
DPDP Act 2023 Compliance

How RentFlow protects personal data under India's Digital Personal Data Protection Act.

Last updated: March 24, 2026

What is the DPDP Act?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's comprehensive data protection legislation. It establishes a legal framework for the processing of digital personal data, granting individuals (“Data Principals”) clear rights over their data and imposing obligations on entities (“Data Fiduciaries”) that collect and process it.

The DPDP Act applies to any entity that processes digital personal data within India, or processes data outside India if it relates to offering goods or services to individuals in India. Penalties for non-compliance can be significant — up to ₹250 crore for certain violations.

For PG operators, compliance matters because you collect and process personal data of your residents — names, phone numbers, Aadhaar details, payment information, and more. Both you and the software platforms you use must meet DPDP requirements.

RentFlow's Role

Under the DPDP Act, RentFlow operates in two capacities depending on the type of data being processed:

  • Data Fiduciary — when processing account data of PG owners and subscribers (your name, email, phone, payment info). We determine the purpose and means of processing this data.
  • Data Processor — when processing resident data on behalf of PG operators. You (the operator) decide what resident data to enter; we process it according to your instructions.

This creates a shared responsibility model: RentFlow is responsible for securing the platform and processing data lawfully, while PG operators are responsible for obtaining proper consent from residents and ensuring the data they enter is lawful and accurate.

How RentFlow Complies

Lawful Purpose (Section 4)

All processing of personal data is tied to a legitimate, lawful purpose. We process data only to deliver the Service you have subscribed to.

Consent (Section 6)

Explicit, informed consent is obtained before collecting personal data. Consent can be withdrawn at any time without affecting prior processing.

Data Minimization (Section 4(2))

We collect only the personal data that is necessary for the stated purpose. No excessive or unnecessary data collection.

Purpose Limitation (Section 5)

Personal data is used only for the specific purposes stated at the time of collection. We do not repurpose data without consent.

Storage Limitation (Section 8(7))

Clear data retention periods are defined and enforced. Data is deleted when no longer needed, subject to legal retention requirements.

Data Accuracy (Section 8(3))

Users can view and correct their personal data at any time through the platform. Operators can update resident data on request.

Security Safeguards (Section 8(4))

AES-256-GCM encryption at rest, TLS 1.3 in transit, role-based and attribute-based access control (RBAC + ABAC), and comprehensive audit trails.

Breach Notification (Section 8(6))

In the event of a data breach, we notify the Data Protection Board of India and affected users within 72 hours.

Data Principal Rights (Sections 11–14)

Full support for access, correction, erasure, and grievance redressal rights. Exercise via privacy@rentflow.in.

Cross-Border Transfer (Section 16)

Data is stored in India. If any transfer to other jurisdictions occurs, it will only be to countries notified by the Central Government.

Children's Data (Section 9)

No processing of personal data of persons under 18 without verifiable guardian consent. The Service is intended for users aged 18+.

For PG Operators: Your Obligations

As a Data Fiduciary for your residents' data, you have specific obligations under the DPDP Act:

  • Obtain Consent: Before entering resident personal data into RentFlow, you must obtain clear, informed consent from each resident explaining what data you collect and why.
  • Respond to Requests: If a resident requests access to, correction of, or deletion of their personal data, you must respond within a reasonable time.
  • Maintain a Privacy Notice: You should have a privacy notice or policy that informs residents about your data collection and processing practices.
  • Appoint a Grievance Officer: The DPDP Act requires Data Fiduciaries to appoint a Grievance Officer whom residents can contact with privacy concerns.

RentFlow provides tools to help you comply: data export functionality, resident consent logging, comprehensive audit trails, and granular access controls to ensure only authorised personnel access resident data.

Technical Measures

RentFlow implements the following technical safeguards to protect personal data:

  • Encryption at Rest & in Transit: AES-256-GCM for stored data, TLS 1.3 for all network communications.
  • Multi-Tenant Data Isolation: Every database record is scoped to a TenantId. One operator's data is never accessible to another.
  • Role- and Attribute-Based Access Control (RBAC + ABAC): 24 granular capabilities control who can access what data within each property.
  • Audit Logging: All data access and modifications are logged with timestamps, user identity, and action type.
  • Automated Data Retention Enforcement: Data retention policies are enforced automatically. Expired data is purged on schedule.
  • Secure Aadhaar Handling: Aadhaar numbers are stored as irreversible cryptographic hashes. The original number cannot be recovered from our systems.

Data Processing Agreement

A formal Data Processing Agreement (DPA) is available upon request for Business and Enterprise tier subscribers. The DPA defines the terms under which RentFlow processes personal data on your behalf, including data categories, processing purposes, security obligations, and breach notification procedures.

To request a DPA, contact us at privacy@rentflow.in.

Contact

For questions about RentFlow's DPDP compliance or to exercise your data rights:

  • Data Protection Officer: privacy@rentflow.in
  • Grievance Officer: grievance@rentflow.in (response within 30 days)

Registered Office: FBT Technologies Private Limited, Bengaluru, Karnataka, India.
