Privacy Policy

Summary

• Your data is stored on Supabase in Mumbai (India). Application requests are processed by Railway's Singapore infrastructure, but no data is stored outside India.
• You can export everything as CSV/ZIP, or permanently delete your account, at any time.
• We never sell your data, train AI on it, or share it with advertisers.
• GharStack does not knowingly collect personal data from persons under 18.
• We comply with India's DPDP Act 2023. Our Grievance Officer is reachable at grievance@gharstack.com. If unresolved, you may escalate to the Data Protection Board of India.

Overview

This Privacy Policy explains how P-Logix Software Private Limited ("GharStack", "we", "us") collects, uses, and protects information you provide while using the GharStack platform. It applies to anyone who signs up, including brokerage owners, their agents, and anyone invited to a workspace. We comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules). For the purposes of the Act, you are the Data Principal and GharStack is the Data Fiduciary. This notice is provided under Section 5 of the DPDP Act at the point of data collection.

1. Data we collect

We collect only what we need to run the product, in three categories:

• Account data — your name, mobile number (used as your login), brokerage name, GSTIN if you provide it, and the city you operate in.
• Workspace data — leads, properties, contacts, follow-ups, notes, and commission records you create inside GharStack. For lead/contact data entered by the brokerage, GharStack acts as a Data Processor; for account and usage data, GharStack acts as a Data Fiduciary.
• Usage data — pages you visit, features you use, and basic device information (browser, OS version, screen size). We do not record video, audio, or keystrokes.

We do not collect Aadhaar, biometric, health, or financial-account details. We do not ask for PAN except for billing where you provide it voluntarily; if you do, it is used solely to generate GST-compliant invoices and for no other purpose.

2. How we use your data

We process your personal data only for these specified purposes:

• To provide GharStack — store your leads, deliver in-app notifications, send OTPs for authentication.
• To send transactional messages — payment receipts, trial reminders, security alerts. These are not marketing.
• To improve the product — we analyse only aggregate, anonymised usage patterns. We do not examine individual lead records for this purpose.
• To comply with the law — if a valid court order or direction from a competent authority requires disclosure, we will comply, and notify you unless legally prohibited.

We do not use your data to train AI or machine-learning models, sell it to data brokers, or share it with third-party advertisers.

3. Where your data lives

All workspace and account data is stored on Supabase, in the Mumbai region (ap-south-1), India. Backups are retained by Supabase within the same India region. Supabase Inc is a US-incorporated company that provides this database and storage infrastructure; it acts as a sub-processor bound by a data-processing agreement that prohibits secondary use of your data, and the data itself remains stored in India.

4. Cross-border processing

The GharStack application is hosted on Railway, whose servers operate in Singapore. Every request you make (loading a page, saving a lead) is processed transiently by Railway's Singapore infrastructure before the response is returned. Your data is not stored in Singapore; it only transits there during processing. Error monitoring is provided by Sentry (EU) with PII scrubbing enabled — no personal data, including user identifiers, phone numbers, or request parameters, is transmitted to Sentry; only anonymised technical stack traces are sent.

Under Section 16 of the DPDP Act read with Rule 15 of the DPDP Rules, transfers of personal data to processors abroad are permitted unless the Central Government restricts a destination by notification. As of the effective date of this Policy, no such restriction applies to Singapore, the United States, or the EU. We monitor notifications under Section 16 and will update this Policy and our processor arrangements, and notify you under Section 11, if any applicable restriction is enacted. Payment metadata is processed by Razorpay in India; SMS OTP delivery is handled by MSG91 in India; both are bound by data-processing agreements prohibiting secondary use.

5. Sharing & third parties

We share data only with the processors below, and only the minimum each needs. All are engaged under written data-processing agreements compliant with Section 8(2) of the DPDP Act.

If you send a WhatsApp message through GharStack, the message is composed inside GharStack but transmitted by you via WhatsApp's own systems, after which WhatsApp's privacy policy governs the message contents.

6. Relationship with Practical Logix LLC (US)

P-Logix Software Private Limited (Bengaluru) is a subsidiary of Practical Logix LLC, a company incorporated in the United States. Practical Logix LLC may access personal data held by GharStack only where necessary for group-level technical support and security oversight, governed by an intra-group data-transfer agreement. Practical Logix LLC does not use GharStack user data for its own commercial purposes and is bound by the same data-protection obligations as GharStack.

7. Consent, notice & withdrawal

Under Section 5 of the DPDP Act and Rule 3 of the DPDP Rules, we present this Privacy Policy and our Terms of Service to you at the point of data collection (sign-up), when we request a new permission, and when these documents are revised. Pursuant to Rule 8(3), we maintain records of your consent — what you consented to, when, and through which mechanism — for at least one year; these are available on request to grievance@gharstack.com.

You have the right under Section 6(4) to withdraw consent at any time, as easily as it was given. We use only aggregate, anonymised data for product improvement (which is not personal data), so there is no separate analytics opt-out to manage. To withdraw consent for processing of your personal data, delete your account via Account → Danger → Delete Account, which terminates all processing; or contact our Grievance Officer to withdraw consent for a specific activity. Withdrawal does not affect the lawfulness of processing carried out before it. If we ever change the purpose of processing, we will seek fresh consent under Section 6(1) — a banner is not a substitute for fresh consent.

8. Your rights under the DPDP Act

To exercise any right, write to grievance@gharstack.com. We respond within 7 working days as required by Rule 14 of the DPDP Rules.

• Access (data summary) — request a summary of the personal data we hold about you and your workspace. You can export your data yourself via Account → Export, or email us with the subject "Data Summary"; we respond within 7 working days.
• Correction & erasure — correct or update most account data in Account → Profile. For selective erasure, email us with the subject "Erasure Request". Data we must retain by law (e.g. billing records for six years under the CGST Act, 2017) is retained for that period and cannot be erased earlier.
• Grievance redressal — submit a grievance to our Grievance Officer; we acknowledge within 48 hours and respond within 7 working days. If unresolved, you may complain to the Data Protection Board of India.
• Nomination — nominate someone to exercise your rights on your behalf in the event of death or incapacity. Email us with the subject "Nomination Request", including your nominee's full name, contact number, and relationship. We verify the nominee's identity before acting.
• Withdraw consent — see Section 7 above.

9. Your duties & third-party data

Section 15 of the DPDP Act places duties on you: do not impersonate another person, suppress material information, or file false or frivolous grievances, and comply with all applicable laws — including when you enter data about third parties such as buyers or tenants. When you enter personal data about a third party who has not signed up to GharStack, you act as the Data Fiduciary for that individual and GharStack processes it solely as your Data Processor, on your instructions. You represent that you have given that person a valid Section 5 notice, obtained any required consent, and will honour their rights requests. We may suspend or terminate accounts that violate these statutory duties.

10. Retention & deletion

• Active subscriptions — we retain workspace data only as long as necessary to provide the service. In line with Section 8(7), we periodically review and will notify you if data appears to no longer serve its original purpose (for example, a lead with no activity for an extended period).
• After cancellation — your account enters read-only mode immediately (you can still export everything). After 90 days of read-only status we permanently delete the workspace, with reminders at day 60 and day 80.
• Account deletion — if you use Account → Danger → Delete Account, your personal data is deleted from primary systems within 7 days; encrypted backups age out within 30 days.
• Downstream erasure — upon deletion, we issue corresponding instructions to all engaged processors (including Railway and Supabase) to erase your data; processors are required to confirm erasure within 30 days.

11. Security

We take reasonable security safeguards under Section 8(5) of the DPDP Act: all connections use TLS 1.3; data at rest is encrypted with AES-256; production access is limited to a small number of named engineers, fully logged and reviewed monthly; and we conduct an annual Vulnerability Assessment and Penetration Test (VAPT) by a CERT-In empanelled auditor (summary available on request).

12. Breach notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals in accordance with Section 8(6) of the DPDP Act, within the timeframe prescribed by the Board and, in any case, without undue delay. Notifications will describe the nature of the breach, the categories of data affected, the likely consequences, and the steps taken to address it.

13. Changes to this Policy

If we change anything material, we will display a notice inside GharStack for 30 days before the change takes effect and email the brokerage owner. The previous version will remain available at gharstack.com/privacy/v1 for one year. Where a change involves a new purpose of processing, we will seek fresh consent before it takes effect.

14. Language

This Policy is currently available in English. In accordance with Rule 3 of the DPDP Rules, we are working to make it available in the languages listed in the Eighth Schedule to the Constitution of India; translated versions will be published at gharstack.com/privacy.

15. Contact our Grievance Officer

Grievance Officer

Shagufta Syed, Technical Project Manager & Grievance Officer

Email

grievance@gharstack.com

Response time

Acknowledged within 48 hours; resolved within 7 working days (DPDP Rules, Rule 14)

Postal address

P-Logix Software Private Limited, #1207/343 & 1207/1/343/1, 9th Main, 7th Sector, HSR Layout, Bengaluru, Karnataka 560102

CIN

U72900KA2019FTC129142

GSTIN

29AAKCP8438N1ZG

If your grievance is not resolved to your satisfaction, you may complain to the Data Protection Board of India under Section 13(2) of the DPDP Act. The Board was constituted on 13 November 2025; once its online complaint portal is operational, its URL will be added here and users notified under Section 13 of this Policy.