Privacy Policy

Cladbe Platforms LLP (“Cladbe”, “we”, “us”, or “our”) operates a next-generation real estate technology ecosystem comprising three integrated pillars: The Studio (data-driven design and launch strategy), The OS (the real estate operating system SaaS backbone), and The Stage (unified B2B and B2C distribution including the Property.new marketplace and physical Experience Centres).

This Master Privacy Policy (“Policy”) is a single, unified document that governs the collection, use, storage, sharing, and deletion of all Personal Data across the entire Cladbe ecosystem, including:

• The web and mobile platforms at cladbe.com, property.new, and all related subdomains;
• The OS SaaS panels (Builder Dashboard, CP Dashboard, Employee Self-Service, Smart VMS, Revenue Command Centre, etc.);
• The My Home Super App (post-purchase buyer engagement, snagging, payments, community newsfeed);
• The Property.new B2C marketplace (listings, EOIs, digital bookings, Flash Drops);
• Cladbe’s physical Experience Centres and pop-up kiosks;
• All APIs, SDKs, telephony, WhatsApp, Email, and SMS/RCS integrations offered to Builders, Brokers, and their teams;
• All AI/ML modules including the AI Sales Coach, algorithmic matchmaking engine, predictive pricing tools, and facial-recognition attendance system.

By accessing or using any part of the Services, you acknowledge that you have read, understood, and agreed to be bound by this Policy. Where required by applicable law — particularly the Digital Personal Data Protection Act, 2023 (“DPDP Act”) — your consent will be separately obtained through a clear, free, specific, informed, and unambiguous affirmative action. If you do not agree, you must discontinue use immediately.

This Policy applies to all User categories — Builders/Developers, Channel Partners (CPs)/Brokers, Employees/Staff/Vendors/colloborators, End Customers/Buyers, NRI/Global buyers, visitors to our websites and Experience Centres, and any other individuals whose data is processed via the Services — as defined in the Master Terms of Use.

This Policy must be read alongside the Cladbe Terms of Service, Master SaaS Agreements (MSAs) with Builders and Brokers, Project Onboarding Schedules, CP Agreements, the Refund & Cancellation Policy, and any specific consent notices or addenda presented within the product interfaces. In the event of any inconsistency between this Policy and a specific executed agreement with a Builder or enterprise client, such specific agreement shall prevail to the extent of the inconsistency, except where prohibited by applicable law.

Under India’s Digital Personal Data Protection Act, 2023 (DPDP Act), the roles of Data Fiduciary and Data Processor are context-dependent across Cladbe’s product suite. The table below clarifies the operative role in each module:

Where Cladbe acts as a Data Processor for a Builder or CP organisation (the Data Fiduciary), it will process Personal Data only pursuant to, and in accordance with, lawful instructions received from that Data Fiduciary. Cladbe shall not process such data for any purpose inconsistent with those instructions unless required to do so by applicable law.

Liability Firewall: Cladbe’s role separation — acting as Data Processor for builder-controlled employee and CRM data — creates a clear liability boundary. The legal burden of obtaining explicit, free, specific, informed, and unambiguous consent from end-customers, employees, field workers, labourers, and any third parties rests entirely with the Builder or Broker or User (as the Data Fiduciary). This applies strictly and without exception to the ingestion of buyer/tenant leads into the CRM, processing of biometric data for workforce attendance, GPS tracking and geo-fencing of field staff, and recording of customer calls via the Omni-Channel telephony stack. Cladbe assumes zero liability for a Builder’s or Broker’s failure to secure legally valid consent prior to utilising our Services.

The following definitions apply throughout this Policy:

Cladbe collects Personal Data across the following categories, depending on the applicable module and the user’s role within the ecosystem:

4.1 Identity & Contact Data

• Full legal name, preferred name;
• Mobile number, email address, residential/correspondence address;
• Date of birth (for KYC and eligibility verification);
• Government-issued identification: PAN, Aadhaar, passport, voter ID etc;
• Photograph / profile image.

4.2 Professional & Business Data

• RERA registration number (Builder, CP);
• GST Identification Number (GSTIN), PAN (entity-level);
• Company name, designation, employment history, organisational chart position;
• Bank account details (for commission payouts, payroll, and nodal account linkage — IFSC, account number);
• Professional certifications and company-backed seals issued via the OS.

4.3 Financial & Transaction Data

• EOI / token payment references (UPI Transaction ID, payment gateway reference;
• Demand letter history, payment schedule, instalment receipts;
• Interest on Delay (IOD) calculations and penalty records;
• Commission payout records (CP and employee incentives);
• Builder wallet balance and nodal account transaction metadata;
• Cash flow projections linked to construction milestones and sales velocity;
• GST, stamp duty, and registration fee transaction references.

4.4 Behavioural & Interaction Data (AI-Processed)

• Lead scoring data: engagement frequency, site visit history, EOI intent signals;
• Sales pipeline position (Fresh → Site Visit → Negotiation → EOI → Booked);
• AI Sales Coach interaction logs: call quality scores, agent performance metrics;
• Property search queries, filters applied, shortlisted units on Property.new;
• Response time to demand letters and follow-up communications;
• Flash Drop participation history and allocation outcomes.

4.5 Special Category Data

Cladbe collects the following categories of data that require heightened protection and explicit consent:

• Biometric Data (Facial Geometry): Collected via the AI-powered multi-office attendance system (InsightFace SDK with twin-detection) deployed by Builder organisations on their workforce. Cladbe processes this data strictly as a Data Processor acting on the Builder’s instructions.
• GPS / Location Data: Field Worker location stamps (for site staff logged under contractors); Experience Centre walk-in geolocation (for analytics and pop-up planning).
• Call & Communication Recordings: Full audio/text recordings of all Omni-Channel communications (calls, WhatsApp, email threads) for quality control and lead attribution.

4.6 Technical & Device Data

• IP address, browser type, device ID, operating system;
• Login timestamps, session duration, feature usage patterns;
• Cookie identifiers and tracking pixel data (see Section 11);
• API call logs (for builder/CP integrations).

4.7 Offline Experience Centre Data

• Lead details, site visit preferences, EOI intent, and interaction data collected via offline kiosks, tablets, or physical forms at Cladbe Experience Centres and pop-up events;
• This data is captured under the same consent framework as digital Services and is used for lead routing, matching, and campaign personalisation.

Cladbe processes Personal Data for the following purposes. The applicable legal basis under the DPDP Act, 2023 is identified for each purpose.

Where processing is based on Consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Withdrawal of consent may limit your ability to use certain features of the Services.

Where processing is based on Legitimate Use, Cladbe has assessed that its interests (platform security, fraud prevention, market intelligence) are not overridden by the Data Principal’s fundamental rights and are necessary for the provision of the Services.

Cladbe does not sell Personal Data. We share Personal Data only in the following circumstances and with the following categories of recipients:

6.1 Sharing Within the Cladbe Ecosystem

• Builder Organisations: Lead data, EOI details, customer KYC, and booking records are shared with the relevant Builder through the OS as part of the transaction workflow. Builders act as Data Fiduciaries for their own customer data.
• Channel Partners (CPs): Cladbe shares lead attribution data, unit availability (via Stakeholder Prism — controlled view), and commission payout details with verified, registered CPs. CPs receive only the information tier authorised under the Information Prism logic.
• Internal Teams: Cladbe employees access Personal Data on a strict need-to-know, role-based access control (RBAC) basis governed by the hierarchy management system.

6.2 Sharing with Third-Party Service Providers

• Payment Aggregators / Nodal Account Operators: Transaction references, bank account metadata, and payout instructions are shared with RBI-licensed Payment Aggregators for processing EOIs, Flash Pay commissions, and payroll. Full card data is never shared with Cladbe.
• KYC / eKYC Providers: Identity documents are shared with licensed KYC verification services for Smart Doc and eKYC processing.
• Cloud Infrastructure & Data Hosting: Cladbe operates on bare-metal clusters & cloud. Data processing agreements (DPAs) are in place with all infrastructure providers.
• Communication Platform Providers: WhatsApp Business API (Meta), telephony (Plivo / LiveKit), and email service providers receive message content and metadata for routing and delivery.
• AI / ML Vendors: Cladbe’s core AI functions are operated in-house. Where third-party AI APIs are used (e.g., for eKYC or document verification), only the minimum necessary data is transmitted under strict DPAs.
• Legal, Audit & Compliance: Data may be shared with legal counsel, auditors, or RERA authorities under a duty of confidentiality.

6.3 Token Money & Financial Intermediary Disclaimer

At no point does Cladbe hold, pool, or exercise custody or control over buyer token money, EOI deposits, or principal transaction funds at any stage of the transaction lifecycle.All buyer payments (including token money during Flash Drop events, EOI deposits, and instalment payments) are routed directly through RBI-licensed escrow accounts or nodal accounts operated by regulated third-party payment aggregators. Cladbe’s role is strictly limited to triggering payout instructions and commission deduction signals upon milestone verification via the Unified Payout Engine. Cladbe does not qualify as, and shall not be classified as, a payment system operator, prepaid payment instrument issuer, or financial intermediary under RBI regulations.

6.4 Sharing with Regulators & Law Enforcement

Cladbe will disclose Personal Data to government authorities, regulators (RERA, RBI, SEBI, Income Tax, CERT-In), or law enforcement agencies when required to do so by applicable law, court order, or government mandate. Where legally permissible, Cladbe will notify the affected Data Principal prior to such disclosure.

6.5 Stakeholder Prism — Controlled Information Release

The Stakeholder Prism is Cladbe’s proprietary information governance mechanism that generates multiple, controlled versions of project data for different stakeholder tiers. CPs and third-party portals receive only the inventory view explicitly authorised by the Builder. Sensitive pricing ladder data, discount structures, and internal booking records are never visible to CPs unless specifically permitted. Screenshotting, leaking, or sharing Prism dashboard data to competitors or the public constitutes a material breach of the CP Agreement and triggers immediate account termination.

6.6 Flash Drop & EOI Ecosystem Data Flow

When buyers participate in Flash Sales, flash events, or submit EOIs via Property.new or the Cladbe Network, they explicitly consent to their financial intent, KYC data, and EOI details being shared instantly across the integrated ecosystem (between the Marketplace, the specific Builder, and the executing CP) — subject to Prism Logic access controls and role-based visibility layers.

6.7 Third-Party System Integrations

Where a Builder or enterprise client integrates Cladbe OS with third-party systems (including but not limited to legacy ERPs such as SAP, Salesforce, or Zoho; custom APIs; marketing automation platforms; or accounting software) via API, webhook, or any other integration mechanism, Cladbe bears no responsibility for data breaches, data leaks, unauthorised access, or data loss originating from or routed through such external endpoints. The Builder or enterprise client is solely responsible for the security posture, access controls, and compliance status of their connected third-party systems and any data transmitted through those integrations.

6.8 Document Vault — Custodian Disclaimer

While Cladbe provides a “Document Vault” for storing sensitive E-KYC documents, contracts, and property records, Cladbe acts merely as a digital custodian of such documents. Cladbe is entirely indemnified against claims of identity theft, forged documentation, or financial fraud resulting from compromised user passwords, falsified uploads, or Builder/CP non-compliance with KYC obligations.

Cladbe retains Personal Data only for as long as necessary to fulfil the purpose for which it was collected, or as mandated by applicable law, whichever is longer. Transaction records, booking data, demand letters, KYC documents, and financial audit trails are retained for the minimum periods required under RERA 2016, the Companies Act 2013, and applicable tax laws (typically 5–10 years). Operational data such as call recordings, GPS logs, and device tracking data are retained for limited durations consistent with their operational purpose. Upon expiry of the applicable retention period, Personal Data is securely deleted or anonymised in accordance with our internal data deletion SOP. Immutable records maintained in The Time Machine (forensic audit trail) cannot be deleted but are anonymised at the point their legal retention obligation expires. Users may submit a deletion request to support@cladbe.com; however, Cladbe reserves the right to retain data to the extent required by law, and such retention shall not constitute a breach of this Policy.

As a Data Principal, you have the following rights under the Digital Personal Data Protection Act, 2023. To exercise any right, submit a written request to: support@cladbe.com. Cladbe will respond within 72 hours of receipt and endeavour to resolve all requests within 30 days.

Where you are an employee, CP, or customer of a Builder or Broker using our Services, certain requests may need to be routed via that organisation (as independent Data Fiduciary). We may request reasonable identity verification before acting on your request. We may charge a reasonable fee or decline requests that are excessive, frivolous, or manifestly unfounded as permitted by law.

Upon termination or non-renewal of a Builder’s or Channel Partner’s engagement with Cladbe, the following data portability provisions shall apply:

• Raw Data Export: Cladbe shall provide the Builder or CP with a machine-readable export (CSV/JSON format) of their raw transactional data — including customer records, booking data, demand letter history, receipt records, and lead data — within 30 business days of a written request submitted after the effective date of termination, subject to payment of the applicable Data Export & Portability Fee as per the Fee Schedule in force at the time of request. Export requests will not be processed until the fee is confirmed as received. Cladbe reserves the right to revise the export fee with prior notice, and no export obligation arises where the Builder or CP has outstanding dues payable to Cladbe. Where Cladbe acts as a Data Processor for Builder or CP-owned CRM data, all Data Principal requests for access, portability, correction, or erasure must be directed to and primarily handled by the Data Fiduciary (the Builder or Broker), who retains primary statutory responsibility under the DPDP Act, 2023. Where a Builder’s account is suspended for non-payment or is under active dispute, Cladbe will not directly service end-user DPDP requests for such Builder-owned CRM data, and shall instead notify the requesting Data Principal to contact the Builder directly as the responsible Data Fiduciary. Cladbe shall cooperate with any Data Protection Board of India investigation but shall not be obligated to perform data export workflows at its own cost on behalf of a Builder in material breach of its commercial obligations to Cladbe.
• Exclusions from Export: This right to data portability does not extend to Cladbe’s proprietary Derived Data, AI models, aggregated market intelligence, lead scoring algorithms, matchmaking outputs, system-generated metadata, audit trail logs, or any other intellectual property of Cladbe as defined in Section 13 of this Policy.
• Post-Export Deletion: Following successful data export and written confirmation of receipt by the Builder/CP, Cladbe shall delete the Builder’s/CP’s raw data from active systems within 120 days, subject to mandatory legal retention obligations under RERA, tax law, and the Companies Act (as detailed in Section 7).

10.1 Facial Recognition Attendance System

Cladbe’s multi-office attendance system uses the InsightFace SDK with built-in twin-detection to distinguish between highly similar faces, preventing buddy-punching. This system is deployed exclusively on hardware provided and controlled by the Builder organisation.

• Data Collected: Facial geometry vectors and photographs of enrolled employees.
• Controller: The Builder organisation acts as Data Fiduciary. Cladbe is the Data Processor.
• Consent Requirement: Builders must obtain explicit, informed consent from each employee before enrolment. A standardised DPDP-compliant Biometric Consent Waiver is available via the OS Document Vault.
• Retention: Facial geometry data is retained for the duration of employment and automatically purged within 30 days of the employee’s exit or termination — triggered by the ESS module. Biometric templates and facial embedding vectors shall be permanently and irreversibly deleted within this 30-day window.
• Liability: Cladbe bears no liability for labour disputes, wrongful termination claims, or regulatory action arising from the Builder’s use of biometric data. The Builder, acting as Data Fiduciary, fully and irrevocably indemnifies Cladbe against any regulatory penalties, fines, or proceedings initiated by the Data Protection Board of India under the DPDP Act, 2023 arising from: (a) the Builder’s failure to obtain valid, DPDP-compliant consent from employees, contractors, or customers for biometric processing, GPS tracking, or omni-channel communication recording; (b) the Builder’s failure to honour Data Principal rights requests as Data Fiduciary; or (c) any data breach attributable to the Builder’s own infrastructure, credentials, or personnel. Cladbe’s contractual liability cap does not limit, and shall not be construed to limit, any statutory regulatory penalty that a competent authority may impose on the applicable Data Fiduciary.

10.2 AI Sales Coach & Algorithmic Matchmaking

The AI Sales Coach analyses omni-channel interaction data (call recordings, WhatsApp threads, email response rates) to generate lead quality scores and agent performance metrics.

• Lead scores are computed using engagement frequency, site visit history, EOI intent signals, and communication quality;
• Agent performance scores assess call handling quality, follow-up speed, and lead-to-conversion ratios;
• All AI-generated scoring outputs are decision-support tools, not autonomous decisions. No adverse action (e.g., termination, commission reduction) should be taken solely on the basis of AI scores without human review.

Algorithmic Matchmaking & Predictive Pricing: Cladbe’s algorithmic matchmaking and lead distribution systems are designed to optimise buyer-property fit based on objective criteria including stated preferences, budget parameters, location requirements, and inventory characteristics. These AI/ML-driven systems are proprietary and confidential trade secrets of Cladbe. Cladbe disclaims liability for commercial outcomes resulting from algorithmic recommendations, and does not guarantee specific lead volumes, conversion rates, or revenue outcomes to any participant on the platform.

Cross-Ecosystem AI Training Disclosure: AI/ML models trained on ecosystem-wide anonymised data may generate insights, recommendations, or analytical outputs that benefit multiple participants on the platform. Individual builder-level or project-level data is never shared in identifiable form across entities. All AI training is conducted on aggregated, de-identified datasets as described in Section 13 (Derived Data Ownership).

10.3 Omni-Channel Communication Recording

Cladbe records and retains all customer-agent interactions across calls (Plivo/LiveKit), WhatsApp Business API, and in-app messaging as part of its 100% Quality Control framework.

• Automated Disclosure: Cladbe’s telephony integrations include automated IVR disclosure notifications (“This call may be recorded and analysed for quality and training purposes”) played to all call participants prior to connection via the Plivo/LiveKit stack. Builders and Brokers acknowledge that such automated disclosures supplement, but do not replace, their independent obligation to secure any additional consent required under applicable law.
• Retention:Recordings are stored for a minimum of 3 months on a rolling basis, or for such longer period as may be determined by the onboarded company's internal data retention policy in force from time to time.
• Access: Recordings are accessible to the Builder’s authorised managers and to Cladbe’s QC team on a need-to-know basis.
• Lead Attribution: Recording timestamps serve as verified proof of first engagement for accurate, dispute-free lead attribution — enforced via The Time Machine audit log.

10.4 Employer Surveillance Liability Shield

Builders and Contractors utilising Cladbe’s OS for GPS location-stamping of field workers or facial recognition via InsightFace are solely responsible for compliance with Indian labour laws, trade union agreements, and the DPDP Act. Cladbe assumes zero liability for claims of unlawful workplace surveillance, biometric privacy violations, or employee data rights breaches.

Cladbe uses cookies and similar tracking technologies on cladbe.com, property.new, and the My Home Super App to enable core functionality, analyse usage, and power AI-driven marketing campaigns.

Consent for non-essential cookies is obtained via a clearly visible cookie consent banner displayed upon first visit to cladbe.com and property.new, enabling granular opt-in/opt-out by category. Consent records are maintained for audit purposes and are accessible upon request.

You may manage your cookie preferences through the Cookie Preference Centre accessible at the footer of cladbe.com and property.new. Disabling non-essential cookies will not affect your ability to use the core platform features but may limit AI-powered personalisation and targeted marketing functionality.

Cladbe operates physical Experience Centres and periodic Pop-Up Kiosks where buyers can explore verified projects via VR walkthroughs, 3D floor plans, drone footage, and interactive map views. The following data collection activities occur at these locations:

• Walk-In Lead Registration: Name, mobile number, email, and property preferences are collected digitally at check-in kiosks or by Experience Centre staff.
• Site Visit Preferences & EOI Intent: Interaction with project displays, shortlisted units, VR session duration, and stated budget range are logged for lead qualification.
• Real-Time Inventory Enquiries & Quotation Generation: Any quotation generated at an Experience Centre is processed through the OS and subject to the same data handling as online quotations.
• CCTV Surveillance: Experience Centres and pop-up locations may be equipped with CCTV cameras for security purposes. CCTV footage is retained for 30 days and is not used for facial recognition or marketing analytics.
• VR Hardware Usage: VR session data (headset interactions, gaze direction) may be used for property discovery analytics. No biometric data is extracted from VR hardware.

This clause explicitly and legally covers all offline data collection mechanisms at Experience Centres and pop-up kiosks — including Delhi-NCR pop-up rollouts and any future Experience Centre expansions. By naming these offline collection points in this Policy, Cladbe establishes full DPDP compliance coverage for physical touchpoints without requiring separate policy amendments for each new location.

This clause establishes Cladbe’s proprietary rights over Derived Data — the aggregated, anonymised, and AI-generated intelligence that forms a core asset of The Studio. This clause survives termination of any individual user or builder relationship.

13.1 Definition of Derived Data

Derived Data means all insights, models, outputs, and intelligence generated by Cladbe’s AI/ML systems from the processing of User Content and Personal Data, including but not limited to:

• Hyper-local demand curves and market absorption models (by micromarket, project type, unit size);
• Predictive pricing ladders and optimal launch price ranges by geography and buyer segment;
• AI-generated unit mix recommendations by project type and location;
• Lead quality scoring models and agent performance benchmarks;
• Algorithmic matchmaking outputs (buyer preferences correlated with inventory attributes);
• Flash Drop demand forecasts and optimal timing models;
• Market velocity benchmarks (days-to-sell by unit type, location, and price band);
• Amenity preference maps by buyer cohort and micromarket.

13.2 Ownership

Notwithstanding any other provision of this Policy or any agreement with a Builder, CP, or User, Cladbe retains absolute, perpetual, irrevocable, royalty-free ownership of all Derived Data and all intellectual property rights therein.

No Derived Data constitutes “User Content” as defined in the Master Terms of Use. Derived Data is an independent creation of Cladbe’s proprietary algorithms and is not a derivative work of any individual user’s data inputs. Once transactional or behavioural data is aggregated, anonymised, and rendered non-identifiable under applicable law, it ceases to constitute “Personal Data” and becomes the exclusive intellectual property of Cladbe. This IP remains fully owned by Cladbe even if the underlying Builder or CP terminates their engagement with the platform.

Cladbe's data infrastructure operates on a combination of dedicated bare-metal servers and third-party cloud service providers, including content delivery, version control, and ancillary technology platforms. These infrastructure partners may operate data centres globally, and as a result, certain data may be stored or processed outside India. Cladbe does not commit to any single infrastructure provider and reserves the right to migrate or add providers in accordance with its evolving technical architecture.

Cladbe ensures that any cross-border transfer of Personal Data complies with the DPDP Act, 2023 and any notifications issued by the Central Government designating countries to which data may be transferred. Cladbe will execute appropriate Standard Contractual Clauses (SCCs) or equivalent safeguards with all data processors operating outside India.

NRI buyers using Property.new or the My Home Super App to interact with Indian projects may be located in multiple jurisdictions. Their data is processed and stored within Cladbe's Indian infrastructure to the maximum extent possible, with cross-border transfers limited to communication routing (WhatsApp, email) through their respective global carriers.

NRI / Global Buyer Liability Shield:Cladbe operates strictly under the Indian DPDP Act. Global Channel Partners and NRI-facing brokers warrant that any foreign data they input into the Cladbe ecosystem complies fully with their local extraterritorial privacy regimes (e.g., GDPR for EU-based buyers, CCPA for US-based buyers). The legal burden of securing foreign privacy law compliance rests entirely on the CP or broker initiating the transaction. Cladbe assumes no liability for cross-border privacy violations arising from a CP's failure to comply with applicable foreign data protection laws.

The Services are not directed at individuals under the age of 18. Cladbe does not knowingly collect or process Personal Data of minors. If Cladbe becomes aware that Personal Data of a minor has been collected without verifiable parental consent, it will delete such data immediately.

For EOI and booking transactions, the purchaser or primary account holder must be a competent adult under Indian law. Where data is processed on behalf of a Builder in connection with statutory documentation requirements (e.g., family member details for sale agreements), that entity bears primary responsibility for obtaining necessary consents. Property registrations in the name of minors require written legal guardian authorisation and are subject to additional KYC verification.

Cladbe maintains a formal Data Breach and Incident Response Playbook governing the detection, containment, notification, and forensic review of any actual or suspected Personal Data breach. In the event of a confirmed breach, Cladbe shall take prompt and reasonable steps to contain the incident and assess its scope. Notification to affected users, regulators, and relevant authorities will be issued within commercially reasonable timelines, prioritised based on the severity and scale of the breach, and in any case within the timelines mandated by applicable law including the DPDP Act, 2023 and CERT-In directives.

CERT-In Mandatory Reporting: For qualifying cybersecurity incidents as defined under CERT-In directives (including the Cyber Security Directions dated 28 April 2022), Cladbe shall report the incident to the Indian Computer Emergency Response Team (CERT-In) within the prescribed statutory timeline from the point of detection. Where Cladbe acts as a Data Processor, it shall simultaneously notify the affected Data Fiduciary (Builder/Broker) to enable their own downstream notification obligations.

The Time Machine (Cladbe's immutable forensic audit log) serves as the primary evidence source for all incident investigations. All breach-related actions, communications, and remediation steps are logged and time-stamped.

Cladbe maintains appropriate security baseline standards including access controls, authentication mechanisms, network security, encrypted data-at-rest and in-transit, vendor access management with time-limited credentials, and regular security assessments. However, no method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security, and you use the Services at your own risk. You are responsible for safeguarding your account credentials and for promptly notifying us of any actual or suspected unauthorised use of your account.

17.1 User Obligations

You are responsible for all information, content, and actions associated with your account, including ensuring that any personal data you upload or input into the Services has been collected and shared in compliance with applicable law and consents.

17.2 Intermediary Safe Harbour

User Content uploaded by Builders, CPs, or customers (including marketing materials, project documents, customer records, and transactional data) is the sole responsibility of the person or organisation from which it originates. To the extent Cladbe qualifies as an “intermediary” under the Information Technology Act, 2000 and the Intermediary Guidelines and Digital Media Ethics Code Rules, 2021, Cladbe is entitled to safe harbour protection for third-party information hosted or transmitted through the Services, subject to compliance with prescribed due diligence conditions. Cladbe does not actively monitor or endorse User Content.

17.3 Takedown, Moderation & Compliance

We reserve the right — but not the obligation — to remove, disable, or restrict access to any User Content or account that we reasonably believe violates our terms, applicable law, rights of third parties, or poses a security or reputational risk. We may act upon court orders, government or law enforcement requests, or credible complaints in accordance with applicable law.

17.4 Indemnity

You agree to indemnify and hold harmless Cladbe, its partners, directors, employees, and service providers from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable legal fees) arising out of or relating to:

• Your breach of this Policy or applicable law in relation to personal data;
• Any User Content or data you upload, provide, or process via the Services;
• Your misuse of the Services or violation of any third party’s rights;
• Your failure to secure requisite consents for E-KYC, biometrics, call recordings, GPS tracking, or any other processing of personal data of your employees, customers, or third parties.

To the maximum extent permitted by law, Cladbe will not be liable for any indirect, incidental, consequential, punitive, or special damages, or for loss of profits, data, goodwill, or business opportunities, arising out of or in connection with the processing of personal data or use of the Services.

The Services may contain links to third-party websites, apps, services, or resources not operated by Cladbe (including finance partners, legal advisors, real estate portals, and external marketing platforms). We are not responsible for the privacy practices, security, content, or policies of such third parties. You are encouraged to review the privacy policies of any third-party services before providing personal data to them.

In accordance with the DPDP Act, 2023 and the IT Act, 2000 (IT Rules, 2021), Cladbe has designated the following contact points for privacy-related grievances:

If you believe your grievance has not been adequately resolved by Cladbe’s Grievance Officer, you may, once the Data Protection Board of India is constituted under the DPDP Act, lodge a complaint with the Board. Details of the Board’s complaint mechanism will be updated in this Policy upon notification by the Central Government.

Cladbe reserves the right to modify this Policy at any time to reflect changes in applicable law, our data practices, or the Services. Material changes will be communicated to registered users via:

• In-app notification on the OS dashboard, My Home Super App, and Property.new;
• Email notification to the registered email address;
• A prominent notice on the login page of all Cladbe platforms for 7 days post-update.

Your continued use of the Services after the effective date of any modification constitutes your acknowledgement of the updated Policy. Where required by law, we will seek your consent to material changes that affect how we process your personal data. If you do not agree to the revised Policy, you must discontinue use and may exercise your rights under Section 8 (erasure/withdrawal of consent).

The version history of this Policy is maintained in Cladbe’s internal Document Vault and is available on written request.

This Policy and all privacy-related disputes shall be governed by and construed in accordance with the laws of India, including but not limited to the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

This Policy shall be governed by and construed in accordance with the laws of India. Any dispute arising out of or in connection with this Policy that cannot be resolved through Cladbe’s internal grievance mechanism shall first be referred to binding arbitration under the Arbitration and Conciliation Act, 1996. The arbitration shall be conducted by a sole arbitrator mutually appointed by the parties, or in the absence of agreement, appointed under the Act. The seat and venue of arbitration shall be New Delhi, India, and proceedings shall be conducted in English. The arbitral award shall be final and binding on the parties. Subject to applicable law and the mandatory jurisdiction of regulatory authorities (including the Data Protection Board of India once constituted), and subject to the foregoing arbitration obligation, the exclusive jurisdiction for interim relief and enforcement of awards shall vest in the competent courts at New Delhi.

Nothing in this clause limits your right to seek redress before the Data Protection Board of India or any other competent regulatory authority.