Privacy Policy

1. Who we are

SkyKraft is operated from Mumbai, India. You can reach us at hello@skykraft.in for general queries or at the Grievance Officer address below for privacy-specific requests.

2. What personal data we collect

We only collect data that we need to run the Service, operate safely, and meet our legal obligations. The categories below describe what we may hold about you; what actually applies depends on whether you use the Service as a client, a pilot, or both.

2.1 Account data

• Name, username, profile photo, and role (client, pilot, or admin).
• Mobile number, which we verify by one-time password (OTP) through Firebase Authentication.
• Sign-in events, device tokens, and session information.

2.2 Pilot-specific data

• DGCA Remote Pilot Certificate and related license documents, base location, service radius, gear, portfolio links, and availability.
• Bank, UPI, or RazorpayX payout details, collected only to pay you for completed jobs.
• Verification status and admin review notes maintained by our team.

2.3 Booking and chat data

• Booking requests, acceptances, declines, completion timestamps, cancellations, ratings, and reviews.
• Messages you exchange through SkyChat (our in-app chat). Messages are stored on our backend so they sync across your devices; they are not end-to-end encrypted.
• Shoot location, scheduled time, brief, and any reference material you share in the booking.

2.4 Location data

• Approximate or precise device location, used only when you enable location features (e.g. discovering pilots near you, setting your base as a pilot, or displaying nearby bookings).
• Location data is processed in real time for discovery; we do not build a continuous history of your movements.

2.5 Payment data

• Payments are processed by Razorpay. SkyKraft does not store full card numbers, UPI PINs, net-banking credentials, or CVVs. We receive and store transaction references, amounts, statuses, and payout metadata necessary to reconcile bookings.

2.6 Device and usage data

• Device model, operating system, app version, language, crash logs (via Firebase Crashlytics), and basic usage events used to diagnose issues and improve reliability.
• Push-notification tokens from Firebase Cloud Messaging (FCM), which we use only to deliver booking and chat notifications you have asked for.

3. How we collect your data

• Directly from you when you sign up, complete a profile, upload your license, request or accept a booking, chat, leave a review, or contact support.
• Automatically from your device when you use the Service — for example, the app version, device type, crash logs, and (with your permission) location.
• From our service providers — for example, Razorpay tells us the status of a payment, and Firebase tells us about authentication events or delivery of a push notification.

4. Why we process your data (purposes)

• Run the Service: authenticate you, show you relevant pilots or bookings, process payments and payouts, and deliver notifications you have asked for.
• Verify pilots: review DGCA licenses and approve or reject pilot accounts so clients know who they are hiring.
• Support and safety: resolve disputes, enforce our Terms, detect fraud or misuse, and keep accounts secure.
• Improve the product: diagnose crashes and understand how features are used at an aggregate level.
• Legal and regulatory: comply with Indian tax, payments, and data-protection law, and respond to lawful requests from public authorities.

5. Legal basis (DPDP Act)

Under the DPDP Act, we process your personal data on the following grounds:

• Your consent — we ask for your consent for specified purposes such as sending push notifications, accessing precise location, or any optional processing identified in the app. Before we ask, we tell you (in clear language) what data we will process, the purpose, the rights you have, and how to complain. You can withdraw consent at any time; this does not affect the lawfulness of processing that happened before you withdrew it.
• Certain legitimate uses (“deemed consent”) — for example, where processing is necessary to provide a service you have voluntarily asked for (such as delivering a booking you have created), to comply with a legal obligation, to respond to a medical emergency, or to carry out functions permitted by law.

6. Who we share your data with

We share only what is necessary for the purpose. We do not sell your personal data.

• Other users on the platform. Clients see a pilot’s name, photo, portfolio, base area, verification status, and ratings. Pilots see the booking details and contact method the client has chosen to share. A review you post on a pilot’s profile is visible to other clients.
• Our processors.
  • Google / Firebase (authentication, Firestore database, Cloud Storage, Cloud Functions, Cloud Messaging, Crashlytics, Google Maps) — backend and infrastructure.
  • Razorpay — booking payments, refunds, and pilot payouts via RazorpayX.
  • Apple and Google — app distribution (App Store, Play Store) and push-notification delivery (APNs, FCM).
  These providers process your data under contract, on our instructions, and for the specific purpose we have engaged them.
• Legal and regulatory authorities — where disclosure is required by law, a court order, or is necessary to protect the rights, safety, or property of SkyKraft, our users, or the public.
• Business transfers — if SkyKraft is acquired, merges with another business, or transfers substantially all of its assets, your personal data may be transferred as part of that transaction. We will notify you and give you a chance to exercise your rights before your data becomes subject to a different privacy policy.

7. Cross-border transfers

Firebase and several other service providers host data in jurisdictions outside India (our Firestore region is us-central1, located in the United States). Under the DPDP Act, personal data may be transferred outside India except to countries that the Central Government notifies as restricted. Where we transfer data internationally, we use providers that offer contractual and technical protections appropriate to the sensitivity of the data.

8. How long we keep your data

We keep your personal data only for as long as is needed for the purpose for which it was collected:

• Active accounts: while your account is open, plus a short period afterwards to resolve disputes, finalise payouts, and meet legal record-keeping obligations.
• Bookings, invoices, and payment records:retained for the period required under Indian tax, accounting, and payments law (typically up to 8 years for books of account).
• Chat and reviews: retained while the related pilot profile is active; deleted or de-identified when the profile is removed.
• Marketing/optional data: retained until you withdraw consent.

When the purpose is exhausted and retention is no longer required by law, we erase personal data or anonymise it so that it can no longer be associated with you.

9. Security

We use reasonable technical and organisational safeguards to protect your personal data, including encryption in transit, encrypted storage, access controls, role-based permissions, server-side enforcement of admin-only fields, and logging. No system is fully secure; please protect your own credentials, keep your app up to date, and use a device lock.

If we become aware of a personal-data breach that is likely to affect you, we will notify you and the Data Protection Board of India in line with the DPDP Act.

10. Your rights under the DPDP Act

As a Data Principal you have the following rights:

• Right to information about processing — request a summary of the personal data we are processing and the processing activities.
• Right to correction and erasure — ask us to correct inaccurate or incomplete data, update outdated data, or erase data no longer required for a lawful purpose.
• Right to withdraw consent — withdraw any consent you have given. You can disable push notifications or location permissions from your device settings; for any other consent, email the Grievance Officer below.
• Right of grievance redressal — raise a complaint with our Grievance Officer. If you are not satisfied with our response, you may approach the Data Protection Board of India.
• Right to nominate — nominate another individual who may, in the event of your death or incapacity, exercise these rights on your behalf. Write to us to register a nomination.

You can delete your account directly from the app (Profile → Settings → Delete Account). Deleting your account removes your profile and triggers erasure of personal data we do not need to keep for legal or accounting reasons.

11. Children’s data

The Service is intended for users aged 18 or over. We do not knowingly collect personal data from a child (defined as an individual under 18 years of age) or process a child’s data without the verifiable consent of a parent or lawful guardian.

We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children. If you believe a child has provided us with personal data, please contact the Grievance Officer so we can delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above and, if the change is material, notify you in the app or by email. Continued use of the Service after the effective date means you accept the updated policy.

13. Contact us & Grievance Officer

For general privacy queries: privacy@skykraft.in.

For grievance redressal under the DPDP Act:

• Grievance Officer (SkyKraft)
• Email: grievance@skykraft.in
• Address: Mumbai, Maharashtra, India

We will acknowledge your request within a reasonable time and respond within the timelines prescribed by the DPDP Act and its rules. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is established and operational.