BrokerBaatSign In
DRAFT — placeholder copy pending review by Indian SaaS counsel. Do not publish without sign-off.

Privacy Policy

Effective date: 21 June 2026

This Privacy Policy describes how BrokerBaat Technologies Private Limited (“BrokerBaat”, “we”, “us”) collects, uses, stores, and shares personal data when you use our WhatsApp-native lead management platform and our website at brokerbaat.in.

This policy is published in compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Who we are

BrokerBaat acts as a Data Fiduciary under the DPDP Act for the personal data of broker-agency owners, agents, and platform users who sign up for our services. When buyer-side data is processed on behalf of a broker-agency, BrokerBaat acts as a Data Processor and the broker-agency is the Data Fiduciary.

Registered office: [TO BE FILLED — registered office address]
Email: privacy@brokerbaat.in

2. Data we collect

From broker-agency users (direct customers)

  • Identity: name, email, phone number, agency name, city.
  • Authentication: identifiers issued via email one-time passcode (OTP) through Clerk.
  • Billing: payment metadata via Razorpay (we do not store card numbers).
  • Usage: pages viewed, features used, login timestamps.

From end-buyers messaging your agency's WhatsApp number

  • WhatsApp identifier (phone number) and message content.
  • Lead metadata: budget, area preference, timeline, loan status — as captured during qualification.

3. How we use your data

  • To provide the service: qualify leads, deliver briefings, and generate insights.
  • To bill and account: process Razorpay subscription payments and wallet recharges.
  • To improve the service: aggregate and anonymise usage signals.
  • To comply with law and respond to lawful requests.

We do not sell personal data. We do not use buyer-lead content to train third-party AI models in a way that could identify individuals.

4. WhatsApp messaging — consent, opt-out & deletion

BrokerBaat sends and receives messages through the WhatsApp Business Platform on behalf of broker-agencies, in compliance with the WhatsApp Business Messaging Policy and Meta's terms. Meta Platforms processes message content and metadata as a sub-processor to deliver these messages.

Consent (opt-in)

A buyer opts in to receive WhatsApp messages when they message a broker-agency's WhatsApp number, tap a “Click-to-WhatsApp” advertisement, or otherwise provide their number to the agency for follow-up. Every conversation identifies the broker-agency by name and states its purpose. We record the opt-in source and timestamp. Consent for service / transactional updates is captured separately from consent for promotional messages — we do not send promotional messages without a specific opt-in for them.

Opt-out (unsubscribe)

A buyer can opt out at any time by replying STOP (or equivalents such as “band karo” / “बंद करो”), or by blocking the number in WhatsApp. On opt-out we immediately stop all business-initiated messages to that number and record the request. Promotional template messages include unsubscribe instructions, and we honour WhatsApp's native block / report signals.

WhatsApp data deletion

On request, BrokerBaat will delete a contact's WhatsApp data — the phone number from the messaging list, the chat history, and copies held in backups — within 30 days, and confirm completion to the requester. Broker-agencies can trigger this from their portal, or anyone may email privacy@brokerbaat.in.

5. Where your data is stored

Primary storage is in Amazon Web Services, Asia Pacific (Mumbai) region (ap-south-1). Database backups are retained in the same region.

Cross-border data transfers

Limited data may be transferred outside India in the following narrow cases:

  • Meta (WhatsApp Business Cloud API): message metadata and content as required to deliver and receive WhatsApp messages. Meta's servers are operated globally.
  • Anthropic (Claude AI): message text sent to the Claude API for qualification, summarisation, and coaching. Anthropic processes data in the United States.

We have evaluated each sub-processor against the DPDP Act's cross-border transfer requirements and use only providers with appropriate safeguards.

6. How long we retain data

Data categoryRetention
Broker account & CONFIG recordsLifetime of account + 12 months after closure
WhatsApp conversation logs (CONV)90 days (auto-deleted via DynamoDB TTL)
Lead records (LEAD)Retained while broker account active
Wallet ledger (audit)365 days
Razorpay transaction logs8 years (Indian tax law requirement)

7. Your rights as a Data Principal

Under the DPDP Act 2023, you have the right to:

  • Access personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Erase data we no longer need a lawful basis to retain.
  • Nominate another individual to exercise these rights on your death or incapacitation.
  • Withdraw consent at any time — though some processing may continue under other lawful bases (contract performance, legal obligation).
  • Grievance redressal — file a complaint with our Grievance Officer (see §10).

To exercise any right, email privacy@brokerbaat.in. We will respond within 30 days.

8. Cookies & tracking

Our website uses essential cookies for session management (Clerk authentication, Next.js routing). We do not currently run third-party analytics or advertising trackers. If we add analytics in future, we will update this policy and obtain consent where required.

9. Security

Personal data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted via AWS IAM and least-privilege role scoping. We follow industry-standard practices including credential rotation, secrets management via AWS SSM, and regular security review.

10. Grievance Officer

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, the name and contact details of our Grievance Officer are:

[TO BE FILLED — Name]
Email: grievance@brokerbaat.in
Address: [TO BE FILLED — same as registered office]
Response SLA: Acknowledgement within 48 hours; resolution within 30 days.

11. Children

BrokerBaat is a B2B service intended for use by businesses and adults aged 18 and above. We do not knowingly collect data from children under 18.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified to broker-agency owners via email and via a notice on the platform at least 14 days before they take effect.

13. Contact

Questions about this policy: privacy@brokerbaat.in. General queries: hello@brokerbaat.in.