Privacy Policy

How we handle your data

Written in plain language. Compliant with India's DPDP Act 2023 and IT Act 2000. We believe privacy is a right, not a checkbox.

No data selling · httpOnly cookies · Right to erasure · Grievance officer

1. Overview

Eknaviq ("we", "us", "our") is a real estate technology platform operated from Hyderabad, India.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use eknaviq.com or our mobile apps.

By using our platform you agree to this Policy. If you disagree, please do not use the platform.

Governing law: India's Digital Personal Data Protection (DPDP) Act, 2023 and Information Technology (IT) Act, 2000.

Last updated: June 2025 · Version 1.0

2. Data We Collect

Account data: Full name, email address, mobile number, profile photo.

KYC/verification data: Aadhaar number (last 4 digits only), PAN number, GST registration (for entities). Uploaded document images are encrypted at rest and never shared without your consent.

Usage data: Pages viewed, search queries, listing clicks, session duration. Collected in aggregated, anonymised form.

Device data: IP address (hashed for storage), browser type, operating system, device model.

Location data: City and state only — we never track precise GPS location without explicit permission.

Payment data: Payment amount, purpose, and offline transaction reference. No card numbers or bank details are stored on our servers.

Communications: Support tickets, Chatwoot chat transcripts, and emails you send us.

Data we do NOT collect:

  • Precise real-time GPS location
  • Contact lists or call logs
  • Social media profiles beyond what you explicitly provide
  • Biometric data

3. How We Use Your Data

Service delivery: To create and manage your account, verify your identity, display listings, schedule visits, and process payments.

Security: To detect fraud, prevent unauthorised access, enforce rate limits, and investigate suspicious activity.

Communication: To send OTPs, booking confirmations, payment receipts, and important platform updates. We will only send marketing emails if you explicitly opt in.

Improvement: Anonymised analytics help us improve search quality, UI performance, and feature prioritisation. No personal identifiers are used in analytics.

Legal compliance: To comply with court orders, RERA requirements, GST audits, and law enforcement requests where legally mandated.

Legal basis (DPDP Act 2023):

  • Consent — for marketing, analytics, and non-essential cookies.
  • Legitimate use — for security, fraud prevention, and service operation.
  • Legal obligation — for KYC, financial records, and audit logs.

4. Cookies & Tracking

Strictly necessary cookies (always on):

  • `ek_token` — authentication token (httpOnly, Secure, SameSite=Lax, 15 min expiry)
  • `ek_refresh` — refresh token (httpOnly, Secure, SameSite=Lax, 7 day expiry)
  • `ek_cookie_consent` — stores your cookie preferences (localStorage, 1 year)

Analytics cookies (opt-in only):

  • Aggregated page views and feature usage. No personal data. Stored on our own infrastructure, not sent to third parties.

Preference cookies (opt-in only):

  • Search filter preferences, map zoom level, display theme.

We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.

You can manage or withdraw cookie consent at any time via the cookie banner or Settings → Privacy.

5. Data Sharing

We never sell your personal data.

We share data only in these circumstances:

Agents and property owners: When you express interest in a listing, your name and contact number are shared with the verified agent for that listing only. You can withdraw interest at any time.

KYC verification partners: Document images are processed by our internal system. No third-party KYC vendor receives your raw Aadhaar or PAN data.

Infrastructure providers: Supabase (database, auth — EU/US data centres with SOC 2 Type II), Cloudflare R2 (document storage — encrypted). Both are bound by data processing agreements.

Law enforcement: Only when required by a valid Indian court order or mandatory legal provision.

Business transfer: If Eknaviq is acquired or merged, your data may transfer to the new entity under the same privacy commitments.

6. Data Retention

| Data type | Retention period | Reason |
|-----------|-----------------|--------|
| Account profile | Until deleted + 30 days | DPDP Act grace period |
| KYC documents | 5 years post-transaction | RERA & PMLA requirement |
| Financial records / invoices | 10 years | GST Act, Income Tax Act |
| Audit logs | 7 years | Legal requirement |
| OTP codes | 10 minutes | Security |
| Session tokens | 7 days | Operational |
| Search history | 30 days | Anonymised |
| Support tickets | 3 years | Consumer protection |

When the retention period expires, data is securely deleted or anonymised.

7. Your Rights (DPDP Act 2023)

Under India's Digital Personal Data Protection Act 2023 you have the right to:

Access: Request a copy of all personal data we hold about you. We will respond within 30 days.

Correction: Correct inaccurate or incomplete personal data via Settings → Profile or by contacting us.

Erasure (right to be forgotten): Request deletion of your account and personal data via Settings → Delete Account. Financial records are retained as required by law.

Grievance redressal: Raise a complaint with our Data Protection Officer within 30 days. We will respond within 15 business days. Unresolved complaints can be escalated to the Data Protection Board of India once constituted.

Withdraw consent: Withdraw consent for marketing emails, analytics cookies, or preference cookies at any time without affecting previous processing.

Nominate: Nominate another person to exercise these rights on your behalf in case of incapacity.

To exercise any right: email privacy@eknaviq.com or use the in-app Settings → Privacy panel.

8. Security Measures

Authentication: JWT tokens with 15-minute expiry, stored in httpOnly Secure cookies. Refresh tokens are DB-backed and revocable.

Encryption: All data in transit via TLS 1.3. Document files encrypted at rest (AES-256) in Cloudflare R2.

Access control: Row-Level Security (RLS) on all database tables — no query can return another user's data.

Rate limiting: All endpoints rate-limited via distributed Redis. Brute-force protection on all auth endpoints (10 attempts per 15 minutes).

MFA: Time-based OTP (TOTP) available for all users; mandatory for IT portal members.

Anomaly detection: Automated detection of brute-force attacks, unusual data export volumes, and impossible travel. Critical events trigger immediate alerts.

Penetration testing: Annual third-party OWASP-compliant penetration test. Automated OWASP ZAP scan on every deployment.

Honeypots: Fake admin endpoints log and alert on scanning attempts.

9. Children's Privacy

Eknaviq is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors.

If you believe a minor has provided us with personal data, contact privacy@eknaviq.com and we will delete it immediately.

10. Contact & Grievance Officer

Data Protection / Grievance Officer:

Name: Eknaviq Data Privacy Team

Email: privacy@eknaviq.com

Address: Eknaviq Technologies, Hyderabad, Telangana, India — 500 074

Response time: Within 15 business days of receipt

For urgent data breach reports: security@eknaviq.com

Regulatory authority (once constituted): Data Protection Board of India — https://dpboard.gov.in

Changes to this Policy: We will notify registered users by email at least 30 days before any material change. The version and date at the top of this page will also be updated. Continued use of the platform after the effective date constitutes acceptance of the updated policy.