Privacy Policy

At a Glance

1. Who This Policy Applies To

This Policy applies to all individuals who access or use the Platform, including:

• Registered users (buyers, sellers, renters, investors)
• Non-Resident Indians (NRIs) and Overseas Citizens of India (OCIs) using our NRI services
• Property consultants and channel partners listed on the Platform
• Estatepreneur referral partners
• Visitors who browse without registering
• Applicants for employment through our Careers section

2. Personal Data We Collect

2.1 Data You Provide Directly

• Identity data: full name, date of birth (optional), gender (optional)
• Contact data: email address, mobile phone number, WhatsApp number
• Account credentials: hashed password (we never store plaintext passwords)
• Property preferences: city, locality, budget range, BHK, transaction type, lifestyle tags, investment goals
• KYC documents: Aadhaar card, PAN card, Passport, salary slips, ITR, bank statements, sale agreement (uploaded voluntarily to My Documents)
• Listing data: property address, pricing, photographs, description (when you list a property)
• Referral data: your name, phone, UPI ID, referee's name and phone (Estatepreneur programme)
• Employment data: resume, cover letter, educational and professional history (job applications)
• Communication data: messages sent via contact forms, IRA chatbot conversation history, consultant enquiries
• NRI data: country of residence, preferred communication platform, bank account type (NRE/NRO/FCNR) — provided voluntarily
• Payment data: we do not store card numbers. Razorpay processes payments and stores card data under PCI-DSS compliance. We retain payment confirmation IDs, transaction amounts, and plan IDs.

2.2 Data Collected Automatically

• Device identifiers (browser type, OS, screen resolution, device ID)
• IP address and approximate geolocation (city/state level)
• Pages visited, search queries, properties viewed, time spent, click patterns
• Session cookies and anonymous session IDs (pc_sid)
• Referring URL and marketing campaign identifiers (UTM parameters)
• Error logs and performance diagnostics

2.3 Data From Third Parties

• Developer/builder data from public RERA portals (for our Developer Directory)
• Consultant ratings aggregated from user reviews
• Property valuation signals from government registry data (where publicly available)

3. Sensitive Personal Data or Information (SPDI)

Under the IT (SPDI) Rules, 2011 and the DPDP Act, the following data we collect is classified as Sensitive Personal Data and is subject to heightened protection:

• Financial information (bank account details, salary, ITR)
• Identity documents (Aadhaar, PAN, Passport)
• Biometric data (Aadhaar contains biometric linkage — we never access or store biometric data itself)

We collect SPDI only with your explicit prior consent, only to the extent necessary, and only for the purposes disclosed in this Policy.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

• Consent: You have given us clear, informed consent — particularly for SPDI, marketing communications, and KYC document uploads.
• Contract performance: Processing is necessary to provide the services you request (account creation, property listings, NRI bookings).
• Legitimate interest: Platform security, fraud prevention, analytics to improve features, and referral programme operations — balanced against your fundamental rights.
• Legal obligation: Compliance with Indian tax laws, FEMA, RERA, and any court or regulatory order.
• Vital interests: In rare circumstances where processing is necessary to protect someone's life or safety.

5. How We Use Your Data

• Service delivery: Creating and managing your account; displaying personalised property listings; running Smart Match AI scoring; enabling IRA chatbot conversations; connecting you with consultants.
• NRI services: Facilitating virtual site visit bookings; providing FEMA compliance guidance; processing NRI loan enquiries.
• Communications: Sending transactional emails (booking confirmations, document status updates, welcome emails) via Resend; sending WhatsApp messages where you have provided your WhatsApp number and consented.
• Marketing: Sending property alerts and promotional content only where you have opted in. You may opt out at any time via the unsubscribe link or by emailing us.
• Safety & security: Rate limiting to prevent brute-force attacks; fraud detection; monitoring for prohibited content; verifying consultant credentials.
• Analytics & improvement: Analysing aggregated, anonymised usage patterns to improve search relevance, AI matching accuracy, and platform performance.
• Legal compliance: Responding to lawful requests from courts, regulators, or law enforcement; maintaining records as required by Indian law.
• Payments: Processing payments via Razorpay for NRI virtual visits and other paid services; reconciling transactions; issuing receipts.

6. Sharing and Disclosure

We do not sell your personal data. We share it only as described below:

6.1 Verified Consultants

When you submit an enquiry about a consultant or a property managed by a consultant, we share your name and contact number with that consultant solely to facilitate your request. Consultants are contractually prohibited from using your data for any other purpose.

6.2 Service Providers (Data Processors)

• Razorpay Financial Solutions Pvt. Ltd. — payment processing (PCI-DSS compliant)
• Resend Inc. — transactional email delivery
• Anthropic PBC / OpenAI — IRA chatbot AI responses (conversation content is processed on their servers under confidentiality agreements; we do not share PII beyond what you type)
• Cloudflare R2 / AWS — encrypted cloud storage for KYC documents
• Upstash Inc. — Redis-based rate limiting and caching (no personal data stored in cache)
• Neon / PostgreSQL hosting — encrypted database hosting
• Sentry — error monitoring (stack traces, anonymised usage; we scrub PII before sending)

All service providers are bound by data processing agreements that prohibit them from using your data for their own purposes and require them to maintain appropriate security.

6.3 Legal and Regulatory Disclosure

We may disclose personal data to government authorities, courts, or law enforcement agencies when required by law, court order, or to protect the legal rights, property, or safety of PropCapital.ai, our users, or the public. Where legally permissible, we will notify you of such a request.

6.4 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the successor entity. We will notify you via email or a prominent notice on the Platform at least 30 days before any such transfer, and the new entity will be required to honour this Privacy Policy or provide equivalent protection.

6.5 Aggregated or Anonymised Data

We may share anonymised, aggregated data (e.g., "search volume for Gurugram properties increased 40% in Q2") with business partners, media, and the public for market insights. Such data cannot reasonably identify you.

7. International Data Transfers

Your data is primarily stored in servers located in India. Some service providers (Anthropic, OpenAI, Resend, Sentry) process data on servers outside India. Where data is transferred outside India, we ensure:

• The recipient country provides an adequate level of data protection as recognised by the Government of India or Data Protection Board
• Appropriate contractual safeguards (Standard Contractual Clauses or equivalent) are in place
• We transfer only the minimum data necessary for the service

NRI users should note that data relating to their Indian property transactions is stored in India and subject to Indian law, regardless of your country of residence.

8. Data Retention

After the retention period, data is securely deleted or permanently anonymised. Deletion requests (see Section 9) are honoured within 30 days, subject to legal retention obligations.

9. Your Rights Under the DPDP Act 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to access (Section 11): Request a summary of personal data we hold about you and the purposes for which it is processed.
• Right to correction and erasure (Section 12): Request that we correct inaccurate or incomplete data, or erase data that is no longer necessary. Erasure may be limited where retention is required by law.
• Right to grievance redressal (Section 13): Lodge a complaint with our Grievance Officer (see Section 13 below) and, if unresolved, with the Data Protection Board of India.
• Right to nominate (Section 14): Nominate another individual to exercise your rights on your behalf in the event of death or incapacity.
• Right to withdraw consent: Withdraw consent for any processing based on consent at any time. This does not affect processing done before withdrawal. Withdrawal may affect your ability to use certain features.
• Right to data portability: Request a machine-readable copy of your account data that you provided to us.
• Right to opt out of direct marketing: At any time, by clicking "Unsubscribe" in any email or by contacting privacy@propcapital.ai.

To exercise any of these rights, email privacy@propcapital.ai with the subject line "Data Rights Request — [Your Right]". We will respond within 30 days. Identity verification may be required.

10. Cookies and Tracking Technologies

10.1 Types of Cookies We Use

• Strictly necessary: pc_sid (anonymous session ID for security and rate limiting) and propcapital_token (authentication JWT). Cannot be disabled without breaking the service.
• Functional: User preferences (city filters, saved comparisons). Stored in localStorage; no server-side cookie.
• Analytics: Anonymised page view and search analytics stored in our own database. We do not use Google Analytics, Meta Pixel, or other third-party tracking scripts.
• Security: CSRF protection tokens and rate-limit identifiers. Automatically expire after 15 minutes.

We do not use advertising cookies, cross-site tracking pixels, or third-party retargeting scripts. Your browsing data is never sold to advertisers.

11. Security

We implement technical and organisational measures appropriate to the sensitivity of the data:

• All data transmitted over TLS 1.2 or higher (HTTPS enforced with HSTS)
• Passwords hashed using bcrypt with cost factor 10 — we cannot read your password
• JWT tokens signed with HS256 — expire after 7 days
• KYC documents stored encrypted at rest in Cloudflare R2 (AES-256) with private presigned URLs (1-hour expiry)
• Database encrypted at rest; production access restricted to authorised personnel via VPN + MFA
• Content Security Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers on all responses
• Rate limiting on all authentication and sensitive endpoints to prevent brute-force attacks
• No sensitive data stored in browser localStorage or cookies except encrypted JWT
• Annual security reviews and penetration testing planned from Q4 2026

Security breach notification: In the event of a data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Board of India and affected users within 72 hours of becoming aware, in accordance with the DPDP Act and applicable rules.

12. Children's Privacy

The Platform is not directed at children under 18 years of age. We do not knowingly collect personal data from minors. Under the DPDP Act, 2023, processing of data of children requires verifiable parental consent. If you believe we have inadvertently collected data of a minor, please contact us immediately at privacy@propcapital.ai and we will delete such data promptly.

13. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, we have appointed a Grievance Officer:

If your complaint is not resolved to your satisfaction within 30 days, you may escalate to the Data Protection Board of India once it is constituted under the DPDP Act, or file a complaint with the Adjudicating Officer under the IT Act, 2000.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

• Update the "Effective Date" at the top of this Policy
• Send you an email notification if you have an account (at least 15 days before changes take effect)
• Post a banner on the Platform for at least 7 days

Your continued use of the Platform after the effective date of any revision constitutes acceptance of the updated Policy. If you do not agree, you must stop using the Platform and may request deletion of your account.

15. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the courts at Gurugram, Haryana, India.