Privacy Policy
This Privacy Policy explains how Decipher Consultancy Services (“we”, “us”, “our”) — the operator of the Realzent Software-as-a-Service platform (“Realzent”, “the Platform”, “the Service”) — collects, uses, shares, retains, and protects your personal data when you access or use the Service. It is published in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules (as notified) along with applicable Indian information-technology and consumer-protection law.
1. Who we are
Realzent is operated by Decipher Consultancy Services, a firm based in India. For the purposes of the DPDP Act we act as the Data Fiduciary in respect of personal data of our account holders (real-estate agents, brokerages and their authorised team members) and as a Data Processor in respect of personal data that account holders upload about their own customers (leads, clients, prospects) while using the Service. References to “you” mean a Data Principal under the DPDP Act.
2. Personal data we process
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Identity & account data | Name, phone number, email, business name, RERA registration number, GSTIN, city, password (stored hashed) | Provided by you at signup / onboarding |
| Workspace & operational data | Leads, deals, builders, projects, property cards, site visits, commissions, invoices, documents you upload | Entered or uploaded by you while using the Service |
| Communication data | Messages sent via the Service (email, WhatsApp, SMS templates), contact-form submissions, support tickets | Provided by you / generated by use |
| Billing & subscription data | Plan, subscription status, invoice records, payment transaction identifiers. We do not store card numbers, CVV or bank credentials — these are handled directly by our payment gateway (Razorpay). | Generated by subscription / Razorpay |
| Technical & usage data | IP address, user-agent, device type, language, referer URL, pages viewed, feature usage events, timestamps, error logs | Collected automatically |
| Cookies & similar technologies | Session identifiers, CSRF tokens, preference cookies. See our Cookie Policy. | Set by the Service |
2.1 Sensitive personal data
We do not intentionally collect sensitive personal data such as financial account details, biometric identifiers, health information, sexual orientation, religious beliefs, caste/tribe, or political affiliation. If you choose to upload such data into the Service (for example, as part of a customer record), you confirm that you have obtained all necessary consents from the relevant Data Principal and that you alone are responsible for the lawfulness of that processing.
3. Purposes for which we process your data
Each category above is processed only for the specific, lawful purposes listed below:
- Account creation and authentication — to register you, sign you in, and protect your workspace from unauthorised access.
- Service delivery — to provide the CRM, AI assistance, PropCards, document vault, site-visit, WhatsApp inbox, commission-tracking and similar features you have subscribed to.
- Billing — to process payments via Razorpay, issue tax invoices, and maintain GST records as required by Indian tax law.
- Transactional communication — to send password-reset emails, billing notifications, security alerts, service updates and similar non-promotional messages.
- Customer support — to respond to enquiries you raise via the contact form, WhatsApp, email, or in-app channels.
- Product improvement and security — to monitor for fraud, abuse, performance issues, and to improve features through aggregated, de-identified analysis.
- Compliance and legal obligations — to comply with tax, accounting, anti-money-laundering, RERA, telecom, and other applicable Indian laws and to respond to lawful requests from courts, regulators or law-enforcement.
- Promotional communication — only where you have given specific opt-in consent (you may withdraw at any time).
4. Legal basis for processing
Under the DPDP Act we rely on the following lawful grounds:
- Your consent — given at the time of account creation by ticking the privacy-policy box, by submitting the contact form, or by other unambiguous affirmative action.
- Certain legitimate uses permitted by Section 7 of the DPDP Act, including provision of a subscribed service, compliance with court orders, and prevention of fraud or breach of law.
- Performance of a contract — to deliver the subscription you signed up for.
- Legal obligation — to keep records required by tax, accounting, or other Indian statutory law.
5. Notice and consent
Before we collect personal data that requires consent, you are presented with this Privacy Policy and a clear opt-in. You may withdraw your consent at any time by writing to our Grievance Officer (see Section 12) or by deleting your account. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal, and may also mean we can no longer provide some or all of the Service.
6. Children
The Service is intended for use only by individuals aged 18 or above. We do not knowingly collect personal data of children (persons below 18 years of age) or persons with disabilities who have a lawful guardian, except with verifiable consent of the parent or guardian as required by Section 9 of the DPDP Act. We do not track, profile, or run targeted advertising directed at children. If you believe we have inadvertently collected such data, contact our Grievance Officer and we will delete it without undue delay.
7. How we share your personal data
We do not sell your personal data. We share it only with the parties below and only to the extent necessary:
| Recipient | Purpose | Location |
|---|---|---|
| Razorpay Software Pvt. Ltd. | Payment processing, subscription billing, refunds | India |
| Cloud and hosting providers (e.g. Contabo / AWS / Cloudflare) | Infrastructure, content delivery, DDoS protection, edge TLS | EU / Global edge |
| Anthropic, OpenAI, Google (Gemini), Perplexity | AI-assisted features (script generation, RERA intelligence, market reports). Inputs to these models are governed by the respective provider's terms; we do not opt in to using your data for model training. | United States / Global |
| Communication providers (WhatsApp Business API, Twilio / SMTP) | Sending messages on your behalf when you initiate them | Global |
| Tax / accounting professionals | GST and statutory filings | India |
| Courts, regulators, law-enforcement | Compliance with lawful orders, subpoenas, or statutory notices | India |
| Acquirers in a corporate transaction | If we merge, sell or restructure, we may transfer personal data to a successor entity. You will be notified of any such transfer. | Depending on transaction |
All processors we engage are contractually bound to process your data only on our instructions, maintain appropriate security safeguards, and comply with the DPDP Act and applicable laws.
8. Cross-border transfers
Some of our processors (cloud, AI providers, edge CDN, communication APIs) operate outside India. Such transfers are made only to countries that are not restricted under Section 16 of the DPDP Act or by any notification of the Central Government. Where the data leaves India we ensure equivalent contractual protections through Data Processing Agreements (DPAs), Standard Contractual Clauses, or recognised certifications.
9. Data retention
We keep personal data only for as long as necessary for the purpose it was collected, after which it is deleted or anonymised. Indicative retention periods:
| Type of data | Retention |
|---|---|
| Account credentials and workspace data | While your account is active. Deleted within 90 days after account closure, subject to the next rows. |
| Invoices, GST records, tax filings | 8 financial years (as required by Indian tax law) |
| Audit logs (logins, security events) | 180 days |
| Marketing-consent records | Until consent is withdrawn + 3 years (for proof) |
| Contact-form submissions | 90 days from receipt, unless a professional engagement is established |
| Backups | Up to 60 days on a rolling basis; data subject to deletion requests will be removed from backups in the next scheduled cycle |
10. Your rights as a Data Principal
Subject to the DPDP Act and reasonable verification of your identity, you may:
- Right to information (Section 11) — request a summary of the personal data we hold about you and the processing carried out.
- Right to correction and erasure (Section 12) — ask us to correct inaccurate or outdated data, complete incomplete data, or erase personal data no longer required.
- Right to grievance redressal (Section 13) — escalate any complaint to our Grievance Officer (Section 12 below). If you are not satisfied with our response within 30 days, you may approach the Data Protection Board of India.
- Right to nominate (Section 14) — nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent — at any time, by writing to our Grievance Officer.
Most account-level rights can be exercised directly inside the Service (Profile and Settings). For everything else, write to our Grievance Officer. We will acknowledge your request within 72 hours and respond substantively within 30 calendar days, unless the law requires sooner.
11. Security of your data
We take reasonable security safeguards to protect personal data, including:
- HTTPS/TLS encryption for all data in transit
- Bcrypt-hashed passwords (cost factor ≥ 12) — passwords are never stored in plaintext or recoverable
- Database access restricted to least-privilege application users
- Multi-tenant isolation — every record is scoped to your workspace
- Audit logging of administrative actions
- Daily backups with restricted access
- Vulnerability and dependency monitoring
- Razorpay-hosted PCI-DSS Level 1 payment processing — Realzent never touches raw card data
No system is perfectly secure. In the event of a personal-data breach that is likely to result in risk to you, we will notify both you and the Data Protection Board of India within the timelines prescribed under the DPDP Rules.
12. Grievance Officer
Designated Grievance Officer (DPDP Act, Section 8(9))
- Name
- Mr. Subesh Kumar
- Role
- Grievance Officer, Decipher Consultancy Services
- [email protected]
- Phone
- +91 9911202099
- Address
- Decipher Consultancy Services, India
- Response time
- Acknowledgement within 72 hours; substantive response within 30 days
If you are not satisfied with the resolution provided by the Grievance Officer, you may approach the Data Protection Board of India at the address notified by the Central Government from time to time.
13. Changes to this Privacy Policy
We may revise this Privacy Policy from time to time. When we make a material change, we will bump the version number, update the “Last updated” date, and — where required — request renewed consent. The version of the Privacy Policy you accepted is recorded in your user record and can be reviewed on request. Earlier versions remain available on request to the Grievance Officer.
14. Contact
For any questions about this Privacy Policy or how we handle your personal data, please write to our Grievance Officer (Section 12) or use our contact form.
Read next: Terms of Service · Cookie Policy · Grievance Redressal