Carsavaar

Privacy Policy

Last updated: January 2025

Carsavaar ("we", "our", "us") is an Indian self-drive car rental aggregator operating across 833+ cities. This Privacy Policy explains exactly what personal information we collect when you submit a quote inquiry on https://carsavaar.com, complete a booking, or interact with our team — and how we store, use, share, and dispose of that information. This policy is written in compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000.

1. Information We Collect

a) Information you provide directly

  • Inquiry form data: Full name, 10-digit Indian mobile number, email address (optional), pickup city, drop city, pickup/return dates, number of passengers, luggage requirement, and trip notes (e.g., baby seat needed, automatic preference, outstation destination).
  • Booking confirmation data: Driving licence number, photo of driving licence (front and back), photo of one government ID (masked Aadhaar, Passport, Voter ID, or PAN), home address, and emergency contact.
  • Payment data: UPI ID, bank account number for refunds, and transaction reference numbers. We do not store card numbers, CVVs, or net-banking passwords — these are handled by payment gateways at the point of transaction.
  • Communication records: WhatsApp messages, email threads, recorded customer service calls (recorded with announced consent), and complaints raised through book@carsavaar.com.
  • Account data (optional): If you set a password to track inquiries on our customer dashboard, we store a bcrypt-hashed password (never plaintext).

b) Information collected automatically

  • Device & browser data: IP address (truncated for privacy), user agent string, device type (desktop/mobile/tablet), operating system, screen resolution, and browser language.
  • Usage analytics: Pages visited, scroll depth, time spent per page, click events, search terms used in our city/car search, and form-fill funnel position. This data is collected by our first-party analytics (no Google Analytics by default — purely server-side).
  • Marketing attribution: UTM parameters (utm_source, utm_medium, utm_campaign), referrer URL, and landing page so we can understand which channels (Google search, WhatsApp, blog, social media) drove your visit.
  • Cookies & storage: Authentication cookies (httpOnly, secure, carrying a signed JWT for logged-in customers), preference cookies (city pre-fill), and PWA service-worker cache. We do not use third-party advertising cookies.

c) Information from third parties

  • If you log in via an external sign-in (when offered in future), we receive name and email from that provider only — never password or contacts.
  • For long-term outstation rentals, we may verify your driving record against the public Parivahan / mParivahan portal — only the licence number is queried.

2. How We Use Your Information

  • To respond to your inquiry within 5 minutes with a personalised quote based on your trip parameters (city, dates, car preference).
  • To contact you via phone, WhatsApp, or email about your specific quote, booking confirmation, vehicle handover, and return logistics.
  • To verify driver eligibility (age 21+, licence 1+ year old) before vehicle handover.
  • To process security deposit refunds within 24-48 hours after vehicle return — we use the bank/UPI details you provided for the original deposit.
  • To check for outstanding traffic challans on the rented vehicle during your rental window via the Parivahan portal — these are deducted from your security deposit if found.
  • To analyse aggregate booking patterns (not individual behaviour) — e.g., "30% of Mumbai bookings in monsoon are for SUVs" — for fleet planning and content improvement.
  • To prevent fraud — flagging inquiries with mismatched IP/phone country codes, repeated cancellations, or suspicious patterns for manual review.
  • To comply with statutory obligations including KYC for hire-purchase agreements, GST invoicing, and tax reporting.
  • For service-related transactional emails only (booking confirmations, refund updates) — not marketing, unless you explicitly opt in.

3. Who We Share Your Information With

  • We do NOT sell, rent, or trade your personal data with third-party marketers, advertisers, data brokers, or affiliate networks under any circumstance.
  • Verified rental partners (car owners and fleet operators): We share your name, phone number, driving licence copy, and ID proof with the specific rental partner fulfilling your booking — only after you confirm. They sign data processing agreements with us limiting use to the rental fulfilment.
  • Payment processors: When you pay via UPI/NEFT/IMPS, your bank handles transaction routing. We see only the transaction reference number, not your account credentials.
  • Cloud infrastructure: Customer data is stored on TiDB Cloud (AWS Singapore region) and Vercel (US data centres). These providers are SOC 2 / ISO 27001 certified.
  • Email delivery: Transactional emails are sent via Gmail SMTP — Google's privacy practices apply.
  • Government and legal requests: We disclose data only on receipt of valid Indian court orders, warrants, or written requests from authorised law enforcement under the IT Act 2000 / DPDP Act 2023. We do not voluntarily share with foreign agencies.
  • Acquisitions: If Carsavaar is acquired, sold, or merged, customer data may transfer — affected customers will be notified 30 days in advance with an opt-out option.

4. Data Retention Periods

  • Inquiry data (no booking made): 2 years from inquiry date. Used for service improvement, re-engagement, and to recognise return customers.
  • Booking, payment and rental records: 8 years (as required under Indian Income Tax rules and GST audit retention).
  • Driving licence and ID copies: Encrypted and retained for 3 years post-rental for dispute resolution and challan reconciliation, then permanently deleted.
  • Analytics & usage logs: 14 months in raw form, then aggregated and anonymised.
  • Customer service call recordings: 6 months from call date.
  • Cookies: Authentication cookies expire in 30 days, preference cookies in 1 year, and session cookies on browser close.

5. Data Security Measures

  • All website traffic is encrypted using HTTPS/TLS 1.3. We use HSTS headers to force HTTPS.
  • Customer database connections are encrypted in transit. The database is hosted on TiDB Cloud with point-in-time backups.
  • Driving licence and ID images are stored in private object storage with signed-URL access (each access expires in 5 minutes).
  • Passwords are hashed using bcrypt with 12 salt rounds — even our database admins cannot read them.
  • Authentication uses signed JWT tokens stored in httpOnly cookies, protecting against XSS-based theft.
  • Admin access is limited to Carsavaar employees and is logged for audit. Two-factor authentication is required.
  • We perform quarterly security reviews. In case of a data breach affecting your personal data, you will be notified within 72 hours as required by the DPDP Act, along with steps you can take.
  • While we take reasonable precautions, no electronic transmission or storage is 100% secure. Use strong unique passwords on your account and notify us immediately at book@carsavaar.com if you suspect unauthorised access.

6. Your Rights Under the DPDP Act

  • Right to access: You can request a copy of all personal data we hold on you. We respond within 30 days at no cost.
  • Right to correction: If any data is inaccurate (wrong phone number, misspelt name, outdated address), email us and we correct it within 7 working days.
  • Right to erasure: You can request deletion of your account and personal data. We will delete inquiry-only data immediately, but booking records subject to tax-retention rules will be deleted after the 8-year statutory period.
  • Right to data portability: You can request your data in machine-readable JSON format for transfer to another service.
  • Right to withdraw consent: You can opt out of any non-essential data processing. Consent for some processing (booking fulfilment, tax compliance) cannot be withdrawn while a rental is active or within statutory retention.
  • Right to grievance: Complaints about data handling can be escalated to our Data Protection Officer at book@carsavaar.com. If unresolved within 30 days, you may approach the Data Protection Board of India under the DPDP Act.

To exercise any right, email us at book@carsavaar.com from your registered email address. Identity verification (driving licence number + last booking reference) may be requested before processing access/deletion requests.

7. Cookies & Tracking Technologies in Detail

  • Strictly necessary cookies (cs_admin, cs_customer): Authentication tokens for admin and customer dashboards. Cannot be disabled — site won't function for logged-in users.
  • Functionality cookies: Remember pickup city pre-fill, recent searches, language preference. You can clear these from your browser anytime.
  • Analytics cookies: Anonymous session ID for our first-party analytics. No cross-site tracking. No third-party analytics by default.
  • You can disable cookies in your browser, though logged-in features (booking dashboard, password reset, notifications) will stop working.

8. Third-Party Links & Embedded Content

Our pages link to third-party platforms (WhatsApp, Google Maps for directions, government portals like Parivahan for licence verification). When you click these links, the third party's privacy policy applies. We do not embed advertising trackers, social media pixels, or chatbot tools that share data with third parties.

9. Children's Privacy

Carsavaar services are intended for adults aged 21 and above (the minimum legal age to rent a self-drive vehicle in India). We do not knowingly collect personal information from individuals under 18. If we discover such data has been collected inadvertently, we will delete it immediately. Parents who believe a minor has submitted data should email book@carsavaar.com.

10. Changes to This Policy

Carsavaar may update this Privacy Policy as services evolve or laws change. The "Last updated" date at the top reflects the most recent version. Material changes (e.g., new data sharing partners, new processing purposes) will be communicated via email to registered customers and a banner on the homepage 30 days before they take effect. Minor edits (typo fixes, clarifications) take effect immediately.

11. Contact Us & Grievance Redressal

For privacy-related questions, data access requests, or grievances under the DPDP Act:

  • Email (Data Protection Officer): book@carsavaar.com
  • Phone: +91 6261755976 (Mon-Sat, 10 AM - 7 PM IST)
  • Registered office: 49, Prahari Complex, BSF Colony, Airport Road, DD Nagar, Gwalior, Madhya Pradesh, India

We aim to acknowledge all privacy queries within 48 hours and resolve them within 30 days.