Privacy Policy

Last Updated: May 10, 2026

At a Glance

We have summarised the key points below. Please read the full Policy for complete details.

What we collect: personal information needed to operate the WayCube platform — account details, orders, location, payments, and product interactions.
What we do with it: we provide and improve the Platform, process orders and payments, enable discovery and delivery, comply with the law, and (with your consent) communicate with you about offers.
Selling data: we do not sell your personal data.
Service providers we rely on: Google Cloud and Firebase (hosted in India.), Google Maps Platform, Google Gemini API for AI-powered features, and Cashfree Payments for payment processing.
Your rights: you can request access, correction, deletion, or withdraw consent at any time by writing to support@thewaycube.com.
Grievance Officer: Mayank Singh Sirohi — full contact details in Section 14.

1. Introduction and Scope

WAYCUBE COMMERCIAL PRIVATE LIMITED ("WayCube," "Company," "we," "our," or "us") is committed to protecting your privacy. This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and safeguard personal information when you access or use our website, mobile application, and related services (collectively, the "Platform").

This Policy applies to all users of the Platform, including customers, vendors, vendor staff, delivery members, visitors, and other individuals who interact with our services. It does not apply to information you provide directly to third parties such as vendors, third-party tools, or external integrations — please consult their respective privacy notices.

By accessing or using the Platform, you agree to this Policy and our Terms of Service. If you do not agree, please do not use the Platform.

2. Personal Information We Collect

We collect personal information in three ways: directly from you, automatically through your use of the Platform, and from third-party sources.

2.1 Information You Provide Directly

When you create an account, place orders, list products, or otherwise use the Platform, you may provide:

Identity information: name, gender, date of birth, profile photo.
Contact information: email address, mobile number, delivery address.
Account credentials: username and password (passwords are stored in cryptographically hashed form).
Vendor onboarding information: business name, business address, GSTIN, PAN, bank account or UPI details, business registration documents, and signatory KYC.
Transaction information: order history, payments, refunds, ratings, reviews, and dispute records.
Content you create: posts on the community feed, photographs, comments, reactions, and chat messages.

2.2 Information Collected Automatically

When you use the Platform, we automatically collect:

Device information: device model, operating system, unique device identifiers, mobile network details, and app version.
Usage information: pages and screens viewed, features used, search queries, browsing patterns, session duration, and clickstream data.
Location information: approximate or precise geolocation (with your permission) for vendor discovery, order coordination, and live delivery tracking. Live location sharing during active orders is described in Section 5.
Log information: IP address, access times, error logs, and similar technical data.
Cookies and similar technologies: see Section 9.

2.3 Information from Third Parties

We may receive personal information about you from:

Payment partners (such as Cashfree) for transaction verification, settlement, fraud screening, and KYC.
Logistics partners for delivery status and tracking updates.
Authentication providers (such as Google Sign-In, where used) for sign-up convenience.
Other users who refer you, mention you in reviews, or include you in an order.

3. How We Use Your Information

We use personal information for the specific purposes set out below, and only to the extent necessary for each purpose:

Purpose	Categories of Data Used
Creating and managing your account	Identity, contact, credentials
Processing orders, payments, refunds, and settlements	Transaction, payment, vendor, delivery data
Enabling vendor discovery and live delivery tracking	Location, device data
Customer support and Review Chat resolution	Contact, transaction, chat data
Fraud prevention, risk scoring, and dispute investigation	Account, device, transaction, behavioural data
Compliance with applicable laws (GST, TCS, AML, KYC, accounting, tax)	KYC, transaction, payment data
AI-powered features (described in Section 4)	Search queries, product interactions, order context
Service-related communications (transactional emails, SMS, push)	Contact, transaction data
Marketing communications (only with your consent)	Contact, preferences, behavioural data
Improving the Platform, debugging, and security	Usage, device, log data

We process personal information based on (a) your consent, (b) the necessity of providing the services you have requested, and (c) compliance with our legal and regulatory obligations.

4. AI-Powered Features and Automated Processing

We use artificial intelligence services, including Google's Gemini API, to provide enhanced in-app experiences such as:

personalised product and vendor recommendations,
smarter search and natural-language discovery,
content categorisation and moderation,
customer support assistance.

When you use these features, certain interaction data — such as your search queries, product browsing context, and order history — may be processed by these AI services to generate responses, recommendations, or insights. We aim to limit the personally identifying information (such as full name, phone number, or address) shared with such services to what is necessary to fulfil your request.

Under the enterprise terms of Google's Gemini API as applicable to us, customer data sent to the API is not used by Google to train its general-purpose foundation models.

Separately, we may use information about how users interact with our AI-powered features — including which recommendations are clicked, search refinements, and feedback signals — to improve the quality, accuracy, and relevance of these features over time. Where we use such data for improvement purposes, we do so in de-identified or aggregated form to the extent practicable.

We do not make solely automated decisions that produce legal or similarly significant effects on you. Where AI assists in decisions such as fraud screening or risk scoring, a human review is available on request through our grievance channel (Section 14).

Where the Platform offers controls to opt out of personalised recommendations, you may exercise these through your account settings. Core Platform functionality will continue to work without personalisation.

5. Live Location During Active Orders

For active orders, the Platform may enable live location sharing between vendor staff or delivery members and the relevant customer (and vice versa) for the limited purpose of order coordination and tracking. Live location sharing:

starts only when an order is active,
is visible only to the relevant counterparties for that specific order,
stops when the order is marked completed or when tracking is turned off,
is not retained as a precise location trail beyond what is necessary for the order, dispute handling, and platform safety.

You must not misuse location features or share another person's location without their knowledge and a lawful basis.

6. How We Share Your Information

We do not sell your personal data. We share personal information only as described below.

6.1 With Counterparties on the Platform

We share order-related information between the customer, the vendor, and (where applicable) the delivery member, to the extent necessary to fulfil the order and resolve any disputes. This may include name, contact number, delivery address, order details, and live location during active orders.

6.2 With Service Providers

We share personal data with the following service providers, who are bound by confidentiality and data-protection obligations:

Service Provider / Category	Purpose	Location of Processing
Google Cloud Platform / Firebase	Hosting, database, authentication, real-time data sync, file storage	Primary: Mumbai, India (asia-south1). Some sub-services may process globally.
Google Maps Platform	Maps, geocoding, distance and routing	Globally distributed Google infrastructure
Google Gemini API	AI-powered features as described in Section 4	Google infrastructure as defined in Google's Generative AI terms
Cashfree Payments	Payment processing, payouts, KYC verification, settlement	India
SMS, OTP, and email service providers	Transactional communications	India / global, depending on provider
Customer support, analytics, and crash-reporting tools	Support, debugging, product analytics	India / global, depending on provider

6.3 With Legal and Regulatory Authorities

We may disclose personal data if required by law, court order, or governmental authority, or where we believe in good faith that disclosure is necessary to protect rights, property, or safety, or to prevent fraud.

6.4 In Connection with Business Transfers

If WayCube undergoes a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to the successor entity, subject to the same protections set out in this Policy.

7. Cross-Border Data Transfers

Our primary data hosting infrastructure (Google Cloud Platform / Firebase) is configured to store user data in the Mumbai, India region (asia-south1). However, certain service providers — particularly those providing AI services (such as the Gemini API), maps, analytics, and global communications — may process personal data on infrastructure located outside India.

Where such transfers occur, we rely on the contractual terms of our service providers to maintain comparable safeguards. The Government of India has not, as of the date of this Policy, restricted transfers to any specific country under the Digital Personal Data Protection Act, 2023.

8. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this Policy, or for as long as required by applicable law. Indicative retention periods are set out below:

Data Category	Retention Period
Active account data	Until account deletion, plus up to 90 days in backups
Transaction, payment, and invoice records	8 years from the date of transaction (Companies Act, 2013 and GST law)
KYC and vendor onboarding documents	5 years from end of relationship (PMLA norms)
Support tickets and Review Chat records	24 months
Marketing communications and consent records	Until you withdraw consent, plus 12 months for compliance audit
Application logs and analytics data	Up to 12 months
Inactive accounts	Notice followed by deletion after 36 months of inactivity

When data is no longer needed, we delete it or irreversibly anonymise it, except where retention is required by law or for the establishment, exercise, or defence of legal claims.

9. Cookies and Similar Technologies

We use cookies, software development kits (SDKs), and similar tracking technologies on our website and mobile application. These fall into the following categories:

Strictly necessary: required for the Platform to function (authentication, security, session management).
Performance and analytics: to understand how users interact with the Platform and to identify and fix issues.
Functional: to remember your preferences and settings.
Marketing (with consent): to measure campaign performance and personalise communications.

You can manage cookies through your browser settings and tracking permissions through your device settings. Disabling certain cookies may affect Platform functionality.

10. Data Security

We implement industry-standard technical and organisational measures to protect personal data, including:

encryption of data in transit using TLS,
encryption at rest for sensitive fields such as KYC, bank, and payment data,
role-based access controls and the principle of least privilege for our team,
audit logging and monitoring of access to sensitive systems,
periodic review of security configurations and dependencies,
secure development practices and regular code review.

No system is completely secure, however, and we cannot guarantee absolute protection against unauthorised access, loss, or misuse. We rely on you to safeguard your account credentials and to notify us immediately at support@thewaycube.com of any suspected unauthorised use of your account.

11. Data Breach Notification

In the event of a personal data breach affecting your information, we will notify the Data Protection Board of India and affected data principals as soon as practicable in accordance with applicable law, providing details of the breach, the categories of data affected, the likely consequences, and the mitigation measures we are taking.

12. Your Rights

Subject to applicable law (including the Digital Personal Data Protection Act, 2023), you have the following rights in respect of your personal data:

Right to access: to obtain a summary of personal data we hold about you and how we process it.
Right to correction and erasure: to request that inaccurate or incomplete data be corrected, and that data be deleted where it is no longer required.
Right to withdraw consent: to withdraw any consent you have given, at any time, with effect for the future. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right to grievance redressal: to make a complaint about our processing through our Grievance Officer (Section 14), and to escalate to the Data Protection Board of India.
Right to nominate: to nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, please write to support@thewaycube.com. We may need to verify your identity before responding.

We aim to acknowledge requests within seventy-two (72) hours and resolve them within the timelines prescribed by applicable law.

13. Children

The Platform is intended only for users who are at least 18 years of age. We do not knowingly collect or process personal data of individuals under 18. If we become aware that we have inadvertently collected such data, we will take steps to delete it promptly.

If you believe a minor has provided personal data to us, please contact our Grievance Officer (Section 14).

14. Grievance Officer and Contact

In accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023, the contact details of our Grievance Officer / contact person for data protection matters are:

Name:Mayank Singh SirohiDesignation:Director and CEOEntity:WAYCUBE COMMERCIAL PRIVATE LIMITEDEmail:support@thewaycube.comAddress:Lucknow, Uttar Pradesh, India

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India established under the Digital Personal Data Protection Act, 2023.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. The "Last Updated" date at the top of this Policy will indicate when it was last revised. Where changes are material, we will notify you through in-app notice, email, or other reasonable means. Continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Policy.