Privacy Policy

Last updated: 5 May 2026  ·  Compliant with DPDP Act 2023, IT Rules 2011

Rent Right Technologies Private Limited ("Rent Right", "we", "us") is committed to protecting the privacy of all users. This Privacy Policy explains how we collect, use, share, and protect personal data in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other applicable Indian laws.

1. Who We Are

We are a Data Fiduciary as defined under the DPDP Act 2023. Our registered office is in Hyderabad, Telangana, India.

Contact: privacy@rentright.in

2. Data We Collect

We collect the following categories of personal data:

Category | Examples | Source
Identity Data | Full name, date of birth, gender | Registration form
Contact Data | Email address, mobile number, WhatsApp number | Registration / KYC
Property Data | Property address, rent amount, ownership documents | Landlord dashboard
Identity Documents | Aadhaar (masked), PAN, photograph | KYC flow
Financial Data | Bank account (last 4 digits), UPI VPA, payment history | Payment processing
Device Data | IP address, device ID, browser type, OS version | Automatic
Usage Data | Features accessed, session duration, click paths | Analytics
Communication Data | Support tickets, chat logs | Customer support
Location Data | City-level location (to display relevant vendors) | With your permission

3. Sensitive Personal Data (SPDI)

The following data is classified as Sensitive Personal Data or Information under Rule 3 of the SPDI Rules, 2011, and receives enhanced protection:

  • Aadhaar number (only the masked version is handled; full Aadhaar is processed by UIDAI's servers directly);
  • Financial account information (bank account details for rent receipt);
  • Biometric data used for facial verification (if enabled);
  • Health information (only if disclosed voluntarily in maintenance requests).

We collect SPDI only with your explicit, informed, written consent as required under Rule 5 of the SPDI Rules. You may withdraw consent at any time (see Section 12).

4. Purpose & Legal Basis

We process personal data for the following purposes and on the following legal bases:

Purpose | Legal Basis (DPDP Act)
Account creation & authentication | Consent / Contractual necessity
Aadhaar KYC verification | Legal obligation (PMLA, RBI KYC Directions)
Processing rent payments (UPI) | Contractual necessity
Sending WhatsApp rent reminders | Consent (WhatsApp opt-in)
Generating digital rent agreements | Contractual necessity
Deposit Shield administration | Contractual necessity
Vendor dispatch notifications | Legitimate interest
GST invoice generation | Legal obligation (GST Act 2017)
Fraud detection & AML compliance | Legal obligation (PMLA)
Product analytics & improvement | Legitimate interest
Marketing (opted-in users only) | Consent

5. How We Use Your Data

We use your data to:

  • Provide, operate, and improve the Platform;
  • Verify identity and prevent fraud;
  • Process and track rent payments;
  • Generate and store tenancy agreements and GST receipts;
  • Send transactional communications (payment confirmations, reminders, maintenance updates);
  • Comply with applicable laws including GST, Income Tax, and PMLA;
  • Respond to your support requests;
  • Conduct internal analytics to improve product features.

We do not sell, rent, or trade your personal data to third parties for their own marketing purposes.

6. Data Sharing & Disclosure

We share data only as described below:

Recipient | Purpose | Safeguards
Razorpay / Payment Aggregator | Payment processing | RBI-licensed, PCI DSS compliant
UIDAI (via licensed KUA) | Aadhaar OTP authentication | UIDAI regulations
AWS S3 / Cloud storage | Document & data storage | AES-256 encrypted, India region
Twilio / Meta | WhatsApp & SMS delivery | Data processing agreement (DPA)
Tax authorities | Statutory reporting (TDS, GST) | Legal obligation
Law enforcement | Court orders, national security | Only as legally required
Successor entities | Merger or acquisition | User notice given

All third-party processors are bound by data processing agreements that prohibit secondary use of your data.

7. International Transfers

As an NRI-focused platform, your data may be accessed by our team members or processors located outside India (e.g., for customer support). Such transfers are made only to countries with adequate data protection standards or with appropriate contractual safeguards (Standard Contractual Clauses) in place.

Your SPDI and sensitive KYC data is never transferred outside India unless required by law or with your explicit consent.

8. Data Localisation

In compliance with emerging requirements under the DPDP Act 2023, all primary user data is stored on servers located within India (AWS Mumbai region). Payment data is governed by RBI's data localisation circular of 2018, and all payment data is stored exclusively in India.

9. Cookies & Tracking

We use the following cookies:

Type | Purpose | Duration
Essential / Session | Authentication, security, CSRF protection | Session
Preference | Language and UI settings | 1 year
Analytics (anonymised) | Understand usage patterns (no PII) | 90 days

We do not use advertising, retargeting, or third-party tracking cookies. You may manage cookie preferences via your browser settings. Disabling essential cookies may impair Platform functionality.

10. Data Retention

Data Type | Retention Period | Basis
Account & profile data | Duration of account + 7 years | Tax & legal (IT Act 1961)
Payment records | 8 years from transaction date | PMLA, GST Rules
Rent agreements | 10 years from agreement date | Limitation Act 1963
KYC documents | 5 years from account closure | PMLA / RBI KYC Directions
Support communications | 3 years | Consumer Protection Act 2019
Device / access logs | 180 days | IT Rules 2021

After the applicable retention period, data is securely deleted or anonymised.

11. Security Practices

We implement security measures meeting or exceeding the standards specified in Rule 8 of the SPDI Rules, 2011, including:

  • Encryption: TLS 1.3 for data in transit; AES-256 for data at rest;
  • Access Control: Role-based access; principle of least privilege;
  • Infrastructure: AWS VPC isolation; private subnets for databases;
  • Vulnerability Management: Regular penetration testing and security audits;
  • Incident Response: Data breach notification to the Data Protection Board within 72 hours as required by DPDP Act (upon commencement of relevant provisions).

12. Your Rights (DPDP Act 2023)

Under the Digital Personal Data Protection Act, 2023, you ("Data Principal") have the following rights:

Right | What It Means
Access | Know what personal data we hold about you
Correction | Request correction of inaccurate data
Erasure | Request deletion of data not required for legal purposes
Withdraw Consent | Withdraw previously given consent (affects future processing only)
Grievance Redressal | File complaints with our Grievance Officer or the Data Protection Board
Nominate | Nominate a person to exercise your rights in case of death or incapacity

To exercise any right, email privacy@rentright.in with subject line "Data Principal Request — [Your Right]". We will respond within 30 days. Identity verification may be required before processing requests.

Note: Erasure requests cannot override legal retention obligations under PMLA, GST, or Income Tax law.

13. Children's Privacy

The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that a minor has registered, we will promptly delete that account and associated data. Please notify us at privacy@rentright.in if you believe a minor has created an account.

14. WhatsApp Communications

By providing your WhatsApp number and opting in to WhatsApp communications, you consent to receiving:

  • Rent payment reminders and confirmations;
  • Maintenance update notifications;
  • Agreement signing requests;
  • Account and security alerts.

WhatsApp messages are delivered via Twilio/Meta Business API. Meta's data practices are governed by its own Privacy Policy. You may opt out of WhatsApp communications at any time from your account settings or by replying "STOP" to any message. Opting out of transactional messages may limit Platform functionality.

15. Aadhaar & KYC Data

Aadhaar-based verification on our Platform is conducted exclusively via UIDAI's official OTP-based authentication API, through a UIDAI-licensed KYC User Agency (KUA). We receive only a success/failure flag and the masked Aadhaar number. The full 12-digit Aadhaar number is never stored on Rent Right's systems, in compliance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and UIDAI circulars.

PAN verification is conducted via government-approved APIs. PAN data is used only for identity verification and GST compliance.

16. Third-Party Links

The Platform may contain links to third-party websites, apps, or payment portals. We are not responsible for the privacy practices of those third parties. Please review their privacy policies before providing any data.

17. Changes to this Policy

We may update this Policy to reflect changes in law, technology, or our practices. Material changes will be notified via email and in-app notice at least 15 days in advance. The latest version will always be available at rentright.in/privacy.

18. Data Protection Officer

For DPDP Act compliance queries:

Email: dpo@rentright.in

Response Time: Within 30 days for data requests

19. Grievance Officer

Email: grievance@rentright.in

Address: Rent Right Technologies Private Limited, Hyderabad, Telangana — 500081

Acknowledgement: Within 24 hours · Resolution: Within 15 days

If unsatisfied with our response, you may approach the Data Protection Board of India (once constituted under the DPDP Act 2023) or the National Consumer Helpline at 1800-11-4000.

20. Contact

General privacy queries: privacy@rentright.in