PropStackX

Legal

Privacy Policy

Last updated: 10 May 2026Effective: 10 May 2026

In plain English

We're a small Indian company. We built PropStackX so real-estate teams can run their business without leaking customer data. This policy explains exactly what we collect, why we collect it, who we share it with, and how you can ask us to stop.

For most personal data on PropStackX (leads, buyers, channel partners) we are a Data Processor — the real-estate developer is the Data Fiduciary and decides what happens to that data. For our marketing website, tenant accounts, and billing, we are the Data Fiduciary ourselves.

1. Who we are

PropStackX is a software product owned and operated by PropStackX Technologies LLP(referred to in this policy as "PropStackX", "we", "us" or "our"), a limited liability partnership constituted under the laws of India.

We process personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000and the rules framed under it (including the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 — the "SPDI Rules"), and the CERT-In Directions, 2022 on cyber-incident reporting and log retention.

2. What this policy covers

This policy applies to:

  • Visitors to propstackx.comand any sub-domain we operate (the "Marketing Site").
  • Users of the PropStackX admin console, partner portal, mobile apps, APIs and any other software we publish under the PropStackX brand (the "Platform").
  • People who contact us by email, phone, demo form, support channel or social media.

This policy does notcover the practices of our customers (real-estate developers and brokers who use PropStackX — we call them "Tenants"). Tenants decide why and how end-customer personal data is collected and processed on the Platform. If you are a homebuyer, lead, or channel-partner customer dealing with a developer, please refer to that developer's privacy notice for how your data is used. We process such data only on the developer's instructions, as their Data Processor.

3. Our role under DPDPA

The DPDPA distinguishes between a Data Fiduciary (the person who decides the purpose and means of processing) and a Data Processor (a person who processes personal data on behalf of a Fiduciary). Our role depends on which set of data is involved:

Data setOur roleFiduciary
Marketing-site visitors, demo requests, contact-form submissionsData FiduciaryPropStackX
Tenant signup info, tenant user accounts, billing & GST dataData FiduciaryPropStackX
Leads, prospective buyers, allottees, residents and any contacts a Tenant uploads or captures via PropStackXData ProcessorThe Tenant (real-estate developer)
Channel partners onboarded by a TenantData ProcessorThe Tenant
Service logs, security telemetry, fraud signals across the PlatformData Fiduciary (legitimate use under DPDPA s.7)PropStackX

Where we are the Processor, we will only act on the Tenant's documented instructions (typically embedded in our subscription contract and the Platform configuration). We do not sell, mine, re-use or train any AI model on Tenant-controlled data without explicit consent.

4. Information we collect

4.1 From Marketing-Site visitors

  • You give us: name, business email, mobile number, company, role and the message you send via demo, contact, pricing and newsletter forms.
  • We observe: IP address, approximate location inferred from IP, browser, device, referring page, the pages you view, and timestamps. We use Vercel Analytics, which collects aggregated, cookieless usage data.

4.2 From Tenants and Authorised Users on the Platform

  • Account & profile: name, work email, mobile number, role, designation, hashed password, profile photo (if uploaded), and the Tenant organisation you belong to.
  • Tenant business data: registered name, GSTIN, PAN, billing address, bank account details for payouts (encrypted with AES-256-GCM at rest), authorised signatory and project registration details.
  • Activity & audit: login IP and device, session history, actions you perform inside the Platform (creating leads, updating stages, sending messages), permission grants and changes. These feed an audit log we are required to maintain.

4.3 From end-customers (processed for the Tenant)

  • Leads & buyers:name, email, mobile, source, interest, budget, preferred locations, site-visit notes, KYC documents (where the developer collects them at booking — typically PAN, Aadhaar reference, address proof), payment milestones, unit allotment and any free-text notes the Tenant's sales team records.
  • Channel partners: firm name, RERA registration number, PAN, GSTIN, bank account (encrypted), KYC documents, commission ledger.
  • Conversations:email, SMS and WhatsApp content sent and received via the Platform's messaging modules, along with delivery, read and bounce signals returned by our messaging sub-processors.

4.4 What we do not collect

  • Card / UPI numbers: Payments are processed by third-party payment gateways. We receive only the transaction reference and status. We never store full card numbers, CVVs or UPI PINs.
  • Passwords in plaintext: Passwords are hashed (Argon2 / bcrypt class). Even our engineers cannot read them.
  • Sensitive special-category data (health, biometrics, religion, caste) — we do not solicit it. Aadhaar numbers, where collected by Tenants for KYC, are masked in our UI.

5. How and why we use it

We process personal data only for the purposes below, each of which is permitted under DPDPA s.4 (consent) or s.7 (legitimate use):

  • Delivering the Platform. Authenticating you, showing you the right data, sending the messages you ask us to send, generating reports, and keeping the service running.
  • Customer support. Answering tickets, debugging an issue you report, and contacting you about your account.
  • Billing and tax compliance. Issuing GST-compliant invoices, maintaining records under the GST Act and the Companies Act, 2013.
  • Security and abuse prevention. Detecting fraud, credential-stuffing, account takeover, abusive sending patterns, and complying with CERT-In directions on incident reporting.
  • Service improvement. Aggregated, de-identified usage analytics that help us improve features. We do not use Tenant-controlled customer data to build product features for other Tenants without explicit, written consent.
  • Legal obligations. Responding to lawful requests from Indian authorities, retaining audit trails required by RERA, GST and the Prevention of Money Laundering Act, 2002 (where applicable to KYC for property bookings).
  • Marketing — only with consent. We send product updates and marketing emails only to people who opt in. Every marketing email contains a one-click unsubscribe link. We do not sell or rent contact lists.

6. Sharing & sub-processors

We share personal data only with the categories of recipients listed below, and only to the extent needed for the purposes in section 5.

6.1 Sub-processors we use

Sub-processorPurposeHosting region
Vercel Inc.Marketing site & admin/partner UI hosting, edge CDN, analyticsGlobal edge; primary regions Mumbai (BOM1) / Singapore
Microsoft AzureApplication servers and managed PostgreSQL for the PlatformIndia (Central / South India regions)
SupabaseMarketing-site form submissions and lightweight content storageMumbai / Singapore
SparkPost (MessageBird)Transactional and marketing email deliveryEU / US (in transit; no Indian-resident-restricted data)
360dialog / Dialog360WhatsApp Business Cloud API gatewayEU (Frankfurt) — Meta-hosted endpoints
DLT-registered SMS aggregatorTransactional SMS via TRAI DLTIndia
Payment gateway(s) — [TO BE LISTED before publish: e.g. Razorpay, PayU]Subscription billingIndia
Customer-support tooling — [TO BE LISTED if applicable]Helpdesk & ticketing

Each sub-processor is bound by a written contract requiring at least the same level of protection we promise in this policy. We perform basic security due diligence before adding a sub-processor. The most current list lives at this URL — material changes will be notified to Tenants by email at least 30 days in advance.

6.2 Other recipients

  • Other Tenant users. Within a single Tenant account, your activity is visible to colleagues based on the permissions you have been granted.
  • Government and law enforcement. We disclose data when required by a valid order under Indian law, including the Code of Criminal Procedure, the IT Act and CERT-In directions. We push back on requests that are over-broad or unlawful and, where permitted, notify the affected Tenant.
  • Professional advisors. Lawyers, auditors, bankers and insurers — bound by professional confidentiality.
  • Successors in interest. If we are involved in a merger, acquisition, restructuring or asset sale, personal data may transfer to the acquirer. We will give you notice (typically via email and a notice on this site) before your data becomes subject to a different privacy policy.

We do not sell personal data. We do not share Tenant-controlled customer data with advertisers or data brokers.

7. Cross-border transfers

Our primary application servers and customer database are hosted in India. Some of our sub-processors (notably edge CDN, email and WhatsApp delivery) operate from data centres outside India. When your data is transmitted to such providers we rely on:

  • DPDPA s.16, which permits transfers to any country other than those notified by the Central Government as restricted (we will stop transfers to a country if and when it is notified);
  • Contractual safeguards with each sub-processor that bind them to equivalent protections; and
  • Encryption in transit (TLS 1.2 or higher) and, for sensitive fields, encryption at rest (AES-256-GCM).

For data that is restricted by sectoral regulators (for example, payment-system data under the RBI's 6 April 2018 directive), we ensure the data and its processing remain in India.

8. How long we keep data

CategoryRetentionWhy
Active Tenant account & configurationLifetime of the subscriptionTo deliver the service
Tenant data after subscription ends90 days grace period for export, then deletion within a further 30 daysTo allow lawful, orderly handover
Billing, invoice and GST records8 financial yearsGST Act & Companies Act, 2013
Channel-partner KYC records5 years after the partner relationship endsPMLA, 2002 record-keeping
RERA-relevant transaction trail (allotments, payments)5 years after project closureRERA, 2016 audit retention
Application logs & security telemetry180 days minimum (CERT-In)CERT-In Directions, 2022 §IV
Backups35 days rollingDisaster recovery
Marketing-site contact-form submissions24 months from your last interactionTo follow up on enquiries

Where the law requires us to keep data longer than the periods above (for example, in the case of an ongoing investigation), we will retain the minimum necessary copy and isolate it from active use.

9. Security

We follow reasonable security practices and procedures within the meaning of section 43A of the IT Act and Rule 8 of the SPDI Rules. Our controls include:

  • Encryption in transit: TLS 1.2+ for every connection to the Platform and the Marketing Site.
  • Encryption at rest for sensitive fields: AES-256-GCM for bank account numbers, PAN, GST credentials and third-party API keys. Other application data sits on encrypted managed storage.
  • Access control: Role-based access with permission-level granularity. Production access is restricted to a small named team and gated by SSO and multi-factor authentication.
  • Audit trail: Every privileged action is logged with the actor, timestamp, IP and affected resource.
  • Tenant isolation: Every business record is keyed by an account identifier. Application code reads it from the authenticated session — never from the request body — and a request that crosses tenants returns a 404, not a 403, to avoid leaking that the resource exists.
  • Patch & vulnerability management: Dependency scanning on every build; critical patches applied within 7 days.
  • Incident response & CERT-In reporting: If we suffer a reportable cyber incident, we will notify CERT-In within 6 hours of becoming aware, and notify affected Tenants and the Data Protection Board of India in line with DPDPA s.8(6) without undue delay.

No system is perfectly secure. If you spot a vulnerability, please email admin@propstackx.com — we take responsible disclosure seriously and will not pursue legal action against good-faith researchers.

10. Your rights

Subject to DPDPA s.11–14 and SPDI Rule 5, you have the following rights in relation to personal data we hold about you:

  • Right to access: Ask for a summary of the personal data we process about you and the identities of any other Data Fiduciaries with whom we have shared it.
  • Right to correction and erasure: Ask us to correct inaccurate data or erase data that is no longer needed for the purpose for which it was collected.
  • Right to grievance redressal: Use our grievance mechanism (section 14) to raise concerns. We will acknowledge within 48 hours and resolve within 30 days.
  • Right to nominate: Nominate another individual to exercise these rights on your behalf in case of your death or incapacity.
  • Right to withdraw consent: Withdraw any consent you have given. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to opt out of marketing: Use the unsubscribe link in any marketing email, or write to us at admin@propstackx.com.

If you are a customer of one of our Tenants (for example, a homebuyer who provided your details to a developer who uses PropStackX), please exercise your rights with that developer. They are the Data Fiduciary. If you write to us, we will forward your request to the relevant Tenant within 7 days and assist them in fulfilling it.

We may need to verify your identity before acting on a request, to make sure we are not handing your data to someone else.

11. Cookies & tracking

We use a small number of cookies and similar technologies on the Marketing Site and Platform. Strictly-necessary cookies (login session, CSRF token, theme preference) load by default. Analytics and marketing cookies, where used, only load with your consent.

The full list of cookies and how to control them is in our Cookie Policy.

12. Children

PropStackX is a business tool. It is not directed at children. We do not knowingly collect personal data from anyone under 18 years of age and we do not process the personal data of a child for tracking, behavioural monitoring or targeted advertising. If you believe a child's personal data has been collected through our services, contact us and we will delete it.

13. Changes to this policy

We may update this policy as our service evolves or as the law changes. Material changes will be notified to Tenants by email and posted on this page at least 15 days before they take effect. The "Last updated" date at the top of the page always reflects the current version. Continued use of PropStackX after a change means you accept the updated policy.

14. Grievance Officer & contact

We have appointed a Grievance Officer in line with section 5 of the IT (Intermediary Guidelines) Rules and section 13(3) of the DPDPA. The Grievance Officer also doubles as our point of contact for any DPDPA query.

Grievance Officer / Data Protection Contact
Name: Deepak Kumar
Designation: Lead Engineer, PropStackX Technologies LLP
Email: admin@propstackx.com
Hours: Monday to Friday, 10:00–18:00 IST (excluding public holidays)

You can also write to us at admin@propstackx.com for general queries. If you are unhappy with how we have handled your complaint, you may approach the Data Protection Board of India once it begins accepting complaints under section 27 of the DPDPA, or seek redressal under the Consumer Protection Act, 2019.

This policy is governed by the laws of India. Disputes will be subject to the exclusive jurisdiction of the courts at Bengaluru, Karnataka, without prejudice to your statutory consumer-forum rights.