Privacy Policy

Effective date: 31 May 2026 · Last updated: 31 May 2026

Eltaman ("we", "us") provides a delivery management platform consisting of a web dashboard for merchants and dispatchers and a mobile driver application ("Eltaman Driver"). This policy explains what personal data the platform collects, why we collect it, who it is shared with, how long we keep it, and the rights you have over it.

Operator: Eltaman — Limited Liability Company (Masuliyati Cheklangan Jamiyat, "MCHJ"), registered in Uzbekistan. Contact: eltamandms@gmail.com.

1. Who this policy applies to

Drivers who install and sign in to the Eltaman Driver mobile application.
Merchant employees (owners, dispatchers, admins) who sign in to the web dashboard.
Recipients whose delivery orders are dispatched through the platform — limited to the data the merchant supplies when creating an order (name, phone, address).

2. Data we collect

Category	Examples	When
Account	Name, email, phone number, password (hashed), preferred language, role.	Account creation and updates.
Driver location	Precise GPS (latitude, longitude, accuracy, heading, speed). Foreground and background while on shift.	Only while the driver is logged in and assigned to an active route. Driver can stop sharing by logging out or going offline.
Photos	Proof-of-delivery photos and optional signature images captured at delivery / pickup stops.	When the driver completes a stop and uploads proof.
Order details	Pickup and delivery addresses, recipient name and phone (provided by the merchant), parcel description, COD amount, status updates.	Throughout the order lifecycle.
Device & technical	Device model, operating system version, app version, crash logs, network type. IP address at sign-in.	Each request and on app launch.
Activity	Logins, status changes, route actions (accept, start, arrive, complete, fail).	For audit and dispute resolution.

3. Why we use this data

Service delivery. Route drivers, share live ETA with merchants and customers, accept and complete stops, capture proof of delivery, settle cash on delivery.
Security. Detect unusual sign-ins, enforce session limits, block compromised credentials.
Support and disputes. Reproduce issues a driver or dispatcher reports; respond to delivery disputes.
Compliance. Retain settlement and COD records as required by Uzbek commercial law.
Improving the product. Aggregate, de-identified analytics about feature usage and crash rates.

We do not use personal data for advertising and we do not sell it to third parties.

4. Who we share data with

The merchant who employs the driver. The merchant sees their own drivers, orders, routes and POD media in their tenant dashboard. Drivers do not see data from other merchants.
Recipients may see a public tracking page with the order status and the driver's current ETA when the merchant shares a link.
Infrastructure providers we use to operate the service: DigitalOcean (hosting, in the EU), Cloudflare (DNS and edge cache), and Telegram (driver and dispatcher notifications when enabled).
SMS gateways (bring-your-own-key). If a merchant configures SMS notifications for their tenant, we forward the recipient's phone number and the notification text to the SMS gateway the merchant has selected. Common providers are Eskiz (Uzbekistan) and BudgetSMS (international). The merchant supplies the API key; we do not share data with any SMS provider the merchant has not configured, and you can ask the merchant to disable SMS notifications for your number.
Maps and routing. We run self-hosted OpenStreetMap-based routing and geocoding on our own servers. For some text address searches we may fall back to the public Nominatim service operated by the OpenStreetMap Foundation.
Authorities when we are legally required to disclose (court order, valid law-enforcement request).

5. Mobile app permissions

Android

ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_BACKGROUND_LOCATION — to position the driver on the map and update live ETA. Background location is used only while a route is active; it stops when the driver logs out or ends the route.
CAMERA, READ_MEDIA_IMAGES — to capture and upload proof-of-delivery and signature photos.
POST_NOTIFICATIONS — to alert the driver about new routes and order updates.
FOREGROUND_SERVICE, FOREGROUND_SERVICE_LOCATION — to keep the location channel alive on Android 14+.
INTERNET — required for the app to talk to our server.

You can revoke any of these in Android Settings → Apps → Eltaman Driver → Permissions. Revoking location will disable route tracking.

iOS

Applies once the iOS build is published to the App Store.

NSLocationWhenInUseUsageDescription and NSLocationAlwaysAndWhenInUseUsageDescription — to position the driver on the map and update live ETA, including while the app is in the background during an active route.
NSCameraUsageDescription — to capture proof-of-delivery and signature photos.
NSPhotoLibraryUsageDescription, NSPhotoLibraryAddUsageDescription — to attach an existing photo as proof of delivery and to save POD photos to the device library if the driver chooses.
Push notifications (via Apple Push Notification service) — to alert the driver about new routes and order updates.

You can revoke any of these in iOS Settings → Eltaman Driver. Revoking location will disable route tracking.

6. Cookies and local storage

Eltaman uses only first-party, strictly necessary storage. We do not use third-party marketing or advertising cookies and we do not embed any third-party analytics scripts on the marketing landing or the dashboard.

Web dashboard (app.eltaman.com)

dms_token — HttpOnly, Secure, SameSite=Lax cookie that holds your signed-in session (a short-lived JWT). Required for authentication; cleared on sign-out.
csrf_token — companion cookie used to protect state-changing requests against cross-site forgery. Required for any write action.
Browser localStorage — used to remember non-sensitive UI preferences only: chosen language, light/dark theme, last-used table filters and column layouts. No personal data, no tokens.

Marketing landing (eltaman.com)

Language preference stored in localStorage so visitors return to the same locale.
No tracking cookies, no Google Analytics, no Meta Pixel, no advertising network beacons.

Mobile app

Authentication tokens and the cert-pin fingerprint are stored in the platform secure keystore (Android EncryptedSharedPreferences / iOS Keychain) via flutter_secure_storage. Tokens are erased on sign-out and on app uninstall.
An on-device SQLite cache holds order, route and POD data so the app keeps working when the network drops. The cache is wiped on sign-out.

7. How we secure data

All traffic between the apps and our servers uses TLS 1.2+. The mobile app pins our server certificate.
Passwords are stored as salted hashes (bcrypt). Session tokens are short-lived JWTs.
Per-tenant data isolation is enforced at the database layer (PostgreSQL row-level security).
Backups are encrypted at rest and retained for 30 days.

8. How long we keep data

Account: while the account is active, then 30 days after deletion request.
Order, route, POD photos, COD settlement: 7 years (Uzbek commercial-record retention).
Driver location history: 30 days, after which only aggregated route metadata is kept.
Crash logs and device diagnostics: 90 days.

9. Your rights

Access. Request a copy of your personal data.
Correction. Ask us to correct inaccurate data.
Deletion. Ask us to delete your account. Operational records tied to completed orders may be retained as required by law (see Section 8).
Withdraw consent. Revoke optional permissions in Android Settings or stop using the app.
Complaint. Contact us first; you may also contact the data protection authority in your country.

To exercise any of these, email eltamandms@gmail.com from the email tied to your account. We respond within 14 days.

10. Children

The driver app is intended for users 18 and older. We do not knowingly collect data from children.

11. Changes to this policy

We will publish material changes here and update the "Last updated" date. Significant changes that affect what we collect or share will also be communicated to merchants by email so they can inform their drivers.

12. Contact

Eltaman — eltamandms@gmail.com

← Back to eltaman.com