Privacy Policy
How Raftaar handles your data and your leads' data, under India's Digital Personal Data Protection Act, 2023.
Last updated: 11 July 2026
1. Who we are & what this covers
Raftaar ("Raftaar", "we", "us", "our") is a business-management platform for Indian real-estate brokers, developers and high-ticket interior designers. Raftaar is a registered micro-enterprise (Udyam Registration UDYAM-KR-10-0053582), Challakere, Chitradurga District, Karnataka 577522, India. This Privacy Policy explains what personal data we handle, why, on what legal basis, who we share it with, and the rights you have under India's Digital Personal Data Protection Act, 2023 (the "DPDP Act"). It applies to our website, dashboard, APIs, and the AI assistant that replies to buyers on WhatsApp, voice and web.
2. The two kinds of people this policy protects
Our subscribers (brokers, developers, designers)
The businesses who create a Raftaar account. In DPDP terms you are a Data Principal for your own account data, and — because the leads you bring in are your customers — you also act as a Data Fiduciary for those leads, with Raftaar acting as your Data Processor. You are responsible for having a lawful basis to collect your own leads' data.
Buyers / leads
The property buyers who contact a subscriber through Raftaar (via a click-to-WhatsApp ad, a landing page, or by messaging a broker's number). We process their data on the subscriber's behalf to qualify the enquiry, book site visits and follow up.
3. Key definitions (DPDP Act)
"Personal Data" is any data about an identifiable individual. "Data Principal" is the individual the data is about. "Data Fiduciary" decides why and how personal data is processed. "Data Processor" processes it on a Fiduciary's behalf. "Processing" means any operation on data — collection, storage, use, sharing or erasure. "Consent" under the Act must be free, specific, informed, unconditional, unambiguous and given by a clear affirmative action, and must be as easy to withdraw as it was to give.
4. Data we collect
4.1 From subscribers
Business name, contact person, email, phone, city/areas served, property focus and price ranges, GSTIN (if provided), and — for compliance and your own books — invoices, commissions and GST details you enter. Account-security data: a one-way hashed password, login timestamps and failed-login counters. Connected-integration identifiers you authorise (e.g. your WhatsApp phone-number ID, Meta ad-account and Page IDs, Razorpay mandate ID) so the system can act on your own accounts.
4.2 From buyers / leads
Name (or a placeholder until shared), phone number, stated budget, timeline, preferred location and configuration, language, and the content of the messages, voice-call transcripts and web-chat they exchange with the AI assistant. We derive a lead score and qualification signals from these to help the broker prioritise.
4.3 Property & project data
Listing details you provide — project name, configuration, price, highlights, RERA registration number and the disclosures Indian real-estate advertising law requires. These are business details shown to buyers as part of a listing, not personal data.
4.4 Collected automatically
Standard server logs (IP address, timestamp, request path, coarse device/browser data) and rate-limiting counters, used to keep the service secure and reliable. We mask phone numbers and redact message content in our operational logs.
5. How we collect it
From subscribers: directly at sign-up and as you use the dashboard. From buyers: when they initiate contact with a subscriber — by messaging a broker's WhatsApp number (a click-to-WhatsApp ad or direct message), submitting a landing-page/ad enquiry, or answering a consented voice call. From integrations: only the specific identifiers a subscriber authorises when they connect their own WhatsApp/Meta/Razorpay/Google accounts.
6. Why we process data & our legal basis
Purposes
To run the subscriber's business: reply to and qualify buyer enquiries, book and remind about site visits, run and pace advertising the subscriber funds, keep the subscriber's books and compliance records, and report results back to the subscriber. We do not sell personal data to anyone, ever, and we do not use buyers' personal data to train third-party AI models.
Legal basis under DPDP
For a buyer's first contact and the resulting conversation, the buyer's own act of initiating the enquiry is their consent to be helped with it. For proactive follow-ups outside an active conversation, we rely on the buyer's opt-in and honour opt-out immediately. For subscribers, we process on the basis of the contract you enter and your consent at sign-up.
7. Consent, opt-in and opt-out
7.1 Subscriber consent
You agree to this policy and our Terms at sign-up. You can withdraw consent by closing your account (see §12).
7.2 Buyer opt-in
A buyer opts in by initiating contact. We only send a proactive (buyer-didn't-just-message) WhatsApp message where the buyer has opted in, and only inside WhatsApp's rules (see §8).
7.3 STOP / opt-out is absolute
A buyer can reply STOP, UNSUBSCRIBE, or an equivalent (including common Hindi phrases) at any time. This is honoured before any reply — the buyer is opted out of all further messaging immediately and permanently unless they choose to resume.
7.4 Voice-call consent
Automated voice calls are placed only to leads with affirmative consent on record (an explicit call opt-in, or a genuine inbound enquiry that established contact). A buyer who has opted out is never called. Telephony is additionally subject to India's TRAI/DLT rules.
8. WhatsApp Business Platform terms
Buyer conversations on WhatsApp are delivered through the WhatsApp Business Platform (Meta). We operate within Meta's and WhatsApp's Business Policies: we message a buyer within the 24-hour customer-service window opened by their own message, and outside that window only using message templates that comply with WhatsApp policy and only to opted-in recipients. We never send unsolicited bulk messages. Meta processes message delivery as described in §9, and a buyer's use of WhatsApp is also governed by WhatsApp's own privacy policy.
9. Sub-processors we rely on
We use trusted service providers to deliver Raftaar. Each processes only the data needed for its function, under its own security and privacy commitments, and is not permitted to use your data for its own purposes:
Data & hosting
Airtable (database/CRM storage), Vercel (application hosting & serverless compute), Upstash (ephemeral rate-limit counters, when enabled).
AI / language
Google (Gemini) and Groq (LLM inference for qualification and drafting), Sarvam (Indian-language text-to-speech for voice). Message content is sent to these providers only to generate a reply and is not used by us to train models.
Messaging & telephony
Meta / WhatsApp Business Platform (WhatsApp delivery and advertising), Plivo (voice-call delivery), Resend (transactional email).
Payments & scheduling
Razorpay (subscription billing and payment processing — Raftaar never stores your card details), Cal.com (site-visit scheduling), Google (OAuth sign-in and, where connected, Google Ads).
10. AI processing & human oversight
Raftaar uses AI to draft replies, qualify leads and suggest business actions. AI output can be imperfect and is treated as assistance, not authority. Decisions that spend money or take an irreversible outward action are gated for human approval or bounded by hard limits — the AI advises, a person or a deterministic rule decides. We do not make solely-automated decisions that produce legal or similarly significant effects on a buyer without a human in the loop.
12. Retention & deletion
We keep personal data only as long as needed to provide the service and meet legal/accounting obligations. Subscribers can export a full copy of their data, or erase their account and personal data, self-serve from account settings at any time — no email required. On account closure, the subscriber's data and their leads' personal data are deleted within a reasonable period, save for records we are legally required to retain (e.g. tax/GST records). A buyer's STOP suppression is retained precisely so we can keep honouring it.
13. Data security
We apply defence-in-depth and improve continuously. Passwords are stored only as a salted one-way hash, never as text. Data is transmitted over encrypted connections (TLS). API keys and secrets are held server-side only and never exposed to the browser. Access is scoped per account (tenant isolation), internal admin access is capability-gated on a least-privilege basis, and inbound webhooks are cryptographically signature-verified. No system is perfectly secure; see our Security page for detail and how to report an issue.
14. Your rights under the DPDP Act, 2023
Access & correction
You may obtain a summary of the personal data we process about you and request correction or completion of inaccurate or incomplete data.
Erasure
You may request deletion of your personal data, subject to legal retention requirements. Subscribers can do this self-serve; buyers may reply STOP or contact us.
Withdraw consent
You may withdraw consent at any time, as easily as it was given; this does not affect processing already lawfully carried out.
Grievance redressal & nomination
You have the right to a readily-available means of grievance redressal (see §15) and to nominate another individual to exercise your rights in the event of death or incapacity.
15. Grievance Officer & contact
For any privacy request — access, correction, erasure, consent withdrawal or a complaint — contact our Grievance Officer at raftaar.saas@gmail.com (phone +91 99869 15525), Raftaar, 1st Floor, Aravindam, Bangalore Road, Challakere, Chitradurga, Karnataka 577522. We aim to acknowledge requests promptly and resolve them within the timelines the DPDP Act prescribes. If you are unsatisfied, you may escalate to the Data Protection Board of India once it is operational.
16. Children's data
Raftaar's services are intended for adults transacting in real estate. We do not knowingly process the personal data of a person under 18 without the verifiable parental/guardian consent the DPDP Act requires, and we do not undertake tracking, behavioural monitoring or targeted advertising directed at children. If you believe a child's data has reached us, contact us and we will delete it.
18. International transfers
Some sub-processors in §9 may process data on infrastructure outside India. Where that happens we rely on the provider's contractual and security commitments and process only what is necessary, consistent with the DPDP Act and any restrictions notified under it.
19. Changes to this policy
We may update this policy as the service, our sub-processors, or the law evolves. Material changes will be reflected here with a revised "last updated" date; where the law requires, we will seek fresh consent.
20. Governing law
This policy is governed by the laws of India, and the courts at Chitradurga / Bengaluru, Karnataka have jurisdiction, subject to any dispute-resolution mechanism in our Terms of Service.
This policy is written in good faith to reflect how Raftaar operates and India's DPDP Act, 2023. It is not a substitute for advice from a qualified lawyer, which should review it before wide-scale processing.