Privacy Policy — ProRently

01

Who We Are

ProRently Technologies Pvt. Ltd. ("ProRently," "we," "us," or "our") is a technology company incorporated under the Companies Act, 2013 and registered in Bangalore, Karnataka, India. We operate the online rent agreement platform at prorently.in.

For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDPA"), ProRently is the Data Fiduciary — meaning we determine the purpose and means of processing your personal data. Our third-party service providers (listed in Section 5) are Data Processors who handle data on our instructions.

This Privacy Policy applies to all Users of the Platform, including Landlords, Tenants who receive signing requests, and visitors to our website. If you are a Tenant who received a WhatsApp signing request from a Landlord using ProRently, this policy also applies to the data we process about you in facilitating that signing.

✓

Our commitment in plain language. We collect only what we need to provide the service. We do not sell your data. We do not use your data for advertising. We do not store your Aadhaar number or biometrics. You can ask us to delete your data at any time.

02

Data We Collect

A. Data You Provide Directly

Data Type	Specific Data Points	Why Collected
Account Registration	Full name, mobile number, email address	Account creation, login, communication
KYC / Identity	PAN number, city, permanent address	Used on agreement documents as legally required party details
Landlord Details	Full name as on Aadhaar, address, PAN	Populated on rent agreements; legally required
Tenant Details	Full name, mobile number, address	Populated on rent agreements; required to send signing request
Property Details	Property address, type, city, state	Used to generate the correct state-specific agreement
Financial Terms	Monthly rent, security deposit, agreement duration	Populated on agreement; used for stamp duty calculation
Bank Account	Account number (masked after verification), IFSC, account holder name, UPI ID	Displayed on rent receipts sent to tenants; not used for any debit/credit by ProRently
Payment Information	Payment method type, transaction reference ID, amount, timestamp	Billing, GST invoicing, payment confirmation. Card/bank credentials are processed solely by Razorpay — we never see or store them.

B. Data Generated by Your Use of the Platform

Data Type	Specific Data Points	Why Collected
Agreement Records	Generated PDF, document ID, creation timestamp, eSign completion status, e-Stamp certificate reference	Stored for your access, legal audit trail, and support
eSign Audit Log	Signing timestamp, IP address at time of signing, Aadhaar OTP authentication confirmation (not the Aadhaar number itself)	Legal evidence of valid execution; provided by Digio
Communication Logs	WhatsApp message delivery status (sent/delivered/read), reminder timestamps	Track reminder delivery; evidence in case of dispute about notice
Device & Usage Data	IP address, browser type, device type, pages visited, session duration	Security, fraud detection, platform analytics

C. Data We Receive from Third Parties

Source	Data Received	Why
Digio (eSign)	Signing success/failure status, audit log reference, timestamp	To confirm agreement is validly executed
Razorpay	Payment success/failure, transaction reference ID	To confirm payment for ProRently service fees and billing records
User-provided stamp details	Certificate number, stamp amount, uploaded PDF (optional)	To attach stamp reference metadata in document audit trail

03

How We Use Your Data

Under the DPDPA 2023, we process your personal data only for the following lawful purposes, each based on your consent given at the time of registration or transaction:

Purpose	Activities	Legal Basis (DPDPA)
Service Delivery	Generating the agreement document, recording stamp references, facilitating eSign, delivering the PDF	Consent; Contractual necessity
Account Management	Creating and managing your account, authenticating login, providing support	Consent; Contractual necessity
Payments & Billing	Processing payments via Razorpay, issuing GST invoices, maintaining billing records	Contractual necessity; Legal obligation (GST Act)
WhatsApp Reminders	Sending automated rent reminders and overdue alerts to tenants on behalf of landlords	Consent (given by Landlord and Tenant at setup)
Legal Compliance	Maintaining records as required under Indian law; responding to lawful government requests	Legal obligation
Security & Fraud Prevention	Detecting and preventing fraudulent transactions; protecting the Platform	Legitimate interest; Legal obligation
Platform Improvement	Aggregated, anonymised analytics to improve features (e.g. which states have highest usage)	Legitimate interest (data is anonymised — no personal data used)
Communications	Transactional emails (payment receipts, agreement delivery, agreement expiry alerts)	Contractual necessity; Consent

ℹ️

We do not use your data for advertising or to build behavioural profiles. We do not sell, rent, or trade your personal data to any third party for marketing. We do not use your agreement data (rent amounts, property addresses, tenant names) for any purpose other than providing the service you requested.

Marketing Communications

We may send you product updates, new feature announcements, or information about related services by email or WhatsApp. This is always based on your explicit consent, which you can withdraw at any time from Settings → Notifications or by emailing privacy@prorently.in. Withdrawing marketing consent does not affect transactional communications necessary to provide the service.

04

Aadhaar & eSign Data — Special Category

ℹ️

We never see, store, or process your Aadhaar number. This is the most important thing to understand about how our eSign works.

How the Aadhaar eSign Flow Works

When you sign a document using Aadhaar OTP on ProRently:

You are redirected to Digio's secure interface — at no point does this data touch ProRently's servers;
You enter your Aadhaar number and receive an OTP on your Aadhaar-linked mobile directly from UIDAI;
Digio verifies the OTP with UIDAI and applies a digital signature to the document;
Digio returns to ProRently only a signed document and a transaction audit log containing: a transaction reference ID, timestamp, signing status (success/failure), and IP address — nothing else;
ProRently stores this audit log as evidence that the document was validly executed.

ℹ️

Aadhaar Act, 2016 compliance. Because ProRently does not collect, store, or use Aadhaar numbers or biometric data, we are not required to be a registered Authentication User Agency (AUA) or e-KYC User Agency (KUA) under the Aadhaar Act. Digio, our eSign provider, holds the necessary certifications and is empanelled with the CCA under the IT Act, 2000.

PAN Number

We collect your PAN number solely to populate it on rent agreement documents, as is standard practice for high-value rental transactions. We do not use PAN for financial verification, credit checks, or identity linking beyond this purpose. PAN data is stored encrypted in our database.

05

Data Sharing & Third Parties

We share your personal data only with the following categories of third parties, and only to the extent necessary to provide the service:

Third Party	Data Shared	Purpose	Their Privacy Policy
Digio eSign Provider	Document to be signed, party names	Aadhaar OTP eSign execution	digio.in/privacy-policy
State Stamp Portals User-visited external portals	None auto-shared by ProRently in MVP	User purchases e-Stamp directly on official portal	Government portal — subject to respective portal policies
Razorpay Payment Gateway	Name, email, phone, amount, order ID	Payment processing; GST compliance	razorpay.com/privacy
WATI WhatsApp Business API	Tenant phone number, message content (rent amount, due date, UPI ID)	Sending rent reminders and signing invites via WhatsApp	wati.io/privacy-policy
Supabase Database & Auth	All user account and agreement data	Database hosting and authentication	supabase.com/privacy

Government & Law Enforcement

We may disclose personal data to Indian government authorities, courts, or law enforcement agencies when required by law — for example, under the IT Act 2000, DPDPA 2023, Income Tax Act, or in response to a valid court order. We will notify you of such disclosure unless prohibited by law from doing so.

Business Transfers

In the event of a merger, acquisition, or sale of all or part of ProRently's business, your data may be transferred to the acquiring entity, subject to equivalent data protection obligations. You will be notified of any such transfer at least 30 days in advance.

ℹ️

We do not sell your data. At no time do we sell, rent, or trade your personal data to advertisers, data brokers, or any third party for their own commercial purposes.

06

Data We Do Not Collect

For the avoidance of doubt, ProRently does not collect, store, or process:

Aadhaar numbers — handled solely by Digio and UIDAI;
Biometric data — fingerprints, iris scans, or facial recognition data of any kind;
Card numbers, CVV, or bank passwords — all payment credentials are handled solely by Razorpay;
WhatsApp message content beyond rent reminders — we do not read or store the content of your private WhatsApp conversations;
Location data — we do not request or collect GPS location from your device;
Sensitive personal data beyond PAN — we do not collect caste, religion, sexual orientation, health records, or political affiliation;
Children's data — see Section 11.

07

Cookies & Tracking

Cookies We Use

Cookie Type	Purpose	Can You Opt Out?
Essential / Session	Maintain your login session; CSRF protection; cart/payment state	No — required for the Platform to function
Preference	Remember your state selection, notification settings, dashboard layout	Yes — delete cookies in your browser
Analytics	Understand which features are used (via anonymised, aggregated data only). We use privacy-first analytics — no individual tracking.	Yes — opt out in Settings → Privacy

ℹ️

No third-party advertising cookies. We do not use Google Ads, Meta Pixel, or any advertising tracking cookies on the Platform. We do not build behavioural advertising profiles from your usage data.

WhatsApp Tracking

When we send WhatsApp messages via WATI, we receive message delivery and read receipts. This is standard WhatsApp functionality and allows us to confirm that rent reminders were delivered. We use this information only for service delivery confirmation and dispute support — not for profiling.

08

Data Retention

We retain your data only as long as necessary for the purpose it was collected, or as required by Indian law. The following table sets out our standard retention periods:

Data Type	Retention Period	Reason for Retention
Account data (name, mobile, email)	Duration of account + 90 days	Active service delivery; 90-day grace period for account recovery after deletion
Agreement PDFs (generated documents)	7 years from execution date	Indian limitation law (Limitation Act 1963) — agreement disputes can arise up to 3 years; stamp duty records required for 6 years under Indian Stamp Act
eSign audit logs	7 years from signing date	Legal evidence of valid execution; IT Act 2000 requirements
Payment & billing records	8 years from transaction date	GST Act, 2017 requires records for 72 months; Income Tax Act requirements
WhatsApp reminder logs (delivery status)	2 years from sending date	Evidence in case of tenant dispute about whether notice was given
Bank account details (masked)	Duration of account	Used on rent receipts; deleted with account
Device / IP / usage logs	90 days	Security and fraud detection; short retention minimises privacy exposure
Deleted account data	90 days, then purged	Grace period for account recovery; exception for data required by law (see above)

ℹ️

Note on legal retention obligations. Even if you request deletion of your account, we are legally required to retain agreement PDFs and payment records for the periods specified above. This is not optional — it is mandated by Indian law. We will confirm what data we must retain when you submit a deletion request.

09

Data Security

We implement technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

Encryption in transit: All data transmitted between your browser/app and our servers is encrypted via TLS 1.3;
Encryption at rest: Sensitive fields (PAN, bank account numbers) are encrypted at rest in our Supabase database using AES-256;
Access controls: Internal access to personal data is restricted to employees who need it to perform their job functions, and is logged and audited;
Payment security: We do not store payment credentials — all card and bank data is processed and stored solely by Razorpay, which is PCI-DSS compliant;
OTP-based authentication: Login to the Platform is secured by OTP sent to your registered mobile number;
Penetration testing: The Platform undergoes periodic security assessments.

Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights, ProRently will:

Notify the Data Protection Board of India (when constituted) as required under the DPDPA 2023;
Notify affected Users via email and/or WhatsApp within 72 hours of becoming aware of the breach, where feasible;
Provide details of the nature of the breach, data affected, and steps taken to mitigate it.

ℹ️

No system is completely secure. While we take all reasonable precautions, ProRently cannot guarantee absolute security. If you suspect your account has been compromised, change your credentials immediately and contact security@prorently.in.

10

Your Rights Under DPDPA 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights. These can be exercised by contacting privacy@prorently.in:

Right to Access DPDPA S.11

You have the right to obtain a summary of the personal data we process about you and the purposes for which it is being processed.

How: Email privacy@prorently.in → Response within 30 days

Right to Correction DPDPA S.12

You have the right to correct inaccurate or misleading personal data about you. Note: correcting data in generated agreements requires creating a new agreement — old agreements cannot be altered.

How: Settings → Profile or email privacy@prorently.in

Right to Erasure DPDPA S.12

You have the right to request deletion of your personal data. We will delete it within 30 days, subject to our legal retention obligations (see Section 8).

How: Settings → Danger Zone → Delete Account, or email privacy@prorently.in

Right to Withdraw Consent DPDPA S.12

You may withdraw consent at any time. Note: withdrawal of consent for core service processing will prevent us from providing the service to you.

How: Settings → Notifications (for marketing), or email privacy@prorently.in

Right to Grievance Redressal DPDPA S.13

You have the right to a readily available means of grievance redressal in relation to the processing of your personal data.

How: Email grievance@prorently.in → Acknowledged in 24h, resolved in 30 days

Right to Nominate DPDPA S.14

You have the right to nominate another individual to exercise your data rights in the event of your death or incapacity.

How: Email privacy@prorently.in with nominee details

Data Protection Board

If you are not satisfied with how we handle your rights request or grievance, you have the right to file a complaint with the Data Protection Board of India (when constituted under the DPDPA 2023). Until the Board is constituted, you may approach the Adjudicating Officer under the IT Act 2000 or the relevant Consumer Disputes Redressal Commission.

ℹ️

Response timelines. We commit to acknowledging all privacy rights requests within 3 business days and resolving them within 30 days. If we are unable to fulfil a request (e.g. due to legal retention obligations), we will explain why in writing.

11

Children's Privacy

ℹ️

The Platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors.

To use the Platform, users must be at least 18 years old and legally competent to contract under the Indian Contract Act, 1872. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly.

Under the DPDPA 2023, if we ever expand services to areas that may involve persons under 18, we will implement additional consent and verification requirements as required by law. Currently, no such services are offered.

12

Cross-Border Data Transfers

ProRently primarily processes data within India. However, some of our service providers operate servers outside India:

Supabase	Database hosted on AWS — primary region is Mumbai (ap-south-1), which keeps data within India. Backups may be replicated to other AWS regions as part of Supabase's infrastructure.
WATI	WhatsApp Business API provider. Data processed through Meta's global infrastructure for WhatsApp message delivery.
Digio	eSign infrastructure is India-based. Audit logs are stored in India.

Where data is transferred outside India, we ensure that it is subject to contractual data protection obligations at least equivalent to those in India, in accordance with DPDPA 2023 and any rules framed thereunder.

13

Third-Party Links

The Platform may contain links to third-party websites or services (e.g. SHCIL portal, UIDAI website, state stamp duty portals). This Privacy Policy does not apply to those external sites. We encourage you to review the privacy policies of any third-party sites you visit. ProRently is not responsible for the privacy practices or content of third-party sites.

14

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will:

Update the effective date at the top of this page;
Send a notification to your registered email and/or WhatsApp at least 14 days before the changes take effect;
Display a prominent banner on the Platform for 30 days after the change;
For significant changes affecting your rights, request your renewed consent where required under DPDPA.

Your continued use of the Platform after the revised policy's effective date constitutes acceptance of the revised policy. If you do not agree, you may request account deletion.

Previous versions of this policy are available on request by emailing privacy@prorently.in.

15

Grievance Officer & Contact

In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDPA 2023, ProRently has designated a Grievance Officer to address complaints related to personal data processing:

Grievance Officer

[Name of Officer]

ProRently Technologies Pvt. Ltd.
[Registered Address], Bangalore — 560XXX
grievance@prorently.in

Acknowledged in 24h · Resolved in 30 days

Privacy Queries

Data Protection Team

For access, correction, deletion, or withdrawal of consent requests.
privacy@prorently.in

Response within 3 business days

Security Incidents

Security Team

To report suspected account compromise, data breaches, or vulnerabilities.
security@prorently.in

Acknowledged within 4 hours

General Support

Customer Support

Mon–Sat, 9 AM–6 PM IST
contact@prorently.in

Response within 1 business day

ℹ️

Escalation to the Data Protection Board. If you are not satisfied with our response to a privacy complaint, you may escalate to the Data Protection Board of India (when constituted under DPDPA 2023). Until the Board is operational, you may approach the Adjudicating Officer under the IT Act 2000 or a Consumer Disputes Redressal Commission with jurisdiction.