CarrumConnect Privacy Policy¶
Effective Date: 1 January 2025 · Last Updated: 15 May 2026
1. Introduction¶
This Privacy Policy describes how Carrum Mobility Solutions Private Limited ("Carrum", "we", "us", or "our") collects, uses, stores, and shares information when you use the CarrumConnect mobile application (the "App") available on Google Play and the Apple App Store.
CarrumConnect is a workplace communication application that allows authorised drivers, fleet operators, and support staff associated with Carrum to:
- Send and receive messages with the Carrum operations team
- Receive and identify work-related incoming phone calls through a Caller ID feature
- Receive operational notifications
This Policy is published in accordance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 ("DPDP Act"). By installing or using the App, you confirm that you have read and understood this Policy.
2. Who We Are (Data Fiduciary)¶
| Entity | Carrum Mobility Solutions Private Limited |
| Registered office | 3rd Floor, 46IP, Sector 42, Gurugram, Haryana, India – 122002 |
| CIN | U77100HR2024PTC121463 |
| Contact email | support@carrum.co.in |
| Grievance Officer | Karan Jain — support@carrum.co.in |
The Grievance Officer is designated under the Information Technology Rules, 2021 and the DPDP Act, 2023. You may contact the Grievance Officer regarding any concerns about your personal data or this Policy.
3. Information We Collect¶
3.1 Information You Provide Directly¶
- Mobile phone number — used to authenticate you via a One-Time Password (OTP) sent over SMS. We do not store a password because the App does not use passwords.
- Profile information — name, email address, work avatar, hub or branch assignment, and personal phone number. These are provisioned by your Carrum administrator and may be updated by you within the App.
- Messages and attachments — text, images, audio recordings, video, files, and location coordinates that you choose to send through the App.
3.2 Information Collected Automatically¶
- Device information — operating system, OS version, device model and brand, App build number, App package name, and a randomly generated installation identifier.
- App permission status — whether you have granted Camera, Microphone, Notifications, Caller ID overlay, and battery-optimisation permissions.
- Usage events — limited analytics such as app launch, screen views, "call clicked", "WhatsApp clicked", and security events such as detection of a rooted or jailbroken device. Collected only in production builds.
- Crash and error data — stack traces, breadcrumbs, the device state at the time of an error, and your user identifier attached to errors for triage.
- Push notification token — issued by Firebase Cloud Messaging so we can deliver push notifications.
3.3 Information Accessed on Your Device (With Your Permission)¶
- Camera — only when you tap to attach a photo or video to a message. Media is uploaded only after you confirm sending.
- Microphone — only when you tap to record a voice message.
- Phone state and call log — used by the Caller ID feature to identify incoming work-related calls and overlay caller information on your screen. We do not read, copy, transmit, or store the contents of your call log or contacts on our servers. Call-log access is used only locally on your device to display caller information in real time.
- Location — only when you tap the location-sharing button inside a chat. We do not collect background or continuous location. Location is sent as a single coordinate inside the message you choose to send.
3.4 What We Do NOT Collect¶
- We do not upload your device contact list to our servers.
- We do not read your SMS messages.
- We do not track your background location.
- We do not collect financial information, payment details, credit or debit card numbers, bank accounts, PAN, Aadhaar, or driving licence information through the App.
- We do not sell your personal data to third parties.
- We do not use your data for behavioural advertising.
4. Why We Collect This Data¶
| Purpose | Data Used |
|---|---|
| Authenticate you and secure your account | Phone number, OTP, device ID |
| Deliver messages and calls | Profile, message content, push token |
| Show Caller ID for incoming work calls | Phone state, call log (on-device only) |
| Crash and error diagnostics | Crash logs, device info, user ID |
| Product analytics and improvement | App events, screen views |
| Customer support | Profile, conversation history |
| Legal compliance | Any of the above as required |
| Prevent fraud, abuse, and unauthorised access | Device integrity signals, security events |
5. Third Parties and SDKs We Use¶
We share limited data with the following service providers strictly for the purposes described above. Each provider acts as a Data Processor under our instructions.
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Firebase Analytics | Usage analytics | App events, screen views, pseudonymous app instance ID |
| Google Firebase Crashlytics | Crash reporting | Crash logs, device state, installation ID |
| Google Firebase Cloud Messaging | Push notifications | Push token, notification payloads |
| Google Firebase Remote Config | Feature flags / config | App instance ID |
| Sentry (Functional Software Inc.) | Error tracking | Stack traces, user ID, breadcrumbs |
| Chatwoot (self-hosted by Carrum) | Messaging backend | Messages, attachments, conversation metadata |
These services may store data on servers located outside India (primarily in the United States and the European Union). Where personal data is transferred internationally, we rely on the safeguards offered by the provider's standard contractual terms.
6. Sensitive Permissions — Specific Disclosures¶
Per Google Play's User Data and Permissions policies, we provide the following specific disclosures:
6.1 Phone (READ_PHONE_STATE) and Call Log (READ_CALL_LOG)¶
These permissions power the in-app Caller ID feature, which displays who is calling when you receive a work-related phone call routed through Carrum. Call-log entries are read on-device only, are not transmitted to our servers, and are not shared with any third party. You may disable Caller ID at any time from the App settings or by revoking the permission in your device settings.
6.2 Foreground Service (FOREGROUND_SERVICE_SPECIAL_USE)¶
We run a short-lived foreground service to display Caller ID information during an active call. This service runs only while a call is in progress and stops automatically once the call ends.
6.3 System Alert Window (SYSTEM_ALERT_WINDOW)¶
Used to overlay the Caller ID card on your screen when a work call is incoming. The overlay is shown only during incoming-call events.
6.4 Battery Optimisation Exemption¶
On some Android device manufacturers (Samsung, Xiaomi, Vivo, Oppo, Realme), background processes are restricted aggressively. We may ask you to exempt CarrumConnect from battery optimisation so that incoming-call detection works reliably. This is optional; declining only affects Caller ID reliability and not other App features.
7. Data Retention¶
| Data Category | Retention Period |
|---|---|
| Account and profile data | Duration of your account with Carrum |
| Messages and attachments | 12 months |
| Call log server-side metadata only | 12 months |
| Crash data (Crashlytics) | Up to 90 days (provider default) |
| Analytics data (Firebase) | Up to 14 months (provider default) |
| Backups and audit logs | Up to 12 months after source data is deleted |
When retention expires, data is deleted or irreversibly anonymised.
8. Your Rights¶
Under the DPDP Act, 2023 and applicable law, you have the right to:
- Access the personal data we hold about you.
- Correct or update inaccurate or incomplete data.
- Erase your personal data, subject to legal retention obligations.
- Withdraw consent at any time. Withdrawal does not affect processing carried out before the withdrawal.
- Nominate another individual to exercise these rights in case of death or incapacity.
- Grievance redressal by contacting the Grievance Officer named in Section 2.
Exercising Your Rights
Email support@carrum.co.in to exercise any of these rights. We will respond within 30 days.
To delete your account, see our Data Deletion Policy.
9. Security¶
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for messages, attachments, and authentication tokens
- Hardware-backed Keychain / Keystore for sensitive credentials on your device
- Role-based access controls for internal systems
- Routine security review of dependencies and third-party SDKs
- Detection of rooted or jailbroken devices and blocking authentication on compromised devices
No system is perfectly secure. You are responsible for keeping your device, lock screen, and SIM secure.
10. Children's Privacy¶
CarrumConnect is intended for use by adult drivers, fleet operators, and support staff associated with Carrum. The App is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If we learn that we have collected data from a child, we will delete it promptly.
11. Changes to This Policy¶
We may update this Policy from time to time. Material changes will be notified inside the App or by email at least seven (7) days before they take effect. The "Last Updated" date at the top reflects the most recent revision. Continued use of the App after the effective date constitutes acceptance of the revised Policy.
12. Contact¶
For any questions, requests, or grievances regarding this Policy or your personal data:
Carrum Mobility Solutions Private Limited 3rd Floor, 46IP, Sector 42, Gurugram, Haryana, India – 122002
Privacy: support@carrum.co.in Grievance Officer: Karan Jain — support@carrum.co.in