Privacy Policy
Chaanbeen ("we", "us", "our") is the Data Fiduciary under India's Digital Personal Data Protection Act 2023 ("DPDP Act") for personal data processed through chaanbeen.in. You are the Data Principal.
This policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and what rights you have.
The short version
- We collect the minimum personal data needed to let you sign up, pay for a subscription, and receive evaluation reports.
- We never sell your data. We share it only with the named processors below, and only to deliver the service.
- We keep evaluations for three years after you last access them, and reports for five years or until you delete your account, whichever is earlier. Payment records we keep longer because Indian tax law says so.
- You can access, correct, port, or delete your data at any time from your account settings, or by emailing the grievance officer.
- If you think we have mishandled your data, email grievance@chaanbeen.in. If that does not resolve it, you can complain to the Data Protection Board of India.
1. Who we are
Chaanbeen is operated by a sole proprietorship registered in India. Our product is a subscription web service that synthesises public records from RERA, state IGRS registries, and eCourts into scored property evaluations for Indian home buyers.
Business contact:
- General support: hello@chaanbeen.in
- Privacy / grievance: grievance@chaanbeen.in
Grievance Officer: Himanshu Dongre, reachable at grievance@chaanbeen.in. Acknowledgement within two working days; written response within thirty days per DPDP §13. The grievance officer is the person designated under DPDP §8(9) and §13 to answer questions about the processing of your personal data and to handle grievances.
2. What personal data we collect
2.1 Account data
- Email address (required; used as the login identifier).
- Password or OAuth identity assertions (if you sign in with a third party through Supabase Auth).
- Phone number (optional; used for login OTP and for Razorpay KYC on paid plans).
- Display name (optional).
2.2 Subscription and payment data
- Subscription tier, billing cycle, and plan history.
- Razorpay subscription ID, customer ID, and payment event IDs.
- Amount paid, currency (INR), and timestamps.
We do not store your card number, CVV, UPI VPA, or bank account number. Those are held by Razorpay, which is an RBI-regulated Payment Aggregator.
2.3 Evaluation content
When you submit an evaluation, we process:
- The URL or raw text you paste describing a property listing.
- Any parsed fields we derive from it (builder name, project name, city, state).
- The scored evaluation and 7-block report we generate from public records.
Listing text you paste may incidentally contain personal data of third parties (for example the seller's name or phone number in the body of a listing). You warrant that you have the right to share that text with us. We process it for the single purpose of producing your evaluation. We do not contact those third parties and we do not make their personal data visible to any other user.
2.4 Usage and technical data
- IP address, user-agent string, and device type — stored with your consent events and with admin audit actions for security.
- Rate-limit and quota usage counters.
- Cookies strictly necessary for session login (via Supabase Auth) and for Razorpay checkout. We do not use third-party analytics cookies on the authenticated product surface at launch.
2.5 Consent records
- The version of each policy you accepted (e.g. tos-v1.0, privacy-v1.0).
- Timestamp, IP, user-agent, and source (signup / settings / admin) for each consent event.
3. Lawful basis for processing
We process your personal data on the basis of your consent (DPDP §6), given at signup and recorded in our consent log. You can withdraw consent at any time; where processing required consent, the withdrawal stops that processing and does not affect the lawfulness of processing that happened before you withdrew.
A small number of operations — fraud detection, payment dispute resolution, and compliance with Indian tax law — also rely on the "certain legitimate uses" basis in DPDP §7.
4. Why we process your data (purposes)
| Purpose | Data used | Basis |
|---|---|---|
| Create and maintain your account | Email, phone, password | Consent |
| Process subscription payments | Razorpay payment and order IDs, subscription metadata | Consent + DPDP §7 (legitimate use: payment) |
| Generate property evaluations | Listing URL / text, parsed fields | Consent |
| Deliver, display, and cache reports | Evaluation output, property cache key | Consent |
| Enforce quota and rate limits | Usage counters, billing period records | Consent + performance of contract |
| Comply with Indian tax law (GST, Income Tax) | Payment records | Legal obligation |
| Audit security and fraud events | IP, user-agent, admin actions | Consent + DPDP §7 (legitimate use: prevention of fraud) |
| Respond to grievances and legal requests | Any relevant data you share with us | Consent + legal obligation |
5. Who we share your data with (processors)
We share the minimum personal data needed for each processor to do its job. None of them are authorised to use your data for their own marketing.
| Processor | What they process | Where | Purpose |
|---|---|---|---|
| Supabase | Account data, evaluation content, reports, consent logs | AWS region outside India | Primary database, authentication, file storage |
| Razorpay | Email, phone, payment instrument references | India | Subscription payments, KYC under RBI PA rules |
| Anthropic (Claude API) | Listing text and parsed fields sent in prompts; report drafts returned | USA | LLM processing for evaluation blocks |
| Fly.io | Transient scrape inputs and outputs in worker memory | USA / closest region | Scraping and PDF generation compute |
| Sentry | Error traces, possibly stack frames referencing user IDs | USA / EU | Error tracking |
| BetterStack | Uptime and alert metadata | EU | Uptime monitoring |
| Google Workspace | Email correspondence you send us | USA (with data centres inferred from Workspace region) | Support and grievance inbox |
We do not share your personal data with advertisers, data brokers, or unrelated third parties. We do not enrich your profile by buying data from outside sources.
We read public records from RERA portals, state IGRS portals, and eCourts in the course of producing your evaluation. We do not send your personal data to those portals.
6. Cross-border transfers
Some of our processors operate data centres outside India (see §5). As of the effective date of this policy, the Central Government of India has not issued a restriction under DPDP §16 that prohibits transfer to the countries where these processors are based. If such a restriction is issued in the future that would affect us, we will notify you before any further transfer to a restricted destination and give you a reasonable option to withdraw consent.
7. How long we keep your data (retention)
| Data category | Retention | Why |
|---|---|---|
| Active profile data (email, phone, name) | While your account is active | Necessary to run the service |
| Profile data after deletion request | 30 days then hard-deleted, except for records below | DPDP right to erasure with grace for reversal |
| Evaluations (records of your scrape requests, status, cost) | 3 years after your last access | Dispute resolution, COGS analytics, fraud investigation |
| Reports (the 7-block output) | 5 years or until account deletion, whichever is earlier | Your own re-access + cache utility |
| Scrape runs (per-scraper invocation records) | 1 year after completion | Operations, retry history |
| Payments | 8 years from the financial year of the transaction | Indian tax law retention requirement |
| Webhook events (payment gateway events) | 2 years | Reconciliation with Razorpay |
| Consent log | Indefinite, legally required | DPDP §8(5) audit trail |
| Admin audit log | Indefinite | Security, dispute resolution |
| Sample reports (public marketing reports) | While we continue to publish them | Not personal data |
Retention windows are enforced by automated deletion of rows whose retained_until timestamp has passed, except for records the law requires us to keep longer.
8. Security
We:
- Store passwords only as hashes managed by Supabase Auth.
- Enforce Row-Level Security on every application table, so one authenticated user cannot see another user's data.
- Encrypt data in transit (HTTPS/TLS) and rely on Supabase and Razorpay's at-rest encryption.
- Log all admin actions to an append-only audit table.
- Rotate infrastructure secrets on a documented schedule.
If we become aware of a personal data breach that is reasonably likely to cause harm, we will notify the Data Protection Board of India and affected Data Principals as required by DPDP §8(6).
9. Your rights under the DPDP Act
You have the following rights regarding personal data about you. To exercise any of them, use your account settings where possible, or email grievance@chaanbeen.in. We will respond within seven working days for most requests, and within the statutory timeline for requests that require it.
9.1 Right to access and obtain a summary (§11)
You can request:
- A summary of the personal data we process about you.
- The categories of processors we share it with.
- Any other information reasonably useful to understand how your data is being processed.
You can download a full JSON export of your account data from the settings page at any time without going through the grievance officer.
9.2 Right to correction and erasure (§12)
You can:
- Correct inaccurate or misleading personal data from your account settings.
- Request erasure of your personal data at any time. Erasure does not remove records we are legally required to keep (tax records, consent log); those are kept in the narrowest form permitted by law.
9.3 Right to data portability
We provide a JSON export of your account data on request.
9.4 Right to nominate (§14)
You may nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity. Contact grievance@chaanbeen.in with the nominee's name and contact; we will confirm the nomination in writing.
9.5 Right to grievance redressal (§13)
See §11 below.
9.6 Right to withdraw consent
You may withdraw consent to processing at any time. The effect will be to stop continued processing for the purpose you withdrew consent for. Withdrawal does not un-do processing that already occurred, and it does not cancel contractual obligations (e.g. you still owe fees for services already delivered before withdrawal).
Withdrawal may make the service unusable for you; if you withdraw consent for evaluation processing, we can no longer generate evaluations on your account.
10. Children
Chaanbeen is for adults buying residential property. We do not knowingly collect personal data of anyone under the age of 18 and our signup flow requires confirmation of adult status. If we learn that we have processed the data of a child without verifiable parental consent as required by DPDP §9, we will delete that data on becoming aware.
11. Grievance redressal
If you have a concern about how we process your personal data, or if we have denied a request under §9:
- Email grievance@chaanbeen.in. Include the account email and a description of the concern.
- The Grievance Officer will acknowledge within two working days and respond with a decision within thirty days.
- If you remain unsatisfied, you may complain to the Data Protection Board of India under DPDP §27.
Nothing in this policy prevents you from seeking remedies under other Indian law, including the Consumer Protection Act 2019.
12. Cookies and similar technologies
We use only cookies that are strictly necessary for the service:
- A session cookie set by Supabase Auth when you sign in.
- A Razorpay checkout cookie when you complete a payment.
12.1 What we will never add
We make the following permanent commitments:
- No Google Analytics. Not now, not later, not on marketing pages, not on the authenticated product. Google Analytics is a third-party tracker with cross-site profiling and ad-network ties that are incompatible with our positioning as an independent verification service for Indian home buyers.
- No Meta (Facebook) Pixel. Same reasoning.
- No third-party ad trackers of any kind. No LinkedIn Insight Tag, no TikTok Pixel, no Twitter/X Universal Website Tag, no affiliate-network pixels.
If at some point we decide to change these commitments, we will version this policy, email every active subscriber at least fifteen days before the change takes effect, and give you the option to withdraw consent and receive a prorated refund.
12.2 Analytics we may add in the future
We may, in the future, add privacy-respecting, cookie-free analytics for marketing and product pages. Candidates we consider acceptable are:
- Plausible Analytics (self-hosted or EU-hosted, cookie-free, no cross-site tracking).
- Umami (self-hosted, open-source, cookie-free).
Neither of these sets a persistent identifier on your browser, and neither shares data with any ad network. If we adopt one of these, the policy will be versioned accordingly and a notice placed in the footer of the pages where analytics runs.
Any analytics tool we adopt must, at minimum:
- Be cookie-free or use only first-party session cookies.
- Not share user-level data with third parties.
- Not track users across unrelated sites.
- Be disclosed by name in this policy before it ships.
13. Automated decision-making
Evaluation scores are produced by Large Language Models (Claude Sonnet and Claude Haiku) synthesising public records. The score and verdict are informational only; they do not authorise, deny, approve, or disapprove any transaction involving you. No significant legal or similarly significant effect on you is decided by our system.
The "Not investment / legal advice" disclaimer in every report applies here: Chaanbeen aggregates public data; it does not replace the advice of a qualified lawyer, chartered accountant, RERA officer, or RBI-licensed advisor.
14. Changes to this policy
We will:
- Increment the version number on material change.
- Publish the new version at chaanbeen.in/privacy.
- Notify active users by email at least fifteen days before any material change takes effect.
- Log the new version in our consent log for each user who re-consents.
Earlier versions are preserved internally for audit purposes.
15. Contact
- Privacy and grievance: grievance@chaanbeen.in
- General support: hello@chaanbeen.in
- Grievance Officer: Himanshu Dongre
- Acknowledgement SLA: two working days.
- Response SLA: thirty days per DPDP §13.
This policy is governed by the laws of India and by the DPDP Act 2023. Disputes arising from it are subject to the exclusive jurisdiction of the courts at Pune, Maharashtra, without prejudice to your right to escalate to the Data Protection Board of India.