Privacy Policy
How Cladbe collects, uses, shares, and protects your personal data.
Purpose
This Master Privacy Policy describes how Cladbe Platforms LLP collects, processes, stores, shares, and protects Personal Data across its real estate technology ecosystem. The Policy is written in plain language to help Data Principals exercise their rights under the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, the Information Technology Act, 2000 and the IT Rules, 2021, and any other applicable data protection law in India.
How to Read This Document
This document is written in plain English to ensure accessibility for all stakeholders. Defined terms appear in bold or initial-capital form and carry consistent meanings across all Cladbe master documents (Master Terms of Use, Master Privacy Policy, and Master Refund & Cancellation Policy).
As required under Rule 3(1)(a) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, a copy of this document in any of the languages specified in the Eighth Schedule of the Constitution of India will be made available to a User upon written request to info@cladbe.com within a reasonable timeframe.
1. Introduction & Scope
Cladbe Platforms LLP ("Cladbe", "we", "us", or "our") operates a real estate technology ecosystem comprising three integrated pillars: The Studio (data-driven design and launch strategy), The OS (the real estate operating system SaaS backbone), and The Stage (unified B2B and B2C distribution including the Property.new marketplace and physical Experience Centres).
This Master Privacy Policy ("Policy") is a single, unified document that governs the collection, use, storage, sharing, and deletion of all Personal Data across the Cladbe ecosystem, including:
- The web and mobile platforms at cladbe.com, property.new, and all related subdomains;
- The OS SaaS panels for Builders, Channel Partners, and their teams;
- Cladbe's customer post-purchase mobile application;
- The Property.new B2C marketplace;
- Cladbe's physical Experience Centres and pop-up locations;
- All APIs, SDKs, telephony, messaging, email, and SMS/RCS integrations;
- All AI/ML, automation, and analytics modules embedded within the Services.
By accessing or using any part of the Services, you acknowledge that you have read, understood, and agreed to be bound by this Policy. If you do not agree, you must discontinue use immediately.
Plain Language and Multi-Language Availability: This Policy is published in English using plain, itemised language as required by Rule 3 of the DPDP Rules, 2025. A copy of this Policy in any of the languages specified in the Eighth Schedule of the Constitution of India will be made available upon written request to info@cladbe.com.
2. Who We Are: Data Fiduciary vs. Data Processor
Under the DPDP Act read with the DPDP Rules, the roles of Data Fiduciary and Data Processor are context-dependent across Cladbe's product suite:
| Module / Context | Cladbe's Role | Data Fiduciary |
|---|---|---|
| Property.new — Buyer discovery, EOI, booking | Data Fiduciary | Cladbe Platforms LLP |
| Property.new — Aggregated listings from public RERA registries | Intermediary (IT Act safe harbour) | Not applicable — public-domain data |
| Customer post-purchase mobile application | Data Fiduciary | Cladbe Platforms LLP |
| The OS — Builder team data (employees, attendance, HR) | Data Processor | Builder Organisation |
| The OS — CRM lead data (Builder's leads & customers) | Data Processor | Builder / CP Organisation |
| Omni-channel communication recording (calls, messaging) for builder teams | Data Processor | Builder Organisation |
| Biometric attendance system (Builder's workforce) | Data Processor | Builder Organisation |
| The Studio — Market research & analytics (aggregated/anonymised) | Data Fiduciary | Cladbe Platforms LLP |
| Experience Centres — Walk-in lead capture | Data Fiduciary | Cladbe Platforms LLP |
Liability Firewall: The legal burden of obtaining explicit consent from end-customers, employees, field workers, and any third parties rests entirely with the Builder, Broker, or User (as the Data Fiduciary). Cladbe assumes zero liability for a Builder's or Broker's failure to secure legally valid consent prior to utilising our Services.
3. Definitions
The following definitions apply throughout this Policy:
| Term | Definition |
|---|---|
| Personal Data | Any data that, alone or in combination with other data, identifies or can identify a natural person, as defined under the DPDP Act. |
| Data Principal | The individual to whom the Personal Data relates. |
| Data Fiduciary | The entity that determines the purpose and means of processing Personal Data. |
| Data Processor | The entity that processes Personal Data on behalf of a Data Fiduciary. |
| Processing | Any operation performed on Personal Data, including collection, storage, use, sharing, alteration, or deletion. |
| Consent Manager | A consent management platform registered with the Data Protection Board of India under Rule 4 of the DPDP Rules. |
| DPB / Board | The Data Protection Board of India established under the DPDP Act. |
| Biometric Data | Facial geometry vectors, embedding templates, and related biometric data captured through Cladbe's biometric attendance system. |
| Derived Data | Aggregated, anonymised, de-identified, statistical, analytical, and AI/ML-generated outputs, insights, models, recommendations, and intelligence produced by Cladbe through the processing of User Content or Personal Data on the Services. |
| Sub-Processors | The infrastructure, communication, analytics, and security service providers engaged by Cladbe to deliver the Services. |
| EOI | Expression of Interest — a pre-booking commitment registered on Property.new or the OS. |
| Limited-Time Inventory Sale | A time-limited, high-velocity inventory sale event hosted via the Services. |
| Omni-Channel Recording | The capture and storage of buyer-agent communications across calls, messaging, email, and in-app messaging for quality control and dispute resolution. |
| Audit Log | Cladbe's tamper-resistant audit and forensic log system that records critical financial, operational, and compliance events on the Services. |
| Nodal Account | A designated bank account (per RBI guidelines) through which token/EOI funds are routed. |
| CP / Channel Partner | A RERA-registered real estate broker or broker network onboarded onto the Cladbe platform. |
| Services | All products, platforms, APIs, and features described in Section 1 of this Policy. |
| User Content | Any data, documents, media, or information uploaded or submitted by a User through the Services. |
4. Categories of Personal Data Collected
Cladbe collects Personal Data across the following categories:
4.1 Identity & Contact Data
- Full legal name, preferred name;
- Mobile number, email address, residential/correspondence address;
- Date of birth (for KYC and eligibility verification);
- Government-issued identification: PAN, Aadhaar, passport, voter ID, etc.;
- Photograph / profile image.
4.2 Professional & Business Data
- RERA registration number (Builder, CP);
- GST Identification Number (GSTIN), PAN (entity-level);
- Company name, designation, employment history;
- Bank account details (for commission payouts, payroll).
4.3 Financial & Transaction Data
- EOI / token payment references;
- Demand letter history, payment schedule, instalment receipts;
- Commission payout records;
- GST, stamp duty, and registration fee transaction references.
4.4 Behavioural & Interaction Data (AI-Processed)
- Lead scoring data: engagement frequency, site visit history, EOI intent signals;
- Sales pipeline position;
- Sales call quality scores and agent performance metrics;
- Property search queries, filters applied, shortlisted units.
4.5 Special Category Data
- Biometric Data (Facial Geometry): Collected via Cladbe's biometric attendance system.
- GPS / Location Data: Field worker location stamps; Experience Centre walk-in geolocation.
- Call & Communication Recordings: Full audio/text recordings for quality control.
4.6 Technical & Device Data
- IP address, browser type, device ID, operating system;
- Login timestamps, session duration, feature usage patterns;
- Cookie identifiers and tracking pixel data;
- API call logs (for builder/CP integrations).
4.7 Offline Experience Centre Data
- Lead details, site visit preferences, EOI intent, and interaction data collected via offline kiosks, tablets, or physical forms at Cladbe Experience Centres and pop-up events;
- This data is captured under the same consent framework as digital Services and is used for lead routing, matching, and campaign personalisation.
5. Purposes & Legal Basis for Processing
Cladbe processes Personal Data for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation & authentication | Identity, Contact, Device | Consent |
| Lead capture, allocation & CRM management | Identity, Contact, Behavioural | Consent / Legitimate Use |
| EOI processing, priority logic & digital booking | Identity, Financial, Contact | Consent / Contract Performance |
| Automated demand letter & payment schedule generation | Financial, Identity | Contract Performance |
| Commission calculation and payout processing | Financial, Professional | Contract Performance |
| Sales call quality scoring and agent performance analytics | Communication Recordings, Behavioural | Consent / Legitimate Use |
| Lead matching and analytics | Behavioural, Financial, Identity | Consent / Legitimate Use |
| Biometric attendance verification (builder workforce) | Biometric | Explicit Consent (via Builder) |
| Field worker GPS tracking (site staff) | Location | Explicit Consent / Contract |
| Property.new marketplace listing & discovery | Identity, Professional, Financial | Consent / Legitimate Use |
| Time-limited inventory sale events | Identity, Financial, Behavioural | Consent |
| KYC / eKYC verification for all entities | Identity, Financial | Legal Obligation |
| GST, stamp duty & tax computation | Identity, Financial | Legal Obligation |
| Marketing and remarketing campaigns | Contact, Behavioural, Device | Consent |
| Customer post-purchase services (snagging & payments) | Identity, Financial, Contact | Contract Performance |
| Fraud detection & platform security | Device, Behavioural, Transaction | Legitimate Use |
| Regulatory compliance and audit trail maintenance | All categories as applicable | Legal Obligation |
| Generating anonymised Derived Data & market intelligence | Anonymised / Aggregated only | Legitimate Use |
Where processing is based on Consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
6. Data Sharing, Disclosure & Third Parties
Cladbe does not sell Personal Data. We share Personal Data only in the following circumstances and with the following categories of recipients:
6.1 Sharing Within the Cladbe Ecosystem
- Builder Organisations: Lead data, EOI details, customer KYC, and booking records are shared with the relevant Builder through the OS as part of the transaction workflow. Builders act as Data Fiduciaries for their own customer data.
- Channel Partners (CPs): Cladbe shares lead attribution data, unit availability (via role-based access controls), and commission payout details with verified, registered CPs. CPs receive only the information tier authorised under Cladbe's tiered information access framework.
- Internal Teams: Cladbe employees access Personal Data on a strict need-to-know, role-based access control (RBAC) basis governed by the hierarchy management system.
6.2 Sharing with Sub-Processors and Third-Party Service Providers
Cladbe engages a network of Sub-Processors to deliver the Services. The current list of Sub-Processors, the categories of Personal Data processed by each, and the locations where such processing occurs is available on written request to info@cladbe.com. Categories include:
- Payment Aggregators / Nodal Account Operators: Transaction references, bank account metadata, and payout instructions are shared with RBI-licensed Payment Aggregators operating under the Reserve Bank of India (Regulation of Payment Aggregators) Directions, 2025 for processing EOIs, commission payouts, and payroll.
- KYC / eKYC Providers: Identity documents are shared with licensed KYC verification services for identity verification and document authentication.
- Cloud Infrastructure & Data Hosting: Cladbe operates on a combination of dedicated and cloud-based data centre infrastructure. Data Processing Agreements are in place with all infrastructure providers.
- Communication Platform Providers: Licensed messaging, telephony, real-time communication, and email service providers receive message content and metadata for routing and delivery.
- AI / ML Vendors: Cladbe's core AI/ML functions are operated in-house. Where third-party AI APIs are used, only the minimum necessary data is transmitted under strict DPAs.
- Legal, Audit & Compliance: Data may be shared with legal counsel, auditors, or regulatory authorities (including RERA) under a duty of confidentiality.
6.3 Token Money & Financial Intermediary Disclaimer
At no point does Cladbe hold, pool, or exercise custody or control over buyer token money, EOI deposits, or principal transaction funds at any stage of the transaction lifecycle. All buyer payments are routed directly through RBI-licensed escrow accounts or nodal accounts operated by regulated third-party payment aggregators. Cladbe's role is strictly limited to triggering payout instructions and commission deduction signals upon milestone verification.
6.4 Sharing with Regulators & Law Enforcement
Cladbe will disclose Personal Data to government authorities, regulators (RERA, RBI, SEBI, Income Tax, CERT-In, the Data Protection Board of India, and the Telecom Regulatory Authority of India), or law enforcement agencies when required to do so by Applicable Law, court order, or government mandate. Where legally permissible, Cladbe will notify the affected Data Principal prior to such disclosure.
6.5 Tiered Information Access Controls
Cladbe operates a tiered information access framework that generates multiple, controlled views of project data for different stakeholder tiers. CPs and third-party portals receive only the inventory view explicitly authorised by the Builder. Sensitive pricing, discount structures, and internal booking records are not visible to CPs unless specifically permitted.
6.6 Limited-Time Sale & EOI Ecosystem Data Flow
When buyers participate in time-limited inventory sale events or submit EOIs via Property.new or the Cladbe Network, they explicitly consent to their financial intent, KYC data, and EOI details being shared instantly across the integrated ecosystem — subject to role-based access controls and visibility layers.
6.7 Third-Party System Integrations
Where a Builder or enterprise client integrates the Cladbe OS with third-party systems via API, webhook, or any other integration mechanism, Cladbe bears no responsibility for data breaches, data leaks, unauthorised access, or data loss originating from or routed through such external endpoints.
6.8 Secure Document Storage — Custodian Disclaimer
While Cladbe provides a secure document storage feature for storing sensitive eKYC documents, contracts, and property records, Cladbe acts merely as a digital custodian of such documents. Cladbe is entirely indemnified against claims of identity theft, forged documentation, or financial fraud resulting from compromised user passwords, falsified uploads, or Builder/CP non-compliance with KYC obligations.
6.9 Common-Control Disclosure
Cladbe Platforms LLP and Amiltus Builders Pvt Ltd (CIN U70200UP2016PTC086686) are entities under common control. Amiltus Builders Pvt Ltd is a real estate developer that operates as a Builder on the Services and lists its projects on Property.new alongside third-party Builder listings.
This Policy applies identically to Personal Data collected and processed in connection with Amiltus Builders Pvt Ltd's use of the Services as it does for any other Builder. Specifically:
- Algorithmic ranking, search, matching, and lead-distribution engines apply identical objective parameters to all Builder listings;
- End Customers transacting with Amiltus Builders Pvt Ltd through the Services are entitled to the same Data Principal rights, security measures, breach notification, and grievance redressal processes;
- Personal Data collected from End Customers in connection with an Amiltus Builders Pvt Ltd listing is not shared with the Cladbe-controlled commercial group beyond the Builder organisation itself;
- Where Cladbe acts as Data Processor for Amiltus Builders Pvt Ltd, the same processor-fiduciary boundaries described in Section 2 apply.
End Customers, Builders, or Channel Partners with concerns regarding alleged differentiated treatment may write to grievance@cladbe.com.
7. Retention, Logs & Erasure
Cladbe retains Personal Data only for as long as necessary to fulfil the purpose for which it was collected, or as mandated by Applicable Law, whichever is longer. Upon expiry of the applicable retention period, Personal Data is securely deleted or anonymised.
8. Your Rights Under the DPDP Act, 2023
As a Data Principal, you have the following rights:
| Right | Description | How to Exercise |
|---|---|---|
| Right of Access | Obtain a summary of Personal Data processed, the processing activities, and a list of Sub-Processors with whom your data has been shared. | Submit request to info@cladbe.com |
| Right to Correction | Correct inaccurate or outdated Personal Data. | In-app profile update or written request |
| Right to Erasure | Request deletion of Personal Data no longer required for stated purposes, subject to legal retention obligations. | Written request; subject to legal minimum retention |
| Right to Grievance Redressal | Raise a grievance with Cladbe's Grievance Officer. If unresolved, escalate to the Data Protection Board of India. | Section 20 of this Policy |
| Right to Nominate | Nominate another individual to exercise rights on your behalf in the event of death or incapacity. | Written notarised nomination to info@cladbe.com |
| Right to Withdraw Consent | Withdraw consent for consent-based processing at any time, without affecting prior lawful processing. | Account settings or written notice to info@cladbe.com |
9. Data Portability on Termination
Upon termination, Cladbe shall provide a machine-readable export (CSV/JSON format) of raw transactional data within a 90-day read-only access window. This right does not extend to Cladbe's proprietary Derived Data or AI/ML models.
10. Biometrics, AI Analytics & Communication Recording
10.1 Biometric Attendance System
Cladbe's biometric attendance system uses AI-based facial matching with safeguards designed to distinguish between highly similar faces and prevent identity substitution at attendance points. This system is deployed exclusively on hardware provided and controlled by the Builder organisation.
- Data Collected: Facial geometry vectors, embedding templates, and photographs of enrolled employees.
- Controller: The Builder organisation acts as Data Fiduciary. Cladbe is the Data Processor.
- Consent Requirement: Builders must obtain explicit, informed consent from each employee before enrolment. A standardised DPDP-compliant Biometric Consent Waiver is available via Cladbe's secure document storage feature.
- Retention: The Builder, as Data Fiduciary, determines the retention period for biometric data and is responsible for instructing deletion upon an employee's exit or termination.
- Liability: Cladbe bears no liability for labour disputes, wrongful termination claims, or regulatory action arising from the Builder's use of biometric data. The Builder fully indemnifies Cladbe against any regulatory penalties or proceedings arising from the Builder's failure to obtain valid consent.
10.2 Sales Analytics & Algorithmic Lead Matching
Cladbe's sales analytics tools analyse omni-channel interaction data (call recordings, messaging threads, email response rates) to generate lead quality scores and agent performance metrics.
- Lead scores are computed using engagement frequency, site visit history, EOI intent signals, and communication quality;
- Agent performance scores assess call handling quality, follow-up speed, and lead-to-conversion ratios;
- All AI-generated scoring outputs are decision-support tools, not autonomous decisions. No adverse action should be taken solely on the basis of AI scores without human review.
Algorithmic Lead Matching: Cladbe's algorithmic lead-matching and distribution systems are designed to optimise buyer-property fit based on objective criteria including stated preferences, budget parameters, location requirements, and inventory characteristics. These AI/ML-driven systems are proprietary and confidential trade secrets of Cladbe.
Aggregated Model Training: Cladbe may use aggregated, anonymised, and de-identified data across the platform to improve the Services and develop new features. No identifiable builder-level or project-level data is shared across entities.
10.3 Omni-Channel Communication Recording
Cladbe records and retains customer-agent interactions across voice calls, business messaging, email, and in-app messaging as part of its quality control and dispute resolution framework.
- Automated Disclosure: Cladbe's telephony integrations include an optional automated IVR disclosure notification. Securing all notice and consent legally required is the sole responsibility of the Builder or Broker as Data Fiduciary.
- Retention: Recordings are stored on a rolling basis, in line with Cladbe's standard retention defaults.
- Access: Recordings are accessible to the Builder's authorised managers and to Cladbe's QC team on a need-to-know basis.
- Lead Attribution: Recording timestamps serve as verified proof of first engagement for accurate, dispute-free lead attribution — enforced via Cladbe's audit log.
10.4 Employer Surveillance Liability Shield
Builders and Contractors utilising Cladbe's OS for GPS location-stamping of field workers or for biometric attendance are solely responsible for compliance with Indian labour laws, trade union agreements, and the DPDP Act. Cladbe assumes zero liability for claims of unlawful workplace surveillance, biometric privacy violations, or employee data rights breaches.
12. Offline Experience Centres & Pop-Up Locations
Cladbe operates physical Experience Centres and periodic Pop-Up Locations where buyers can explore verified projects via VR walkthroughs, 3D floor plans, drone footage, and interactive map views. The following data collection activities occur at these locations:
- Walk-In Lead Registration: Name, mobile number, email, and property preferences are collected digitally at check-in kiosks or by Experience Centre staff.
- Site Visit Preferences & EOI Intent: Interaction with project displays, shortlisted units, VR session duration, and stated budget range are logged for lead qualification.
- Real-Time Inventory Enquiries & Quotation Generation: Any quotation generated at an Experience Centre is processed through the OS and subject to the same data handling as online quotations.
- CCTV Surveillance: Experience Centres and pop-up locations may be equipped with CCTV cameras for security purposes. CCTV footage is retained for a limited period and is not used for facial recognition or marketing analytics.
- VR Hardware Usage: VR session data (headset interactions, gaze direction) may be used for property discovery analytics. No biometric data is extracted from VR hardware.
This clause expressly covers all offline data collection mechanisms at Experience Centres and pop-up locations — including any current and future Experience Centre or pop-up location, in any geography in which Cladbe operates.
13. Property.new Listing Sources and Aggregation
Projects appear on Property.new through more than one route. Some listings are compiled from publicly maintained Real Estate Regulatory Authority ("RERA") registries operated by State Real Estate Regulatory Authorities in India. Other listings are onboarded directly by Builders/Developers who bring their projects onto Property.new. Cladbe compiles, indexes, and displays this information on Property.new to support buyer discovery and statutory transparency in the real estate market.
13.1 Source of Information
Project information displayed on Property.new is compiled from publicly available information and other lawful sources, including:
- publicly available records and registries relating to real estate projects;
- information voluntarily provided by Builders/Developers who onboard or enrich their own listings on the Services;
- publicly available information published by government and development authorities in respect of statutory housing scheme listings.
13.2 No Personal Data of Builder Personnel Processed Beyond Public Record
Listings aggregated from public RERA registries contain information about real estate projects and registered promoter entities. Such listings do not contain Personal Data of individual Builder personnel beyond what is mandatorily disclosed in the underlying RERA registration.
13.3 Builder Claim, Correction, and Takedown
A Builder/Developer named in a publicly aggregated Property.new listing may at any time:
- Claim a listing through the Property.new claim interface, following Builder identity and RERA registration number verification;
- Submit a correction request in respect of factual inaccuracies, by written notice to grievance@cladbe.com;
- Submit a takedown request supported by evidence that the displayed information is factually inaccurate or no longer in force.
13.4 No Endorsement
The display of a listing on Property.new aggregated from a public RERA registry does not constitute an endorsement, verification, or recommendation by Cladbe of the underlying project, the promoter, or the disclosed information. Buyers are encouraged to independently verify project details with the source RERA Authority and the relevant Builder/Developer before entering into any transaction.
13.5 Government Scheme Listings
Listings relating to government and development authority housing schemes are currently displayed for informational discovery purposes, and buyers interested in such a scheme are routed to the official portal of the relevant authority for application and transaction handling.
14. Derived Data Ownership & Intellectual Property
This Section establishes Cladbe's proprietary rights over the aggregated, anonymised, and AI-generated outputs that Cladbe creates while operating the Services. This Section survives termination of any individual user or Builder relationship.
14.1 Definition of Derived Data
Derived Data means all aggregated, anonymised, de-identified, statistical, analytical, model-generated, and AI/ML-generated outputs, insights, models, benchmarks, recommendations, and intelligence created by Cladbe through processing of User Content or Personal Data on the Services. For clarity, Derived Data includes (without limitation) market intelligence outputs, demand and supply analytics, pricing analytics, scoring models, matchmaking outputs, and any algorithmic outputs produced by Cladbe's proprietary systems. Derived Data, once aggregated, anonymised, and rendered non-identifiable under Applicable Law, does not constitute Personal Data.
14.2 Ownership
Notwithstanding any other provision of this Policy or any agreement with a Builder, CP, or User, Cladbe retains absolute, perpetual, irrevocable, royalty-free ownership of all Derived Data and all intellectual property rights therein.
No Derived Data constitutes "User Content" as defined in the Master Terms of Use. Derived Data is an independent creation of Cladbe's proprietary algorithms and is not a derivative work of any individual user's data inputs. Once transactional or behavioural data is aggregated, anonymised, and rendered non-identifiable under Applicable Law, it ceases to constitute "Personal Data" and becomes the exclusive intellectual property of Cladbe. This IP remains fully owned by Cladbe even if the underlying Builder or CP terminates their engagement with the platform.
15. Cross-Border Data Transfers & Localisation
Cladbe's data infrastructure operates on a combination of dedicated and cloud-based data centre infrastructure, including content delivery, version control, and ancillary technology platforms. These infrastructure partners may operate data centres globally, and as a result, certain data may be stored or processed outside India. Cladbe does not commit to any single infrastructure provider and reserves the right to migrate or add providers in accordance with its evolving technical architecture.
Cladbe ensures that any cross-border transfer of Personal Data complies with the DPDP Act read with the DPDP Rules, and any notifications issued by the Central Government designating countries to which data may be transferred. Cladbe will execute appropriate Standard Contractual Clauses (SCCs) or equivalent safeguards with all Sub-Processors operating outside India.
Conditional Localisation: Cladbe shall comply with any restriction on cross-border transfer notified by the Central Government under Rule 15 of the DPDP Rules in respect of any category of Personal Data so specified, and shall localise the processing of such data within India where required.
NRI buyers using Property.new or the customer post-purchase mobile application to interact with Indian projects may be located in multiple jurisdictions. Their data is processed and stored within Cladbe's Indian infrastructure to the maximum extent possible, with cross-border transfers limited to communication routing through their respective global carriers.
NRI / Global Buyer Liability Shield: Cladbe operates strictly under the Indian DPDP Act. Global Channel Partners and NRI-facing brokers warrant that any foreign data they input into the Cladbe ecosystem complies fully with their local extraterritorial privacy regimes (e.g., GDPR for EU-based buyers, CCPA for US-based buyers). The legal burden of securing foreign privacy law compliance rests entirely on the CP or broker initiating the transaction. Cladbe assumes no liability for cross-border privacy violations arising from a CP's failure to comply with applicable foreign data protection laws.
16. Children's Privacy
The Services are not directed at individuals under the age of 18. Cladbe does not knowingly collect or process Personal Data of minors. If Cladbe becomes aware that Personal Data of a minor has been collected without verifiable parental consent, it will delete such data immediately.
Verifiable Parental Consent: Where, in connection with statutory documentation or other lawful purpose, the processing of a minor's Personal Data is required, verifiable parental consent shall be obtained through one of the prescribed mechanisms under Rule 10 of the DPDP Rules, including by reference to reliable identity and age details available with Cladbe, integration with Digital Locker service providers, or other authorised token-based verification systems as may be notified by the Central Government from time to time.
Prohibited Processing: Cladbe does not engage in tracking, behavioural monitoring, or targeted advertising directed at individuals identified as minors, in compliance with Rule 10 of the DPDP Rules.
For EOI and booking transactions, the purchaser or primary account holder must be a competent adult under Indian law. Where data is processed on behalf of a Builder in connection with statutory documentation requirements, that entity bears primary responsibility for obtaining necessary consents. Property registrations in the name of minors require written legal guardian authorisation and are subject to additional KYC verification.
17. Data Breach, Incident Response & CERT-In Compliance
Cladbe maintains a formal Data Breach and Incident Response Playbook governing the detection, containment, notification, and forensic review of any actual or suspected Personal Data breach or cybersecurity incident.
17.1 Notification to Data Principals
In the event of a confirmed personal data breach, Cladbe shall notify each affected Data Principal without undue delay, in plain language, with details of: (a) the nature and scope of the breach; (b) the categories of Personal Data affected; (c) the likely consequences; (d) the mitigation and remediation measures undertaken by Cladbe; and (e) a designated contact point for assistance. This notification process is carried out in accordance with applicable law.
17.2 Notification to Regulators
Cladbe shall report any qualifying personal data breach to the Data Protection Board of India within the timeline required under applicable law. Where Cladbe acts as a Data Processor, it shall simultaneously notify the affected Data Fiduciary (Builder/Broker) to enable their own downstream notification obligations.
17.3 CERT-In Cyber Security Compliance
Cladbe complies with the Indian Computer Emergency Response Team ("CERT-In") Cyber Security Directions issued under Section 70B(6) of the IT Act on 28 April 2022, including:
- Reporting of qualifying cyber security incidents to CERT-In within the timeline prescribed under the CERT-In Directions;
- Maintenance of system logs within Indian jurisdiction for the period required under the CERT-In Directions;
- Synchronisation of system clocks with the National Informatics Centre or National Physical Laboratory time servers;
- Designation of a point of contact for CERT-In communications and cooperation with CERT-In investigations.
17.4 Audit Trail and Security Baseline
Cladbe's audit log system serves as the primary evidence source for all incident investigations. All breach-related actions, communications, and remediation steps are logged and time-stamped.
Cladbe maintains appropriate security baseline standards including access controls, multi-factor authentication for privileged access, network security, encryption of data at rest and in transit, vendor access management with time-limited credentials, and regular security assessments, in accordance with applicable law. However, no method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security, and you use the Services at your own risk. You are responsible for safeguarding your account credentials and for promptly notifying us of any actual or suspected unauthorised use of your account.
18. Platform Conduct, Intermediary Safe Harbour & Indemnity
18.1 User Obligations
You are responsible for all information, content, and actions associated with your account, including ensuring that any personal data you upload or input into the Services has been collected and shared in compliance with Applicable Law and consents.
18.2 Intermediary Safe Harbour
User Content uploaded by Builders, CPs, or customers (including marketing materials, project documents, customer records, and transactional data) is the sole responsibility of the person or organisation from which it originates. To the extent Cladbe qualifies as an "intermediary" under the IT Act and the IT Rules, Cladbe is entitled to safe harbour protection for third-party information hosted or transmitted through the Services, subject to compliance with prescribed due diligence conditions. Cladbe does not actively monitor or endorse User Content.
18.3 Takedown, Moderation & Compliance
We reserve the right — but not the obligation — to remove, disable, or restrict access to any User Content or account that we reasonably believe violates our terms, Applicable Law, rights of third parties, or poses a security or reputational risk. We may act upon court orders, government or law enforcement requests, or credible complaints in accordance with Applicable Law.
18.4 Indemnity
You agree to indemnify and hold harmless Cladbe, its partners, directors, employees, and service providers from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising out of or relating to:
- Your breach of this Policy or Applicable Law in relation to personal data;
- Any User Content or data you upload, provide, or process via the Services;
- Your misuse of the Services or violation of any third party's rights;
- Your failure to secure requisite consents for eKYC, biometrics, call recordings, GPS tracking, or any other processing of personal data of your employees, customers, or third parties.
To the maximum extent permitted by law, Cladbe will not be liable for any indirect, incidental, consequential, punitive, or special damages, or for loss of profits, data, goodwill, or business opportunities, arising out of or in connection with the processing of personal data or use of the Services.
19. Third-Party Links & Services
The Services may contain links to third-party websites, apps, services, or resources not operated by Cladbe (including finance partners, legal advisors, real estate portals, and external marketing platforms). We are not responsible for the privacy practices, security, content, or policies of such third parties. You are encouraged to review the privacy policies of any third-party services before providing personal data to them.
20. Grievance Officer & Data Protection Contact
In accordance with the DPDP Act and the IT Rules, Cladbe has designated the following contact points for privacy-related grievances:
| Designation | Details |
|---|---|
| Name | Sumit Kashyap |
| Title | Grievance Officer, Cladbe Platforms LLP (LLPIN: ACH-4755) |
| grievance@cladbe.com | |
| Privacy / Data Protection Email | info@cladbe.com |
| Phone | +91-8941999555 |
| Address | Tulsi Nagar, Bareilly, Uttar Pradesh – 243006, India |
| Acknowledgement & Resolution | Acknowledged and resolved within the timelines prescribed under applicable law. |
If you believe your grievance has not been adequately resolved by Cladbe's Grievance Officer, you may lodge a complaint with the Data Protection Board of India through its digital portal once operationalised. Appeals from any order of the Data Protection Board of India shall lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) in accordance with the DPDP Act.
21. Changes to This Policy
Cladbe reserves the right to modify this Policy at any time to reflect changes in Applicable Law, our data practices, or the Services. Material changes will be communicated to registered users via:
- In-app notification on the OS dashboard, customer post-purchase mobile application, and Property.new;
- Email notification to the registered email address;
- A prominent notice on the login page of all Cladbe platforms for 7 days post-update.
Your continued use of the Services after the effective date of any modification constitutes your acknowledgement of the updated Policy. Where required by law, we will seek your consent to material changes that affect how we process your personal data. If you do not agree to the revised Policy, you must discontinue use and may exercise your rights under Section 8 (erasure/withdrawal of consent).
The version history of this Policy is maintained internally and is available on written request to info@cladbe.com.
22. Governing Law, Appeals & Dispute Resolution
This Policy and all privacy-related disputes shall be governed by and construed in accordance with the laws of India, including but not limited to the DPDP Act and the DPDP Rules, the IT Act and the IT Rules, and the CERT-In Cyber Security Directions.
Appeals from any order of the Data Protection Board of India shall lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) in accordance with the DPDP Act.
Any dispute arising out of or in connection with this Policy that cannot be resolved through Cladbe's internal grievance mechanism shall be referred to arbitration under the Arbitration and Conciliation Act, 1996, by a sole arbitrator mutually appointed by the parties, or in the absence of agreement, appointed under the Act. The seat and venue of arbitration shall be New Delhi, India, and proceedings shall be conducted in English. The arbitral award shall be final and binding on the parties. Where the Data Principal is a consumer within the meaning of the Consumer Protection Act, 2019, reference to arbitration shall be on a consent basis only and shall not displace, restrict, or waive that consumer's statutory remedies before a Consumer Disputes Redressal Commission or any other competent forum; nothing in this clause requires a consumer to arbitrate against their will. Subject to Applicable Law and the mandatory jurisdiction of regulatory authorities (including the Data Protection Board of India and TDSAT), and subject to the foregoing, the exclusive jurisdiction for interim relief and enforcement of awards shall vest in the competent courts at New Delhi.
Nothing in this clause limits your right to seek redress before the Data Protection Board of India, TDSAT, or any other competent regulatory authority.