Your data, handled honestly.

Who we are

XOOM ("we", "us", "the Platform") is a technology platform operated in Karachi, Pakistan. For the purposes of this Policy, we are the data controller of personal information you provide while using XOOM Passenger or XOOM Captain.

If you have any questions about this Policy or how your data is handled, contact us at privacy@xoomrides.com.

What data we collect

From all users:

• Phone number — used as the primary login identifier (verified via OTP).
• Name — shown to your match (Captain or Passenger) so they can identify you.
• Profile picture (optional) — uploaded from your device.
• Email address (optional) — used for receipts, weekly bills (Captains only), and account recovery.
• Device information — operating system, app version, device ID, and push notification token, used for delivering ride alerts and diagnosing crashes.

From Captains, additionally:

• CNIC (front + back) for identity verification.
• Driving licence for legal eligibility to drive.
• Vehicle registration document and vehicle photos.
• Vehicle details — make, model, year, colour, registration number, vehicle type.
• Bank or mobile wallet identifier — only if you choose to receive digital payouts.

Generated automatically:

• Ride history — pickup and drop-off coordinates, timestamps, fare, vehicle type, route.
• Ratings and chat messages exchanged during a ride, retained for safety review.
• Billing records for Captains — number of completed rides, weekly bill amounts, payment status.
• Login and session logs — for fraud prevention and account security.

How we use your data

• Run the service — match Passengers and Captains, route rides, calculate fares, generate Captain bills.
• Verify identity — for KYC compliance on the Captain side.
• Keep users safe — review chat and ratings if a complaint is filed; identify Captains and Passengers in dispute resolution.
• Communicate with you — send OTP codes, ride status updates, weekly bills, support replies, and important policy changes.
• Improve the platform — diagnose crashes, fix bugs, analyse aggregated usage to improve features.
• Comply with the law — respond to lawful requests from regulators or law enforcement.

Who we share with

With your match on a ride:

When a ride is accepted, the Captain and Passenger see each other's name, profile picture, phone number (so you can call before pickup), and live location. The Captain sees the Passenger's pickup and drop-off; the Passenger sees the Captain's vehicle make, model, colour, and registration number.

With service providers:

• Hosting and infrastructure providers who store data on our behalf (encrypted at rest and in transit). They cannot use your data for their own purposes.
• SMS and push notification gateways — to deliver OTP and ride alerts.
• Map and routing providers — to display maps, calculate routes and ETAs. Coordinates are shared with these providers only for the duration of the request.

With law enforcement:

We share data with Pakistani authorities only when legally compelled by a court order, FIA notice, or valid request under the Prevention of Electronic Crimes Act 2016 (PECA). We may also voluntarily share data in genuine safety emergencies (e.g. a ride in progress where a Passenger or Captain is in danger).

What we do not share:

We do not share your data with marketing companies, social networks, data brokers, or analytics platforms that build user profiles for advertising.

Location data — read this

Location is the most sensitive data we handle. Here is exactly what we do:

• Passengers — we read your precise location when the app is open, to show nearby Captains, set your pickup point, and track ride progress. We do not collect background location when the app is closed.
• Captains — we read your precise location only while you are online. This includes background updates so a Passenger can see you approach pickup. The moment you go offline, location collection stops.
• Storage — location pings are kept for the duration of a ride and the ride record (start, end, route polyline). After 12 months we anonymise old ride locations for analytics; raw GPS pings are deleted.
• Sharing — your live location during a ride is visible only to your matched counterparty and to XOOM support staff dealing with that ride.

Where your data is stored

Your data is stored on encrypted servers operated by XOOM. Servers are physically located in data centres operated by reputable hosting providers; the location may be in Europe or in Pakistan, depending on infrastructure availability. All data is encrypted in transit (HTTPS / TLS 1.2+) and encrypted at rest in our database.

We use the same data, with the same protections, regardless of where you live or where your trip happens.

How long we keep it

• Account data (name, phone, email, profile photo) — kept while your account is active.
• Ride records — kept for 7 years for tax, audit, and legal-defence purposes (this is the standard limitation period for civil and tax claims in Pakistan).
• Chat messages and ratings — kept for 12 months, then deleted unless required for an active investigation.
• Captain KYC documents — kept while the Captain is registered, plus 3 years after deactivation, for legal record-keeping.
• Server logs (IP, timestamps) — kept for 90 days.
• OTP codes — discarded immediately after verification (kept only briefly to validate the code).

If you request account deletion, we delete or irreversibly anonymise everything we are not legally required to retain, within 30 days of the request.

Your rights

You always have the right to:

• Access the data we hold about you. Email privacy@xoomrides.com and we will reply within 30 days with an export.
• Correct inaccurate data — most of it (name, profile picture, email, vehicle details) you can edit directly in the app.
• Delete your account and your associated data. Tap Profile → Account → Delete Account, or email us. Deletion is irreversible.
• Withdraw consent for any optional processing — though revoking core processing (location, phone, name) means the service can no longer function and your account will be closed.
• Object to specific processing or lodge a complaint by writing to us at the address in Clause 13.

We respond to verified rights requests at no cost. If a request is excessive or repeated, we may charge a reasonable fee or decline, and we will explain why.

Security

• All traffic between the app and our servers is encrypted using TLS 1.2 or higher.
• Database fields containing sensitive data (CNIC, driving licence, bank details) are encrypted at rest.
• Passwords are not stored in plaintext — we use OTP-based authentication, so there is no password to leak.
• Internal access to user data is restricted to staff who need it for support or platform operations, on a least-privilege basis, with audit logging.
• We patch and update our infrastructure regularly and run periodic security reviews.

No system is perfectly secure. If we ever detect a breach that materially affects you, we will notify you directly within 72 hours of becoming aware, by SMS or email, with an explanation of what happened and what you should do.

Children

XOOM is intended for users 18 or older. We do not knowingly create accounts for or collect data from children under 18. If you believe a child has registered with us, contact privacy@xoomrides.com and we will close the account and delete the data immediately.

Cookies & device IDs

The XOOM apps use a small number of standard mechanisms:

• Session tokens — to keep you logged in. Stored on your device and invalidated when you log out.
• Push notification token — to deliver ride alerts and updates. You can disable notifications in your device settings.
• Crash reporting — anonymised crash logs to fix bugs. No identifying user data is sent with these logs.

The xoomrides.com website uses only essential cookies needed to operate. We do not use third-party tracking, analytics, or advertising cookies.

Changes to this Policy

We may update this Policy as the service evolves or as the law changes. The date at the top of this page reflects the latest version. Material changes (anything affecting your rights or what data we collect) will be notified in-app and by SMS or email at least 14 days before they take effect. Continued use after the notice period means you accept the update.

Contact

• Privacy questions or rights requests: privacy@xoomrides.com
• General support: support@xoomrides.com
• In-app: Profile → Contact XOOM
• Registered office: to be listed once incorporation details are finalised

This Policy is governed by the laws of the Islamic Republic of Pakistan, including the Electronic Transactions Ordinance 2002, the Prevention of Electronic Crimes Act 2016 (PECA), and applicable consumer-protection legislation. Disputes will be heard in the courts of Karachi.