Last updated: April 2026
This Privacy Policy describes how PodPot ("we", "us") collects, uses, and protects your personal data in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA).
1.1. Account Data: Name, email, phone number, password (stored as an encrypted hash).
1.2. Profile Data: Date of birth, gender, occupation, company/college, dietary preferences, blood group, emergency contacts, permanent address.
1.3. Identity Documents: Aadhaar, PAN, or other KYC documents (uploaded voluntarily or via DigiLocker).
1.4. Booking Data: Property, room, bed assignments, check-in/check-out dates, rental amounts.
1.5. Payment Data: Transaction IDs, invoice records, payment status. Card numbers are NOT stored — Razorpay handles all card data.
1.6. Communication Data: Chat messages between residents and property managers.
1.7. Maintenance Data: Service requests, photos, status updates.
1.8. Device Data: Device type, OS version, FCM push notification tokens.
1.9. Usage Data: Login timestamps, IP addresses (for security and audit purposes).
2.1. To provide and maintain the Service (booking management, payment processing, communication).
2.2. To verify your identity (KYC compliance).
2.3. To send transactional notifications (booking confirmations, payment receipts, maintenance updates).
2.4. To improve the Service (analytics, bug reports, performance monitoring).
2.5. To comply with legal obligations.
2.6. With your separate consent: to send marketing communications.
We share your data with:
3.1. Payment gateways (Razorpay and, where enabled, Cashfree) — for payment processing, vendor onboarding, split settlement, and fraud screening. Card numbers are handled only by the gateway; PodPot stores transaction IDs, order references, and payment status.
3.2. MSG91 — for sending SMS and email notifications.
3.3. Amazon Web Services (AWS) — for cloud hosting and storage (data stored in India, ap-south-1 region).
3.4. Firebase (Google) — for push notifications only.
3.5. Google Maps — for location-based features (property discovery, directions).
3.6. DigiLocker (Government of India) — for optional document verification.
3.7. Sentry — for error monitoring and crash reporting (anonymized).
We do NOT sell your personal data to third parties.
4.1. Active account data: Retained while your account is active.
4.2. After account deletion: Data retained for 90 days, then permanently deleted.
4.3. Financial records: Retained for 8 years as required by Indian tax law.
4.4. Audit logs: Retained for 3 years for security and compliance.
4.5. Consent records: Retained indefinitely as required by DPDPA.
5.1. Right to Access: You can view all your personal data in the app.
5.2. Right to Correction: You can update your profile information at any time.
5.3. Right to Erasure: You can request deletion of your account and personal data.
5.4. Right to Data Portability: You can export your data in a machine-readable format.
5.5. Right to Withdraw Consent: You can withdraw consent at any time from Privacy & Security settings.
5.6. Right to Grievance Redressal: Contact our Grievance Officer for complaints.
6.1. Passwords are hashed using bcrypt (industry standard).
6.2. Sensitive data is encrypted at rest using AES-256-GCM.
6.3. All data is transmitted over HTTPS (TLS 1.2+).
6.4. Multi-tenant isolation ensures your data is never visible to other organizations.
6.5. Rate limiting and account locking protect against brute-force attacks.
6.6. Payment integrity controls: amounts derived from invoices and bookings on the server; gateway signature verification; webhook deduplication; audit logs for payments, agreements, and admin actions.
6.7. Regular security audits and vulnerability assessments.
7.1. Vendor agreements: Property Owners using PodPot for collections must accept these Terms and the Privacy Policy at registration. Before accepting online payments they complete gateway vendor onboarding (identity and linked settlement account). Marketplace kitchen operators must additionally upload applicable compliance documents and complete vendor payout onboarding.
7.2. Rental-agreement validation: PodPot generates rent-agreement PDFs from confirmed booking data (rent, deposit, dates, parties). Residents may accept agreements in-app; acceptance is recorded in consent and agreement logs. Rent payments require an active booking and a payable invoice balance.
7.3. Monitoring and triggers (examples): rejection of payments when booking status is cancelled or invoice balance is zero; rejection of overpayments and zero-amount payments; duplicate webhook/event suppression; invalid gateway signature rejection; blocking kitchen or marketplace checkout when vendor onboarding is incomplete or the module is disabled; admin-only verification workflow for UPI proof before marking paid.
7.4. Card-to-cash and fraud policy: PodPot prohibits using the platform to facilitate card-to-cash conversion, synthetic transactions, or payments without a legitimate underlying service. We investigate anomalies via audit logs and gateway reconciliation and may suspend accounts or escalate to security@podpot.in and the payment partner.
The Service is not intended for users under 18 years of age. We do not knowingly collect data from children.
The web version may use essential cookies for session management. No tracking or advertising cookies are used.
Name: PodPot Grievance Officer
Email: grievance@podpot.in
Response time: Within 72 hours of receiving a complaint.
We will notify you of material changes via email or in-app notification. Continued use after notification constitutes acceptance.
For privacy inquiries: privacy@podpot.in
For general support: support@podpot.in