Privacy Policy
Effective date: 1 April 2026 · Last updated: 11 March 2026 · Version: 1.0
Applies to: reradesk.in and all ReraDesk applications · Governing law: India · Digital Personal Data Protection Act 2023
Plain language summary: ReraDesk is a B2B compliance tool for real estate developers and their Chartered Accountants. We process data you upload (financial documents, QPR data, GSTIN records) strictly to provide the compliance service you subscribed to. We do not sell data. We do not process homebuyer personal data. We store all data in India. Your CA or developer firm is the Data Fiduciary — ReraDesk is the Data Processor.
1. Who we are and who this applies to
ReraDesk (operating as reradesk.in) is a B2B software-as-a-service platform providing RERA compliance automation tools exclusively to real estate developers (promoters), Chartered Accountant firms, RERA consultants, and lending institutions (collectively, "Business Users").
This Privacy Policy applies to:
- Individuals who access reradesk.in or the ReraDesk application on behalf of a Business User
- Authorised representatives of developer firms, CA firms, and lending institutions
- Trial users and beta programme participants
This policy does not apply to homebuyers. ReraDesk is not a homebuyer portal. If you are a homebuyer with a grievance, please visit your state RERA portal directly.
2. Our role under DPDPA 2023 — Data Processor
Under the Digital Personal Data Protection Act 2023 (DPDPA 2023) and its Rules notified in November 2025:
- Data Fiduciary: your organisation (Developer / CA Firm / Lender). You determine the purpose and means of processing personal data uploaded to ReraDesk. You bear primary liability as Data Fiduciary under §10 DPDPA 2023. Maximum penalty: ₹250 Crore.
- Data Processor: ReraDesk (reradesk.in). We process personal data only on your documented instructions, as defined in your subscription agreement. We independently bear liability for security breaches under our processor obligations. We never process data for our own commercial purposes.
This distinction is critical: ReraDesk does not determine why data is processed — your organisation does. ReraDesk only determines how processing occurs, within the bounds of the service.
§10 DPDPA 2023 — Non-shiftable liability: The Data Fiduciary's obligations under the Act cannot be contractually transferred to the Data Processor. Even if your subscription agreement with ReraDesk assigns certain responsibilities to us, your organisation retains primary regulatory accountability as Data Fiduciary.
We collect three categories of data:
3.1 Account and identity data
- Name, business email address, mobile number
- Organisation name, GSTIN, PAN (for billing verification)
- Role designation (Developer, CA, Lender)
- Authentication credentials (hashed — never stored in plain text)
3.2 Compliance and project data (uploaded by you)
- RERA project registration numbers and portal credentials
- Quarterly Progress Report (QPR) data — financial progress, physical progress, unit sales
- Bank statements, cost certificates, architect completion certificates
- GST returns data (GSTR-2B extracts) — for ITC reconciliation only
- Tally / Zoho Books exports — for Form-7 reconciliation only
- Legal documents (cause lists, litigation notices) — for Litigation Watch only
3.3 Usage and technical data
- Browser type, device type, IP address
- Pages visited, features used, time spent (via analytics — see §10)
- Error logs and performance data
- Audit trail timestamps (who accessed what, when)
What we do NOT collect:
- Homebuyer personal data (names, Aadhaar, contact details of flat purchasers)
- DSC private keys (we never receive or store your digital signature private key)
- Biometric data of any kind
- Data from minors — our service is exclusively for business professionals
- Provide the subscribed service — QPR filing assistance, GST-ITC reconciliation, Form-7 audit, compliance monitoring, QR code generation, CIRP risk analysis
- AI extraction and traceability — Uploaded documents are processed by AI models to extract QPR fields. Every extracted value is traced back to its source document and line. No extraction result is submitted to any RERA portal without explicit human review and CA certification.
- Audit trail generation — Creating SHA-256 timestamped logs for court admissibility and CA certification purposes
- Compliance alerts — Sending deadline reminders, exception notifications, and risk alerts to registered users
- Service improvement — Aggregated, anonymised usage analytics to improve the platform (never linked back to individual users or organisations)
- Billing and invoicing — Processing subscription payments via Razorpay (a PCI-DSS compliant gateway); we do not store card details
- Legal compliance — Responding to court orders, government directives, or regulatory requirements under Indian law
We never use your data to: train general-purpose AI models, sell to third parties, serve advertising, or profile you for any purpose outside the compliance service.
5. Legal basis for processing
Under DPDPA 2023, we process personal data on the following bases:
- Contractual necessity — Processing required to deliver the service you subscribed to (§7(a) DPDPA 2023)
- Legitimate interests — Security monitoring, fraud prevention, and service improvement (§7(d) DPDPA 2023)
- Legal obligation — Compliance with court orders, RERA authority requests, and government directives (§7(e) DPDPA 2023)
- Consent — Where required, for marketing communications (opt-in only, freely withdrawable)
For data processed on behalf of your organisation as Data Processor, our legal basis flows from your organisation's documented instructions and your subscription agreement.
6. Data storage, residency, and security
All ReraDesk data is stored exclusively in India — Mumbai region servers. We do not transfer personal data outside India. Our cloud infrastructure is hosted on AWS Mumbai (ap-south-1).
Security measures in place:
- Encryption at rest: AES-256 encryption on all stored data
- Encryption in transit: TLS 1.3 on all connections
- Access control: Role-based access — no ReraDesk employee can access your project data without explicit authorisation and audit logging
- Authentication: Passwords are bcrypt-hashed (never stored in plain text). Multi-factor authentication available for all accounts.
- Audit logs: All access events are immutably logged with SHA-256 timestamps
- Supabase (database): Row-Level Security (RLS) enabled — organisations can only access their own data
- Vulnerability management: Regular security reviews; responsible disclosure programme at security@reradesk.in
In the event of a data breach, we will notify affected organisations within 72 hours of becoming aware, in accordance with DPDPA 2023 §8(6) and our processor obligations.
7. Data sharing and third parties
We share data only in these circumstances:
- Sub-processors: Infrastructure providers who process data on our behalf — AWS (Mumbai), Supabase, Razorpay. All sub-processors are contractually bound to the same data protection standards.
- AI processing: Document extraction uses Amazon Bedrock (AWS Mumbai region). Data does not leave India during AI processing. Bedrock models are not trained on your data.
- Within your organisation: Users within your subscribed organisation (e.g., your CA firm's team) can access shared project data per your role configuration.
- Legal compulsion: We disclose data when required by a valid court order, government directive, or RERA authority request under Indian law. We will notify you of such requests unless legally prohibited from doing so.
We never share data with: advertisers, data brokers, competitor platforms, or any party for commercial purposes not related to delivering the ReraDesk service.
- Active subscription: Data retained for the duration of your subscription
- Post-cancellation: Account data deleted within 30 days of subscription termination. Compliance documents (QPRs, audit trails) retained for 7 years from filing date — matching RERA 2016 §5(7) document retention requirements — unless you request earlier deletion.
- Audit logs: Security and access logs retained for 3 years for compliance purposes
- Backups: Encrypted backups retained for 90 days then permanently deleted
- Data deletion requests: Honoured within 30 days (see §9). QPR audit trails may be retained longer if required by RERA authority mandate.
9. Your rights under DPDPA 2023
As a Data Principal (individual user) or on behalf of your organisation, you have the following rights under DPDPA 2023:
- Right to access (§11): Request a summary of personal data we hold about you
- Right to correction (§12): Request correction of inaccurate or outdated personal data
- Right to erasure (§12): Request deletion of personal data, subject to legal retention requirements
- Right to grievance redressal (§13): Raise a complaint with our Grievance Officer (see §12)
- Right to nominate (§14): Nominate a person to exercise your rights in case of death or incapacity
To exercise any right, email privacy@reradesk.in with subject line "DPDPA Data Rights Request". We will respond within 30 days. If you are unsatisfied with our response, you may approach the Data Protection Board of India once constituted under DPDPA 2023.
We use the following cookies and analytics tools:
- Essential cookies: Session management, authentication tokens, CSRF protection. Cannot be disabled without breaking the service.
- Analytics (Google Analytics 4): Page view and usage data, anonymised. IP addresses are anonymised. You can opt out via browser settings or the GA Opt-out browser add-on.
- Product analytics (PostHog): Feature usage tracking, session replay (with sensitive fields masked). Data stored on PostHog Cloud EU servers. Used exclusively for product improvement.
We do not use advertising cookies, third-party tracking pixels, or any analytics for ad targeting purposes.
We will notify registered users by email at least 14 days before any material changes to this Privacy Policy take effect. Non-material changes (clarifications, formatting) may be made without prior notice.
Continued use of ReraDesk after the effective date of changes constitutes acceptance of the updated policy. Previous versions are available on request.
12. Contact and grievance officer