, acreage, crop type, pickup location
- GPS coordinates — two moments per booking only: (a) dispatch point; (b) delivery confirmation. See 7.
- BVS photographs (4 per booking: dispatch photo, receipt OTP, return photo, return OTP)
- OTP logs (timestamp, device, success/failure status)
- Ratings and reviews submitted
- Booking notes / messages between Farmer and Owner (via App chat)
3.4 Optional Data (Farmers)
- Aadhaar number — voluntary; collected only for subsidy eligibility verification; encrypted at rest and in transit; not shared with third parties except verification API
- Land size and crop type — declared at onboarding; used for subsidy eligibility and search personalisation
3A — Rating Data Visibility
Owner ratings (star score + reviews) submitted by Farmers are published and visible to all platform users as part of the listing. Owner ratings are part of the Owner's public profile on AgYantraa. Farmer ratings submitted by Owners are visible only to the Owner for the purposes of informing their accept/decline decision on future booking requests. Farmer ratings are not publicly displayed.
Takedown of Ratings
If you believe a rating was submitted in bad faith or as a result of review manipulation (6.5.2 T&C), contact the Grievance Officer at dpo@agbharat.org. Ratings submitted under duress or coercion are removed immediately on verification.
4 Legal Basis for Processing
| Legal Basis | DPDP Act Provision | When Applied |
|---|---|---|
| Consent | DPDP Act 5, 6 | Registration, location use, optional analytics, profile photo upload |
| Contract Performance | DPDP Act 7(a) | Processing necessary to fulfil booking, payment, and settlement obligations |
| Legal Obligation | DPDP Act 7(b) | TDS deduction and Form 16A (194I IT Act); KYC retention; CERT-In breach notification; Grievance Officer records (Intermediary Rules 2021) |
| Vital Interests | DPDP Act 7(c) | Safety-critical data processing (e.g., location during active tracked booking with operator consent) |
| Legitimate Use | DPDP Act 7 | See 4.1 — applies only to legal proceedings and compliance with court/authority orders |
4.1 Legal Proceedings Exception
- Legal Proceedings: Processing necessary to institute or respond to legal claims, arbitration proceedings (9.4 T&C), or judicial proceedings involving the Association or any User.
- Government/Court Orders: Processing necessary to comply with lawful orders of courts, government authorities, or the Data Protection Board of India.
5 Data Protection Principles
Purpose Limitation
Data collected for one purpose is not used for an incompatible purpose. Booking data is not used for advertising. Analytics data is anonymised.
Data Minimisation
We collect only what is necessary. Aadhaar is voluntary. Location is captured only at two specific booking moments. No Aadhaar-seeding without consent.
Storage Limitation
Data is retained only as long as legally required or operationally necessary. See 10 for the full retention schedule.
Accuracy
Users may correct their personal data at any time via Profile → Edit. The Association corrects erroneous data upon notification.
Security
TLS encryption for all data in transit. AES-256 encryption at rest for PII. Android Keystore for on-device token storage. See 9.
Freedom to Opt Out
Users may delete their account at any time. See 11B. Statutory data obligations remain per 10.
6 How We Use Your Data
- Account management — creating and managing your user account, authentication via OTP
- Booking facilitation — matching Farmers with available equipment, sending booking notifications
- Payment processing — holding funds in nodal account, releasing to Owner after BVS completion, issuing refunds
- Tax compliance — TDS deduction, Form 16A generation, audit trail maintenance
- KYC verification — authenticating Owner identity and equipment ownership
- Subsidy administration — verifying subsidy eligibility, calculating subsidy amounts, reporting to CSR donors
- Rating and review system — displaying ratings on listings, informing booking decisions
- Safety and dispute resolution — maintaining BVS evidence, OTP logs for dispute resolution
- Legal compliance — responding to court orders, cooperating with regulatory investigations
- Platform improvement — anonymised crash reports and usage analytics to improve App performance
6A — Automated Decision-Making & Profiling
The following decisions are made using automated systems. A human review is mandatory before any adverse action is taken.
| Automated Decision | Basis | Human Review? | Right to Contest? |
|---|---|---|---|
| Subsidy eligibility assessment | Declared land size ≤ 2 acres | Yes — before grant | Yes — email DPO |
| Rating-based account suspension review | 3 consecutive ratings below 3.5 | Yes — mandatory | Yes — Tier 1 grievance |
| Cancellation frequency flag | 5+ cancellations in 30 days | Yes — before action | Yes — Tier 1 grievance |
| Search result ranking | Rating + acceptance rate + subscription tier | No (ranking only) | N/A (not adverse) |
To contest an automated decision: email dpo@agbharat.org with subject "Automated Decision Contest — [Your Mobile Number]". Response within 7 business days.
7 Location Data
When We Access Location
Location is only requested when needed for a specific feature. We do not collect background location or continuous GPS tracking without explicit consent.
| Scenario | Location Used | Stored? |
|---|---|---|
| Equipment search | Approximate location for distance display | No — session only |
| Booking confirmation (Dispatch) | GPS at dispatch point — BVS Step 1 | Yes — with booking record |
| Booking confirmation (Delivery) | GPS at delivery confirmation — BVS Step 2 | Yes — with booking record |
| Operator live tracking | Only after explicit in-booking consent; visible tracking indicator displayed to both parties | No — live stream only |
Location consent can be withdrawn at any time via Android Settings → Apps → AgYantraa → Permissions → Location. Withdrawing location permission will prevent equipment search and BVS dispatch functions but does not affect other App features.
8 Third-Party Disclosure
We do not sell, rent, or trade your personal data. Data is shared with third parties only in the following circumstances:
| Third Party | Data Shared | Purpose |
|---|---|---|
| Payment Gateway (Razorpay / Cashfree / PhonePe) | Transaction amount, booking ID, anonymised user reference | Payment processing and refunds |
| SMS / OTP Provider | Mobile number | OTP delivery for authentication and BVS |
| Google Maps API | Location coordinates (session only) | Map display, distance calculation |
| Income Tax / TDS authorities | Owner name, PAN, income summary | Statutory TDS compliance and Form 16A |
| CERT-In (data breach) | Breach details as required | Mandatory breach notification (DPDP Act 8) |
| Courts / arbitration | Booking records, BVS evidence, OTP logs | Dispute resolution / legal proceedings |
| CSR donors / impact partners | Anonymised and aggregated subsidy data only | Impact reporting — no PII shared |
8A — WhatsApp Business API / FCM / Google Play
- WhatsApp Business API (Meta): Used for booking confirmation messages and support communications. Mobile numbers are shared with Meta's WhatsApp Business API only for message delivery. Data processed under Meta's Business Terms. You may opt out of WhatsApp notifications in App Settings.
- Firebase Cloud Messaging (FCM / Google): Used for push notifications (booking alerts, OTPs). Device token is shared with Google's FCM service. Google's privacy policy applies to FCM data. No personal data beyond device token is shared.
- Google Play Integrity API: Used to verify App integrity and prevent device compromise. No personal data shared — integrity check is anonymous.
9 Data Security
- TLS 1.2+ for all data in transit between App and API servers
- AES-256 encryption at rest for all PII stored on servers
- Android Keystore for on-device storage of JWT tokens and session credentials
- EncryptedSharedPreferences for local App settings containing personal data
- Short-lived signed URLs for all documents and images served from storage
- Role-based access control — backend staff can only access data relevant to their function
- Audit logs for all data access events
- Server infrastructure hosted in India (Microsoft Azure India region) to comply with DPDP Act data localisation requirements
9A — Device Identifiers (Android App — No Browser Cookies)
AgYantraa Does Not Use Browser Cookies
AgYantraa is an Android application. There is no web browser involved and no browser cookies are set, read, or transmitted at any time.
Device Identifiers Used
| Identifier | Purpose | Opt-out? |
|---|---|---|
| Firebase Instance ID | Delivering push notifications (booking alerts, OTPs). Reset if App is uninstalled. | Disable push notifications in App Settings → Notifications |
| Firebase Analytics App Instance ID | Anonymised crash reporting and App usage analytics. Cannot be linked to your identity. | Opt out via App Settings → Analytics → Off |
| Android Advertising ID | NOT collected. We do not serve ads and do not use GAID for any purpose. | N/A |
| Device hardware IDs (IMEI, IMSI) | NOT collected. We do not request device hardware identifiers. | N/A |
10 Data Retention Schedule
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account / profile data (active users) | Duration of account + 2 years | DPDP Act, contractual |
| Transaction records / booking history | 8 years from transaction date | Income Tax Act 1961 — 209 (books of account) |
| OTP logs | 2 years | IT Act 2000, Intermediary Rules 2021 |
| KYC documents (Owner) | 5 years from last active booking | PMLA 2002, KYC Directions |
| BVS photographs | 2 years from booking completion | Dispute resolution, contractual |
| Consent records | 3 years from consent event | DPDP Act 5 |
| TDS / Form 16A records | 8 years | Income Tax Act 1961 |
| Grievance / dispute records | 3 years from closure | Consumer Protection Act, IT Rules 2021 |
| Anonymised analytics data | Indefinite (not personal data) | Statistical use |
| Deleted account data | Anonymised within 7 days; legal data retained per above | DPDP Act |
11 Your Rights Under DPDP Act 2023
Right to Access (11)
Request a summary of personal data held about you. Response within 15 business days. Available via Profile → Request My Data.
Right to Correction (12)
Request correction of inaccurate data. Update directly in Profile → Edit, or email dpo@agbharat.org.
Right to Erasure (12)
Request deletion of personal data (subject to statutory retention obligations). Exercised via account deletion. See 11B.
Right to Grievance (13)
Raise grievances with the Data Protection Officer. V N Kumar at dpo@agbharat.org. Response within 15 business days.
Right to Nominate (14)
Nominate a person to exercise data rights in the event of death or incapacity. See 11A.
Right to Withdraw Consent
Opt out of AgYantraa entirely by deleting your account. See 11B. Statutory data obligations under 10 remain.
To exercise any right: email dpo@agbharat.org with subject "[Right] Request — [Your Mobile Number]". We will verify your identity and respond within 15 business days.
11A — Nomination Right (DPDP Act 14)
You may nominate another individual to exercise your data protection rights in the event of your death or incapacity. To submit a nomination:
- Email dpo@agbharat.org with subject "Data Nomination — [Your Mobile Number]"
- Provide the nominee's name, relationship to you, and mobile number
- Attach a copy of your government-issued photo ID
The nominee will be contacted by the Association to verify their identity before any data rights are exercised on your behalf.
11B — Opting Out of AgYantraa
If you wish to stop using AgYantraa and have your account deleted:
- In the App: go to Profile → Settings → Delete Account and confirm.
- Alternatively, email dpo@agbharat.org with subject: "Account Deletion Request — [Your Mobile Number]"
Requests are processed within 7 working days. Your active profile will be removed. Active bookings must be completed before deletion. A 7-day cooling-off period applies — you may reactivate your account within this window.
Statutory Retention Obligations
Certain data (transaction records, KYC documents, OTP logs) must be retained for the periods in 10 to comply with Indian law. Account deletion removes your active profile but does not erase legally mandated records within their statutory retention period.
12 Children's Data
AgYantraa is not intended for use by persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has registered, email dpo@agbharat.org immediately. The account will be suspended and data deleted within 7 working days of verification. Reference: T&C 2.1.1.
13 Data Breach Notification
In the event of a personal data breach, the Association will:
- Notify CERT-In within 6 hours of discovery (as required by CERT-In Directions 2022)
- Notify the Data Protection Board of India as required under DPDP Act 8
- Notify affected users via in-App notification and SMS within 72 hours, describing: nature of the breach; data categories affected; likely consequences; remedial steps taken
A designated CERT-In SPOC (Single Point of Contact) is responsible for breach reporting. Contact: dpo@agbharat.org for breach-related queries.
14 Grievance Officer
The Grievance Officer is appointed under Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 and serves as the Data Protection Officer under the DPDP Act 2023. All privacy complaints, data rights requests, and breach notifications should be directed to the above contact.
15 Amendments to This Policy
This Privacy Policy may be amended from time to time to reflect changes in law, our data practices, or platform features. Material changes will be communicated via in-App notification and will require fresh consent (click-wrap acceptance) before continued use of the App. Non-material changes (typographical corrections, clarifications) may be made without notification.
The effective date of the current version is displayed in the page header. Prior versions are available on request from dpo@agbharat.org.
Summary — What We Collect & Why (Plain Language)
Phone number — to create your account and verify your identity via OTP. Name & location — to connect you with nearby equipment. Payment data — to process bookings and refunds. KYC documents (Owners) — to verify equipment ownership. Location (bookings only) — to confirm equipment dispatch and delivery. We do not sell your data. We do not show you ads. We are a Section 8 not-for-profit platform.