Section 01
Overview and scope
This Policy applies to personal data we collect when you visit officeondemand.in, submit an inquiry on a Listing, list a workspace as an Owner, join our Owner Waitlist, or otherwise interact with the OfficeOnDemand platform (the “Platform”).
It does not apply to third-party websites, services, or platforms you access through links from the Platform, including those operated by Owners after a Lead is shared.
Read this Policy together with our Terms & Conditions.
Section 02
Who we are (Data Fiduciary)
For the purposes of the DPDP Act, the Data Fiduciary responsible for your personal data is:
Data Fiduciary
OfficeOnDemand
Sole Proprietorship of Mrs. Aneesa Sachdeva
Office Suite No. A-415, 4th Floor, Tower-A,
Bestech Business Towers, Sector 66,
Mohali – 160062, Punjab, India
Section 03
Personal data we collect
The categories of personal data we may collect about you include:
Information you give us directly
- Contact details: full name, mobile phone number, email address.
- Inquiry content: the workspace you inquired about, your requirements (seat count, budget, move-in timeline, urgency), and any free-text message you send.
- Owner profile data: business name, building name, city, number of units/floors/desks, and any additional notes provided when joining the Owner Waitlist.
- Future KYC documents: when you onboard as an Owner, we may collect identification documents including PAN, GST registration certificates, proof of ownership or authorisation, and bank account details for payouts.
- User-generated content: photographs of workspaces, written Listing descriptions, and any other Content you submit.
- Account credentials: if you create an account, your password (stored only as a salted bcrypt hash — we never see the original).
Information we collect automatically
- Technical data: IP address, browser user-agent string, device type, operating system, language, time zone, and the pages you view on the Platform.
- Session data: the cookie used by NextAuth to keep you signed in, and short-lived tokens used for security purposes.
- Referrer and source: the page or URL from which you arrived (including UTM parameters where present), to help us understand how Seekers find us.
What we do NOT collect
- Government identifiers like Aadhaar are not collected at this time and will be introduced only with separate, granular consent at the time we expand KYC.
- Payment card details are not collected — Commission invoices are settled outside the Platform via bank transfer or invoice payment.
- Health data, biometric data, sexual orientation, or political opinions are not collected — they are not relevant to a workspace marketplace.
Section 04
How we collect it
- From you: when you fill in a form, send a message, upload a photo, sign up, or contact us directly.
- From your device: automatic technical data collected when you visit the Platform.
- From third parties (limited): if you sign in using a third-party login provider in the future, that provider may share basic profile information with us in accordance with the permissions you grant.
Section 05
Why we process it
We use your personal data for the following purposes:
- To provide the Service: route inquiries to Owners, display Listings, operate the marketplace, and complete your transactions.
- To communicate with you: send confirmations, transactional emails or WhatsApp messages, respond to your queries, and (where you have not opted out) share Service updates.
- To maintain quality and trust: verify Owners through KYC, review Listings and photographs, detect spam and fraud, and enforce our Terms.
- To improve the Platform: understand how the Platform is used in aggregate, identify bugs, and prioritise improvements. Aggregated, anonymised data may also be used to publish market reports (for example, our Tricity Snapshot).
- To comply with law: respond to lawful requests from courts and authorities, meet our tax and accounting obligations, and exercise or defend legal claims.
- To enforce our rights: including the anti-circumvention provisions of our Terms and recovery of Commission.
Section 06
Lawful basis under the DPDP Act
Under the DPDP Act, we may process your personal data on one of the following bases:
- Consent — when you submit a form, list a workspace, or otherwise voluntarily provide data to us for the purposes communicated at the point of collection.
- Certain legitimate uses permitted under Section 7 of the DPDP Act, including (a) where data is provided voluntarily for a specified purpose and consent has not been withdrawn, (b) for the performance of any function under law, (c) for medical or safety emergencies, and (d) for legal compliance.
We will tell you the specific basis we rely on if you ask. For most processing relating to listings, inquiries, and the Owner Waitlist, we rely on your consent, which is given by your voluntary submission of data through our forms.
Section 07
Your consent and how to withdraw it
Where we rely on consent, your consent must be free, specific, informed, unconditional, and unambiguous. By submitting a form on the Platform, you confirm that you are giving such consent for the purposes described at that point of collection and in this Policy.
You have the right to withdraw your consent at any time, with the same ease that you gave it. To withdraw consent, contact us using the methods in Section 14 (How to exercise your rights).
Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, and we may continue to retain certain data where another lawful basis applies (for example, to comply with tax or other legal obligations, or to enforce our Terms).
Section 09
International transfers
Some of our service providers process data outside India. Specifically:
- Resend / AWS SES sends email through Tokyo, Japan.
- Cloudflare and Vercel operate global edge networks; while we configure primary regions in or near India, edge traffic may be routed through other countries for delivery efficiency.
These transfers are necessary for the Platform to function. We rely on contractual safeguards with each provider and on the cross-border transfer framework permitted under Section 16 of the DPDP Act. Where the Central Government of India notifies a list of restricted jurisdictions, we will revise our provider configuration as required.
Section 11
How long we keep your data
We keep your data for as long as we need it for the purposes set out above:
- Leads and inquiries: retained while the inquiry is active and for up to twenty-four (24) months after the last interaction, to enable Owners to follow up and to support fraud detection.
- Owner Waitlist entries: retained until the Owner is onboarded or for twelve (12) months after submission, whichever is earlier — unless we receive a request for deletion.
- Account and Listing data: retained for as long as the account is active and for a reasonable period thereafter for business continuity and dispute resolution.
- Financial and tax records: retained for at least eight (8) years from the end of the financial year to which they relate, in compliance with tax law.
- Technical logs: rotated automatically every 30–90 days unless flagged for security investigation.
On expiry or on a valid erasure request, we delete or irreversibly anonymise the data, subject to lawful exceptions (such as legal-hold or tax-record obligations).
Section 12
Security measures
We use a combination of organisational and technical measures to protect personal data, including:
- TLS encryption in transit for every connection to the Platform;
- Passwords stored only as salted bcrypt hashes — never in plaintext;
- Access to production data limited to a small set of authorised personnel and infrastructure-provider service accounts;
- Object-storage permissions configured so only authenticated, authorised uploads can write to the photo bucket;
- Automated rate-limiting and validation at API boundaries to prevent abuse;
- Routine review of provider security posture and configuration.
No system can guarantee absolute security. If you suspect unauthorised access to your account or data, contact us immediately using the channels in Section 19.
Section 13
Your rights as a Data Principal
Under the DPDP Act, you have the following rights:
- Right to information. To know what personal data we hold about you, the purposes of processing, and the identities of Data Processors and Data Fiduciaries with whom we share it.
- Right to correction and erasure. To request correction, completion, updating, or erasure of your personal data — subject to lawful exceptions.
- Right to grievance redressal. To complain to our Grievance Officer (see Section 15) if you believe we have not handled your data lawfully.
- Right to nominate. To nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
- Right to withdraw consent. To withdraw any consent you have given, going forward, with the same ease as it was given.
You also have the right, after exhausting our grievance process, to escalate to the Data Protection Board of India in accordance with the procedure prescribed under the DPDP Act.
Section 14
How to exercise your rights
To exercise any of the rights in Section 13, contact our Grievance Officer (see Section 15) with:
- Your name and the email/phone associated with your data;
- A clear description of the right you wish to exercise and the data involved;
- Any information needed to verify your identity — we may ask additional questions or request documentation to prevent unauthorised access.
We will respond to verified requests within thirty (30) days. If we need more time due to complexity or volume, we will let you know and explain why. Most requests are free; we may charge a reasonable fee for requests that are manifestly unfounded or excessive, as permitted by law.
Section 15
Grievance redressal
In accordance with the DPDP Act and the Information Technology Rules, we have appointed a Grievance Officer to receive and address concerns about our handling of personal data.
Grievance Officer
[GRIEVANCE OFFICER NAME — to be set before public launch]
Mailing address: as set out in Section 02 above.
If your grievance is not resolved to your satisfaction within thirty (30) days, you may escalate to the Data Protection Board of India in accordance with the DPDP Act.
Section 16
Children and persons with guardians
The Platform is a commercial workspace marketplace intended for use by adults (18 years and older) acting in a business capacity. We do not knowingly collect personal data from children.
If we become aware that we have inadvertently collected data from a child or from a person who has a lawful guardian under the DPDP Act, we will delete the data without undue delay, unless retention is required by law.
If you are the parent or guardian of someone whose data you believe we have collected, please contact our Grievance Officer.
Section 17
Data breach notification
If a personal data breach occurs and is likely to result in significant risk to affected Data Principals, we will notify the Data Protection Board of India and affected individuals in accordance with the DPDP Act and any rules made under it, without undue delay.
Notification will include, where reasonably available, the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or will take in response.
Section 18
Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, services, or applicable law. The current version is always available at this URL.
When changes are material, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or in-product notice. Continued use of the Platform after the update takes effect signifies your acceptance of the revised Policy.
Section 19
Contact
For questions about this Policy or our handling of your personal data, you can reach us at:
Data Fiduciary
OfficeOnDemand
Sole Proprietorship of Mrs. Aneesa Sachdeva
Office Suite No. A-415, 4th Floor, Tower-A,
Bestech Business Towers, Sector 66,
Mohali – 160062, Punjab, India