Privacy Policy — RenterFinder.com

1. Introduction and Definitions

RenterFinder.com ("Platform" or "we" or "us") is an online intermediary marketplace for property rental services owned and operated by VAMY Properties Private Limited, a company incorporated under the Companies Act, 2013, and headquartered in Patna, Bihar, India. The Platform connects property landlords and renters in India by facilitating access to online property and renter profile.

This Privacy Policy governs how the Platform collects, processes, uses, stores, and shares personal data of individuals who use our Platform, including users who create accounts, landlords listing properties and browsing renters' list, renters searching for properties and listing their profiles, and/or any other visitors to our website and mobile application (collectively, "Data Principals" or "Users").

Key Definitions:

"Personal Data": Any information that relates to, or is capable of identifying, a natural person, as defined under Section 2(m) of the Digital Personal Data Protection Act, 2023. It generally includes, but is not limited to, name, address, email, phone, mobile, Aadhar number, PAN, photos etc.

"Sensitive Personal Data": Personal data that includes sensitive information as defined under Section 2(s) of the DPDP Act, 2023, including but not limited to financial data (bank account, Debit/Credit card, UPI, etc), biometric data, genetic data, health data, sex life data, and more.

"Data Principal": A natural person to whom personal data relates, as defined under Section 2(k) of the DPDP Act, 2023.

"Data Fiduciary": The entity responsible for determining the means and purpose of processing personal data, as defined under Section 2(i) of the DPDP Act, 2023. VAMY Properties Private Limited is the Data Fiduciary.

"Data Processor": Any person who processes personal data on behalf of the Data Fiduciary, as defined under Section 2(j) of the DPDP Act, 2023.

"Processing": Any automated or manual operation performed on personal data, including collection, recording, organization, structuring, storage, alteration, retrieval, use, erasure, or destruction, as defined under Section 2(n) of the DPDP Act, 2023.

"Consent": Voluntary, informed, specific, and clear affirmative action by the Data Principal, as defined under Section 2(d) of the DPDP Act, 2023.

"Legitimate Use": Processing of personal data for purposes other than with consent, as enumerated in Section 7 of the DPDP Act, 2023.

2. Data Fiduciary and Legal Framework

2.1 Data Fiduciary Designation: VAMY Properties Private Limited acts as the Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDP Act"). As the Data Fiduciary, we determine the means and purpose of processing your personal data. We exercise control over what personal data is collected and how it is processed.

2.2 Regulatory Framework: Our collection and processing of personal data is governed by the existing laws and regulations applicable in India.

2.3 Data Protection Officer: VAMY Properties Private Limited has appointed a Data Protection Officer (DPO) as required under the DPDP Act and Rules. The DPO is responsible for overseeing data protection compliance and serving as the primary point of contact for Data Principals regarding their rights and grievances. You may contact our DPO at report.renterfinder@gmail.com with the subject line "DATA PROTECTION OFFICER" for any data protection-related inquiries.

2.4 Consent Manager: Pursuant to Rule 4 of the Digital Personal Data Protection Rules, 2025, we maintain a Consent Manager that records and tracks all consents provided by Data Principals.

3. Personal Data Collected

3.1 Categories of Personal Data: We collect basic personal data from Data Principals to understand their requirements.

3.2 Mandatory vs. Optional Data: When registering on the Platform, certain fields are mandatory for account creation, while others are optional.

3.3 Data Not Required: We want to be clear that we do not require, and you should not voluntarily provide, the following sensitive information unless explicitly requested in compliance with applicable law: (a) passwords of any online accounts, (b) biometric data such as fingerprints or iris scans (c) health or medical information, (d) sexual orientation or gender identity (unless voluntarily disclosed and wish to share), (e) religion, caste or social category (unless voluntarily disclosed and wish to share).

4. Purpose of Collection and Processing

4.1 Specified Purposes: We collect and process your personal data for the following specified, lawful, and reasonable purposes:

• Account Management: To create and maintain your account on the Platform, enable login functionality, and manage account settings and preferences.
• Service Delivery: To provide the rental property listing and search services you have requested, including displaying relevant property listings, processing rental inquiries, and facilitating connections between landlords and renters.
• Identity Verification: To verify your identity and prevent fraudulent account creation, using government-issued identification (Aadhaar, etc.) where permitted and appropriate.
• Payment Processing: To process payments for Profile Listing Fees (₹125) and Platform Service Fees (12-day split billing), including collecting, verifying, and storing payment information securely through authorized payment gateway on portal.
• Communication: To send you transactional emails and SMS notifications regarding your account, property listings, inquiries, payments, and platform updates.
• Messaging and Chat Services: To facilitate secure messaging and chat functionality between landlords and renters on the Platform, enabling direct communication about properties and rental terms. Sharing each other's contact information on mutual consent through clicking the Deal button on the platform.
• Automated Safety Monitoring and Moderation: To employ artificial intelligence and machine learning-based automated tools to monitor, moderate, and filter communications and content for prohibited activities, including illegal content, spam, harassment, threats, or fraud, as detailed in Section 7 of this Policy.
• Fraud Prevention and Detection: To detect and prevent fraudulent transactions, unauthorized access, fake accounts, identity theft, and other security threats using both manual review and automated systems.
• Refer and Earn Program: To administer, track, and reward our Refer and Earn referral program, including tracking referrals, validating successful referrals, and processing associated benefits or payments.
• Analytics and Improvement: To analyze how users interact with the Platform, identify trends, improve our services, optimize user experience, conduct A/B testing, and develop new features.
• Compliance with Law: To comply with legal obligations, court orders, government requests, and regulatory requirements under applicable Indian laws.
• Grievance Redressal: To address complaints, disputes, and grievances from Data Principals and to investigate claims of misuse or breach of Platform policies.
• Taxation and Financial Reporting: To maintain records necessary for income tax, GST, and other financial compliance obligations under Indian law.
• Legal Defense: To defend our legal interests, enforce Platform policies, and protect the Platform against misuse, abuse, or unlawful activities.
• Security and Data Protection: To protect the security of personal data, prevent unauthorized access, and ensure the integrity and availability of Platform systems.
• Platform Safety and Integrity: To maintain a safe, secure, and trustworthy marketplace by monitoring for prohibited activities and enforcing our Terms of Service and this Privacy Policy.
• Perform automated content moderation on platform communications using AI-based systems to ensure user safety and enforce community guidelines and detect prohibited content as described in our Terms of Use.

4.2 Purposes We Do NOT Pursue: We commit that we will NOT use your personal data for: (a) selling your data to third parties for marketing purposes without your explicit consent; (b) profiling for lending or credit decisions without your knowledge; (c) automated individual decision-making that produces legal effects about you without human review; (d) discriminatory profiling based on protected characteristics; (e) surveillance or tracking beyond the purposes listed above.

5. Legal Basis and Legitimate Uses

5.1 Consent-Based Processing: For most personal data processing activities, we rely on your explicit consent, obtained pursuant to the consent framework described in Section 6 of this Policy. Consent is the primary legal basis for processing your personal data at RenterFinder.com.

5.2 Legitimate Uses under Section 7 of DPDP Act: In addition to consent-based processing, the DPDP Act, 2023 permits processing of personal data without requiring consent for certain "legitimate uses." We process your personal data for the following legitimate uses, as enumerated in Section 7 of the DPDP Act:

• Compliance with Law: We process personal data to the extent necessary to comply with any legal obligation, court order, or judgment of a competent court under Indian law. This includes complying with tax obligations, regulatory investigations, and law enforcement requests.
• Performance of Contract: We process personal data to the extent necessary to perform contractual obligations between you and the Platform, including collecting payment, delivering rental property listings, and enabling communication with other users.
• Protection of Safety and Interests: We process personal data to protect the vital interests and safety of Data Principals and other persons, including detecting and preventing fraud, abuse, and security breaches.
• Intermediary Obligations: We process personal data to fulfill our legal obligations as an intermediary under the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. This specifically includes content moderation, user verification, and maintaining records as required by law. The automated content moderation system described in Section 7 is conducted pursuant to this legitimate use.
• Public Interest: We may process personal data for purposes that serve a legitimate public interest, such as preventing illegal activities and protecting public safety.
• Data Fiduciary's Legitimate Interests: We may process personal data for our own legitimate business interests, including improving our Platform, protecting our intellectual property, and managing our business operations, provided such processing does not infringe on the rights and fundamental freedoms of Data Principals.

5.3 Automated Processing under Legitimate Use: Specifically, the automated content moderation and fraud detection system described in Section 7 of this Privacy Policy operates under both: (a) the Intermediary Guidelines legitimate use (obligation to moderate content and maintain safe marketplace); and (b) the Protection of Safety and Interests legitimate use (to prevent fraud and protect users). This processing does not require separate consent beyond the terms of service consent.

5.4 Lawful Processing Commitment: We commit that all processing of personal data will be conducted in accordance with the principles of lawfulness, fairness, transparency, storage limitation, purpose limitation, data minimization, and accuracy as enshrined in the DPDP Act, 2023.

6. Consent Framework

6.1 Consent Requirements under DPDP Rules 2025: Pursuant to Rule 4 of the Digital Personal Data Protection Rules, 2025, we obtain consent from Data Principals before processing personal data, except where processing occurs under legitimate uses as described in Section 5.

6.2 Form of Consent: Consent shall be obtained in the following manner:

• Explicit and Clear: Consent must be expressed through clear affirmative action, such as checking a checkbox, clicking an "I Agree" button, or actively requesting a service that requires data processing.
• Not by Default: We do not obtain consent through pre-ticked boxes or inaction. Silence, inactivity, or failure to object does not constitute consent.
• Written Form: Consent is preferably obtained in writing or through digital record-keeping systems that maintain an audit trail.
• Contemporaneous: Consent is obtained at or immediately before the point of data collection, except where the Data Principal has already consented to similar processing.
• Specific to Purpose: We do not use blanket consent forms. Instead, we obtain specific consent for different purposes, data categories, and processing activities where reasonably possible.

6.3 Consent Granularity: We obtain granular consent for different data processing activities, allowing you to consent to some types of processing while declining others. During registration and in your account settings, you will be presented with options to manage consent for:

• Contact information processing for account management
• Payment information processing for transaction execution
• Marketing communications and promotional emails (opt-in)
• Analytics and behavior tracking (opt-in)
• Refer and Earn program participation
• Location data collection and usage (where applicable)
• Third-party service provider sharing

6.4 Withdrawal of Consent: You have the right to withdraw consent at any time. You may deactivate your account yourself or by sending us a mail on report.renterfinder@gmail.com. Post deactivation, your data shall no longer be visible publicly on our platform.

7. AI-Powered Automated Moderation and Fraud Detection

7.1 Automated Systems in Use: RenterFinder.com employs advanced automated tools, including artificial intelligence and machine learning-based systems, to enhance Platform safety, security, and user experience. These systems are used for the following automated processing activities:

• Content Moderation: Automated scanning of user-generated messages, chat conversations, and property descriptions to identify and filter prohibited content including illegal content, hate speech, threats, harassment, sexually explicit material, spam, and platform policy violations.
• Identity Verification: Automated cross-referencing of submitted personal data with available databases and public records to prevent identity fraud and verify legitimacy of accounts.
• Safety Monitoring: Automated detection of potentially unsafe interactions, aggressive negotiation patterns, scams, and transactions that deviate from normal marketplace behavior.
• Abuse Pattern Recognition: Automated identification of users engaging in coordinated inauthentic behavior, platform manipulation, or systematic abuse of Platform policies.

7.2 Legal Basis for Automated Moderation: The use of automated tools for content moderation and safety monitoring is conducted under a legitimate use basis under the DPDP Act, 2023, specifically:

(a) Intermediary Obligations: RenterFinder.com is an online intermediary as defined under Section 2(1)(w) of the Information Technology Act, 2000. Under Section 79 of the IT Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, online intermediaries have a legal obligation to exercise "due diligence" and implement "appropriate measures" to prevent, identify, and remove unlawful content, including content that is:

• Threatening, abusive, or harassing in nature
• Related to child exploitation or abuse
• Defamatory or violating privacy or intellectual property
• Patently false or misleading in nature creating public panic
• Fraudulent or deceptive
• Otherwise unlawful or in violation of applicable laws

(b) Legitimate Use Under Section 7: Automated content moderation processing is conducted to:

• Comply with Legal Obligations: Compliance with our mandatory obligations under IT Act Section 79 and Intermediary Guidelines Rules 2021 constitutes a "legitimate use" under Section 7(1)(a) of the DPDP Act, 2023 (processing necessary to comply with law). We cannot avoid this obligation, and therefore automated moderation does not require separate additional consent beyond the terms of service.
• Protection of Safety: Automated fraud detection and abuse pattern recognition are conducted under Section 7(1)(c) of the DPDP Act to protect the vital interests and safety of Data Principals and other persons on the Platform.

7.3 No Separate Consent Required: Automated content moderation and fraud detection processing does NOT require separate consent from Data Principals beyond the basic terms of service agreement. This is because:

• Processing is mandated by applicable law (IT Act 2000 Section 79, Intermediary Guidelines 2021)
• Processing is a legitimate use under Section 7 of the DPDP Act, 2023
• Consent cannot be meaningfully withheld without preventing your use of the core Platform service
• The automated processing does not create a legal or financial obligation on you beyond our existing terms of service

However, we remain transparent about these automated systems through this Privacy Policy, and you retain all other rights described in Section 9.

7.4 Scope and Mechanics of Automated Processing: The automated moderation and fraud detection systems process the following data:

• Chat and messaging content — Real-time scanning for prohibited content; Content moderation, spam detection
• Property descriptions and images — Analysis for misleading or illegal listings; Fraud prevention, compliance
• Account creation metadata — Analysis of device, IP, and behavioral patterns; Bot detection, fake account prevention
• Transaction patterns — Anomaly detection in payment and refund patterns; Fraud detection, financial crime prevention
• User interaction patterns — Analysis of messaging frequency, contact patterns, behavior; Harassment and abuse detection, safety
• Identity verification data — Cross-reference checking and consistency analysis; Identity fraud prevention, verification

7.5 AI/ML System Transparency: We acknowledge that our automated moderation and fraud detection systems employ artificial intelligence and machine learning technologies. These systems:

• Are continuously trained and updated to improve accuracy and reduce false positives
• May occasionally result in false positives (legitimate content or activity flagged as violations) or false negatives (prohibited content not detected)
• Use pattern recognition, statistical analysis, and behavioral profiling to identify risks
• Are designed to identify patterns of abuse but cannot be 100% accurate
• Are subject to regular audits and quality reviews to minimize bias and errors

We do not disclose the specific names, versions, or proprietary details of AI/ML service providers used, as this information is business-critical and confidential.

7.6 Human Review and Appeals: While our automated systems perform initial filtering and detection, significant actions (account suspension, content removal, ban) may involve human review. Data Principals have the right to:

• Request explanation of automated moderation decisions through our grievance system (see Section 17)
• Appeal any action taken based on automated detection within 30 days
• Request human review of automated decisions that significantly impact your account or access to services

7.7 Disclaimer on Automated Moderation: RenterFinder.com and its Data Protection Officer provide no warranty, express or implied, regarding the accuracy, completeness, or effectiveness of automated moderation and fraud detection systems. The Platform is not liable for:

• Any content that passes through automated moderation filters and is not detected
• Any action taken by automated systems, including false positives (legitimate content flagged as violations)
• Delays in moderation resulting from system processing time
• False negatives (prohibited content that is not detected)
• Any consequential damages arising from content passing through or being incorrectly flagged by automated systems
• Any loss of data or service interruption due to moderation system processing

Users of the Platform acknowledge and accept that automated moderation is imperfect and use the Platform at their own risk regarding third-party content they may encounter.

8. Data Retention and Deletion

8.1 Retention Principles: We apply the principle of "storage limitation" as required under the DPDP Act, 2023. We retain personal data only for as long as necessary to serve the purposes for which it was collected, and thereafter in compliance with legal and regulatory obligations.

8.2 Specific Retention Periods:

• Active Account Data (name, email, phone): Duration of account + 6 months. Dispute resolution, user recovery, reactivation.
• Financial/Payment Records: 7 years post-transaction. GST compliance, income tax filing, audit requirements.
• Transaction Logs and Communication Records: 3 years post-deletion of account. Legal disputes, grievance resolution, contractual disputes.
• Aadhaar and Government ID Data: 1 year post-account closure or verification completion. Verification purposes, Aadhaar Act compliance.
• Chat/Messaging Content (with valid reason): 3 years post-deletion or conversation end. Dispute evidence, fraud investigation, grievance redressal.
• Cookies and Behavioral Tracking Data: 1 year post-generation (Cookie law compliance). Analytics, platform optimization, user experience.
• IP Logs and Technical Data: 1 year post-collection. Security, fraud prevention, system troubleshooting.
• Account Suspension/Abuse Records: 3 years post-action or permanent ban. Prevention of re-offending, account reopening risks.

8.3 Deactivation on Request: Subject to applicable legal obligations, we will deactivate profile within 7 days of receiving a valid deactivation request from a Data Principal, except for:

• Data required to be retained under applicable tax or financial laws (retained as long as required)
• Data relating to ongoing disputes or grievances (retained until resolution)
• Data needed for fraud prevention or ongoing investigations (retained during investigation period)
• Data subject to legal holds or court orders (retained as ordered)
• Encrypted or anonymized data (no personal privacy implications)

8.4 Account Deactivation: When you deactivate your account, we will:

• Deactivate your account within 7 days
• Remove your personal data from public display (listings, profile) immediately
• Retain limited data as per Section 8.2 for legal compliance
• Pseudonymize remaining data where possible

8.5 Data Backup and Archival: For business continuity and disaster recovery purposes, we may retain copies of personal data in backup systems for a period of 1-year post-deactivation. However, such backup data is not used for any active processing and is segregated from live systems.

8.6 Anonymization and Pseudonymization: After retention periods expire, we may further anonymize or pseudonymize data for analytics and research purposes where the anonymized data cannot re-identify you.

9. Your Rights as Data Principal

9.1 Rights Under DPDP Act, 2023: As a Data Principal, you have the following rights under the Digital Personal Data Protection Act, 2023. We have implemented systems to honor these rights, and you may exercise them by contacting our Data Protection Officer at report.renterfinder@gmail.com or through the grievance system described in Section 17.

9.2 Right to Access (Section 8 of DPDP Act): You have the right to obtain confirmation from us whether personal data relating to you is being processed. You have the right to request and obtain the following information:

• A copy of all personal data we hold about you in a structured, commonly-used, and machine-readable format (e.g., CSV, JSON)
• Clarification of the purposes for which your data is being processed
• The duration for which your data will be retained
• Information about the recipients with whom your data is being shared
• Confirmation of automated processing and profiling information
• Information about the source of data if not collected directly from you
• Any logic or reasoning used in automated decision-making affecting you

9.3 Right to Correction (Section 9 of DPDP Act): You have the right to request correction, completion, or updating of inaccurate, incomplete, or outdated personal data maintained by us. You may:

• Submit a correction request specifying the inaccurate data and the correct information
• Log in to your account and directly update most profile information
• Submit requests to report.renterfinder@gmail.com for data you cannot update directly

Data will be corrected /edited within 7 days

9.4 Right to Erasure (Section 10 of DPDP Act): Subject to legal obligations, you have the right to request erasure ("right to be forgotten") of your personal data in the following circumstances:

• Your data is no longer necessary for the purposes for which it was collected
• You withdraw consent and no other legal basis exists for processing
• You object to processing and we have no overriding legal basis to continue
• Your data has been processed unlawfully
• Your data must be erased to comply with a legal obligation

9.5 Right to Data Portability (Derived Right): While not explicitly mandated by the DPDP Act, we enable data portability by providing your personal data in machine-readable formats upon request. This allows you to:

• Obtain a copy of your data in CSV or JSON format
• Transfer your data to another platform or service provider
• Request data export for backup or archival purposes

9.6 Right to Know About Automated Processing (Section 8 of DPDP Act and This Policy): You have the right to obtain information about automated processing, including:

• Confirmation that automated processing is being applied to your data
• Meaningful information about the logic, significance, and consequences of automated processing
• Information about decisions made by automated systems that significantly affect you
• In case of automated decision-making, you have the right to human review and appeal (see Section 7.6)

9.7 Right to Nominate a Nominee (Section 11 of DPDP Act): You have the right to nominate another person to exercise your rights in case of death or incapacity. You may write to report.renterfinder@gmail.com in this regard.

9.8 Right to Grievance Redressal (Section 12 of DPDP Act): You have the right to file a grievance if you believe your rights have been violated or if you have a complaint about our data handling practices. Our grievance redressal mechanism is detailed in Section 17 of this Policy.

9.9 No Fee for Rights Exercise: We will not charge any fee for exercising your rights under this Section 9, except where permitted by law for repetitive or manifestly unfounded requests.

10. Cross-Border Data Transfer

10.1 General Policy on Data Transfer: RenterFinder.com processes the majority of user data within India and does not engage in routine cross-border data transfers. However, certain business-critical functions may require transfer of limited personal data to countries outside India.

10.2 Restricted Territories: Pursuant to Section 5 of the Digital Personal Data Protection Act, 2023, we do NOT transfer personal data to any country or region that the Government of India has declared as having inadequate data protection standards. Currently, this restriction applies to transfers to certain jurisdictions designated by the Ministry of Electronics and Information Technology (MeitY).

10.3 Permitted Cross-Border Transfers: We may transfer personal data to the countries which have adequate or approved data protection safeguards.

10.4 Data Transfer Mechanism: When cross-border transfers are necessary, we implement the following safeguards:

• Standard Contractual Clauses: We have executed Data Processing Agreements with international recipients incorporating Standard Contractual Clauses approved under Indian law
• Data Protection Obligations: Recipients must implement data protection standards substantially equivalent to Indian law standards
• Purpose Limitation: Recipients must use transferred data only for the specified purpose and must not re-transfer data without authorization
• Encryption: Data in transit is encrypted using industry-standard protocols (TLS 1.2 or higher)
• Legitimate Benefit: We only transfer data where the transfer provides legitimate benefit to the business or is necessary for service delivery

10.5 Specific Service Providers: The following types of service providers may receive cross-border data transfers (service provider names and countries will be disclosed upon request to the Data Protection Officer):

• Cloud infrastructure providers (for secure data storage and backup)
• Payment processing platforms (for international payment verification and fraud prevention)
• Analytics service providers (for website performance analytics)
• Cybersecurity and fraud detection vendors (for threat intelligence and prevention)

10.6 Right to Object to Cross-Border Transfer: You have the right to object to cross-border transfer of your personal data by written mail to us.

10.7 Regulatory Changes: We will continuously monitor changes to Government of India data localization requirements and restricted territory designations, and we will update our data transfer practices accordingly to remain in compliance.

11. Cookies and Tracking Technologies

11.1 Use of Cookies: RenterFinder.com uses cookies and similar tracking technologies on our Platform to enhance user experience, enable core functionality, and gather analytics. Cookies are small files stored on your device that contain minimal personal information.

11.2 Google Analytics: We use Google Analytics to understand how users interact with our Platform. Google Analytics collects data including:

• Device type and operating system
• Pages visited and time spent on pages
• Search queries and links clicked
• Geographic location (city-level)
• Traffic source (how you arrived at the Platform)

11.3 Other Tracking Technologies: In addition to cookies, we may use:

• Pixel Tags (Web Beacons): Small invisible images embedded in emails and web pages to track opens and clicks
• Local Storage and Session Storage: Browser-based storage for user preferences and session data
• Device Fingerprinting: For fraud detection and security purposes (limited scope, not for tracking)
• Mobile App Analytics: For users of our mobile application, analytics are collected through SDK integration

11.4 Do Not Track (DNT) Signals: If your browser sends a Do Not Track signal, we will honor this preference by limiting non-essential tracking. However, some essential functionality may require minimal data collection even with DNT enabled.

11.5 Cookie Policy Compliance: Our cookie usage complies with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the tracking/cookie notification requirements under applicable Indian law.

12. Children's Data Protection

12.1 Age Restriction: RenterFinder.com is intended for use by individuals 18 years of age and older. We do not knowingly collect personal data from children under 18 years of age without appropriate safeguards. However, for ease of students in India, we allow 14 years and older to fill the registration form smoothly as Renter. The student below 14 years age must have their parent's consent for registration on our portal.

12.2 Definition of Child Data: For purposes of this Policy and the DPDP Act, 2023, a "child" is a natural person under 18 years of age.

12.3 Safer Internet Practices for Children: We encourage parents and guardians to:

• Monitor their child's account activity and Platform interactions
• Educate children about online safety and responsible use
• Review this Privacy Policy with their child
• Regularly update account security settings and passwords
• Report inappropriate content or contact involving minors to report.renterfinder@gmail.com immediately

13. Aadhaar and Sensitive Personal Data

13.1 Limited Collection of Aadhaar: RenterFinder.com does not mandate Aadhaar collection but may request Aadhaar numbers from users for identity verification purposes where permitted and beneficial.

13.2 Aadhaar Act Compliance: Any collection and processing of Aadhaar data is conducted in strict compliance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, including:

• Aadhaar is collected only for legitimate identity verification and fraud prevention purposes
• No Aadhaar number is mandatory for basic Platform services
• Aadhaar is encrypted and stored securely with restricted access
• Aadhaar is not shared with third parties without explicit consent
• Aadhaar is retained only for 1 year post-verification completion
• The Platform is not eligible to be an "authorized entity" under the Aadhaar Act

13.3 Sensitive Personal Data Categories: We collect the following types of sensitive personal data:

• Financial Data: Bank account numbers, credit card numbers, UPI IDs, payment history
• Government Identifiers: Aadhaar, PAN, passport number, driving license number (where provided)
• Identity-Related Data: Verification records, identity documents (photographs), proof of address

13.4 Financial Data Handling: Financial data including bank details and payment information is collected and processed through certified payment gateways. We do not store complete credit card numbers or CVV codes (PCI DSS compliant tokenization only). All financial data is:

• Collected only at point of payment through secure, encrypted channels
• Processed by certified third-party payment processors
• Retained only for the duration of transactions plus 7 years for GST/income tax compliance
• Never sold or shared for marketing purposes

13.5 Health and Sensitive Personal Information: We do not collect health information, sexual preferences, or other highly sensitive personal information. If you voluntarily provide such information in messages or property descriptions, we treat it with maximum confidentiality and do not use it for profiling or decision-making.

13.6 User Responsibility: We recommend that Data Principals:

• Do NOT provide sensitive information unless specifically requested and verified as necessary
• Do NOT include banking details, passwords, or security codes in messages
• Do NOT photograph government documents and upload to the Platform unless asked
• Understand that sharing sensitive information in chat is done at your own risk

14. Data Breach Notification

14.1 Commitment to Data Security: RenterFinder.com implements comprehensive security measures to protect personal data from unauthorized access, loss, destruction, or misuse. However, we acknowledge that no system is completely immune to breaches. In the event of a data breach, we are committed to transparent and timely notification.

14.2 Data Breach Definition: A "data breach" for purposes of this Policy is any unauthorized access, disclosure, alteration, or destruction of personal data that poses a risk to the rights and freedoms of affected Data Principals, including:

• Unauthorized access to personal data servers or databases
• Theft of personal data storage devices or backups
• Interception of data in transit through hacking or man-in-the-middle attacks
• Ransomware attacks affecting stored personal data
• Insider threats or employee misconduct resulting in data exposure
• Leakage of personal data to unauthorized third parties
• Loss of data integrity through unauthorized modification

14.3 Breach Notification Timeline: Pursuant to Section 6 of the DPDP Act, 2023, in the event of a data breach involving personal data:

Within 72 Hours: We will notify the Data Protection Board of India (if the breach is significant) and affected Data Principals of the breach, including:

• Nature and scope of the breach
• Categories of data involved
• Number of affected Data Principals (where determinable)
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact information for further inquiries

Notifications to Data Principals: Breach notifications will be sent via email to the registered email address, SMS to the registered phone number, and posted on our website. For breaches affecting a large number of users, media announcements may also be made.

14.4 Breach Assessment Criteria: We will determine whether to notify all affected users or only those at heightened risk based on:

• The type of data compromised (sensitive data = higher threshold for notification)
• The number of users affected
• The likelihood of misuse by the unauthorized accessor
• Whether adequate safeguards were in place (encryption, etc.)
• Any evidence of actual misuse or attempted misuse

14.5 Investigation and Mitigation: Upon discovery of a breach, we will:

• Contain: Immediately isolate affected systems to prevent further unauthorized access
• Investigate: Conduct a prompt forensic investigation to determine scope and cause
• Remediate: Patch vulnerabilities and implement additional security controls
• Monitor: Conduct monitoring for evidence of breached data being used maliciously
• Report: Provide detailed breach reports to the Data Protection Board if required
• Prevent Recurrence: Implement measures to prevent similar breaches in the future

14.6 Communication with Affected Users: Notifications will include:

• Specific details about what data was compromised (without disclosing data of non-affected users)
• Recommended steps to protect themselves (e.g., change passwords, monitor for fraud)
• Free credit monitoring or identity theft protection services if sensitive financial data was compromised
• Contact information for the Data Protection Officer for questions

15. Third-Party Services and Links

15.1 Third-Party Service Providers: RenterFinder.com uses third-party service providers for certain business functions. These providers act as Data Processors under Section 2(j) of the DPDP Act and are bound by written Data Processing Agreements that require them to:

• Process personal data only on our instruction
• Implement appropriate security measures
• Not disclose personal data to third parties without authorization
• Assist with data subject rights requests
• Delete or return personal data upon contract termination
• Comply with all data protection laws

15.2 Categories of Third-Party Processors:

• Payment Processors: Companies like Razorpay, PayU, Stripe, handling payment transactions (PCI DSS certified)
• Cloud Infrastructure Providers: Companies providing secure hosting, backup, and disaster recovery services
• Customer Support Platforms: Zendesk, Freshdesk, or similar platforms hosting our support system
• Analytics Providers: Google Analytics, AI website, Hotjar, or similar analytics services
• Communication Services: Email service providers, SMS aggregators, notification services
• Fraud and Security Vendors: Third-party fraud detection, cybersecurity services
• Backup and Archival Services: Data backup, document storage, compliance archival

15.3 Data Sharing with Third Parties: We do NOT share personal data with third parties for their independent purposes without your explicit consent, except as required by law. Where we share data with third-party processors:

• Data is shared only to the extent necessary for the specified purpose
• Third parties are contractually bound to confidentiality and data protection obligations
• Third parties are required to use the data only for the purpose specified
• Third parties cannot re-share data without our authorization
• We remain accountable to you for third-party processing

15.4 Third-Party Links and Websites: The Platform may contain links to third-party websites (landlord portfolios, payment gateways, external property listing sites, etc.). This Privacy Policy applies only to the RenterFinder.com platform. Third-party websites have their own privacy policies and data handling practices. We are not responsible for:

• The privacy practices of linked websites
• The content or conduct on linked websites
• Data collected by linked websites
• Breaches or misuse of data on linked websites

We encourage you to review the privacy policies of any third-party website before providing personal data.

15.5 Affiliate and Partner Disclosures: RenterFinder.com may share anonymized or aggregated user data with affiliate partners for analytics purposes. We do not share personal data (individual identifiable information) with affiliates without explicit consent. Aggregated data, such as "5,000 users searched properties in Patna," is not considered personal data.

15.6 Legal Requests and Disclosure: We may be required to disclose personal data in response to lawful requests from courts, law enforcement agencies, or government bodies. We will:

• Require a valid legal process (court order, search warrant, subpoena) before disclosing data
• Notify affected Data Principals of legal requests where permitted by law
• Provide only the minimum data necessary to satisfy the legal requirement
• Document all legal requests and disclosures

We will not voluntarily disclose personal data to law enforcement without legal process except in emergencies involving imminent harm to persons.

16. Refer and Earn Program

16.1 Program Overview: RenterFinder.com operates a "Refer and Earn" program allowing all users to refer new landlords and renters to the Platform and earn referral bonuses or credits. This program involves processing of personal data of both referrers and referred users.

16.2 Data Collected for Referrals: For the Refer and Earn program, we collect:

• From Referrer: Account ID, referral code (generated unique identifier), date of referral, referral incentive details
• From Referred User: Name, email, phone, account creation details, referral source attribution

16.3 Purpose and Processing: Refer and Earn personal data is processed for:

• Tracking successful referrals and account creation attribution
• Validating referral eligibility (e.g., ensuring referred user creates genuine account)
• Calculating and issuing referral rewards/credits/cash bonuses
• Preventing referral fraud and manipulation
• Analytics on referral program effectiveness

16.4 Consent and Opt-In: Participation in the Refer and Earn program is optional. Users who wish to participate must:

• Provide explicit consent to referral program processing
• Agree to Platform terms for the referral program
• Accept that referral data will be retained and analyzed

Users may opt out of the referral program by disabling it in their account settings, though previously earned rewards will not be forfeited.

16.5 Third-Party Referral Sharing: We do not share referral data with external marketing partners or third parties without your explicit consent. Referral program analytics may be shared with our business partners in aggregated, anonymized form.

17. Grievance Redressal Mechanism

17.1 Grievance and Complaint Rights: Pursuant to Section 12 of the Digital Personal Data Protection Act, 2023, RenterFinder.com maintains a comprehensive grievance redressal mechanism for Data Principals to raise complaints regarding data protection, privacy violations, or breaches of this Privacy Policy.

17.2 Grievance Officer Appointment: We have appointed Aditya Shankar (Founder and Grievance Officer) as the designated Grievance Officer responsible for:

• Receiving and registering all privacy-related grievances
• Investigating complaints with impartiality
• Responding to grievances within statutory timeframes
• Documenting all grievances and resolutions
• Coordinating with the Data Protection Officer for complex cases

17.3 How to File a Grievance: You may file a grievance through multiple channels:

• Email: report.renterfinder@gmail.com (Subject: "PRIVACY GRIEVANCE" or "DATA PROTECTION COMPLAINT")
• In-App Complaint: Submit through Platform's Feedback section
• Written Mail: Send registered letter to VAMY Properties Private Limited, Telegraph Colony, Patna, Bihar, India
• Phone: Contact our support team for grievance assistance

17.4 Categories of Grievances: Our grievance redressal system addresses:

• Complaints regarding unauthorized data collection or processing
• Data accuracy disputes and correction requests
• Denial of Data Principal rights (access, deletion, portability, etc.)
• Disputes regarding consent and withdrawal
• Complaints about automated decision-making or profiling
• Data breach complaints
• Cross-border transfer complaints
• Children's data protection violations
• Third-party disclosure complaints
• Cookies and tracking technology complaints
• Any other data protection or privacy concern

17.5 Appeals and Escalation: If you are unsatisfied with the grievance resolution:

• You may file an appeal within 30 days of receiving our final response
• Appeals will be reviewed by a senior team member not involved in the original investigation
• Appeal decision will be provided within 30 days

18. IT Act 2000 and Intermediary Compliance

18.1 Intermediary Status: RenterFinder.com is an online intermediary as defined under Section 2(1)(w) of the Information Technology Act, 2000. We provide an intermediary service by enabling storage, transmission, or facilitation of information provided by users.

18.2 Section 79 Safe Harbour: We qualify for safe harbour provisions under Section 79 of the IT Act, which provides conditional immunity from liability for user-generated content posted on our Platform, provided we:

• Observe due diligence in implementation and execution of information security practices
• Do not knowingly host, publish, transmit, modify, or facilitate distribution of certain unlawful content
• Act "expeditiously" in removing or disabling access to problematic content upon notification
• Maintain reasonable security practices per SPDI Rules, 2011

18.3 Due Diligence Obligations: We comply with due diligence requirements including:

• Terms of Service: Clearly posted, comprehensive rules governing user conduct and prohibited content
• Privacy Policy: Clear disclosure of data practices (this document)
• Monitoring: Proactive and automated monitoring for prohibited content using AI and ML systems (see Section 7)
• User Verification: Identity verification measures proportionate to service risk level
• Grievance Mechanism: Effective process for addressing complaints (Section 17)
• Record Keeping: Maintaining logs and records as required by law

18.4 Prohibited Content Removal: We actively remove or disable access to user-generated content that violates law or our policies, including:

• Content related to child sexual abuse material (CSAM)
• Hate speech and content promoting discrimination or violence
• Defamatory or harassing content
• Content facilitating financial fraud or scams
• Content infringing intellectual property rights
• Sexually explicit or obscene content (except age-appropriate adult content in specified contexts)
• Threat of violence or terrorism-related content
• Misleading health or safety information
• Content violating platform policies or laws

18.5 Takedown and Restore Notice Procedures: We comply with takedown and restore procedures under the IT Act:

• Notice Acceptance: We accept notice of illegal content via email, formal letter, or court order
• Content Assessment: We assess whether content is actually illegal within 5-7 business days
• Removal Decision: We remove content we determine to be illegal and notify the user
• User Appeal: Users can appeal removal by providing counter-notice explaining legality
• Restore Process: Content may be restored if we determine the counter-notice is valid and content is legal
• Reinstatement: We provide written explanation if content is not restored following counter-notice

18.6 Compliance with Intermediary Guidelines 2021: We comply with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, including:

• Contact Information: Maintaining up-to-date contact information of Grievance Officer and compliance officer
• Privacy Policy and Terms: Displaying clear, comprehensive policies
• User Reporting Mechanism: Enabling users to report illegal content and grievances
• Automated Tools: Deploying automated tools for content moderation (Section 7 of this Policy)
• Response Timeline: Responding to complaints within prescribed timeframes
• Content Moderation Transparency: Providing transparency in content moderation decisions
• Traceability of Originator: Maintaining user identification for law enforcement coordination

18.7 Compliance with 2026 Amendment Rules on AI-Generated Content: We comply with the 2026 amendments to Intermediary Guidelines regarding AI-generated and deepfake content:

• Automated detection and labeling of AI-generated content where technically feasible
• Removal of non-consensual deepfake content depicting real persons without authorization
• Disclosure of AI-generated content in property listings or user profiles
• Monitoring for AI-facilitated fraud and manipulated content

18.8 User Accountability and Liability: While Section 79 provides intermediary immunity, users remain fully accountable for:

• Content they generate and post on the Platform
• Violation of others' privacy, intellectual property, or legal rights through their content
• Any criminal liability for content they create or share
• Civil liability for defamation, harassment, fraud, or other torts

18.9 Law Enforcement Cooperation: We cooperate with law enforcement agencies, courts, and regulatory bodies by:

• Providing user identification information upon valid legal process
• Preserving evidence of unlawful activity upon law enforcement request
• Disclosing transaction records and communication logs as required by law
• Complying with court orders and search warrants
• Reporting certain illegal activities (child exploitation, terrorism) proactively

19. Changes to This Privacy Policy

19.1 Amendment and Update Process: RenterFinder.com may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will make reasonable efforts to notify Data Principals of material changes.

19.2 Notification of Changes: Material changes to this Privacy Policy will be communicated through:

• Prominent notice on the Platform homepage
• In-app notification for mobile app users
• Updated "Last Updated" date prominently displayed at top of Policy

19.3 Consent for Changes: Your continued use of the Platform after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with material changes, you have the right to:

• Request clarification about the changes
• Withdraw specific consents affected by the changes
• Deactivate your account
• File a grievance regarding the changes

19.4 Version Control: We maintain version history of Privacy Policy changes.

20. Governing Law and Jurisdiction

20.1 Governing Law: This Privacy Policy is governed by and interpreted in accordance with the laws of the State of Bihar, India, without regard to its conflict of law principles. The Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and all other applicable Indian laws constitute the legal framework.

20.2 Exclusive Jurisdiction: You irrevocably agree that the courts of Patna, Bihar, India have exclusive jurisdiction to hear and determine any dispute, complaint, or claim arising out of or related to this Privacy Policy or its interpretation. You waive any objection based on inconvenient forum or absence of personal jurisdiction.

20.3 Dispute Resolution: Before initiating legal proceedings, we encourage Data Principals to first utilize our Grievance Redressal Mechanism (Section 17). Many disputes can be resolved through good-faith negotiation and grievance processes.

21. Contact Information

21.1 Data Fiduciary Contact:

• Company: VAMY Properties Private Limited
• Headquarters: Telegraph Colony, Patna, Bihar, India
• General Contact: info.renterfinder@gmail.com
• Grievances/Privacy: report.renterfinder@gmail.com
• Founder and Grievance Officer: Aditya Shankar

21.2 Data Protection Officer Contact:

• Title: Data Protection Officer, VAMY Properties Private Limited
• Email: report.renterfinder@gmail.com (mark email "DATA PROTECTION OFFICER" in subject)
• Response Time: Within 15 days
• Jurisdiction: India-based, subject to DPDP Act and Indian law