MezZingo — Privacy Policy
This Privacy Policy is published as an electronic record under the Information Technology Act, 2000 and in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the rules made thereunder. It explains how Midgaw Private Limited, operating the MezZingo platform (“MezZingo”, “We”, “Us”), collects, uses, shares, transfers, retains and protects Your personal data, and the rights available to You. It applies to all Users of the MezZingo website and mobile application. Where this Policy is read by Users in the EU/UK, Canada or the GCC, the corresponding regional terms apply and the additional protections in clauses 9 and 11 are extended to them.
Company Information
The MezZingo platform is owned and operated by Midgaw Private Limited, a company incorporated under the Companies Act, 2013. The following particulars are published in compliance with the Consumer Protection (E-Commerce) Rules, 2020 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
| Particular | Detail |
|---|---|
| Operating company | Midgaw Private Limited |
| Brand / platform | MezZingo |
| Corporate Identity Number (CIN) | U56210KA2025PTC203500 |
| Permanent Account Number (PAN) | AATCM4444Q |
| Tax Deduction and Collection Account Number (TAN) | BLRM51982A |
| Date of incorporation | 29 May 2025 |
| Registered office | #15/A, 31, 2nd Cross, Balaji Nagar, S.G Palya, Tavarekere, Bangalore - 560029, Karnataka, India |
| Customer support | support@mezzingo.com |
| Grievance Officer | grievance@mezzingo.com |
| Nodal Officer | nodal@mezzingo.com |
| Business hours | Monday to Saturday, 9:00 AM to 10:00 PM IST |
1. Roles and Scope
For the DPDP Act, Midgaw Private Limited is the Data Fiduciary; for the EU/UK General Data Protection Regulation (“GDPR”) it is the Controller; for Canada’s PIPEDA, the accountable organisation; and a corresponding role applies under applicable GCC data-protection law. Where MezZingo processes data only on a Service Partner’s documented instructions, it acts as a Data Processor for that limited purpose.
2. Notice and Consent
Where processing is based on consent, We request it through a clear, itemised notice presented at or before the point of collection, in accordance with Section 5 of the DPDP Act — describing the personal data sought, the purpose, the manner of exercising Your rights, and the manner of complaining to the Data Protection Board of India. Consent is free, specific, informed, unconditional and unambiguous, and is limited to the data necessary for the stated purpose. You may give or withdraw consent directly or, when the framework is operational, through a Consent Manager registered with the Board. Withdrawing consent is as easy as giving it and does not affect processing already carried out or processing on another lawful basis.
3. Categories of Personal Data Collected
- Identifiers & contact data — name, mobile number, email address, profile photograph, account identifier, and saved delivery addresses.
- Authentication data — one-time-password verification events (SMS and WhatsApp channels), session tokens, login timestamps and device-session metadata.
- Precise geolocation — GPS coordinates captured at high accuracy, with Your permission, for mess discovery, delivery-address resolution and live order tracking; collected in the foreground at the point of use, and not in the background.
- Transaction & financial data — subscription tier and plan, meal selections, order history, Wallet ledger and balance, payment method and a tokenised payment reference. We do not store full card numbers, CVV or banking credentials — these are handled within the payment gateway’s PCI-DSS environment.
- Device & technical telemetry — device model, operating-system and app version, IP address, language, push-notification token, and crash and diagnostic reports.
- Communications & chat data — in-app order chat with Service Partners and Delivery Partners; AI-chatbot conversation logs (Your inputs, bot responses, detected intent, confidence scores and escalation events); support tickets and grievance correspondence.
- Inferred data — fraud and integrity signals from automated checks, and service-usage and preference inferences.
4. Device Permissions
The mobile application requests the following device permissions, each used only for the stated purpose and each revocable at any time through Your device settings (revoking a permission may disable the related feature):
| Permission | Purpose |
|---|---|
| Location | Mess discovery, delivery-address resolution, live order tracking |
| Camera / Photos | Setting a profile photograph; attaching evidence to a complaint |
| Notifications | Order, delivery, payment and grievance alerts |
| Storage / Files | Saving invoices and downloaded passbook documents |
| Network state | Detecting connectivity to operate the app reliably |
5. Purposes and Lawful Basis of Processing
| Purpose | Data used | Lawful basis |
|---|---|---|
| Create and operate Your account; deliver the food and services ordered | Identifiers, transaction data, geolocation | DPDP: processing necessary for the service requested. GDPR: Art. 6(1)(b). |
| One-time-password authentication and account security | Authentication data, device telemetry | Necessary for the service; legitimate security interest. GDPR: Art. 6(1)(b),(f). |
| Process payments and prevent payment fraud | Transaction data, payment reference, integrity signals | Necessary for the service; legal obligation. GDPR: Art. 6(1)(b),(c). |
| Live delivery tracking | Precise geolocation, order data | Necessary for the service requested. GDPR: Art. 6(1)(b). |
| Service / transactional notifications | Notification token, order data | Necessary for the service. GDPR: Art. 6(1)(b). |
| Promotional / marketing communication | Identifiers, preferences | Consent, withdrawable at any time. GDPR: Art. 6(1)(a). |
| Tax, accounting and statutory record-keeping | Transaction data | Legal obligation. GDPR: Art. 6(1)(c). |
| Crash diagnostics, debugging and service optimisation | Device telemetry, error logs | Legitimate interest in a secure, functioning service. GDPR: Art. 6(1)(f). |
| AI chatbot operation and Knowledge-Base improvement | Chat logs (de-identified for improvement) | Necessary for the support service; legitimate interest. GDPR: Art. 6(1)(b),(f). |
6. AI Chatbot and Automated Processing
- Messages sent to the in-app AI chatbot are transmitted to a third-party generative-AI provider to produce a response, and the conversation is stored against Your account.
- Do not enter passwords, one-time passwords, full card numbers or government-identifier numbers into the chatbot. An automated input filter rejects recognisable credential and payment patterns, but You remain responsible for what You type.
- Transcripts are used to resolve Your query, to escalate to a human agent where the AI cannot answer, and — only in de-identified, aggregated form — to improve the Knowledge Base and response quality.
- The chatbot makes no decision producing a legal or similarly significant effect on You without human review; refund, suspension and payment outcomes are human-reviewable.
- You may request deletion of Your chatbot history through the deletion flow in clause 11.
7. Cookies and Tracking Technologies
The MezZingo website and application use cookies, local storage, software development kits and similar technologies that are strictly necessary to authenticate sessions, remember preferences, maintain security and operate core features. We also use analytics and crash-reporting technologies to understand usage and improve stability. Non-essential analytics are used on the basis of legitimate interest or, where required by applicable law, consent; You may manage non-essential tracking through Your browser or device settings. Disabling strictly necessary technologies may prevent the Platform from functioning.
8. Recipients and Disclosure
Personal data is shared only with: (a) Service Partners and Delivery Partners, strictly to fulfil Your Order — for example, the Delivery Partner is shown the delivery address and contact number; (b) processors acting on Our documented instructions — the cloud hosting, database, messaging and crash-reporting provider, the payment gateway, SMS and WhatsApp one-time-password providers, and the generative-AI provider; (c) professional advisers, auditors and insurers under confidentiality; (d) a prospective or actual successor in a merger, acquisition or reorganisation, under equivalent confidentiality and protection; and (e) courts, regulators and law-enforcement authorities where disclosure is legally compelled. MezZingo does not sell personal data and does not share it for third-party advertising.
9. International Data Transfers and Cross-Border Flows
- Storage. Primary Platform data is hosted on cloud infrastructure in the Mumbai (India) region; certain processors may process limited data outside India.
- DPDP Act. Cross-border transfer is made only to countries not restricted by Central Government notification; We monitor and comply with any such notified restriction and will localise affected processing if required.
- GDPR. Transfers of EEA/UK data to India and other third countries are made under Standard Contractual Clauses, with a transfer-impact assessment and encryption safeguards.
- Canada (PIPEDA). Canadian Users are notified that data processed outside Canada becomes subject to the laws of the processing jurisdiction; We remain accountable for comparable protection by contract.
- GCC. Transfers comply with the applicable national law’s conditions (adequacy, contractual safeguards, or explicit consent for the requested service).
- Payment-data localisation. Payment data governed by the Reserve Bank of India’s storage directive is stored within India by the payment gateway.
10. Retention and Erasure
| Data category | Retention period | Driver |
|---|---|---|
| Transaction, invoice and tax records | 8 years from end of the relevant financial year | Income-tax Act; CGST Act (72 months) - longest applicable period applied |
| Payment references and anti-money-laundering records | 5 years from transaction / account closure | PMLA, 2002 |
| Account profile and identifiers | Account life + 90-day grace window, then erased / anonymised | DPDP storage limitation; app-store deletion policy |
| Precise geolocation history | 90 days rolling; longer only if tied to an active dispute | Storage limitation |
| Order chat and AI-chatbot transcripts | 12 months, then deleted or de-identified | Support quality + storage limitation |
| Crash / diagnostic and API error logs | 180 days | Security and debugging |
| Grievance and dispute correspondence | 3 years from resolution | Limitation Act; dispute defence |
| Marketing-consent records | Until withdrawal + 3 years | DPDP / GDPR accountability |
11. Your Rights as a Data Principal / Data Subject
Subject to verification of identity, You may: access a summary of the personal data We hold and Our processing of it; correct, complete or update it; erase it; withdraw consent; and nominate another individual to exercise Your rights in the event of death or incapacity (DPDP Act). Users in the EU/UK additionally have the rights to a portable copy, to restrict or object to certain processing, and not to be subject to a solely automated significant decision without human review. Requests are actioned within the statutory timeline (ordinarily one month). Exercising rights is free; a manifestly unfounded or excessive request may attract a reasonable fee or a reasoned refusal. To exercise any right, contact the Data Protection contact in the Company Information section.
12. Account Deletion
You may request account deletion through in-app Settings or by emailing support@mezzingo.com from Your registered email. On a permanent-deletion request the account is deactivated immediately; data not under a legal retention obligation is erased or irreversibly anonymised within 30 days; data within the retention table in clause 10 is segregated, access-restricted, retained only for the stated period and then erased; and You receive confirmation. A discoverable in-app deletion route is maintained as required by Google Play and Apple App Store policy.
13. Security
We apply reasonable security safeguards including encryption of data in transit (TLS) and at rest, role-based access controls, abuse-prevention and rate-limiting controls, audit logging, and periodic review. No method of transmission or storage is perfectly secure; while We strive to protect Your data, We cannot guarantee absolute security.
14. Children’s Data
The Platform is not directed to children. Users must be 18 years or older, or have verifiable parental consent where the DPDP Act so permits. We do not knowingly process a child’s personal data without verifiable consent of a parent or lawful guardian, and We do not undertake tracking, behavioural monitoring or targeted advertising directed at children. If You believe a child’s data has been collected without such consent, contact the Data Protection contact and We will delete it.
15. Personal-Data Breach Notification
On becoming aware of a personal-data breach, We will assess and contain it and will notify the Data Protection Board of India and each affected Data Principal in the form and within the timelines required by the DPDP Act and its rules; where the GDPR applies, We will notify the lead supervisory authority within 72 hours and affected data subjects without undue delay where the breach poses a high risk.
16. Third-Party Links and Services
The Platform may contain links to, or integrations with, third-party websites and services that We do not control. This Privacy Policy does not apply to those third parties; their own privacy policies govern. We are not responsible for their content or practices.
17. App-Store Data-Safety Disclosures
The data categories, purposes, sharing and retention described in this Policy are the source of truth for the data-safety and privacy disclosures published on the Google Play Store and the Apple App Store. Where an app-store disclosure and this Policy appear to differ, this Policy, read with the Terms and Conditions, governs, and We will reconcile the disclosure.
18. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes are notified in-app and by email at least 7 days before they take effect. Continued use of the Platform after the effective date constitutes acknowledgement of the updated Policy.
19. Grievances and Supervisory Authorities
For any question, request or complaint regarding Your personal data, contact the Grievance Officer / Data Protection contact in the Company Information section; complaints are acknowledged within 48 hours and resolved within one month. An unresolved grievance under the DPDP Act may be escalated to the Data Protection Board of India. Users in the EU/UK may complain to their lead supervisory authority; users in Canada to the Office of the Privacy Commissioner of Canada; and users in the GCC to the relevant national data-protection authority.