Privacy Policy

Account & Identity Information

When you register on PGBuddies, we collect your mobile number (used for OTP-based authentication), full name, email address, and profile photo. PG tenants may additionally be required to submit a government-issued photo ID (Aadhaar, PAN, Passport, or Voter ID) for identity verification at the time of check-in, as required by applicable law.

Booking & Transaction Data

We collect records of your booking history, room preferences, visit schedules, and payment receipts. Payment processing is handled exclusively by Razorpay — we do not store your card numbers, UPI handles, or net-banking credentials on our servers.

Property & Listing Data (Owners)

PG owners and business partners submit property details, photos, floor plans, pricing, amenity information, and ownership/rental documents. This data is used to display verified listings to prospective tenants.

Usage & Device Data

We automatically collect device type, browser, operating system, IP address, pages visited, session duration, and interaction events. This telemetry helps us debug issues, improve performance, and understand platform usage.

Location Data

We collect city and locality preferences you provide when searching for PGs. We do not collect precise GPS coordinates without your explicit consent.

Support & Communication Data

When you raise a support ticket, send us an email, or contact us through any channel, we retain the content of that communication along with metadata (timestamp, contact details) for resolution and audit purposes.

Service Delivery

We use your data to create and manage your account, process bookings, send booking confirmations and receipts, enable communication between tenants and PG owners, and provide customer support.

Verification & Trust

Identity documents are reviewed to ensure the safety of all platform participants. Listing documents are audited before a property goes live. We use this data solely to maintain platform integrity.

Product Improvement

Aggregated and anonymised usage data is analysed to improve features, detect bugs, personalise search results, and develop new services such as Tiffin, Gyms, Cafes, and Laundry verticals.

Communications

We may send transactional SMS/WhatsApp messages (OTPs, booking updates, payment confirmations) and, with your consent, promotional notifications about new features or offers. You may opt out of promotional communications at any time.

Legal & Compliance

We process data as required to comply with the Information Technology Act 2000, DPDP Act 2023, and any other applicable Indian law, regulation, or court order.

PG Owners & Partners

When you make a booking or submit an inquiry, we share your name, contact number, and booking details with the relevant PG owner or business partner strictly to fulfil the service. Owners are bound by contractual confidentiality obligations and may not use your data for any other purpose.

Payment Processors

Payments are processed by Razorpay (a PCI-DSS-compliant gateway). Your financial data is governed by Razorpay's privacy policy and is not accessible to PGBuddies employees.

Analytics & Infrastructure

We use Vercel (hosting), Supabase (database), Google Analytics (usage analytics), and Firebase (authentication). Each provider is bound by data-processing agreements and applicable privacy laws. None of these providers may sell your data.

SMS & Notification Services

OTPs and alerts are sent via Twilio or 2Factor. Only your phone number and message content are shared for this purpose.

No Data Brokerage

We do not sell, rent, or trade your personal information to any third party for marketing or any other commercial purpose. Ever.

Legal Disclosure

We may disclose data to law-enforcement authorities, courts, or government agencies when required by a valid legal order and only to the extent legally compelled.

Encryption

All data transmitted between your browser/app and our servers is encrypted using TLS 1.2+. Data at rest in our database is encrypted using AES-256.

Access Controls

Personal data and identity documents are stored in access-controlled environments. Only authorised personnel with a legitimate business need can access raw identity documents, and all such accesses are logged and audited.

Security Headers

Our platform enforces strict Content Security Policy (CSP), HSTS, X-Frame-Options, and other security headers to protect against XSS, clickjacking, and injection attacks.

Incident Response

In the event of a data breach that materially affects your personal data, we will notify you within 72 hours of becoming aware of it, in line with our legal obligations.

Active Accounts

We retain your personal data for as long as your account is active or as needed to provide services to you.

After Account Deletion

Upon account deletion, we anonymise or delete personal data within 30 days, except where we are legally required to retain certain records (e.g., financial transactions must be retained for 7 years under Indian tax law).

Identity Documents

Identity documents submitted for verification are deleted or de-linked within 90 days of verification completion, unless longer retention is mandated by law.

Access

You may request a copy of the personal data we hold about you at any time by writing to privacy@pgbuddies.com.

Correction

You may update incorrect or incomplete personal information directly in your account settings, or request a correction via our support team.

Deletion (Right to be Forgotten)

You may request deletion of your account and associated personal data. We will process such requests within 30 days, subject to legal retention obligations.

Portability

You may request an export of your personal data in a machine-readable format (JSON/CSV).

Withdraw Consent

Where processing is based on your consent (e.g., marketing messages), you may withdraw consent at any time without affecting the lawfulness of prior processing.

Grievance Redressal

For any privacy-related grievance, you may contact our Grievance Officer at privacy@pgbuddies.com. We will acknowledge your complaint within 48 hours and resolve it within 30 days.

Essential Cookies

We use session cookies to keep you logged in and to protect against CSRF attacks. These are strictly necessary and cannot be disabled.

Analytics Cookies

With your consent, we use Google Analytics cookies to understand how users interact with our platform. You may opt out by refusing non-essential cookies or using a browser extension such as Google Analytics Opt-out.

No Third-Party Ad Tracking

We do not currently use cookies for behavioural advertising or sell cookie data to ad networks.

Age Restriction

PGBuddies is intended for users who are 18 years of age or older. We do not knowingly collect personal information from minors under 18. If we discover that a minor has registered, we will delete the account and associated data promptly.

Notification

We may update this Privacy Policy periodically. For material changes, we will notify you via the email or phone number on your account at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the revised policy.