Privacy Policy

Plain-language summary. Delv Express is a logistics platform operated by Lazyfoxs Logistics Pvt Ltd. To run the platform we collect Personal Data about (1) the businesses that book Shipments with us (and people inside them), (2) the people who receive those Shipments, and (3) the delivery partners and hub managers who operate our network. For delivery partners we also collect Aadhaar, PAN and Driving Licence details, which are sensitive — we explain in section 3 exactly what each field is used for.

We do not sell Personal Data. We do not share it with advertisers. We do not allow third-party tracking pixels on tracking pages we serve on behalf of Customers.

If you only read one part of this policy, read section 11 (Your rights) and section 13 (How to contact our Grievance Officer).

1. Who we are (the Data Fiduciary)

1.1 Legal entity. Personal Data described in this policy is processed by Lazyfoxs Logistics Pvt Ltd ("Delv Express", "we", "us", "our"), a company incorporated under the Companies Act, 2013 (Corporate Identification Number as recorded with the Ministry of Corporate Affairs and displayed at /contact), with:

• Registered office: Haripur Siho, Muzaffarpur, Bihar 843119, India
• Corporate office: Plot 63, Udyog Vihar Extension, Ecotech-II, Surajpur, Greater Noida, Uttar Pradesh 201306, India

1.2 Status under the DPDP Act. In respect of Personal Data we determine the purpose and means of processing for, we act as the Data Fiduciary under section 2(i) of the Digital Personal Data Protection Act, 2023. In respect of Personal Data that a Customer uploads to our platform for the limited purpose of executing a Shipment booked by that Customer, we act as the Data Processor of the Customer, who is the Data Fiduciary.

1.3 Will Delv Express be designated a Significant Data Fiduciary? The Central Government may designate any Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary under section 10 of the DPDP Act. If we are so designated, this policy and our internal governance will be updated to reflect the additional obligations (independent Data Protection Officer based in India, periodic Data Protection Impact Assessments, independent audits and algorithmic-impact assessments).

2. Scope and to whom this policy applies

This policy applies to Personal Data processed in connection with the Services, where "Services" has the meaning given in the Terms of Service at /terms. It applies to:

• Customer Account Administrators and authorised users — individuals who set up or use a Customer's dashboard, control tower or API account;
• Senders and Recipients — individuals whose addresses or telephone numbers appear on Shipments tendered through the platform;
• Delivery Partners — independent riders onboarded through the Delv Partner mobile application;
• Hub Managers — individuals authorised to operate our hubs and admin dashboard;
• Website visitors — anyone who visits https://delvexpress.com or our marketing pages;
• Recipients of marketing communications — individuals who have opted in to our updates;
• Job applicants, suppliers and other counterparties in the course of business; and
• Recipients of grievance acknowledgements and responses.

A separate policy applies to our employees and is provided through the Human Resources information system.

3. What Personal Data we collect, why, and on what legal basis

This is the "itemised description of Personal Data" required by rule 3(2) read with section 5 of the DPDP Act and the DPDP Rules, 2025. Each row identifies a category of Personal Data, the purpose we collect it for, the legal basis under sections 4, 6 and 7 of the DPDP Act, and the typical retention period.

3.1 Personal Data of Customer Account Administrators and authorised users

3.2 Operational Shipment data (relating to Senders, Recipients, end customers)

We do not use this data to build profiles of Recipients for marketing purposes. We do not embed third-party tracking pixels on tracking pages we serve on behalf of a Customer.

3.3 Personal Data of Delivery Partners (collected through the Delv Partner app)

This category includes sensitive identifiers. Collection is voluntary in the sense that no Delivery Partner is compelled to onboard, but each field is required to be eligible for onboarding because we cannot lawfully deploy or remunerate a Delivery Partner without verified identity. Express, informed consent is captured at the time of submission through the Aadhaar / KYC Consent Notice.

Aadhaar collection is governed by the Aadhaar / KYC Consent Notice. We do not perform Aadhaar biometric authentication. We collect Aadhaar in physical / image form for offline visual verification only. We do not store Aadhaar numbers in clear in application logs, error reports, support tickets or analytics events.

3.4 Personal Data of Hub Managers

The categories collected mirror clause 3.3 to the extent required for identity verification, statutory eligibility and payroll. Additional information may be collected if a Hub Manager is engaged on an employment rather than independent-contractor basis, in which case the employment-specific HR privacy notice applies.

3.5 Personal Data of Website Visitors

3.6 Recipients of marketing communications

If you opt in to newsletters or product updates we collect your name, email and any topical preferences solely to send those communications. You can withdraw consent at any time using the unsubscribe link or by writing to admin@delvexpress.com.

3.7 Data we do not collect

We do not collect: biometric Aadhaar authentication data; financial-account passwords; health data unrelated to the Motor Vehicles Aggregator Guidelines medical fitness assessment; precise indoor location; data from your contact list, calendar, SMS, call logs or media library; or audio from your microphone.

4. How we use Personal Data

For each purpose listed in clause 3 we use Personal Data only to the extent reasonably necessary, applying the data-minimisation principle in section 4(1)(b) of the DPDP Act. Specifically:

• Run the platform — register accounts, book pickups, generate shipping labels and e-Way Bills, dispatch, route, hand-off, deliver, capture proof-of-delivery, settle Cash-on-Delivery, process refunds, calculate payouts.
• Authenticate and secure accounts — verify phone OTP via Firebase Authentication, issue session tokens, detect abuse, mitigate fraud.
• Provide support — respond to e-mails, chat messages, support tickets and grievance escalations.
• Bill and reconcile — issue GST-compliant invoices, process payments, settle COD, generate Form 26AS / TDS certificates.
• Improve the platform — model courier success-rates by pin-code, predict return-to-origin risk, validate addresses, optimise lanes. We use Aggregated Data wherever practicable; where individual records are required, we pseudonymise.
• Comply with law — provide e-Way Bills to the GST portal, customs declarations to DGFT, TDS to the Income Tax Department, statutory disclosures to UIDAI, requests by competent law-enforcement on valid legal process.
• Send transactional communications — delivery updates, exception alerts, OTP confirmations, payment receipts, KYC reminders, grievance acknowledgements.
• Send promotional communications — only with your express opt-in consent.

We will not use Personal Data for any new purpose that materially differs from those disclosed in this clause 4 without obtaining fresh consent or another lawful basis.

5. Legal bases under the DPDP Act

We process Personal Data on one or more of the following bases set out in sections 4, 6 and 7 of the DPDP Act:

(a) Consent (section 6) — for marketing communications, optional analytics cookies, Aadhaar / PAN / DL processing, location processing during shifts, and any other processing not covered by another basis. Consent is captured at the point of collection through a clear affirmative action, with a contemporaneous notice in plain language.

(b) Certain legitimate uses (section 7) — including (i) processing necessary to perform a service you have requested (clause 7(a)), (ii) compliance with judgments, decrees or orders (clause 7(c)), (iii) responding to a medical emergency involving threat to life (clause 7(d)), (iv) safety during a disaster (clause 7(f)), and (v) prevention or investigation of an offence (clause 7(g)).

(c) Compliance with legal obligation — including GST Act 2017, Income Tax Act 1961, Companies Act 2013, Motor Vehicles Act 1988, Aadhaar Act 2016, Foreign Trade (Development and Regulation) Act 1992, the Customs Act 1962, and rules and notifications under them.

Where consent is the basis, you may withdraw it at any time per section 11 of this policy. Withdrawal does not affect the lawfulness of past processing or processing that continues under a different basis (such as a statutory retention obligation).

6. With whom we share Personal Data

We share Personal Data only as described below. We do not sell Personal Data. We do not share Personal Data with advertisers. We do not engage in cross-context behavioural advertising.

6.1 Categories of recipients

• Authorised personnel of Delv Express — employees, officers and contractors with role-based need-to-know access, bound by confidentiality.
• Courier and freight partners — the assigned courier or freight carrier receives only the data necessary to perform pickup, transit and delivery.
• Hubs and Delivery Partners — Recipients' names, addresses and one-time delivery OTPs are surfaced to the assigned Delivery Partner; only the minimum needed to deliver.
• Payment aggregators and banks regulated by the Reserve Bank of India — for invoice settlement, COD remittance and rider payouts.
• Identity-verification vendors — for PAN verification (Income Tax Department database), Aadhaar OVSE workflow with UIDAI, or DL verification (Sarathi).
• Cloud-infrastructure providers — see section 6.2 below.
• Professional advisers — legal, accounting, audit and consulting advisers under confidentiality and only as needed.
• Insurers and claims administrators — for processing Delivery Partner health / term cover claims and for Shipment loss / damage claims.
• Acquirers / successors — in connection with a merger, acquisition, reorganisation, financing or sale of assets, subject to confidentiality and equivalent privacy protections.
• Government, regulatory and law-enforcement authorities — on a valid legal request (court order, notice under section 91 of the Bharatiya Nagarik Suraksha Sanhita / CrPC, notice under the Income-tax Act 1961, notice under section 36 of the DPDP Act, or analogous instrument). We log every such disclosure.

6.2 Named sub-processors / infrastructure providers

The following named sub-processors process Personal Data on our behalf. We will keep this list current and provide thirty (30) days' notice on the website of any addition.

All sub-processors are bound by written terms requiring confidentiality, security safeguards consistent with section 8(5) of the DPDP Act, breach-notification cooperation and assistance with Data Principal rights requests.

7. Cross-border transfer of Personal Data

7.1 Default — data stays in India. We host our primary production systems in India. Customer KYC documents are stored in AWS ap-south-1 (Mumbai). Application databases are hosted in Indian regions.

7.2 Exceptions. Personal Data may be transferred outside India in the following limited circumstances:

• when a global cloud provider replicates encrypted backups to a secondary region outside India for resilience;
• when a cross-border Shipment requires sharing data with foreign customs authorities, foreign courier partners, or the destination delivery network;
• when a sub-processor's global edge network processes diagnostic telemetry; or
• when a Customer has expressly directed cross-border movement of data.

7.3 Safeguards. Where Personal Data is transferred outside India: (a) transfers are made only to jurisdictions not restricted by notification of the Central Government under section 16 of the DPDP Act; (b) we rely on Standard Contractual Clauses or equivalent contractual safeguards where the destination jurisdiction does not provide a comparable level of protection; (c) Aadhaar numbers and Aadhaar images are not transferred outside India; and (d) we will update this section if any new central-government restriction or whitelist is notified under the DPDP Act.

8. How long we keep Personal Data (retention)

We retain Personal Data only for as long as is reasonably necessary for the purposes set out in clause 3 or as required by Applicable Law. Specific retention periods are set out alongside each data field in clause 3. The principal headline periods are:

Once a retention period expires the data is securely deleted or, where deletion is infeasible (e.g., in immutable backups), is anonymised and access-restricted until natural roll-off.

9. How we keep Personal Data secure

9.1 Security programme. Pursuant to section 8(5) of the DPDP Act and the SPDI Rules 2011, we maintain reasonable security safeguards including:

• encryption of data in transit using TLS 1.2 or higher;
• encryption of KYC documents and Aadhaar / PAN / DL images at rest using AES-256 with managed-key services;
• network segmentation; identity-aware access controls; multi-factor authentication for administrative access; just-in-time elevation of privilege; comprehensive audit logging;
• role-based access — Hub Managers, support staff and engineers receive only the minimum data required for their role;
• input validation, output encoding and parameterised queries to mitigate injection;
• regular vulnerability scanning, static-analysis and dependency monitoring;
• annual third-party penetration testing of the production stack;
• software-development-lifecycle controls including code review, secure-coding training and pre-production change approval;
• endpoint hardening, malware controls and patch management for personnel devices that touch production;
• documented incident-response, business-continuity and disaster-recovery plans tested at least annually;
• personnel screening, written confidentiality undertakings and data-protection training for all staff and contractors who handle Personal Data; and
• vendor due-diligence on sub-processors before engagement and at periodic intervals thereafter.

9.2 Personal Data Breach notification. In the event of a Personal Data breach affecting Personal Data we process, we will, in accordance with section 8(6) of the DPDP Act and rule 7 of the DPDP Rules, 2025: (a) notify the Data Protection Board of India and each affected Data Principal without delay; (b) submit a detailed report to the Board within seventy-two (72) hours of becoming aware of the breach (or such longer period as the Board permits); (c) include in the notification (i) a plain-language description, (ii) the categories and approximate volume of data exposed, (iii) the protective measures the Data Principal can take, (iv) measures we have taken in response, and (v) our contact details for further information; and (d) maintain a record of the breach and the response actions.

9.3 No guarantee. Despite all reasonable safeguards, no security programme is impenetrable. You should keep your account credentials confidential and notify us immediately of any actual or suspected compromise.

10. Children

10.1 The Services are not directed at children. We do not knowingly collect Personal Data of any individual below the age of eighteen (18) years.

10.2 Delivery Partner onboarding explicitly requires a self-declaration of age ≥ 18 plus verification against the date of birth derived from Aadhaar.

10.3 No targeted advertising to children, no profiling, no behavioural monitoring of children, in compliance with section 9 of the DPDP Act read with rule 10 of the DPDP Rules, 2025.

10.4 If we become aware that we hold Personal Data of a child without verifiable consent of a lawful guardian, we will delete it without undue delay. To report such concerns please write to admin@delvexpress.com.

11. Your rights as a Data Principal

Under sections 11 to 14 of the DPDP Act and rule 14 of the DPDP Rules, 2025, you have the following rights:

11.1 Right to access (section 11). You may request a summary of the Personal Data we hold about you, the purposes of processing, the identities of Data Fiduciaries and Data Processors with whom we have shared Personal Data, and any other information prescribed.

11.2 Right to correction, completion, updating and erasure (section 12). You may ask us to correct inaccurate or misleading data, complete incomplete data, update data, or erase data that is no longer necessary. Erasure is subject to retention obligations imposed by Applicable Law (such as the eight-year commercial-records obligation under the Companies Act 2013 and the GST Act 2017, and the Income-tax Act 1961 record-keeping obligations).

11.3 Right to withdraw consent (section 6(4)). Where processing is based on consent you may withdraw it at any time. The withdrawal will be as easy as the original grant. Withdrawal does not affect the lawfulness of processing already carried out or processing that continues under a different lawful basis. Withdrawal may have operational consequences (for example, a Delivery Partner who withdraws KYC consent cannot continue to take assignments).

11.4 Right to grievance redressal (section 13). You can submit a grievance to our Grievance Officer (clause 13 below). We will acknowledge within seven (7) days and resolve within ninety (90) days. Unresolved grievances can be escalated to the Data Protection Board of India.

11.5 Right to nominate (section 14). You may nominate another individual to exercise these rights on your behalf in the event of your death or incapacity. Use the nomination form available on request from admin@delvexpress.com.

11.6 How to exercise. Send a written request to admin@delvexpress.com with the subject line "DPDP Request — [Access / Correction / Erasure / Withdraw Consent / Nominate / Grievance]". Include sufficient information for us to verify your identity. You may also use the in-app "Privacy" screen of the Delv Partner application or the dashboard's "My data" page. Our standard acknowledgement is within seven (7) days and our standard resolution is within thirty (30) days for routine requests and ninety (90) days for complex requests (rule 14).

11.7 No charge for routine requests. Routine requests are processed free of charge. We may charge a reasonable fee for manifestly excessive or repetitive requests, or where the request requires substantial engineering work, and we will inform you of any fee before incurring it.

11.8 Verification. Before responding to a request that materially affects Personal Data, we verify the identity of the requester through OTP confirmation against the registered mobile number, e-mail confirmation against the registered e-mail address, or any other reasonable means.

11.9 Refusals. If we cannot fulfil a request (because, for example, an erasure would prevent us from meeting a statutory retention obligation) we will tell you so, explain the reason, and where applicable offer an alternative such as restriction of processing.

12. Account-deletion path (in-app and on the web)

In compliance with the Google Play Account Deletion policy and our own commitment to user control:

12.1 In-app. From the Delv Partner mobile application, navigate to Profile → Account → Delete my account. The flow confirms the consequences of deletion, allows you to download a summary of your KYC and earnings data, and submits the request.

12.2 On the web. You can submit an account-deletion request at https://delvexpress.com/account-delete without re-installing the app or signing in. Provide the registered mobile number and we will verify the request via OTP.

12.3 What gets deleted. All Personal Data tied to your account is deleted, save for (i) data we are required to retain under Applicable Law (commercial / tax / claim-defence records — see retention table at section 8), (ii) data that has been irreversibly aggregated or anonymised, and (iii) records of the deletion request itself. Retained data is restricted to legal-hold access only.

12.4 Timeline. Standard deletion completes within thirty (30) days. Where a regulatory retention period applies, we will indicate when it expires.

13. Grievance Officer and Data-Protection contact

Pursuant to section 13 of the DPDP Act, rule 9 of the DPDP Rules, 2025, rule 5(9) of the Information Technology (Intermediary Guidelines) Rules 2021 (where applicable) and rule 5(3) of the Consumer Protection (E-Commerce) Rules 2020, the contact details of our Grievance Officer are:

• Name: The Grievance Officer
• Designation: Grievance Officer & Data-Protection Contact Person
• E-mail: admin@delvexpress.com
• Phone: +91 80774 81613 (Mon–Sat, 10:00–19:00 IST)
• Postal address: Grievance Officer, Lazyfoxs Logistics Pvt Ltd, Plot 63, Udyog Vihar Extension, Ecotech-II, Surajpur, Greater Noida, Uttar Pradesh 201306, India

Service standards (as required by rule 9 and rule 14 of the DPDP Rules, 2025):

• We acknowledge every grievance within forty-eight (48) hours.
• For requests covered by sections 11 to 14 of the DPDP Act, we respond within seven (7) days and resolve within ninety (90) days.
• For consumer-protection grievances under the Consumer Protection (E-Commerce) Rules, 2020, we resolve within one (1) month.

If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India established under section 18 of the DPDP Act, through the Board's portal (https://dpb.gov.in or such other URL as the Board notifies), or to the appropriate consumer redressal forum constituted under the Consumer Protection Act, 2019.

14. Cookies and similar technologies

Detailed information about cookies, web beacons and SDKs, including a list of cookies, their purposes, the entities that set them and how to control them, is set out in the Cookie Policy.

Strictly necessary cookies (session, authentication, CSRF protection) are set without consent. Analytical and preference cookies are set only after you grant consent through the cookie banner on first visit, which you can withdraw at any time using the "Cookie Preferences" link in the website footer.

15. Mobile-application permissions (Delv Partner app)

We do not request permissions for SMS, contacts, calendar, microphone, call logs or files outside what is shown in the picker. Permissions can be granted or revoked at any time through Android Settings → Apps → Delv Partner → Permissions. Revoking a required permission will prevent the corresponding feature from functioning.

16. Automated decision-making and profiling

We do not make decisions that produce legal effects on you, or similarly significant effects, solely by automated means. Where AI or ML systems are used (e.g., RTO scoring, courier allocation, fraud signals, ETA prediction), a human reviewer is involved in any decision that materially affects KYC outcomes, Delivery Partner deactivation or claim adjudication. You may request human review of a decision by writing to admin@delvexpress.com.

17. Personnel and third-party access

Internal access to Personal Data is gated by role-based access controls, multi-factor authentication and audit logging. Access is granted on a need-to-know basis, reviewed periodically, and revoked when no longer required. All personnel are bound by written confidentiality undertakings and complete data-protection training at induction and annually.

18. CCTV and physical access controls at Hubs

Hubs may operate closed-circuit television cameras for security and operational quality. Notice of CCTV is posted at the premises. CCTV footage is retained for thirty (30) days and is accessed only by authorised personnel for security, accident investigation, dispute resolution or law-enforcement requests on valid legal process. Badge swipes, vehicle-entry registers and visitor logs at Hubs are retained for twelve (12) months.

19. Changes to this policy

We may update this policy from time to time. Material changes will be notified at least thirty (30) days before they take effect by (a) e-mail to your registered e-mail address, (b) an in-app banner in the Delv Partner application and the Customer dashboard, and (c) updating the "Last updated" date at the top. The current effective version of this policy is the one available at https://delvexpress.com/privacy. Past versions are archived and available on written request to admin@delvexpress.com.

20. How to contact us

• General Privacy contact: admin@delvexpress.com
• Grievance Officer / Data-Protection contact: as set out at clause 13.
• Nodal Officer (law-enforcement requests): admin@delvexpress.com
• Postal: Lazyfoxs Logistics Pvt Ltd, Plot 63, Udyog Vihar Extension, Ecotech-II, Surajpur, Greater Noida, Uttar Pradesh 201306, India.
• Phone: +91 80774 81613 (Mon–Sat, 10:00–19:00 IST).

Related documents

• Terms of Service
• Cookie Policy
• Aadhaar / KYC Consent Notice (Delivery Partners)
• Delivery Partner Agreement
• Account-deletion request
• Contact / Grievance

© 2026 Lazyfoxs Logistics Pvt Ltd. All rights reserved.