Privacy Policy
Last updated: 30 April 2026
1. What we collect
Phone number (OTP login), email (optional), name, delivery address with GPS coordinates, dietary preferences, payment metadata (Razorpay handles card details directly — we never see them), profile photo (if uploaded), and device push tokens.
2. KYC for chefs and delivery partners
Chefs upload FSSAI registration, PAN, Aadhaar (front + back), and bank-proof images. Delivery partners upload PAN, Aadhaar, driving licence, and vehicle RC. We retain these for the duration of your account plus a regulatory minimum of 3 years to comply with food-safety and tax record-keeping requirements.
3. Location data
Subscriber addresses include latitude/longitude for delivery routing. Delivery agent positions stream to our servers at approximately 30-second intervals while a delivery is in flight; the location pings are pruned after 14 days. Location is never collected when the app is in the background or when no delivery is active.
4. How we use your data
To operate the marketplace (matching subscribers with chefs, dispatching delivery partners, processing payments, sending order updates), to verify identity, to investigate fraud or safety incidents, and to comply with legal obligations. We do not run advertising networks, run profiling for targeted advertising, or sell data to third parties.
5. Sharing
Counter-party contact details (name + phone) are shared on a need-to-know basis: chefs see subscriber name + phone for active orders; delivery partners see chef + subscriber name + phone for active deliveries; no other personal information is shared. Aggregated, non-identifying data may be published as part of platform metrics.
6. Sub-processors
We use the following service providers to operate BojanBox:
Supabase (database + authentication, hosted in Mumbai region), Razorpay (payments), Resend or Postmark (transactional email), Sentry (crash reporting, with PII redaction for auth headers), Expo (push notification delivery via Apple APNs / Google FCM), AWS (object storage for KYC documents and food photos, Mumbai region). Each sub-processor is bound by its own data-protection agreement.
7. Your rights under the DPDP Act 2023
You can request data access, correction, or deletion at any time via Profile → Delete account in the app, or by emailing privacy@bojanbox.in. We respond within 30 days. You may also nominate a representative to exercise these rights on your behalf in the event of incapacity or death.
8. Data retention
Account data is retained while your account is active and for 7 days after account deletion (cooling-off period). KYC documents are retained for 3 years after your last delivery for tax/regulatory record-keeping. Anonymised order history may be retained indefinitely as platform metrics.
9. Security
Authentication is via one-time SMS code; we never store passwords. Tokens are held in iOS Keychain / Android Keystore. KYC images are encrypted at rest. All network traffic uses TLS 1.2 or higher. Crash reports redact authorisation headers before they leave your device.
10. Children
BojanBox is not intended for users under 18. We do not knowingly collect data from minors. If you believe a child has registered, write to privacy@bojanbox.in and we will delete the account on verification.
11. Changes to this policy
We may update this policy with at least 7 days' notice via in-app push and email. Material changes are highlighted at the top of the policy.
12. Grievance officer
Pursuant to the Information Technology Act 2000 and DPDP Act 2023, the Grievance Officer is:
Rakshith N
Email: privacy@bojanbox.in
Bengaluru, Karnataka 560001
Acknowledgement within 24 hours, resolution within 30 days.