Privacy Policy
Privacy Policy — Pattibytes Express
Last updated: April 2026
Effective date: April 2026
Version: 2.0
Pattibytes ("we", "us", or "our") operates the Pattibytes Express mobile application (the "App"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our App.
By creating an account or using the App, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please do not use the App.
Grievance Officer: For any privacy concerns, contact our designated officer at pbexpress38@gmail.com. We will acknowledge your complaint within 48 hours and resolve it within 90 days as required under the DPDP Rules 2025.
1. Who We Are (Data Fiduciary)
Under the Digital Personal Data Protection Act (DPDP Act) 2023 and DPDP Rules 2025, Pattibytes is the Data Fiduciary — the entity that determines the purposes and means of processing your personal data.
Pattibytes
Registered Address: Patti, Punjab, India — 143416
Contact Email: pbexpress38@gmail.com
2. What Personal Data We Collect
We collect only the data that is necessary for the purposes stated in this Policy (data minimisation principle).
2.1 Data You Provide Directly
| Category | Specific Data | Purpose |
|---|---|---|
| Account | Full name, email address, phone number, password | Account creation and authentication |
| Profile | Delivery addresses, profile photo (optional) | Order processing and delivery |
| Orders | Items ordered, special instructions | Fulfilling your food orders |
| Payment | Payment method type and transaction reference | Processing payments (full card numbers are never stored by us) |
| Reviews | Text reviews and ratings | Displaying user-generated content |
| Support | Messages and attachments you send us | Resolving your support queries |
2.2 Data Collected Automatically
| Category | Specific Data | Purpose |
|---|---|---|
| Location | GPS coordinates (precise) | Finding nearby restaurants; real-time delivery tracking |
| Device | Device model, OS version, device identifiers, app version | App compatibility, security |
| Usage | Pages visited, features used, session timestamps | App improvement and bug fixing |
| Crash reports | Error logs via Sentry (no personally identifying content) | Diagnosing technical issues |
| Push tokens | Device push notification token | Sending order status notifications |
Location note: We request "when in use" location by default. Background location is requested separately and is only active during an ongoing live delivery. We do not track your location at any other time.
2.3 Data from Third Parties
| Source | Data Received | Why |
|---|---|---|
| Google Sign-In | Name, email address | Account creation / login via Google |
| Apple Sign-In | Name, email address (first sign-in only) | Account creation / login via Apple |
| Payment processor | Transaction status (success/failure), transaction reference | Confirming your payment |
| Supabase (our database) | Session tokens | Maintaining your login session |
3. Legal Basis and Consent
Under the DPDP Act 2023 and DPDP Rules 2025, we process your personal data based on the following lawful grounds:
- Your consent — for account registration, location access, push notifications, and marketing communications. You may withdraw consent at any time (see Section 7).
- Contract performance — to process your food orders, arrange delivery, and handle payments.
- Legal obligation — to comply with Indian laws including the IT Act 2000, GST Act, and DPDP Act 2023.
- Legitimate interests — for fraud prevention, app security, and crash monitoring.
Consent Notice: Before we collect your data, we present a clear, standalone notice describing what data is being collected, the specific purpose, how to exercise your rights, and our contact details. Consent for each processing purpose is obtained separately. Withdrawal of consent is as simple as granting it.
4. How We Use Your Personal Data
We use your personal data only for the purposes for which it was collected:
- Create, maintain, and secure your account
- Process food orders and coordinate delivery
- Send order status updates via push notifications and SMS
- Respond to your support and grievance queries
- Diagnose technical issues and fix bugs
- Comply with legal obligations under Indian law (IT Act 2000, DPDP Act 2023, GST Act)
- Send promotional offers — only with your explicit prior consent; you may opt out at any time via Profile → Notifications or by emailing us
- Prevent fraud and misuse of the platform
We do not use your data for automated profiling that produces legal or similarly significant effects on you without your explicit consent.
5. How We Share Your Personal Data
We do not sell your personal data to any third party.
We share your data only as strictly necessary:
| Recipient | Data Shared | Why |
|---|---|---|
| Restaurant partners | First name, phone number, delivery address | Preparing and handing over your order |
| Delivery partners | First name, phone number, delivery address | Completing your delivery |
| Payment processors | Encrypted payment reference | Processing your transaction |
| Supabase (database) | Account, order, and location data | Secure data storage (EU/US data centres) |
| Sentry | Anonymised crash logs | Technical error monitoring |
| Expo | App version, OTA update status | Delivering app updates |
| Legal / Government authorities | Only what is legally required | Compliance with valid court orders or Indian law |
Food delivery data sharing notice (per DPDP Rules 2025): Your phone number is shared with restaurants and delivery partners only for the purpose of fulfilling your specific order. It is not shared for any marketing or other purposes without your separate, explicit consent.
Cross-border transfers: Supabase stores data in EU and US data centres. All transfers outside India are subject to contractual safeguards equivalent to Indian data protection standards. We will comply with any government-notified restrictions on cross-border data transfers under the DPDP Rules 2025.
6. Data Retention
We retain your personal data only for as long as necessary:
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account and profile data | Until you delete your account | Consent / Contract |
| Order history | 3 years from order date | GST Act compliance |
| Location data | Not stored after delivery is completed | Minimisation |
| Push notification tokens | Until you uninstall the app or revoke permission | Consent |
| Crash logs (Sentry) | 90 days | Legitimate interest |
| Activity and security logs | 1 year | DPDP Rules 2025, Rule 6 |
| Payment transaction references | 3 years | GST / IT Act |
After the applicable retention period, data is securely deleted or anonymised.
7. Your Rights as a Data Principal
Under the DPDP Act 2023 and DPDP Rules 2025, you have the following rights:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right to Access | Obtain a summary of the personal data we hold about you and how it is processed | Email pbexpress38@gmail.com |
| Right to Correction | Correct inaccurate, incomplete, or outdated personal data | Profile → Edit Profile, or email us |
| Right to Erasure | Delete your account and all associated personal data | Profile → Settings → Delete Account, or email us |
| Right to Withdraw Consent | Withdraw consent for any processing activity at any time | Profile → Notifications (for marketing), or email us |
| Right to Grievance Redressal | Lodge a complaint with our Grievance Officer | Email pbexpress38@gmail.com |
Account Deletion: When you delete your account from within the App (Profile → Settings → Delete Account), we will:
- Immediately revoke your access
- Purge all personal data within 30 days
- Retain only the data we are legally required to keep (e.g., order history for GST — retained in anonymised or pseudonymised form wherever possible)
- Send you a confirmation email once deletion is complete
You may also file a complaint with the Data Protection Board of India if you believe your rights have not been upheld.
8. Children's Privacy
Our App is not directed to children under the age of 18. We do not knowingly collect personal data from minors.
Under the DPDP Rules 2025, if processing involves a child (a person under 18), we are required to obtain verifiable consent from the parent or guardian before collecting any data.
If you believe a child has provided us with personal data without parental consent, please contact us immediately at pbexpress38@gmail.com and we will delete that data promptly.
9. Security
We implement the following measures to protect your personal data:
- TLS/HTTPS encryption for all data in transit
- AES-256 encryption for data at rest in Supabase
- Row-Level Security (RLS) policies on all database tables — each user can only access their own data
- Access controls and activity logs maintained for a minimum of 1 year per DPDP Rules 2025
- Regular security reviews of our infrastructure and code
Data Breach Notification: In the event of a personal data breach that is likely to affect you, we will:
- Notify you without unreasonable delay with details of the breach, its likely consequences, and steps you can take
- Submit an initial report to the Data Protection Board of India immediately upon becoming aware
- Submit a detailed breach report to the Board within 72 hours, as required by Rule 7 of the DPDP Rules 2025
No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee its absolute security.
10. Third-Party SDKs and Services
Our App integrates the following third-party services. Each has its own privacy policy:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Google Sign-In | Authentication | https://policies.google.com/privacy |
| Apple Sign-In | Authentication | https://www.apple.com/legal/privacy |
| Supabase | Database and authentication backend | https://supabase.com/privacy |
| Sentry | Crash and error monitoring | https://sentry.io/privacy |
| Expo | App distribution and OTA updates | https://expo.dev/privacy |
These third parties are contractually bound to process data only as instructed by us and in accordance with applicable privacy laws.
11. Third-Party Links
Our App may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those external sites. We encourage you to review their privacy policies before providing any personal data.
12. Changes to This Policy
We will notify you of material changes to this Privacy Policy via in-app notification at least 15 days before the changes take effect, and by updating the "Last updated" date above.
For non-material changes (e.g., corrections, formatting), we will update the date only.
Continued use of the App after the effective date of changes constitutes your acceptance of the revised Policy.
13. Governing Law and Jurisdiction
This Privacy Policy is governed by the laws of India, including the DPDP Act 2023, DPDP Rules 2025, and the Information Technology Act 2000. Any disputes shall be subject to the exclusive jurisdiction of the courts in Punjab, India.
14. Contact and Grievance Officer
Pattibytes
Email: pbexpress38@gmail.com
Address: Patti, Punjab, India — 143416
| Query Type | Contact |
|---|---|
| Data access, correction, or deletion requests | pbexpress38@gmail.com |
| Consent withdrawal | pbexpress38@gmail.com |
| Privacy complaints and grievances | pbexpress38@gmail.com |
| General enquiries | pbexpress38@gmail.com |
We will acknowledge your request within 48 hours and resolve grievances within 90 days as required under the DPDP Rules 2025.
This policy applies to the Pattibytes Express mobile application on iOS and Android. It does not apply to third-party platforms or services accessible through the App.
Questions about this policy?
We're happy to clarify anything. Reach us at legal@pattibytes.com