Data Fiduciary — Who We Are
The entity responsible for your personal data is:
[Company Legal Name], CIN [●], registered at [Registered Address], India ("Company", "we", "us").
We determine the purposes and means of processing your personal data. In the terminology of the DPDP Act, 2023, we are the Data Fiduciary. You, the person whose data we process, are the Data Principal.
For all privacy-related queries, write to: privacy@interiorsahihai.com. For formal complaints and rights requests, contact our Grievance Officer (Section 18).
Scope & Applicability
This Policy applies to all digital personal data collected through the Platform — including the website interiorsahihai.com, any mobile applications, and all related digital interfaces — from any person who:
- Creates an account as a Home Buyer or Designer;
- Browses the Platform without creating an account;
- Communicates with us by email, phone, or any digital channel; or
- Interacts with the Platform through a third-party service (such as social login).
This Policy applies to personal data processed within India and outside India where processing is for the purpose of offering goods or services to individuals in India, in accordance with Section 3(b) of the DPDP Act, 2023.
This Policy does not apply to anonymised or aggregated data from which you cannot reasonably be identified.
Definitions
| Term | Meaning |
| --- | --- |
| "Personal Data" | Any data about an individual who is identifiable by or in relation to such data — as defined in Section 2(t) of the DPDP Act, 2023. |
| "Sensitive Personal Data" | Financial information, health data, sexual orientation, biometric data, and other categories defined in Rule 3 of the IT (SPDI) Rules, 2011 — applicable until superseded by DPDP Act rules. |
| "Processing" | Any operation performed on personal data — including collection, storage, use, sharing, disclosure, deletion, and transfer — whether automated or manual. |
| "Consent" | A freely given, specific, informed, unconditional, and unambiguous indication of your agreement to the processing of your personal data, as required by Section 6 of the DPDP Act, 2023. |
| "Data Processor" | Any person or entity that processes personal data on behalf of and under the instructions of the Company (e.g., cloud hosting providers, payment gateways). |
| "Data Protection Board" | The Data Protection Board of India, constituted under Section 18 of the DPDP Act, 2023. |
| "Child" | An individual below the age of 18 years, as defined in Section 9 of the DPDP Act, 2023. |
Personal Data We Collect
We collect the minimum personal data required to deliver the Platform's services. We will never collect data that is excessive, irrelevant, or unnecessary for the stated purpose.
4.1 Data You Provide Directly
- Identity: Full name, profile photograph, date of birth (collected solely to verify you are 18 or older).
- Contact: Email address, mobile number, city, state, PIN code.
- Designer Professional Data: Business name, trade name, portfolio images, years of experience, service areas, professional certifications and licence numbers, GST registration number, PAN number, bank account details (for payout processing only).
- Home Buyer Project Data: Property type, approximate area (sq ft), budget range, design style preferences, project location, and desired timeline — provided voluntarily when submitting a project enquiry.
- Financial Transactional Data: Records of Platform Fee transactions, invoice numbers, payment status. We do not store full card numbers, CVV codes, or bank account passwords — payments are processed by third-party gateways.
- Communications: Messages sent through in-platform chat; emails and calls to our support team; content of support tickets. We retain communication records for dispute resolution and legal compliance purposes.
4.2 Data We Collect Automatically
- Technical Data: IP address, browser type and version, operating system, device type and identifiers, referring URL, pages visited, time spent, access timestamps.
- Behavioural Data: Search queries entered on the Platform; features used; Designers viewed or shortlisted; filters applied. Used to improve matching and personalise the experience.
- Location Data: City-level location inferred from your IP address. Precise GPS location only where you explicitly grant permission on a mobile device. You may revoke GPS permission through your device settings at any time.
- Cookies and Tracking Technologies: See Section 13 for full details.
4.3 Data From Third Parties
- Social Login: Where you register using Google, Facebook, Apple, or any other OAuth provider, we receive your name, email address, profile picture, and unique identifier from that provider. We do not receive your passwords for those services.
- Identity Verification: Signals from authorised identity verification partners, used to prevent fraud and verify Designer credentials.
- Publicly Available Data: Information from public business registries, professional directories, or publicly accessible sources, used solely to assist with Designer verification.
Legal Basis for Processing
Under the DPDP Act, 2023, we process your personal data on the following lawful bases:
- Consent (Section 6, DPDP Act): Where we rely on your consent, we will request it clearly before processing. Consent is required for: marketing communications; non-essential cookies and tracking; and sharing of your data with third parties beyond what is necessary for Platform operation. You may withdraw consent at any time without affecting the lawfulness of prior processing.
- Legitimate Use (Section 7, DPDP Act): Processing that is necessary for the performance of a contract to which you are a party (e.g., operating your account, processing payments); compliance with a legal obligation; responding to medical or public health emergencies; fulfilling obligations under Indian law; and employment-related processing (for our own employees).
- IT (SPDI) Rules, 2011: Until the DPDP Act's substantive provisions are fully in force, we process sensitive personal data (including financial information) in accordance with Rule 5 of the SPDI Rules — which requires your free, informed, specific, and clear consent obtained in writing or electronically.
How We Use Your Data
- Platform Operation: To run the marketplace — powering search, matching, profiles, messaging, and all core features.
- Account Management: Creating and maintaining your account; authenticating your identity on login; managing your subscription; communicating account-related updates.
- Matching and Recommendations: Matching Home Buyers with relevant Designers based on stated requirements, location, budget, and behavioural data. See Section 16 for algorithmic decision-making disclosures.
- Payments: Processing Platform Fee transactions; issuing tax invoices; processing Designer payouts; maintaining financial records required by GST law, the Companies Act, and the Income Tax Act.
- Customer Support: Responding to support requests; investigating complaints; resolving disputes between Users.
- Transactional Communications: Sending booking confirmations, payment receipts, account security alerts, and other service-critical notifications. These cannot be opted out of while your account is active.
- Marketing (Consent-Based): Sending promotional emails, design inspiration content, personalised offers, and product updates — only where you have opted in. You may withdraw consent at any time (see Section 14).
- Safety and Fraud Prevention: Detecting, investigating, and preventing fraudulent transactions, identity fraud, fake reviews, fee circumvention, platform abuse, and violations of our Terms & Conditions.
- Legal Compliance: Meeting obligations under Indian law; responding to lawful government, regulatory, and judicial requests; enforcing our Terms & Conditions; exercising or defending legal claims.
- Analytics and Product Development: Analysing Platform usage in aggregated and/or pseudonymised form to improve features, fix bugs, and develop new services. We do not use individually identified data for product analytics unless necessary.
- Designer Verification: Verifying the accuracy of Designer credentials, qualifications, and portfolio claims submitted to the Platform.
Children's Data
The Platform is not directed at children. We do not knowingly collect personal data from any person under 18 years of age.
In compliance with Section 9 of the DPDP Act, 2023, we implement age-gate mechanisms to prevent children from creating accounts. If you are under 18, please do not use or register on the Platform.
If you are a parent or guardian and believe your child has provided personal data to us, please contact our Grievance Officer (Section 18) immediately with supporting information. We will investigate and delete the data within 72 hours of verification.
Sharing & Disclosure of Personal Data
We do not sell your personal data. We do not share personal data with advertisers for targeting purposes. We share data only in the circumstances described below.
8.1 Between Platform Users
When a Home Buyer initiates contact with a Designer: the Home Buyer's name, contact number, email address, and project details are shared with the Designer. Designer profiles — including name, business name, portfolio images, location, pricing range, and reviews — are publicly visible on the Platform to all visitors.
8.2 Data Processors (Service Providers)
We engage the following categories of third-party data processors who handle data on our behalf: cloud infrastructure and hosting providers (e.g., AWS, Google Cloud, or equivalent); payment gateway providers (Razorpay, PayU, or equivalent); SMS and email delivery services; customer support and helpdesk platforms; fraud detection and identity verification services; and web analytics tools. All data processors are contractually bound to: process data only on our documented instructions; maintain confidentiality; implement appropriate security measures; and not sub-process data without our prior authorisation.
8.3 Legal and Regulatory Disclosure
We may disclose personal data where required or authorised by: a court order; a direction from a government authority or regulatory body; the IT Act, 2000 (including Section 69 directions); the Prevention of Money Laundering Act, 2002; the Code of Criminal Procedure, 1973 / Bharatiya Nagarik Suraksha Sanhita, 2023; or any other Applicable Law. We will disclose only the minimum data required and will, where legally permitted, notify the affected User before disclosure.
8.4 Business Transfers
In the event of a merger, acquisition, restructuring, sale of all or substantially all assets, or insolvency proceedings involving the Company, personal data may be transferred to the successor or acquiring entity. We will notify affected Users of any such transfer and ensure that the successor entity is bound by data protection obligations equivalent to those in this Policy. If the transfer materially changes how your data is used, we will obtain fresh consent where required by law.
8.5 Aggregated and Anonymised Data
We may share aggregated, anonymised, or de-identified data — from which no individual can reasonably be re-identified — with partners, investors, or for industry research purposes. Such data sharing does not constitute personal data disclosure.
8.6 Disclosure Policy Commitment
We will not share your personal data with any third party for commercial purposes beyond what is described in this Policy. Any new category of third-party sharing will be disclosed in an updated Privacy Policy with appropriate notice.
International Data Transfers
Some of our third-party service providers (hosting, analytics, payment processing) operate servers outside India. Where personal data is transferred outside India, we ensure the following safeguards are in place:
- Transfer is to a country or entity deemed adequate by the Central Government under the DPDP Act, 2023 and applicable rules notified by the Ministry of Electronics and Information Technology (MeitY); or
- Transfer is governed by a data processing agreement that imposes obligations on the recipient equivalent to those required by Indian data protection law; or
- Transfer is permitted under any other lawful mechanism prescribed under the DPDP Act, 2023 or IT (SPDI) Rules, 2011 as may be applicable.
You may request details of the specific safeguards applicable to a particular international transfer by writing to our Grievance Officer.
Security Safeguards
We implement reasonable security practices and procedures as mandated by Rule 8 of the IT (SPDI) Rules, 2011, and consistent with emerging best practices under the DPDP Rules, 2025. Our security measures include:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher).
- Encryption at rest: Sensitive personal data and financial information stored in our databases is encrypted at rest using AES-256 or equivalent.
- Access controls: Role-based access controls limiting employee access to personal data on a strict need-to-know basis. All access is logged and audited.
- Authentication: Multi-factor authentication (MFA) for internal admin access. Secure password hashing (bcrypt or equivalent) for User accounts.
- Security testing: Regular vulnerability assessments, penetration testing by qualified third parties, and security code reviews for all major releases.
- Vendor security: Security assessment of all data processors before engagement, and periodic re-assessment.
- Incident response: A documented personal data breach response plan, including breach containment, risk assessment, notification, and post-incident review.
- Employee training: Mandatory data security and privacy training for all employees who handle personal data.
Data Retention
We retain personal data for as long as your account is active, or as long as necessary for the purposes described in this Policy — including to comply with legal obligations, resolve disputes, prevent fraud, and enforce our Terms & Conditions.
11.1 Account Data
Upon account deletion request, we will delete or irrecoverably anonymise your personal data within 90 days, subject to the exceptions listed below.
11.2 Mandatory Retention (Legal Override)
Certain categories of data must be retained regardless of account deletion, as required by Applicable Law:
- Financial transaction records and invoices: 7 years, as required by the GST Act, Income Tax Act, and Companies Act.
- Dispute and complaint records: 3 years from final resolution, as required for limitation period compliance under the Limitation Act, 1963.
- Law enforcement holds: For the period specified in any lawful preservation or disclosure order.
- Legal proceeding records: Until final resolution of any pending legal claim to which the data is relevant.
11.3 Reviews and Ratings
When a Designer's account is deleted, their individual reviews are anonymised (reviewer details removed) but the aggregate rating and text content are retained as part of the Platform's historical record and trust infrastructure. This is a legitimate interest — Home Buyers rely on the integrity of review history.
11.4 Automated Deletion
Inactive accounts (no login for 36 consecutive months) will receive an email notification. If no action is taken within 30 days, the account and associated personal data will be deleted, subject to mandatory retention obligations above.
Your Rights as a Data Principal
Under the DPDP Act, 2023 (effective from the date its provisions are notified) and the IT (SPDI) Rules, 2011, you have the following rights in relation to your personal data:
12.1 How to Exercise Your Rights
Submit a rights request in writing to our Grievance Officer at grievance@interiorsahihai.com with: your full name; registered email address; a clear description of the right you wish to exercise; and any supporting information. We will respond within the period prescribed by Applicable Law (currently 30 days under the DPDP Act framework; 30 days under Consumer E-Commerce Rules). We may need to verify your identity before processing your request.
12.2 Escalation to Data Protection Board
If you are not satisfied with our response to a rights request or complaint, you have the right to file a complaint with the Data Protection Board of India, once it is fully constituted and operational under the DPDP Act, 2023. Information about the Board and the complaint process will be available at the government's official portal.
Cookies & Tracking Technologies
We use cookies, web beacons, pixels, local storage, and similar technologies to operate and improve the Platform.
13.1 Types of Cookies
- Strictly Necessary Cookies: Essential for the Platform to function — session authentication, CSRF protection, load balancing. These cannot be disabled. Using the Platform constitutes acceptance of strictly necessary cookies.
- Functional Cookies: Remember your preferences — saved filters, preferred city, language settings, theme preferences. Optional; disabling may affect your experience.
- Analytics Cookies: Collect anonymised usage data (pages visited, time on page, clicks, device type) to help us understand how the Platform is used and where to improve. Providers include Google Analytics ([●]) and Hotjar ([●]).
- Marketing / Targeting Cookies: Track browsing activity across sites to enable relevant advertising on third-party platforms (e.g., Meta, Google Ads). These require your explicit consent and are disabled by default until consent is given.
13.2 Managing Cookies
You may manage cookie preferences through: the cookie consent banner displayed on your first visit; the "Cookie Settings" link in the Platform footer; or your browser's privacy settings (clearing cookies, blocking third-party cookies). Disabling strictly necessary cookies will prevent the Platform from functioning.
13.3 Do Not Track
Some browsers offer a "Do Not Track" (DNT) signal. We currently do not respond to DNT signals in a standardised manner, as no uniform interpretation exists under Indian law. We commit to reviewing this position as regulatory guidance evolves.
Marketing Communications
We will only send you marketing communications (promotional emails, newsletters, design inspiration, offers) where you have opted in to receive them. Your opt-in consent is collected separately from account registration.
14.1 Opting Out
You may withdraw your marketing consent at any time through: (a) the "Unsubscribe" link in any marketing email; (b) your account settings under "Communication Preferences"; or (c) a written request to privacy@interiorsahihai.com. We will action opt-out requests within 10 business days. Opting out of marketing will not affect your receipt of transactional and account-essential communications.
14.2 No Marketing to Children
We will never send marketing communications to any person we know or reasonably believe to be under 18 years of age. We will not engage in behavioural monitoring of children or serve targeted advertising to children, in compliance with Section 9 of the DPDP Act, 2023.
Third-Party Services & Links
The Platform may contain links to third-party websites, social media pages, or external services. The Company has no control over the privacy practices of third-party sites and is not responsible for their privacy policies or data handling. We encourage you to read the privacy policy of any third-party site you visit through a link on our Platform.
Where we enable social login (Google, Apple, Meta), signing in with a social account will cause some data to be shared with and from the social network provider. This sharing is governed by the privacy policy of that provider. We only use the minimum data required to create and authenticate your account.
Automated Decision-Making
The Platform uses automated processing in the following ways:
- Search and Matching Algorithm: An algorithm ranks Designer profiles in response to Home Buyer search queries and project enquiries. Ranking factors include: overall rating score; number and recency of reviews; response rate and response time; profile completeness; portfolio quality assessment; paid promotion (where applicable); and relevance to stated requirements. This automated ranking does not produce any legal or similarly significant effect on Designers (it does not restrict rights or access to services).
- Fraud and Abuse Detection: Automated systems analyse account and transaction patterns to detect fraud, fake reviews, fee circumvention, and platform abuse. Where automated fraud detection results in an account action (such as suspension), you have the right to request human review of that decision by contacting our Grievance Officer.
- Spam and Prohibited Content Filtering: Automated tools scan messages and Content for spam, prohibited content, and policy violations. Content flagged by automated tools is reviewed by a human moderator before any account action is taken.
You may contact our Grievance Officer to request: an explanation of how a specific automated decision affecting you was made; and human review of any automated decision that produced a significant effect on your account.
Personal Data Breach Protocol
A "Personal Data Breach" means any incident resulting in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed by the Company or its processors.
17.1 Detection and Containment
We maintain a breach detection and incident response programme. Upon becoming aware of a potential breach, we will immediately: isolate affected systems; assess the scope and severity; preserve evidence; and engage our incident response team.
17.2 Notification
In the event of a personal data breach, and in compliance with the DPDP Act, 2023 (once its breach notification provisions are in force) and the IT (SPDI) Rules, 2011:
- We will notify the Data Protection Board of India within the period prescribed by notified rules (currently, the DPDP Act has not specified a fixed notification period; we will comply with the period prescribed when the provisions come into force).
- We will notify affected Data Principals whose data has been compromised, in a clear and plain-language notice describing: what data was affected; how the breach occurred (to the extent known); the likely impact; the steps we have taken; and what you can do to protect yourself.
- Where breach notification to all affected individuals is disproportionately onerous, we will issue a public notice on the Platform.
17.3 Post-Breach Review
Following any breach, we will conduct a root-cause analysis and implement corrective measures to prevent recurrence. A summary of our response may be shared with the Data Protection Board as required.
Grievance Officer & Data Protection Contact
In compliance with Rule 3(2) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, Rule 5(9) of the IT (SPDI) Rules, 2011, and Section 13 of the DPDP Act, 2023, we have appointed a Grievance Officer / Data Protection contact for all privacy-related matters.
Grievance Officer
All privacy complaints, data rights requests, and breach reports will be acknowledged within 24 hours and resolved within 30 days of receipt. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India (once operational) under Section 27 of the DPDP Act, 2023.
Amendments to This Policy
We will update this Privacy Policy when: (a) our data practices change; (b) new features require new data collection; (c) Indian data protection law changes (particularly as DPDP Rules are notified in phases through to May 2027); or (d) a regulator or court requires us to.
Material amendments — changes that affect how we use your data or your rights — will be communicated by email at least 7 days before the effective date, and by a prominent banner on the Platform. Non-material amendments (corrections, clarifications, formatting) may be made without advance notice.
Continued use of the Platform after an amendment's effective date constitutes acceptance of the revised Policy. If you disagree with an amendment, you may exercise your right to erasure and close your account before the effective date.
Previous versions of this Policy are archived and available on written request to our Grievance Officer.
Version 1.0 · Effective 1 April 2025 · © 2026 Interiorsahihai / [Company Legal Name]. All rights reserved. This Policy is not legal advice. For specific legal guidance on data protection, consult a qualified advocate.