Privacy Policy

How RentFlow collects, uses, and protects your personal data.

Last updated: March 24, 2026

Effective: March 24, 2026 · Company: FBT Technologies Private Limited (“RentFlow”, “we”, “us”, “our”)

1. Introduction & Scope

This Privacy Policy explains how FBT Technologies Private Limited (“RentFlow”) collects, uses, stores, and shares personal data when you use our cloud-based property management platform, including the RentFlow web application, public marketing website at rentflow.in, tenant property sites at {slug}.rentflow.in, mobile applications, and APIs (collectively, the “Service”).

This policy applies to all users of the Service, including PG owners, property managers, co-living operators, residents, staff members, and visitors to our websites.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. Our processing of personal data is governed by the laws of India, including the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act).

2. Information We Collect

Account Information

When you create a RentFlow account, we collect your name, email address, phone number, and business name. Property managers and operators also provide property-related details during onboarding.

Identity Verification

For operators who enable identity verification features, we may collect Aadhaar numbers for resident verification purposes. Aadhaar data is stored only as an irreversible cryptographic hash — we never store Aadhaar numbers in plain text. Photo verification data is processed securely and retained only as long as necessary.

Property Data

Property details, room and bed configurations, pricing structures, amenities, photos, and facility information you input into the platform.

Financial Data

Payment records, invoices, and subscription billing information. Payment processing is handled by Razorpay, a PCI DSS-compliant payment gateway. We do not store credit card numbers, debit card numbers, or bank account details on our servers.

Resident Data

Resident profiles, occupancy history, meal preferences, complaints, maintenance requests, and communication records entered by property operators on behalf of their residents.

Usage Data

Pages visited, features used, device information (browser type, operating system, screen resolution), IP addresses, and interaction patterns. This data helps us improve the platform experience.

Communication Data

Metadata related to WhatsApp messages, SMS notifications, and email notifications sent through the platform. We store delivery status and timestamps, not message content from third-party channels.

Cookies

We use a minimal set of cookies: rf-theme for your display theme preference, httpOnly session tokens for authentication, and first-party analytics cookies. See Section 10 for details.

3. How We Use Your Information

  • Provide, operate, and maintain the Service
  • Process payments and manage subscriptions
  • Send operational notifications via WhatsApp, SMS, and email (rent reminders, maintenance updates, billing alerts)
  • Verify identity when requested by property operators
  • Generate analytics, reports, and dashboards for operators
  • Improve platform features, performance, and reliability
  • Comply with legal obligations under Indian law, including tax regulations and regulatory requirements
  • Detect, prevent, and address fraud, abuse, and security issues
  • Consent: Explicit opt-in consent is obtained for marketing communications, Aadhaar verification, and optional data processing activities.
  • Contractual Necessity: Processing required to deliver the Service you have subscribed to, including account management, billing, and feature access.
  • Legitimate Interest: Platform security, fraud prevention, service improvement, and analytics that do not override your fundamental rights.
  • Legal Obligation: Retention of financial records as required by Indian tax law, and compliance with court orders or regulatory requirements.

5. Data Sharing & Third Parties

We share data only with the following categories of service providers:

  • Razorpay: Payment processing. Razorpay is PCI DSS Level 1 compliant and processes payments on our behalf. Their privacy policy governs data they collect during payment.
  • WhatsApp Business API / Exotel: Delivery of operational notifications (rent reminders, alerts). Only phone numbers and message metadata are shared.
  • Cloud Infrastructure: Our platform is hosted on secure cloud infrastructure with data centres that meet international security certifications.

We do not sell personal data to third parties. Ever. We do not share data with advertisers or data brokers.

We may disclose personal data to law enforcement or government authorities only when legally compelled to do so by a valid court order or legal process under Indian law.

6. Data Storage & Security

  • Multi-tenant Isolation: Every database record is scoped to a TenantId. One tenant's data is never accessible to another tenant.
  • Encryption at Rest: All data is encrypted using AES-256-GCM encryption.
  • Encryption in Transit: All communications use TLS 1.3.
  • Aadhaar Protection: Aadhaar numbers are stored as irreversible cryptographic hashes. The original number cannot be recovered from our systems.
  • Access Control: Role-Based Access Control (RBAC) combined with Attribute-Based Access Control (ABAC) with 24 granular capabilities ensures only authorised personnel access data.
  • Rate Limiting: Per-IP request throttling protects against abuse.
  • Audit Trail: All data access and modifications are logged with timestamps and user identity.
  • Incident Response: We commit to notifying affected users and the Data Protection Board of India within 72 hours of discovering a data breach, as required by the DPDP Act.

7. Data Retention

  • Active Accounts: Data is retained for the duration your account remains active.
  • Post-Deletion: After you delete your account, we retain data for a 90-day grace period (in case of accidental deletion), after which it is permanently and irreversibly deleted.
  • Financial Records: Retained for 8 years as required by Indian tax law (Income Tax Act, 1961 and GST regulations).
  • Audit Logs: Retained for 3 years for security and compliance purposes.
  • Anonymized Analytics: Aggregated, non-identifiable analytics data may be retained indefinitely to improve the Service.

8. Your Rights

Under the DPDP Act 2023 and applicable Indian law, you have the following rights as a Data Principal:

  • Right to Access: Request a copy of the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your account and associated personal data.
  • Right to Data Portability: Export your data in a structured, machine-readable format.
  • Right to Withdraw Consent: Withdraw previously given consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Grievance Redressal: Lodge a complaint with the Data Protection Board of India if you believe your rights have been violated.

To exercise any of these rights, email us at privacy@rentflow.in. We will respond within 30 days.

9. Children's Privacy

RentFlow is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected data from a person under 18, we will promptly delete that data and, if applicable, notify the child's guardian.

10. Cookies & Tracking

  • Essential Cookies: rf-theme (stores your light/dark theme preference) and httpOnly session cookies for secure authentication. These are strictly necessary for the Service to function.
  • First-Party Analytics: We collect page views and feature usage data using first-party analytics only. This data is not shared with any third party.
  • No Third-Party Advertising Cookies: We do not use any third-party advertising cookies, tracking pixels, or cross-site tracking mechanisms.

11. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you via email and/or an in-app notification at least 30 days before the changes take effect.

Continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated terms. Previous versions of this policy are available upon request.

12. Contact

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

  • Data Protection Officer: privacy@rentflow.in
  • Grievance Officer (as required under the IT Act, 2000): grievance@rentflow.in
  • Response Time: We aim to respond to all queries within 30 days.

Registered Office: FBT Technologies Private Limited, Bengaluru, Karnataka, India.

Start Free