Privacy Policy

1. Introduction and Scope

Property Wall is an Indian real-estate technology platform that connects property owners, buyers, renters, and a curated network of verified service providers within a single, secure digital marketplace. The platform enables users to list, discover, and enquire about a wide spectrum of property asset classes, including agricultural land, residential flats, apartments, independent houses, and rental units across various BHK configurations. Property Wall serves as a pure technology intermediary: it provides the digital infrastructure for listing, discovery, and service coordination, but does not itself act as a real-estate agent, broker, franchisor, or a party to any purchase, rental, or service transaction that arises through its use.

The platform is accessed and used by a diverse population of participants. Property Users are individuals and entities who list properties for sale or rent or who search for properties to buy or rent. Field Managers are vetted local representatives who coordinate property-related services within declared geographic service zones defined by PIN code and taluk. Engineers are qualified technical professionals who offer inspection, assessment, and structural services to property users. Mediators act as intermediaries who facilitate negotiations and introductions between buyers, sellers, landlords, and tenants. Area Managers are regional network supervisors who sponsor and oversee the work of Field Managers within their assigned territory. Administrators manage the platform’s operations, review property listing submissions, approve or reject content, verify service-provider credentials, and maintain the integrity of the marketplace.

This Privacy Policy is a legally binding instrument that sets out the terms on which Property Wall collects, processes, stores, shares, and safeguards personal data arising from the operation of the platform. It applies universally to every person who accesses Property Wall in any capacity — whether through the web application, any associated mobile interface, or the platform’s API — regardless of whether they have registered an account. By accessing the platform, registering an account, submitting a property listing, completing a service-provider registration form, using a referral code, or using any feature of the platform, you confirm that you have read and understood this Privacy Policy in its entirety and that you freely consent to the data practices described herein. If you do not agree with this Privacy Policy, you must discontinue your use of Property Wall immediately and refrain from submitting any personal data to the platform.

This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), India’s primary statute governing the processing of digital personal data. It is additionally designed to reflect the core principles of the EU General Data Protection Regulation (GDPR) for users who access Property Wall from within the European Economic Area or from other jurisdictions that impose data protection standards comparable to or higher than those required by the DPDP Act. Where applicable law in your jurisdiction mandates standards that exceed those described in this policy, we commit to meeting those higher standards with respect to the processing of your personal data. The most current version of this policy is always available at this URL and is identified by the version number and date displayed at the top of the page.

2. Information We Collect

Property Wall collects personal data that is necessary and proportionate to the specific purpose for which it is collected. The categories of personal data we process are determined principally by two factors: the role you hold on the platform and the features you use. We do not collect personal data beyond what is described in this section, and we do not currently collect or process financial payment information, credit card numbers, or debit card details, as the platform does not directly process monetary transactions between buyers and sellers. The following sub-sections set out each category of personal data we collect and the primary reason for its collection.

2.1 Account Registration and Identity Data

When any user — regardless of role — creates an account on Property Wall, we collect the information that is essential to establishing, authenticating, and managing that account. Your full legal name is collected to identify you within the platform, to attribute your submissions and activities to your account, and to display your identity where relevant within the platform interface. Your email address functions as your unique login identifier and is the primary channel through which Property Wall communicates with you for account-related events, including property listing approvals or rejections, platform policy updates, notifications generated by the platform’s notification service, and password reset instructions. Your password is accepted at the point of registration but is never stored in its original form: it is immediately processed through the bcrypt cryptographic hashing algorithm with a computational work factor of ten before being written to the database, making the original password irrecoverable from the stored value even in the event of an unauthorised database access.

An optional mobile phone number is collected and, for property users, may be displayed on published listings as a contact channel for prospective buyers or renters. An optional profile photograph may be uploaded and is stored in cloud object storage. Every account is assigned a role designation — one of user, field_manager, engineer, mediator, area_manager, or admin — which is the single most important determinant of what data the account can access and what actions it may perform across the platform. The account’s current status — active, pending, or blocked — is maintained and updated throughout the account lifecycle. For security and audit purposes, the date and time of each successful authentication event is recorded as the last-login timestamp.

2.2 Property Listing Data

When a user submits a property for consideration on the platform, we collect the full set of information required to accurately represent the asset and to make it discoverable through the platform’s search and filtering functionality. This includes the property title and a comprehensive description of the property. The property type must be declared as one of Residential, Commercial, Land, or Agricultural. Within the residential category, the platform supports flats, apartments, independent houses, and BHK-configuration rental units; agricultural land constitutes its own distinct category. The listing purpose — whether the property is offered for sale or for rent — is captured, along with a category sub-classification that further specifies the nature of the asset. Integer values capturing the number of bedrooms, bathrooms, balconies, garages, and floors in the building, as well as the specific floor level of the unit, are collected. The living area and, where applicable, the plot area, expressed in square feet, are mandatory fields.

The asking price in Indian Rupees, together with an optional price-per-square-foot figure, is recorded. The furnishing status — furnished, semi-furnished, or unfurnished — and a declaration of available amenities are also collected. For location, we store the full street address, city, state, PIN code, taluk, and region, along with an optional landmark and, where provided, GPS coordinates (latitude and longitude) to support map-based property discovery. The listing also carries the property owner’s contact name, phone number, and an optional email address as entered by the listing user; these contact details are visible to authenticated users who view the listing. One or more property photographs are uploaded and stored in cloud object storage. Each listing is assigned an approval status of pending, approved, or rejected. Where a listing is rejected, the reviewing administrator’s stated reason is stored against the listing record. Approved listings record the database identifier of the approving administrator and the precise timestamp of approval. A URL-friendly SEO slug and an incremental view counter are maintained for each listing.

It is important to note that every property listing submitted to Property Wall enters the system with an approval status of pending and is not visible to the public, to other users, or to Field Managers until a platform Administrator has reviewed the submission and approved it. This moderation workflow is a fundamental feature of the platform and is designed to ensure the accuracy and legitimacy of the listings marketplace. The data captured during this workflow — including the approval or rejection decision, the relevant administrator’s identity, and the decision timestamp — is retained for audit and quality-assurance purposes.

2.3 Field Manager Registration Data

Field Managers register through the platform’s dedicated service-provider onboarding workflow and are required to provide substantially more personal and professional information than standard property users, because Field Managers operate as vetted local representatives who access property listing data and property owner contact information within their declared service areas. Beyond the standard account fields described in Section 2.1, Field Managers provide personal biographical data including the name of their father or spouse, date of birth, age, and gender. For identity verification purposes, we collect the PAN card number as a government-issued identifier. This is treated under heightened access restrictions as described in Section 6 of this policy and is not displayed to any user other than platform Administrators.

Field Managers are further required to provide complete nominee information — including the nominee’s full name, their relationship to the Field Manager, and their age — for account succession and benefit-processing purposes. Complete bank account details are collected to enable the processing of any reward or commission payments; these include the bank name, account number, branch name, and IFSC code. Scanned images of the Field Manager’s bank passbook and a cancelled cheque are uploaded and stored in cloud object storage to verify the authenticity of the stated bank account. The taluk and PIN code(s) constituting the Field Manager’s declared service area are critical operational data points used by the platform to route incoming property enquiries to the geographically appropriate Field Manager. Where the registration of a Field Manager was facilitated by another registered user through the platform’s referral system, the referring user’s database identifier and name are recorded against the Field Manager’s account.

2.4 Engineer Registration Data

Engineers register as independent professional service providers whose technical expertise supports property users with inspections, assessments, and structural evaluations. In addition to the biographical and identity data shared with Field Managers — including PAN number, date of birth, age, and gender — Engineers provide professional and firm data. This includes the registered company or firm name, the firm’s legal type (such as sole proprietorship, partnership, or private limited company), and the year in which the firm was established. The firm’s complete business address, including PIN code and taluk of primary operation, is recorded. A valid GST registration number and a professional licence or accreditation reference are both required to validate the Engineer’s professional standing before the account is reviewed and activated by an Administrator. An office reference number and any supplementary professional details voluntarily provided during onboarding are also stored against the Engineer’s account record.

The collection of GST registration and professional licence data from Engineers serves a specific purpose: it enables the platform’s Administrators to confirm that every Engineer listed on Property Wall operates as a legitimately constituted professional firm and holds the credentials required to render the specialised services they offer. This verification step is not merely procedural — it is designed to protect property users from engaging with unqualified or fraudulently presenting service providers, and to maintain the professional integrity of the platform’s service-provider network.

2.5 Referral and Sponsorship Network Data

Property Wall operates a structured referral and sponsorship network that enables existing platform participants to introduce new users to the platform and through which Area Managers may formally sponsor Field Managers within their geographic region. Each registered account is assigned a unique referral code at the time of account creation. When a new user registers using an existing referral code, a referral record is created that links the referring user’s database identifier to the newly registered user’s identifier, stores the specific referral code used, records the current referral status (pending, active, completed, or expired), and captures the reward amount associated with the referral if applicable. The system enforces, at the database level, that each user account may appear as a referred user only once, preventing the same individual from being counted as a new referral more than once.

Sponsorship records capture the formal relationship between an Area Manager and the Field Managers they elect to sponsor within their assigned region. Each record stores the sponsoring Area Manager’s identifier, the sponsored Field Manager’s identifier, the sponsorship type, the start date, any applicable end date, and the current sponsorship status. These records are used to manage the operational hierarchy of the platform’s service-provider network, to attribute network growth to the correct Area Manager, and to determine the scope of supervisory responsibility that Area Managers bear in respect of the Field Managers within their network.

2.6 Technical, Device, and Session Data

When you access Property Wall, certain technical data is automatically collected by the platform’s servers as a standard aspect of operating an internet-based service. This includes your IP address, from which a general geographic location at the city or regional level may be inferred for security, fraud-prevention, and abuse-detection purposes. We record your browser type and version, your device’s operating system, and the broad category of device you are using (mobile, tablet, or desktop). Aggregate and anonymised behavioural data — such as which pages you visit, which search filters you apply, and which property categories you browse — is recorded to support ongoing platform improvement and is analysed only in aggregate form, never in a way that identifies or profiles any individual user.

When you authenticate successfully, the platform issues a JSON Web Token (JWT) whose payload encodes your user identifier, email address, and role designation. This token is signed using the HS256 algorithm with a server-side secret key and has a fixed validity period of seven days. The token is stored in your browser’s localStorage under the key token and is transmitted as a Bearer token in the Authorization header of each subsequent authenticated API request. A serialised snapshot of your user account object is also stored in localStorage under the key user to improve interface rendering efficiency by eliminating the need for an additional round-trip API call on each page load; this data mirrors information already held on the server and is refreshed on every successful login. Your interface theme preference (light or dark mode) is persisted locally by the application’s theming library. None of these locally stored values are shared with, or accessible to, any third party.

3. How We Use Your Information

Every category of personal data described in Section 2 is collected and used exclusively for the specific, legitimate purposes set out in this section. Property Wall does not use personal data for purposes beyond those described here without first obtaining your explicit consent or establishing an independent lawful basis for the additional processing. The following paragraphs explain the primary purpose of each significant data-processing activity carried out by the platform.

Account creation and authentication. Your name, email address, hashed password, role designation, and account status are used to establish your account on the platform, to verify your identity during the authentication process, to issue and validate JSON Web Tokens that authorise your API requests, and to manage your session and access level throughout your use of the platform. The last-login timestamp is updated on each successful login for security auditing and to detect potentially anomalous access patterns.

Property listing management and the approval workflow. All property data submitted by a user is stored and processed to support the full lifecycle of a property listing — from the initial submission through administrator review and approval or rejection, to public display, search indexing, and eventual removal. Every new listing is created with an approval status of pending and is entirely invisible to the public until a platform Administrator has affirmatively approved it. The approval or rejection decision, the Administrator’s identifier, the precise decision timestamp, and any stated reason for rejection are all stored as part of the listing record to maintain a complete, transparent, and auditable moderation trail.

Geographic service routing for Field Managers. The PIN code and taluk fields maintained on both property listings and Field Manager accounts are the primary operational data points that enable the platform to match a listed property with the geographically appropriate Field Manager for that zone. This matching process is a fundamental element of the platform’s service-delivery model: without accurate location data on both listings and Field Manager service areas, the platform cannot route enquiries to the right local representative, undermining its core value proposition for property users.

Identity and credentials verification for service providers. The PAN numbers, GST registration details, professional licence references, bank passbook images, and cancelled cheque images collected from Field Managers and Engineers are used exclusively to verify the identity of the individual or firm and the legitimacy of their professional credentials before the account is activated by an Administrator. This verification process protects property users from engaging with fraudulent or unqualified service providers and is a non-negotiable element of the platform’s quality-assurance framework. These sensitive data fields are accessible only to Administrators and are not used for any other purpose.

Platform notifications. Your email address and in-platform user identifier are used by the platform’s notification service to send you notifications when events relevant to your account occur. These include, without limitation: changes to the approval status of a property listing you have submitted; confirmation that a user you referred has successfully joined the platform; account status changes affecting your access level; and the delivery of a password reset link when requested. Notifications are generated by the platform’s internal notification service, stored in the database for in-platform display, and may also be sent to your registered email address.

Referral and sponsorship network management. Referral codes, referral records, and sponsorship records are used to track and attribute the organic growth of the platform’s service-provider network, to credit the correct user when a new participant registers through their referral code, and to calculate and administer any reward or recognition associated with successful referral or sponsorship relationships.

Platform security and fraud prevention. IP addresses, device and browser data, login timestamps, account status records, and the outputs of the role-based access control system are collectively used to detect and respond to unusual access patterns, attempted privilege escalation, duplicate account creation, fraudulent property listings, referral-system abuse, and other forms of platform misuse. These security measures protect both individual users and the overall integrity of the marketplace.

Platform improvement through anonymised analytics. Aggregated and fully anonymised behavioural data — for example, data indicating which property categories generate the highest view counts, which search filters are applied most frequently, or which stages of the listing submission workflow experience the highest abandonment rates — may be analysed by Property Wall’s product and engineering teams to inform improvements to the platform’s design, functionality, and performance. No individual user is identified in this analysis, and the resulting insights are used solely for the purpose of improving the platform for all users.

4. Data Ownership and Role-Based Access Control

Property Wall recognises a clear and important distinction between data that users own and data that the platform processes on their behalf. You retain full ownership of all original content you submit to the platform, including property listing text, descriptions, photographs, and the professional credentials and documents you submit during service-provider registration. By submitting this content, you grant Property Wall a non-exclusive, royalty-free, worldwide licence to store, display, and make available that content for the sole purpose of operating the platform as described in our Terms & Conditions. This licence terminates when you permanently delete the relevant content or close your account, subject to the data retention obligations set out in Section 7.

With respect to your personal data, Property Wall acts as the data controller within the meaning of the DPDP Act, 2023 and, where applicable, the GDPR. As data controller, we determine the purposes and the means of processing your personal data, and we bear primary responsibility for ensuring that all processing is carried out on a lawful basis, is conducted fairly and transparently, and is limited to what is necessary for the stated purpose. Where we engage third-party service providers to process data on our behalf, those providers act as data processors under written agreements that restrict their use of your data to the specific purpose for which it was shared.

Access to personal data within the platform is governed by a strict, role-based access control (RBAC) system implemented at the API middleware layer. Administrators hold the highest level of data access and can view all user account records, all property listing submissions in any approval state, and all service-provider registration data including sensitive identity and financial documents. This elevated access exists solely to support platform governance functions. Area Managers can view the accounts and activity data of the Field Managers and Mediators within the network they supervise, but are prohibited from accessing the personal data of standard property users or of service providers outside their network. Field Managers have read access to the details of property listings and to the publicly declared contact information of listing owners, but only for properties that fall within their declared service zone. They cannot access data for listings outside their PIN code and taluk designation. Engineers and Mediators can view platform listings that are relevant to their specific service engagements but do not have access to the personal registration details or financial information of other users. Standard property users can view only their own profile information and the listings they have personally submitted. Any API request that attempts to access data outside the scope permitted by the requesting user’s role is rejected with an HTTP 403 Forbidden response by the platform’s role-guard middleware before any data is read or returned.

5. Data Sharing and Third-Party Disclosures

Property Wall does not sell, rent, barter, auction, or otherwise transfer your personal data to third parties for any commercial benefit. We do not share your personal data with advertising networks, data brokers, market research firms, or any other entity whose business purpose involves the commercial exploitation of personal data. Your data is shared with third parties only in the limited circumstances described in this section, each of which is strictly necessary for the lawful and effective operation of the platform.

Internal sharing with platform Administrators. All property listing submissions — including those in pending, approved, and rejected states — and all service-provider registration data are accessible to platform Administrators. Administrators require this access to perform their governance functions: reviewing and acting upon listing submissions, verifying service-provider credentials, investigating reports of fraudulent or misleading content, and managing the overall quality and integrity of the marketplace. Administrators are contractually bound by data handling obligations and may not use data accessed through their administrative role for any personal, commercial, or unauthorised purpose.

Disclosure to Field Managers for service delivery. When a property listing is approved and published, and where the listing’s PIN code and taluk correspond to the declared service area of a registered Field Manager, that Field Manager will gain access to the listing’s details and to the property owner’s publicly listed contact information (name and phone number) as entered at the time of submission. This disclosure is necessary and proportionate: it enables the Field Manager to fulfil their service obligation to the property owner within their designated zone. Field Managers cannot access listing data or owner contact information for properties that fall outside their declared service area.

Disclosure to Area Managers for network supervision. Area Managers have access to the profile information and activity data of the Field Managers and Mediators whom they personally sponsor within their regional network. This access is necessary to enable Area Managers to fulfil their supervisory responsibilities, provide operational support to Field Managers, and ensure the quality and compliance of their network’s activities. Area Managers are explicitly prohibited from accessing the personal data of standard property users or the financial details of service providers outside their network.

Disclosure to cloud infrastructure sub-processors. Operating Property Wall at scale requires the use of third-party cloud services that, as a necessary consequence of their function, will process some of your personal data. Our cloud hosting provider handles HTTP request routing and server-side processing; our database provider (such as MongoDB Atlas) stores all structured platform data; and our cloud object storage provider (such as AWS S3 or a compatible service) stores property photographs, passbook scans, and cheque images. Each of these providers is engaged as a data processor under a formal data processing agreement that restricts their use of your data to the specific operational purpose for which it is shared and prohibits any independent processing, commercial use, or onward transfer of your data.

Legal and regulatory disclosure. In certain circumstances, Property Wall may be legally compelled to disclose personal data to competent government authorities, law enforcement agencies, regulatory bodies, or courts of competent jurisdiction in India. Any such disclosure will be limited to the specific, minimum data requested, will be made only where we are legally required to comply and cannot lawfully refuse, and will be conducted in a manner that limits the exposure of data to the extent possible. Where permitted by applicable law, we will notify any affected user of such a disclosure before it is made, to allow them to seek appropriate legal protection if they wish to do so.

6. Data Security Practices

Property Wall has implemented a layered architecture of technical and organisational security controls designed to protect personal data against unauthorised access, unlawful disclosure, accidental alteration, and inadvertent destruction. We recognise that no digital system can achieve absolute security, but the measures described in this section represent our current security posture and are reviewed and updated on an ongoing basis as threats, technologies, and best practices evolve.

Password protection through cryptographic hashing. User passwords are never stored in their original, readable form at any point in the platform’s operation. When a password is submitted — whether at registration, during a password change, or in connection with a password reset — it is immediately passed through the bcrypt cryptographic hashing function with a computational work factor of ten before any write operation is performed against the database. Bcrypt is a deliberately slow, adaptive hashing function designed to remain computationally expensive even as hardware capabilities improve, making it highly resistant to brute-force and dictionary attack attempts. As a result, even if the underlying database were to be accessed without authorisation, the raw passwords of platform users could not be recovered from the stored hash values. Password reset tokens generated by the platform are similarly hashed before storage.

Stateless authentication through JSON Web Tokens. Upon successful login, the platform’s authentication service issues a JSON Web Token signed using the HMAC-SHA256 (HS256) algorithm with a server-side secret key that is never exposed to the client. The token’s payload carries only the minimum necessary claims: the user’s database identifier, email address, and role. The token carries a fixed server-enforced validity period of seven days, after which it becomes invalid and the user must re-authenticate. Every API request to a protected endpoint is validated by middleware that verifies the token’s cryptographic signature, confirms that it has not expired, and extracts the user’s identity and role. Any request that presents a missing, malformed, tampered-with, or expired token receives an HTTP 401 Unauthorized response and is rejected without processing.

Role-based access control at the API layer. A second layer of protection operates immediately after successful authentication. Before any request reaches its handler logic, a dedicated role-guard middleware layer verifies that the authenticated user’s role is among those explicitly permitted to access the requested endpoint and resource. The platform defines a strict hierarchy of roles, and each protected API endpoint declares the minimum role level required for access. Any request received from a user whose role falls below the required threshold receives an HTTP 403 Forbidden response and is rejected without any data being read or returned. This system prevents privilege escalation, protects sensitive administrator-only resources from less-privileged users, and ensures that the data access principles described in Section 4 are enforced programmatically rather than relying solely on procedural controls.

Encrypted data transmission using TLS. All data exchanged between user browsers, mobile clients, and the Property Wall servers — including login credentials, authentication tokens, property submission payloads, and API responses containing personal data — is transmitted exclusively over connections encrypted using HTTPS with Transport Layer Security (TLS). Connections over unencrypted HTTP are not supported. This ensures that data in transit cannot be intercepted, read, or tampered with by any party positioned between the client and the server.

Restricted access to sensitive identity and financial data. Sensitive government-issued identity data (PAN card numbers) and financial data (bank account numbers, IFSC codes, and scanned images of passbooks and cancelled cheques) submitted by Field Managers and Engineers during registration are subject to access restrictions that go beyond those applied to standard account data. These fields are stored with the same encryption-at-rest protection as all platform data and are retrievable only through API endpoints that require explicit Administrator-level authentication and role verification. They are never displayed in the platform interface to any user whose role is not admin, and they are not included in any data export, search index, or analytics pipeline.

Audit-preserving soft deletion. When a user account or a property listing is scheduled for removal — whether at the user’s request, as a result of an administration action, or as a consequence of a policy violation — the record is not immediately and permanently purged from the database. Instead, a boolean isDeleted flag on the record is set to true. Soft-deleted records are automatically excluded from all public-facing database queries and are invisible to other users and to search results; however, they are retained in the database for a fixed period to preserve the integrity of the audit trail, to support any pending disputes or investigations, and to prevent data loss from accidental deletion. Permanent purging of soft-deleted records occurs according to the schedule described in Section 7.

In the event that Property Wall becomes aware of a security incident that has resulted in, or that creates a material risk of, unauthorised access to or disclosure of personal data, we will promptly assess the nature and scope of the incident, take all reasonable steps to contain it, and, where the applicable law requires notification, notify affected users and the relevant supervisory or regulatory authority within the timeframe stipulated by that law. We strongly encourage all users to report any suspected security incident, unauthorised account access, or unusual account activity to hello@propertywall.com immediately.

7. Data Retention and Deletion

Property Wall retains personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, to comply with applicable legal and regulatory obligations, to resolve any pending disputes, and to enforce our agreements. Where personal data is no longer required for any of these purposes, it is permanently and irreversibly deleted from both the primary database and all backup systems within the timescales described in this section. The retention periods set out below reflect both the operational necessities of running the platform and the minimum retention periods that may be required by Indian law.

Active user accounts and associated data. Personal data associated with a user account in an active or pending status — including profile information, submitted property listings, referral records, and any sponsorship relationships — is retained for as long as the account remains in that status. We do not currently impose automatic account expiry for inactivity, although we reserve the right to introduce such a policy in the future with appropriate advance notice to users.

Approved property listings. Approved and actively published property listings are retained in the database for the full duration of the submitting user’s account activity. Where a property listing is removed at the user’s request (rather than through an administrative rejection), it is first moved to a soft-deleted state before being permanently and irreversibly purged from the database within 30 days of the deletion request being confirmed.

Rejected and administrator-removed listings. Property listings that are rejected during the administrative review process, or that are administratively removed from the platform following approval, are retained in a soft-deleted state for up to 12 months from the date of rejection or removal. This retention window supports audit, quality-assurance, and potential dispute-resolution functions. At the end of this window, rejected and removed listings are permanently purged from all systems.

Field Manager and Engineer registration data. Given the heightened sensitivity of the personal and financial data gathered from Field Managers and Engineers during the service-provider registration and verification process — which includes government-issued identity numbers, bank account details, and scanned financial documents — this data is retained only for as long as the associated service-provider account remains active or pending. Upon confirmation of a verified account deletion request, sensitive fields (PAN number, bank account number, IFSC code, branch name) are permanently deleted from the database within 30 days. Document images (passbook scans, cheque images) stored in cloud object storage are permanently deleted from the storage bucket within the same 30-day window.

Blocked accounts and accounts pending deletion. When an account is permanently deleted or when an account’s deletion is confirmed following a user request, all personal identifiers associated with the account — including name, email address, phone number, government identity numbers, and financial data — are permanently deleted within 30 days. Fully anonymised aggregate records (for example, a count indicating the total number of property listings ever submitted by the account, expressed without any identifying information) may be retained indefinitely for statistical and platform-analytics purposes. Blocked accounts retain personal data only for as long as is necessary to maintain the block and to support any investigation into the circumstances that led to the block; thereafter, the standard 30-day deletion timeline applies.

Legal holds and regulatory retention requirements. Notwithstanding the retention schedules described above, any personal data that is, or becomes, subject to a legal hold, an active regulatory investigation, a pending or threatened legal proceeding, or a contractual obligation requiring its preservation will be retained beyond the standard period until that obligation, proceeding, or investigation is fully and finally resolved. Once the legal hold or regulatory requirement is lifted, the standard retention schedule described in this section will resume and the data will be permanently deleted in accordance with its applicable timeline.

To submit a request for the deletion of your personal data, please contact us at hello@propertywall.com with the subject line “Data Deletion Request”. We will acknowledge receipt of your request within two business days, verify your identity before processing the request, and complete the deletion within 30 days of verification unless a legal hold or other lawful retention obligation applies.

8. Your Rights as a Data Subject

The Digital Personal Data Protection Act, 2023 confers specific and enforceable rights on data principals (the individuals whose personal data is being processed) in relation to the processing of their personal data. Where you access the platform from within the European Economic Area or other jurisdictions covered by the GDPR or comparable legislation, you may hold additional or equivalent rights under those laws. Property Wall is committed to respecting and upholding these rights in good faith and to responding to all legitimate and verified requests within the timeframes described below.

Right of access to your personal data. You have the right to request a copy of all personal data that Property Wall holds about you. This includes, without limitation, your registered account information, any property listings associated with your account, your referral and sponsorship records, notifications generated in connection with your account, and any service-provider registration data you have submitted. Upon receiving a verified request, we will provide this information in a structured, commonly used, and machine-readable format within 30 days.

Right to correction of inaccurate data. You have the right to request the correction of any personal data that Property Wall holds about you that is inaccurate, incomplete, or out of date. For standard account fields such as your name, phone number, and declared service area, corrections can often be made directly through your account settings interface. For data submitted during a service-provider registration process that cannot be self-corrected — such as PAN number or bank account details — please contact us directly and we will update the relevant data following appropriate re-verification.

Right to erasure of your personal data. You have the right to request the permanent deletion of your personal data and account. This right is subject to the legitimate retention obligations described in Section 7 of this policy: data subject to a legal hold, data within a mandatory audit retention window, or data necessary to resolve an outstanding dispute may not be eligible for immediate deletion. Where deletion is possible, we will complete it within 30 days of receiving and verifying your request. Following deletion, anonymised aggregate data derived from your account activity may be retained as described in Section 7.

Right to withdraw consent. Where Property Wall processes your personal data on the basis of your consent — for example, for the processing of optional profile photographs or for receiving non-essential communications — you have the right to withdraw that consent at any time. Withdrawal of consent can be effected by contacting us or by discontinuing your use of the platform and requesting account deletion. The withdrawal of consent does not affect the lawfulness of any processing carried out prior to the withdrawal, nor does it affect processing carried out on a separate lawful basis.

Right to nominate for data access after death. In accordance with the DPDP Act, 2023, you may nominate an individual to act on your behalf with respect to your personal data in the event of your death or incapacity. If you wish to register a nominee for this purpose, please contact us at the details provided in Section 14.

Right to raise a grievance. If you believe that Property Wall has processed your personal data in a manner inconsistent with this Privacy Policy or applicable law, or if you are dissatisfied with our response to a data-rights request, you have the right to raise a formal grievance. Submit your grievance to hello@propertywall.com with the subject line “Privacy Grievance”. We will acknowledge receipt within two business days and provide a substantive written response within 30 days. If you remain dissatisfied following our response, you may escalate your complaint to the Data Protection Board of India or to the relevant supervisory authority in your jurisdiction.

9. Cookies and Browser Storage

Property Wall does not use traditional HTTP cookies to track your browsing behaviour, to build advertising profiles, or to share data with advertising networks or analytics platforms for commercial purposes. The platform's approach to client-side data persistence is deliberately minimal and restricted to what is functionally necessary to provide you with an authenticated, personalised user experience.

The most significant item stored on your device is the JWT authentication token, which is stored in your browser’s localStorage under the key token. This token is issued by the server upon successful login and is attached, as a Bearer token in the Authorization header, to every subsequent API request that requires authentication. Storing the token in localStorage rather than in an HTTP cookie means the token is not automatically sent with every browser request, which reduces certain categories of cross-site request forgery risk. The token has a server-enforced validity period of seven days; once it expires, the token becomes invalid regardless of whether it is still present in your browser. You may effectively log out at any time by clearing the token key from your browser’s localStorage for the Property Wall domain.

A serialised snapshot of your user account object is stored in localStorage under the key user. This snapshot is used solely to improve the responsiveness of the user interface by allowing pages to render certain account-specific UI elements without waiting for an API call. The data stored under this key entirely mirrors information held server-side and is refreshed on every successful login. It does not contain any information beyond what is already present in your account record on the server, and it is not used for profiling, tracking, or any purpose other than interface rendering.

The application’s light/dark theme preference is persisted in localStorage by the next-themes library as a convenience feature to remember your visual preference between sessions. This stores a single string value (either “light” or “dark”) and contains no personal data whatsoever.

Property Wall does not currently deploy third-party advertising trackers, behavioural analytics scripts, social media tracking pixels, fingerprinting technologies, or any other client-side technology that monitors your activity across websites or builds profiles of your behaviour. Should the platform introduce any such technology in the future, this Privacy Policy will be updated in advance of its deployment, and we will seek any necessary consents from affected users.

10. Third-Party Services and Infrastructure

Property Wall cannot be operated in isolation from third-party cloud service providers who provide the foundational infrastructure on which the platform is built and run. Each third-party provider whose services we use has been selected on the basis of their security standards, their data protection posture, and their ability to enter into contractual data processing terms that are consistent with our obligations under the DPDP Act and this Privacy Policy. The following paragraphs describe the categories of third-party services we use and the nature of the data each provider processes.

Cloud hosting and application delivery. The Property Wall web application is deployed on a managed cloud hosting platform (such as Vercel or an equivalent service). This provider is responsible for receiving, routing, and processing each HTTP request made to the platform, for executing server-side application code, and for delivering responses to clients. As an incidental consequence of these functions, the hosting provider’s infrastructure will process your IP address, the content of your HTTP request headers, and metadata about each request as part of its normal server access logs. These logs are retained by the provider in accordance with its own data retention policy.

Database storage and management. All structured platform data — including user account records, property listings, referral and sponsorship records, notification records, and policy documents — is stored in a MongoDB database cluster hosted on a managed cloud database provider (such as MongoDB Atlas or an equivalent service). The database provider encrypts data at rest using industry-standard encryption and applies strict network-level access controls to ensure that the database is accessible only from Property Wall’s authorised application servers. The provider does not have access to the application-level encryption layer managed by Property Wall.

Cloud object storage for uploaded files. Property photographs, Field Manager bank passbook scans, cancelled cheque images, and any other files uploaded to the platform are stored in a cloud object storage service (such as Amazon Web Services S3 or a compatible service). Storage bucket access policies are configured to prevent public, unauthenticated listing or download of stored objects. Uploaded files are accessible only through time-limited, signed URLs generated programmatically by the application at the point of access; they cannot be retrieved by guessing or constructing a URL.

Transactional email delivery. Account-related emails — including password reset instructions, listing status notifications, and similar operational communications — may be delivered through a third-party transactional email service provider. The content of these emails is generated by Property Wall’s internal notification service. Transactional emails do not contain sensitive identity data (PAN numbers or bank account details) or authentication credentials. The email provider processes your email address and the metadata of each email delivery event (such as delivery status and timestamp) as a data processor on our behalf.

Property Wall does not currently engage any third-party payment processor, as the platform does not process direct monetary transactions between users. There is accordingly no financial transaction data (such as credit card details, debit card numbers, or UPI identifiers) processed by or stored on the Property Wall platform. A complete and current list of our third-party data processors is available on request; please contact hello@propertywall.com to request this information.

11. Legal Basis for Processing and Compliance

Property Wall processes personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act), which establishes the legal framework governing the collection, use, storage, and sharing of digital personal data in India. Under the DPDP Act, Property Wall processes your personal data on the following lawful bases: (a) consent, which you provide freely and unambiguously by registering an account and accepting this Privacy Policy; (b) contractual necessity, where processing is required to fulfil the services you have requested of the platform — for example, storing your property listing data to enable its publication, or processing your service-area details to route enquiries to the correct Field Manager; (c) legitimate interests of the platform, where processing is necessary for purposes such as fraud prevention, platform security, and the generation of anonymised analytics that directly support the improvement of the service; and (d) legal obligation, where Indian law requires Property Wall to collect, retain, or disclose specific data.

For users who access Property Wall from within the European Economic Area or from other jurisdictions in which the General Data Protection Regulation (GDPR) applies personally to them, we apply the same data minimisation, purpose limitation, storage limitation, accuracy, integrity, and user-rights principles described in this Privacy Policy. These principles are substantively equivalent to those required by the GDPR. If your jurisdiction requires the execution of a formal Data Processing Agreement or the adoption of Standard Contractual Clauses to legitimise the transfer of your personal data to India, please contact us and we will make the necessary arrangements.

Property Wall does not knowingly or intentionally collect personal data from individuals under the age of 18. Registration on the platform requires the user to confirm that they are at least 18 years of age. If you are a parent or guardian and have reasonable grounds to believe that a minor has registered on the platform or has submitted personal data through the platform without appropriate parental consent, please notify us immediately at hello@propertywall.com. We will investigate the matter promptly and, where confirmed, will delete the minor’s data without delay.

12. Changes to This Privacy Policy

Property Wall reserves the right and retains the operational necessity to update and revise this Privacy Policy from time to time. Changes may be required to reflect the introduction of new platform features, modifications to the technical architecture, amendments to applicable law, changes to the categories of personal data we collect, or adjustments to our processing practices. We are committed to keeping this policy accurate, current, and reflective of how the platform actually operates at any given time.

When we make material changes to this Privacy Policy — that is, changes that meaningfully affect the types of data we collect, the purposes for which we use it, the parties with whom we share it, or the security measures we apply — we will update the policy’s version number and “Last updated” date displayed at the top of this page. Where reasonably practicable, and where we hold a current and valid email address for your account, we will also send you direct advance notice of material changes by email or through the platform’s notification system at least 14 days before the revised policy takes effect. This notice period is intended to give you time to review the changes and, if you disagree with them, to exercise your right to close your account before the revised policy applies to you.

For minor, non-material changes — such as clarifications of existing language, corrections of typographical errors, or updates to contact information — the version date will be updated but individual advance notice to registered users may not be sent. The most current and authoritative version of this Privacy Policy is always available at this URL. We encourage you to review this page periodically to stay informed about how Property Wall is protecting and using your personal data.

13. Contact Information

If you have any questions about this Privacy Policy, wish to exercise any of the data-subject rights described in Section 8, want to report a security or privacy incident, or wish to raise a formal grievance regarding our data handling practices, please contact our team using the details below. We are committed to acknowledging all privacy-related enquiries within two business days and to providing substantive responses within 30 days.