Privacy Policy
Effective date: 16 July 2026 · Last updated: 16 July 2026 · Version 2
Last updated: 14 July 2026 · Version 2
This Privacy Policy describes how Spacelinkers Infotech Private Limited (CIN: U72900UP2020PTC129695), registered office at H No. 55, Shiv Nagar, Tundla, 283204, Firozabad, Uttar Pradesh, India ("Spacelinkers", "we"), the Data Fiduciary for the StayLocal platform, processes personal data — in accordance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
A summary of your rights and self-serve tools is on the DPDP Compliance page; exercise them at /privacy/manage.
1. Personal data we collect
You provide:
- Account data: name and email from Google sign-in or your sign-in email; optional profile details.
- Lister data: property details, addresses, geolocation, photographs, pricing, and call/WhatsApp numbers (the call number is OTP-verified).
- Communications: enquiry messages, reports, support requests, correction/deletion requests.
- Consent records: what you agreed to, the policy version shown, timestamp, IP address, and device user-agent.
Collected automatically:
- Usage data: searches (including natural-language queries), listing views, contact reveals, clicks, waitlists and saved searches.
- Technical data: IP address, user agent, request identifiers, approximate location derived from IP, and cookie identifiers per the Cookie Policy.
From third parties: basic profile data from Google when you choose Google sign-in.
Payment data: invoices and payment confirmations for Paid Services. Payments are currently offline; we never store card/UPI credentials. If an online payment provider (e.g., Razorpay) is integrated, your payment instrument details will be processed by that provider under its own privacy policy — we receive only transaction status and references.
We do not seek sensitive personal data (financial credentials, health, biometrics, caste, religion) and ask you not to include any in listings, messages, or reviews.
2. Purposes of processing
- Operating the marketplace: accounts, listings, search and ranking, connecting Seekers with Listers, waitlist matching.
- AI-assisted search: your natural-language queries are parsed (rule-based, with an AI model fallback) into structured filters; queries and results are logged for search quality, abuse prevention and demand analytics.
- Verification, trust and safety: pre-publication review, OTP contact verification, duplicate detection (address and photo-fingerprint matching), fraud prevention, moderation of reports.
- Communications: transactional messages (service, security, listing status, leads) and — only with separate opt-in consent — marketing via email, SMS, WhatsApp, or push notifications.
- Analytics and product improvement; advertising measurement only per your cookie consents (Section 5).
- Legal compliance: tax and accounting records, responding to lawful demands (Law Enforcement Request Policy), enforcing our Terms.
3. Legal bases
We process personal data on the basis of consent (Section 6, DPDP Act) — collected at sign-up, granularly for marketing and cookie categories, and per-listing for lister declarations — and for certain legitimate uses under Section 7 (voluntary provision for a specified purpose, compliance with law and judicial orders, responding to your own requests, employment where applicable). You may withdraw consent at any time as described in Section 8; withdrawal does not affect processing already carried out, and consequences of withdrawal (e.g., inability to keep an account) are stated where you exercise it.
4. Sharing of personal data
- With other users: when you contact a Lister, your name is shared with them; when your Listing is live, its content and verified contact number are visible to signed-in Seekers who request them.
- Processors (bound by contract to process only on our instructions): hosting and CDN (Vercel), database/authentication/storage (Supabase), transactional email (Resend), SMS OTP (MSG91), error monitoring (Sentry), and — when enabled — the analytics/advertising/communication providers listed in Section 5 and the Cookie Policy.
- Corporate: within Spacelinkers group entities, or with a successor in a merger/acquisition (with notice).
- Authorities: strictly per the Law Enforcement Request Policy.
- We do not sell personal data.
5. Analytics, advertising and Google services disclosures
The Platform currently sets only strictly-necessary cookies. We anticipate enabling some or all of the following; each will operate only in accordance with your cookie consents (/privacy/cookies) and this Policy, without further rewrites:
- Google Analytics 4 / Google Tag Manager — usage measurement (Analytics category). IP truncation/de-identification configured where available; data may be processed by Google LLC on servers outside India.
- Google Search Console — aggregate search-appearance data; no user cookies.
- Google AdSense / advertising products — ad serving and measurement (Marketing category). Google and its partners may use advertising cookies to serve personalised or non-personalised ads; you can additionally manage Google ad personalisation at adssettings.google.com and learn how Google uses data at policies.google.com/technologies/partner-sites.
- Meta Pixel (Marketing), Microsoft Clarity (Analytics — session analytics/heatmaps), push-notification services, and bulk email/SMS/WhatsApp campaign providers (Marketing consent).
Where any such provider processes data outside India, Section 7 (cross-border transfers) applies.
6. Cookies and tracking technologies
Covered in the Cookie Policy with a four-category consent model (Necessary, Functional, Analytics, Marketing) and a self-serve preferences manager. Non-essential scripts are code-gated on your recorded consent.
7. Cross-border data transfers
Our infrastructure providers may store or process data in jurisdictions outside India (e.g., Vercel/Supabase/Sentry regions, Google/Meta services). We transfer personal data only to countries not restricted by the Central Government under Section 16 of the DPDP Act, and require our processors to provide adequate contractual safeguards and security standards.
8. Your rights (DPDP Act) and how to exercise them
- Access / copy (§11): instant JSON export at /privacy/manage.
- Correction and completion (§12): edit your profile directly; raise a correction request for anything else — actioned within 15 days.
- Erasure (§12): request account deletion at /privacy/manage; executed after identity/abuse review (usually within 2 working days), subject to statutory retention (Section 9).
- Withdrawal of consent (§6): marketing and cookie consents toggle instantly; Terms/Privacy consent is withdrawn by deleting your account, since the service cannot operate without it.
- Grievance redressal (§13): per the Grievance Redressal Policy; unresolved DPDP complaints may be escalated to the Data Protection Board of India.
- Nomination (§14): nominate a person to exercise your rights in case of death or incapacity by writing to the Grievance Officer.
Requests are free of charge. We may verify your identity before acting.
9. Retention
Detailed schedule in the Data Retention Policy. Highlights: account data for the life of the account; consent records for account life plus 3 years; invoices/payment/credit records 7 years (Companies Act, 2013 / Income-tax Act, 1961); audit logs 2–7 years; deleted accounts are scrubbed of identifying fields while legally-retained records are minimised and access-restricted.
10. Security practices
Reasonable security practices under the IT Act and DPDP Act §8(5), including: encryption in transit (HTTPS/TLS); row-level security on the database with deny-by-default policies; permission-gated APIs with role-based access control; OTP verification of published contact numbers; tamper-evident (hash-chained) audit logs; secrets isolation; rate limiting; personnel access on a need-to-know basis. Breach notification: personal-data breaches are reported to the Data Protection Board of India and affected Data Principals as required by §8(6).
11. Children
The Platform is intended for users 18+. We do not knowingly process children's data; verified reports of underage accounts lead to deletion.
12. Automated decision-making and AI
Search ranking and duplicate detection are automated but subject to human review before any adverse action (listing rejection/suspension is decided by a human reviewer). AI-assisted query parsing interprets your search text; it makes no decisions about you. If materially consequential automated decision-making is ever introduced, this Policy and on-platform notices will disclose it first.
13. Data Fiduciary and Grievance Officer
Data Fiduciary: Spacelinkers Infotech Private Limited (CIN: U72900UP2020PTC129695). Grievance Officer: Data Protection & HR Compliance Officer · info@spacelinkers.com · 3rd Floor, A-83, Sector 63, Block A, Noida, Uttar Pradesh, 201301, India. Grievances: acknowledged within 24 hours, resolved within 15 days. General privacy queries: within 30 days.
14. Changes to this Policy
Material changes are notified by email and on-platform notice with a new version number and effective date; the consent records you gave always reference the exact version you accepted.
Version 2 · Effective 16 July 2026 · Questions about this policy? See the Grievance Redressal Policy or contact us.