This Privacy Policy (“Policy”) describes how Bodha AI Labs Pvt. Ltd. (“Bodha”, “we”, “us”, or “our”), a company incorporated under the laws of India, collects, uses, discloses, stores, and protects personal information when you access or use the Bodha Route Planner website at bodharouteplanner.com, the Bodha Fleet web application at fleet.bodharouteplanner.com, the Bodha Route Planner mobile applications available on the Apple App Store and Google Play Store, and any related services, integrations, or APIs (together, the “Services”).
By creating an account, downloading our mobile application, subscribing to a plan, or otherwise using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, please do not use the Services.
1. Who We Are
Bodha Route Planner is a product of Bodha AI Labs Pvt. Ltd., the parent company operating at bodhalabs.ai. For the purposes of applicable data protection laws (including the EU General Data Protection Regulation, the UK GDPR, the California Consumer Privacy Act, and India’s Digital Personal Data Protection Act, 2023), Bodha AI Labs Pvt. Ltd. is the data controller for personal information you provide directly to us as an account owner or visitor.
When customers (e.g., delivery businesses, dispatchers, or fleet operators) upload information about their own end-customers, drivers, or recipients into the Services, the customer is the data controller and Bodha acts as a data processor on the customer’s behalf in accordance with our Data Processing Addendum and the customer’s instructions.
2. Information We Collect
2.1 Information You Provide Directly
- Account & Profile Data: Full name, work email address, password (stored as a hashed value), phone number, company name, role, country, time zone, and profile photo.
- Billing & Subscription Data: Billing name, billing address, GSTIN/VAT number where applicable, plan tier, subscription history, invoices, and the last four digits and expiry of payment cards. Full card details are processed by our PCI-DSS compliant payment partners (Chargebee, Stripe) and are never stored on Bodha servers.
- Operational Data You Upload: Delivery addresses, stop notes, customer names, customer phone numbers, customer email addresses, package details, depot locations, vehicle information, driver names and contact details, route plans, and any other content you input or import into the Services.
- Proof-of-Delivery (POD) Data: Photos, signatures, delivery reasons, timestamps, and free-text notes captured by drivers using the Bodha mobile application.
- Communications: Support tickets, emails to [email protected], feedback, survey responses, testimonials, and any other content you choose to share with us.
2.2 Information We Collect Automatically
- Device & Technical Data: IP address, device type, mobile operating system version, browser type and version, screen resolution, device identifiers, language preference, time zone, and crash logs.
- Location Data (Mobile App): Where the driver has granted permission, the Bodha mobile application collects precise GPS location to enable navigation, real-time tracking, geo-stamping of proof-of-delivery, and accurate route execution analytics. Location collection can be limited or revoked at any time through your device settings; doing so may disable certain features.
- Usage & Analytics Data: Pages viewed, features used, clicks, session duration, referring URLs, search queries within the product, and event-level telemetry. We use Mixpanel and Contentsquare for product analytics and user experience analysis.
- Cookies & Similar Technologies: See Section 7 below.
2.3 Information We Receive From Third Parties
- Authentication providers (Google Sign-In, Apple Sign-In) provide us your name, email address, and a unique provider identifier when you choose to sign in using them.
- Payment processors (Chargebee, Stripe, Apple App Store, Google Play Store) provide us subscription status, transaction identifiers, and renewal events.
- Mapping & geocoding providers (Google Maps Platform) return geocoded addresses, distance matrix calculations, and place details that we associate with your routes.
- Marketing partners may provide referral, UTM, or campaign attribution data, where lawful.
3. How We Use Your Information
We use personal information for the following purposes and on the following legal bases:
- To provide the Services — creating and authenticating your account, optimising and dispatching routes, syncing data across the web and mobile apps, generating proof of delivery, and sending operational notifications. (Legal basis: performance of a contract.)
- To process payments and manage subscriptions — invoicing, applying credits, recording renewals, handling failed payments, and producing tax documents. (Legal basis: performance of a contract; legal obligation.)
- To communicate with you — service announcements, security alerts, product updates, billing receipts, customer support responses, and (where permitted) marketing emails about features and offers. You can opt out of marketing communications at any time. (Legal basis: legitimate interests; consent where required.)
- To improve and develop the Services — analysing aggregated usage patterns, identifying bugs, training and improving our route-optimisation algorithms, and prioritising new features. Where feasible we use aggregated, de-identified, or pseudonymised data for this purpose. (Legal basis: legitimate interests.)
- To ensure security and prevent fraud — detecting unauthorised access, abuse of the Services, chargeback fraud, and breach of our Terms. (Legal basis: legitimate interests; legal obligation.)
- To comply with law — responding to lawful requests from public authorities, enforcing our agreements, and protecting our legal rights. (Legal basis: legal obligation; legitimate interests.)
4. How We Share Your Information
We do not sell your personal information. We share personal information only in the following limited circumstances:
- Service providers (sub-processors): Cloud hosting (Amazon Web Services), database services (MongoDB Atlas), authentication (Google, Apple, Firebase), email delivery (Amazon SES, Customer.io), product analytics (Mixpanel, Contentsquare), customer-engagement messaging (Customer.io), payments (Chargebee, Stripe), maps and geocoding (Google Maps Platform), push notifications (Firebase Cloud Messaging, Apple Push Notification service), and similar vendors. Each sub-processor is bound by written contractual obligations to handle personal data only on our instructions and to maintain appropriate security.
- Within your organisation: Account administrators and other authorised users in your workspace can access route, driver, and customer data that you upload. You are responsible for managing access within your own workspace.
- With drivers and recipients: If you enable customer notifications, share-tracking links, or proof-of-delivery emails, the relevant recipient contact details and limited shipment information will be transmitted to drivers or end-customers as configured.
- Business transfers: If Bodha is involved in a merger, acquisition, financing, reorganisation, or sale of assets, personal information may be transferred as part of that transaction, subject to the receiving party honouring this Policy.
- Legal & safety: When we have a good-faith belief that disclosure is necessary to comply with a subpoena, court order, or other legal process; to enforce our Terms; to protect the rights, property, or safety of Bodha, our users, or the public; or to investigate fraud.
- With your consent: For any other purpose disclosed to you at the point of collection or with your separate consent.
5. International Data Transfers
Bodha is headquartered in India and uses cloud infrastructure that may store and process data in India, the United States, the European Union, and other regions where our sub-processors operate. Where personal data is transferred outside your country of residence, we rely on lawful transfer mechanisms — including the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Addendum, and adequacy decisions — and apply additional safeguards (encryption in transit and at rest, access controls, contractual restrictions) where appropriate.
6. Data Retention
We retain personal information only as long as necessary for the purposes set out in this Policy, including to provide the Services, comply with our legal, accounting, or reporting obligations, resolve disputes, and enforce our agreements.
- Account data: retained for as long as the account is active, plus 90 days after closure to enable account recovery and to satisfy billing reconciliation. Thereafter, account data is deleted or anonymised.
- Route, stop, and POD data: retained for the lifetime of your subscription. After cancellation, this data is retained for 90 days (to enable reactivation) and is then deleted.
- Invoices and tax records: retained for a minimum of 8 years to comply with Indian tax and corporate law.
- Backups: retained on a rolling 35-day cycle and then overwritten.
- Support communications: retained for up to 3 years from the date of last contact.
You may request earlier deletion by writing to [email protected]. We will honour the request to the extent permitted by applicable law.
7. Cookies & Tracking Technologies
We use the following categories of cookies and similar technologies on our website and web application:
- Strictly necessary cookies — required for authentication, session management, security, and load balancing. These cannot be disabled without breaking the Services.
- Functional cookies — remember user preferences such as language, time zone, distance unit, and time format.
- Analytics cookies — Mixpanel and Contentsquare cookies that help us understand how the product is used.
- Marketing cookies — set by us or our advertising partners on the public marketing website to measure campaign effectiveness. These are not set inside the Bodha Fleet application.
You can control cookies through your browser settings and, where applicable, through the consent banner on the marketing site.
8. Mobile Application & Permissions
The Bodha Route Planner mobile application may request the following device permissions on iOS and Android:
- Location (foreground and, on Android, background) — to power navigation, live driver tracking, automatic stop arrival detection, and geo-stamped proof of delivery.
- Camera — to capture proof-of-delivery photos.
- Photos / Media Library — to upload existing photos as proof of delivery.
- Notifications — to send route assignments, dispatch updates, and delivery alerts.
- Microphone (optional, where supported) — for voice notes attached to stops.
All permissions can be revoked at any time in your device settings; revoking a permission may reduce the functionality available to you.
9. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include TLS encryption in transit, AES-256 encryption at rest for production databases and object storage, role-based access controls, least-privilege principles for staff access, password hashing using industry-standard algorithms, regular security reviews, vendor due diligence, and incident response procedures. No method of transmission or storage is completely secure; we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the affected users and the competent supervisory authority without undue delay, in accordance with applicable law.
10. Your Rights
Depending on where you reside, you may have the following rights with respect to your personal data:
- Access — request a copy of the personal data we hold about you.
- Correction — request that inaccurate or incomplete personal data be corrected.
- Deletion / erasure — request that we delete personal data, subject to legal retention obligations.
- Portability — receive your personal data in a structured, commonly used, machine-readable format.
- Restriction — request that we restrict processing of your personal data.
- Objection — object to processing based on our legitimate interests, including direct marketing.
- Withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Lodge a complaint — with your local data protection authority, including (where applicable) the Indian Data Protection Board, the EU national supervisory authorities, or the UK Information Commissioner’s Office.
To exercise any of these rights, email us at [email protected]. We will respond within the timeframes required by law (typically within 30 days). We may need to verify your identity before responding.
California Residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect and how it is used and shared, the right to delete personal information, the right to correct inaccurate information, the right to opt out of any “sale” or “sharing” (Bodha does not sell or share personal information for cross-context behavioural advertising), and the right not to be discriminated against for exercising these rights.
11. Third-Party Services & Links
The Services may integrate with or link to third-party platforms, including Google Maps, the Apple App Store, the Google Play Store, Chargebee, Stripe, and various integration partners. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies before interacting with them.
12. Children’s Privacy
The Services are designed for businesses and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe that a child has provided us with personal information, please contact [email protected] and we will take prompt steps to delete the information.
13. Marketing Communications
We may send you marketing emails about new features, customer stories, and offers. You can unsubscribe at any time using the link at the bottom of any marketing email or by emailing [email protected]. Transactional and account-related emails (billing receipts, password resets, security alerts) cannot be unsubscribed from while your account is active.
14. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email or by posting a prominent notice in the Services at least 15 days before the change takes effect. The “Last Updated” date at the top of this Policy indicates when it was last revised. Your continued use of the Services after the effective date constitutes your acceptance of the revised Policy.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us: