Privacy policy

This Privacy Policy (“Policy”) was updated on 29TH April 2026  (“Effective Date”)

BIG FM REALTY PRIVATE LIMITED (“BIG FM REALTY” or “Company”) is committed to respecting the privacy and safeguarding the personal data of its customers, property buyers, sellers, investors, tenants, landlords, brokers, vendors, employees, and all other stakeholders. As a responsible real estate company engaged in property consultancy, brokerage, transactions, leasing, investment advisory, and related services, BIG FM REALTY recognises the critical importance of transparency, consent, and data protection in building lasting trust This Policy governs the collection, use, storage, processing, and disclosure of personal data of all individuals interacting with the Platform, including but not limited to customers, users, collaborators. Etc. The Policy reflects the Company’s commitment to upholding the rights of individuals and its obligation to adopt responsible, transparent, and secure data practices. 

This Policy is formulated in accordance with the provisions of the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and such other rules, regulations, and guidelines as may be applicable. It is also guided by internationally recognised privacy principles, including purpose limitation, data minimisation, and data security.. 

The Policy reflects the Company’s enduring commitment to ensure that all personal data is processed fairly, lawfully, and in a manner that respects the privacy rights of individuals and upholds the principles of integrity, confidentiality, and accountability. 

WHEREAS

A) BIG FM REALTY PRIVATE LIMITED (“BIG FM REALTY” or “Company”) operates in the field of real estate consultancy, property buying and selling, leasing, rentals, investments, project marketing, and related property advisory services and is committed to protecting the personal data and privacy rights of its users and stakeholders in accordance with the highest standards of transparency, accountability, and ethical data governance.

B) The Company is committed to ensuring that its data governance practices remain fully compliant with the applicable laws in force within India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all relevant rules, directions, advisories, or notifications issued by the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Electronics and Information Technology (MeitY).

C.      The Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the IT Rules, 2011 require data fiduciaries such as the Company to establish clear privacy practices, ensure security safeguards, and provide mechanisms for informed consent and grievance redressal.

D.     The Company acknowledges that personal data, including sensitive personal data such as financial information, KYC documents, ownership records, title documents, and transaction records, must be processed lawfully, with consent or legitimate basis, and handled in a manner that prevents misuse, loss, or unauthorized access.

E.       BIG FM REALTY aims to foster client trust and legal compliance by establishing this comprehensive Privacy Policy, which ensures that all individuals interacting with the Company—whether as buyers, sellers, investors, landlords, tenants, brokers, consultants, vendors, or personnel—are informed of their rights, the Company’s obligations, and the mechanisms available for grievance redressal and data protection;

NOW THEREFOREBIG FM REALTY PRIVATE LIMITED hereby adopts this Privacy Policy to provide a clear, lawful, and user-centric framework for the collection, processing, storage, use, disclosure, and protection of personal data, thereby reinforcing its commitment to data privacy and regulatory compliance. By accessing, browsing, using the Platform, via website or its application, submitting any personal data voluntarily, or otherwise engaging with the services of the Company, each user is deemed to have read, understood, and agreed to be bound by this Privacy Policy, and to adhere to the rights and obligations set out herein.  

1.    DEFINITIONS AND INTERPRETATION

1.1.    Definitions: In this Policy (including the recitals above hereto), except where the context otherwise requires, the following words and expressions shall bear the meaning assigned to them below:

a)       “Act” shall mean the Digital Personal Data Protection Act, 2023, including all applicable rules, notifications, and amendments relating to the collection, processing, storage, transfer, and protection of personal data in India, and shall include the Information Technology Act, 2000IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 and CERT-In Directions, to the extent applicable.

b)      “Data Principal” shall mean the individual to whom the personal data relates, and includes any user, customer, website visitor, or individual whose personal data is processed by the Company.

c)       “Data Fiduciary” shall mean BIG FM REALTY PRIVATE LIMITED, which determines the purpose and means of processing personal data in its capacity as a data fiduciary under the Act.

d)      “Data Processor” means any natural or legal person, public or private entity, agency, or other body, whether incorporated or unincorporated, who processes personal data on behalf of the Data Fiduciary pursuant to a contract or other lawful instruction. A Data Processor shall not process such data for any purpose other than as expressly instructed by the Data Fiduciary, and shall be subject to obligations of confidentiality, data security, and regulatory compliance as prescribed under applicable law. 

e)       “Personal Data” shall mean any data about an individual who is identifiable by or in relation to such data, whether directly or indirectly, through reference to identifiers such as name, contact details, location data, online identifiers, or any other characteristic or attribute of identity.

f)        “Sensitive Personal Data” shall mean personal data that relates to passwords, financial information such as bank account or credit card details, biometric data, and any other category of data notified as sensitive under applicable law.

g)      “Processing” shall mean any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

h)      “Consent” shall mean any freely given, specific, informed, and unambiguous indication of the Data Principal’s agreement to the processing of their personal data for the intended purpose, either through a clear affirmative action or through any other prescribed manner under applicable law.

i)         “Grievance Officer” shall mean the designated individual appointed by the Company to address privacy-related grievances and ensure redressal in accordance with the timelines and procedures under the Act.

j)         “Third Parties” shall mean any external persons or entities, including service providers, contractors, consultants, registration partners, and technology vendors, with whom personal data may be shared for business purposes, subject to appropriate safeguards.

k)       “Data Breach” shall mean any unauthorised or accidental disclosure, alteration, loss, access, or destruction of personal data that compromises its confidentiality, integrity, or availability.

l)         “Website” shall mean the online platform of the Company, accessible at www.bigFMrealty.com, including all subdomains operated by or on behalf of the Company.

m)    “User” shall mean any individual who accesses or uses the Company’s website, interacts with its services, purchases products, or otherwise provides personal data to the Company.

n)      “BIG FM REALTY Team” or “Personnel” shall mean all full-time, part-time, probationary, temporary, or contractual employees, interns, consultants, and authorised representatives of the Company, regardless of location or designation.

o)      “Nominee” shall mean a person appointed by a Data Principal under the Act to act on their behalf in the event of their death or incapacity.

p)      “Notice” shall mean a clear and accessible statement provided by the Company to the Data Principal, before collecting personal data, informing them of the purpose, method, legal basis, and rights in relation to such processing.

1.2.    Interpretation

a)       In addition to the terms defined above, certain terms may be defined elsewhere in this Policy, and wherever such terms are used, they shall have the meaning assigned to them.

b)      Section headings are for convenience only and shall not affect the construction or interpretation of any provision of this Policy.

c)       References to sections or annexures are, unless the context otherwise requires, references to sections or annexures of this Policy.

d)      Where a word or phrase is defined, other parts of speech and grammatical forms and the cognate variations of that word or phrase will have corresponding meanings

e)       Words denoting singular shall include the plural and vice versa, and words denoting any gender shall include all genders unless the context otherwise requires.

f)        The terms “hereof”, “herein”, “hereto” and derivative or similar words refer to this entire Policy or specified Sections of this Policy, as the case may be.

g)      All references to this Policy shall include any amendments or updates to this Policy, as approved by the Compliance Officer or the designated authority from time to time.

2.    PURPOSE

The purpose of this Privacy Policy is to establish a clear, lawful, and comprehensive framework for the collection, processing, usage, storage, disclosure, and protection of personal data submitted to, or collected by, the BIG FM REALTY platform. The Policy reflects the Company’s commitment to ensuring the privacy and dignity of individuals whose data is processed in connection with the use of the Platform.

b) This Privacy Policy (“Policy”) applies to all Personal Data collected, received, processed, stored, disclosed, transferred, or otherwise handled by BIG FM REALTY PRIVATE LIMITED (“BIG FM REALTY” or “Company”) in the course of its operations through its website www.bigFMrealty.com , communication platforms, or other digital interfaces owned or operated by the Company (“Platform”). This Policy governs the privacy practices adopted by the Company in relation to:

(i) Users who visit, access, or use the Platform, including those who browse property listings, submit enquiries, register accounts, schedule site visits, engage in property transactions, or otherwise communicate with BIG FM REALTY (“Users”);

(ii) All categories of Data Principals whose Personal Data is processed by the Company, including customers, prospective buyers, sellers, landlords, tenants, investors, developers, brokers, business partners, vendors, employees, consultants, service providers, and visitors who voluntarily provide their data;

(iii) Real estate developers, channel partners, brokers, contractors, architects, legal consultants, project collaborators, and other stakeholders who engage with the Company in relation to property development, project marketing, sales, leasing, and construction activities;

(iv) Personal Data collected through both online and offline channels, including but not limited to customer interactions, site visits, property enquiries, booking forms, KYC submissions, feedback forms, email communications, social media interactions, call records, payment gateways, and registration documentation;

(v) Third parties acting on behalf of the Company (such as legal advisors, banks, payment processors, logistics providers, valuation professionals, technical consultants, marketing affiliates, and cloud service providers), to the extent that they process Personal Data under the Company’s instructions and authority along with customer consent or lawful basis;

(vi) Personal Data processed in India, as well as data collected from Users outside India but processed or stored in India, subject to applicable local and cross-border data transfer laws.

c) This Policy shall apply regardless of the device, platform, or medium used to access the Company’s services, including desktops, mobile phones, tablets, smart devices, and other digital channels.

d) This Policy does not apply to:

(i) Aggregated or anonymised information that does not, directly or indirectly, identify an individual;

(ii) Data submitted directly to banks, financial institutions, registration authorities, government portals, affiliate service providers, or external applications used in conjunction with the Platform but governed by their own privacy practices;

(iii) Third-party websites, platforms, or applications which may be linked from the Company’s Platform but are not owned or operated by the Company. Users are encouraged to review the privacy policies of such third-party services independently;

(iv) Data that is collected or processed for purely personal, household, or journalistic purposes by individuals and is exempted under the provisions of the Digital Personal Data Protection Act, 2023.

e) By accessing or using the Platform or otherwise providing Personal Data to the Company, the User expressly acknowledges and agrees to the terms of this Policy, and consents to the processing of their Personal Data in accordance with the terms stated herein.

f) In case of any conflict between this Policy and any contractual terms agreed between the Company and any Data Principal (such as employees, vendors, consultants, brokers, developers, contractors, or service providers), the provisions offering higher privacy protection shall prevail, unless otherwise required by applicable law.

This Policy applies to all Personal Data collected, received, processed, stored, disclosed, or otherwise handled by the Company in relation to:

  • property purchase and sale transactions
  • leasing and rental transactions
  • project marketing and developer coordination
  • site visits and property inspections
  • KYC verification and legal due diligence
  • booking forms and registration support
  • brokerage services and advisory consultations
  • property investment and portfolio assistance
  • vendor, broker, and consultant onboarding
  • website lead generation and enquiries
  • customer service and grievance handling
  • buyers
  • sellers
  • investors
  • developers
  • landlords
  • tenants
  • brokers
  • channel partners
  • architects
  • contractors
  • legal consultants
  • Chartered Accountants
  • compliance professionals
  • vendors and service providers
  • employees and consultants
  • website visitors and prospective clients

3.    CATEGORIES OF PERSONAL DATA COLLECTED

a) BIG FM REALTY collects and processes specific categories of personal data to facilitate the delivery of its real estate services, enhance user experience, ensure legal compliance, and enable commercial collaboration. The nature and extent of data collected may vary depending on the user’s role and interaction with the Platform, including but not limited to that of a property buyer, seller, landlord, tenant, investor, broker, developer, contractor, visitor, or guest user.

b) In the course of providing its services and operating its Platform, the Company may collect and process the following categories of Personal Data, either directly from the User or through third-party service providers acting on its behalf. Each entry defines the nature of the data, its origin, how it is collected, and the contextual interaction in which such collection typically occurs:

CATEGORYDESCRIPTIONSOURCE
Identity DataFirst name & Last name, date of birth, PAN, Aadhaar (where legally required), passport details (if applicable), KYC records, user IDUser during registration, booking, KYC submission
Contact DataEmail address, mobile number, billing address, residential address, business address, postal codeEnquiry forms, registration, agreements
Payment and Financial DataBank account details, UPI ID, payment transaction ID, loan details, credit/debit card details (masked), payment timestampsPayment gateway, banking partners, transaction processing
Property and Ownership DataTitle deeds, ownership records, registry details, possession letters, sale deeds, lease agreements, rent agreements, project documentationUser submissions, legal verification, registration authorities
Property Booking, Registration, Lease, and Transaction RecordsBooking forms, property transaction details, agreement records, payment schedules, receipts, brokerage recordsPlatform backend, legal and finance teams
Device & Technical DataIP address, browser type, device type, operating system, screen resolution, time zone, device identifiersAutomatically via website
Usage DataBrowsing behaviour, clickstream, pages visited, property views, enquiry history, time spent on listingsAnalytics tools, cookies
Marketing & Communication DataNewsletter opt-in, promotional preferences, communication logs, feedback, customer responsesUser entries, CRM tools
Account CredentialsHashed passwords, OTP verification records, login timestampsRegistration & login systems
Social Media DataPublic profile name, email ID, linked account data from social platformsGoogle login integrations, social platforms
Customer Support DataChat transcripts, complaint records, support tickets, consultation records, call recordings (if applicable)Helpdesk tools, email/chat support
Location Data (if any)Approximate geolocation, site visit location, delivery or registration location via IP or GPS (when permitted by the user)Device/browser during use
Referral or Affiliate DataReferral codes, broker references, channel partner tracking, affiliate tracking URLsMarketing platforms, broker networks
User-Generated ContentProperty reviews, comments, testimonials, uploaded documents, images, feedbackPlatform, user interaction

c) The above Personal Data may be collected at the time of account creation, property enquiry, booking, registration, KYC verification, while placing a transaction request, interaction.

4.    PURPOSE OF DATA COLLECTION & USE

aa) The Company collects and processes Personal Data only for specified, lawful, and legitimate purposes directly connected with its real estate business operations, including property discovery, brokerage support, leasing, sale and purchase transactions, project marketing, customer relationship management, legal compliance, and related support services. Such processing is carried out either with the consent of the Data Principal or where reasonably necessary for the performance of a contract, compliance with legal obligations, or for other purposes permitted under applicable law.

b) The Company may, from time to time, use AI-enabled tools or automated software systems to support the internal processing, organisation, segmentation, verification, and analysis of Personal Data, including for trend recognition, fraud detection, customer preference mapping, lead qualification, property recommendations, and service optimisation. All such tools are deployed subject to appropriate ethical safeguards, human oversight, accuracy checks, and restricted access controls. Automated processing shall not be used as the sole basis for any decision that materially affects the rights or interests of the Data Principal.

c) All Personal Data collected and processed by BIG FM REALTY shall be accessed internally strictly on a need-to-know basis and governed by the principles of role-based access control (RBAC) and least privilege. Access is granted only to authorised personnel depending on their functional responsibilities, including customer support, sales, finance, legal, compliance, technology, marketing, and relationship management teams. Access logs are maintained, monitored, and periodically reviewed to prevent unauthorised access, misuse, or cross-functional exposure of Personal Data.

d) The following table outlines the specific purposes for which each category of Personal Data may be collected and used:

PURPOSE OF PROCESSINGCATEGORY OF PERSONAL DATA INVOLVEDLEGAL BASIS UNDER APPLICABLE LAW
To process property enquiries, bookings, site visits, registrations, agreements, and transaction fulfilmentIdentity Data, Contact Data, Payment Data, Property Data, Transaction Data, Location DataConsent; Performance of Contract
To provide account registration, login access, and user verificationIdentity Data, Account Credentials, Contact DataConsent; Legitimate Use
To communicate booking updates, project status, service-related information, and transaction notificationsContact Data, Transaction Data, Property DataPerformance of Contract; Legitimate Use
To recommend relevant properties, investment opportunities, leasing options, and project launchesUsage Data, Device Data, Property Preferences, Enquiry HistoryConsent; Legitimate Use
To conduct marketing campaigns and send promotional communications regarding projects, offers, launches, and servicesContact Data, Marketing Preferences, Communication DataExplicit Consent
To schedule and manage site visits, consultations, inspections, and customer appointmentsContact Data, Location Data, Enquiry Data, Property PreferencesConsent; Performance of Contract
To provide customer support, resolve complaints, and manage service requestsContact Data, Support Data, Transaction Data, Property DataLegitimate Use; Performance of Contract
To detect and prevent fraud, misrepresentation, abuse, or policy violationsIdentity Data, Device Data, Transaction Data, KYC DataLegitimate Use; Legal Obligation
To comply with applicable legal, regulatory, tax, registration, and anti-fraud obligationsIdentity Data, Transaction Data, Payment Data, KYC Data, Property Ownership DataLegal Obligation
To maintain records for audit, dispute resolution, legal defence, internal reporting, and risk managementIdentity Data, Contact Data, Transaction Data, Payment Data, Property RecordsLegal Obligation; Legitimate Use
To improve website performance, platform analytics, customer experience, and internal reportingUsage Data, Device Data, Aggregated Non-Personal DataConsent (where required); Legitimate Use
To process broker references, referral programs, affiliate arrangements, and channel partner relationshipsReferral Data, Identity Data, Transaction Data, Broker DataConsent; Performance of Contract
To publish, display, and moderate user-generated content such as reviews, testimonials, feedback, and property commentsUser-Generated Content, Identity Data (where public), Feedback DataConsent

e) The Company shall not use Personal Data for any purpose other than those specified herein without providing appropriate notice to the Data Principal and, where required under applicable law, obtaining specific, informed, and unambiguous consent.

f) Where consent forms the legal basis for processing, the Data Principal shall have the right to withdraw such consent at any time by contacting the Grievance Officer or by using the withdrawal mechanisms made available on the Platform. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal; however, such withdrawal may affect the Company’s ability to provide certain services.

g) The Company may periodically send communications relating to new project launches, investment opportunities, leasing offers, promotional campaigns, market updates, and other information that may be relevant to the User, using the contact details provided by the User, subject to applicable consent requirements.

h) From time to time, the Company may also use Personal Data for internal research, service improvement, customer satisfaction analysis, market research, and website customisation to better align the Platform and services with user preferences and business requirements.

i) The Company ensures that all processing of Personal Data remains proportionate, relevant, and limited to what is necessary for the stated purposes and is carried out in accordance with the principles of fairness, transparency, accountability, and lawful processing under applicable data protection laws.

5. LEGAL BASIS FOR PROCESSING

a) The Company processes Personal Data only where there exists a lawful basis for such processing under the Digital Personal Data Protection Act, 2023 (“DPDPA”), and other applicable laws. Such lawful bases may include one or more of the following:

(i) Consent of the Data Principal

Where the Company collects Personal Data directly from a User or Data Principal, such collection shall be undertaken only after obtaining the individual’s free, specific, informed, unconditional, and unambiguous consent through clear affirmative action.

Examples include:

  1. Subscribing to project updates, newsletters, marketing communications, or promotional offers;
  2. Providing optional demographic information, investment preferences, or customer feedback;
  3. Participating in surveys, promotional campaigns, referral programs, or property consultation requests;
  4. Creating an account on the Platform for property search, enquiry, booking, or transaction management;
  5. Scheduling site visits, requesting callbacks, or submitting enquiry forms.

(ii) Withdrawal of Consent

The User may withdraw consent at any time through the Platform settings, unsubscribe links, opt-out mechanisms, or by contacting the Grievance Officer. Such withdrawal shall not affect the lawfulness of any processing undertaken prior to such withdrawal but may impact the Company’s ability to provide certain services.

(iii) Performance of a Contract

The Company may process Personal Data where such processing is necessary for the performance of a contract with the Data Principal or to take steps at the request of the User prior to entering into such contract.

Examples include:

  1. Processing property enquiries, booking requests, lease transactions, or property purchase requests;
  2. Facilitating booking payments, brokerage arrangements, agreement execution, registration support, and possession handover;
  3. Providing customer support relating to property transactions, documentation, payments, and registrations;
  4. Coordinating with developers, brokers, landlords, tenants, or channel partners for transaction fulfilment.

(iv) Compliance with Legal Obligations

The Company may process Personal Data where such processing is required for compliance with applicable laws, statutory obligations, court orders, or lawful directions issued by government authorities, regulatory bodies, or law enforcement agencies.

Examples include:

  1. Compliance with taxation, invoicing, and financial reporting obligations;
  2. KYC verification, anti-fraud checks, and anti-money laundering compliance where applicable;
  3. Retention of records for audit, registration, legal due diligence, and dispute resolution;
  4. Compliance with obligations under applicable property registration laws, RERA requirements, Information Technology laws, and consumer protection laws;
  5. Assisting law enforcement or judicial authorities in investigations relating to fraud, title disputes, or criminal proceedings.

(v) Certain Legitimate Uses (as permitted under Section 7 of the DPDPA, 2023)

The Company may process Personal Data without separate consent for certain legitimate uses expressly permitted under applicable law, including but not limited to the following:

LEGITIMATE USE CATEGORYEXAMPLE
Voluntarily Provided Data by UserUser submits details for property enquiry, callback request, booking request, or customer support
Provision of Service Requested by UserFacilitating site visits, property consultations, transaction assistance, or documentation support
Legal Proceedings or Dispute ResolutionDefending legal claims, enforcing contractual rights, title disputes, or tenancy disputes
Public Interest or Public OrderCooperating with law enforcement, fraud investigations, regulatory inspections, or public safety requirements
Internal Administration and ComplianceProcessing employee, consultant, vendor, broker, or developer-related records for compliance and governance

(vi) Protection of Rights and Reasonable Expectations

The Company ensures that reliance on legitimate uses does not override the rights, freedoms, and reasonable expectations of the Data Principal and remains consistent with the principles of purpose limitation, necessity, proportionality, and fairness.

(vii) Public Interest or Public Health (Where Applicable)

In exceptional situations such as public emergencies, pandemics, natural disasters, or other statutory exigencies, the Company may process Personal Data in the interest of public health, public safety, or public order, subject to applicable legal permissions and governmental directions.

(viii) Third-Party Data Sharing and Legal Basis Verification

Where Personal Data is collected indirectly or shared through third-party service providers, channel partners, brokers, developers, financial institutions, legal consultants, or government authorities, the Company ensures that such parties have obtained the appropriate legal basis for such sharing, including valid consent where required under applicable law.

The Company may share Personal Data with the following categories of third parties, strictly for lawful business purposes and subject to confidentiality, security, and contractual obligations:

CATEGORYPURPOSE OF PROCESSINGTHIRD PARTY NAME(S)TYPE OF DATA SHARED
Payment ProcessorsTo facilitate secure booking payments, refunds, brokerage payments, and transaction settlementsRazorpay, Paytm, Cashfree, PhonePe, StripeName, contact details, transaction ID, masked banking/payment information
Financial Institutions / Loan PartnersHome loan processing, financing support, loan eligibility verificationBanks, NBFCs, Housing Finance CompaniesIdentity data, financial details, KYC documents, transaction records
Registration and Documentation Service ProvidersAgreement execution, stamp duty, registration assistance, legal documentationRegistration consultants, documentation vendorsIdentity data, address, KYC documents, transaction and ownership records
Developers / Builders / Property OwnersProperty booking confirmation, project coordination, documentation and possession supportBuilders, Developers, Landlords, SellersIdentity data, booking details, payment records, transaction information
Brokers / Channel PartnersLead management, referral tracking, brokerage processing, transaction coordinationReal estate brokers, referral agents, channel partnersContact details, transaction records, referral source details
Email and SMS Communication ProvidersSending booking updates, project alerts, reminders, and promotional communicationsMailchimp, Sendinblue, Gupshup, TwilioEmail address, phone number, communication preferences
Web Hosting and Cloud Infrastructure ProvidersWebsite operations, platform security, backups, access managementAWS, Cloudflare, DigitalOcean, HostingerDevice metadata, IP address, access logs
Customer Support ToolsCustomer support, complaint resolution, consultation recordsFreshdesk, Zoho Desk, IntercomName, contact details, support tickets, transaction-related records
Analytics and Tracking ProvidersWebsite analytics, service improvement, platform optimisationGoogle Analytics, Microsoft Clarity, HotjarIP address, browsing behaviour, session data
Legal, Tax and Compliance ConsultantsLegal due diligence, tax compliance, dispute handling, regulatory auditsChartered Accountants, Legal Counsel, Compliance AuditorsFinancial records, transaction records, KYC data, legal documentation
Government and Regulatory AuthoritiesStatutory compliance, legal disclosures, law enforcement obligationsIncome Tax Department, Sub-Registrar Offices, RERA Authorities, Police, Consumer ForumsPersonal Data as legally required

(ix) Internal Record Maintenance

The Company maintains appropriate internal records documenting the legal basis applicable to each category of processing activity. Such records are reviewed periodically to ensure continued compliance with applicable data protection laws.

(x) Change in Legal Basis

Where the legal basis for processing changes, including where consent becomes necessary for continued processing, the Company shall notify the Data Principal and obtain fresh consent wherever required under applicable law before proceeding with such processing.

6. CONSENT MANAGEMENT

a) Obtaining Consent: The Company shall obtain the free, specific, informed, unconditional, and unambiguous consent of the Data Principal before collecting or processing any Personal Data, unless such processing is permitted under applicable law, including for certain legitimate uses or compliance with legal obligations in accordance with this Privacy Policy and the Digital Personal Data Protection Act, 2023 (“DPDPA”).

b) The User may choose to restrict the collection or use of Personal Data in the following ways:

(i) Whenever the User is requested to fill in a form on the Platform, including enquiry forms, booking requests, site visit requests, callback requests, registration forms, or consultation requests, the User may select the relevant option indicating that they do not wish their Personal Data to be used for direct marketing or promotional communications;

(ii) If the User has previously agreed to the use of Personal Data for direct marketing purposes, including project updates, promotional offers, investment opportunities, newsletters, or property launch communications, the User may withdraw such consent at any time by contacting the Company through the “Contact Us” details provided on the Platform or by using the available opt-out mechanisms.

c) Consent is obtained in a clear, specific, and granular manner at the point of data collection, including but not limited to:

(i) Account registration on the Platform;

(ii) Submission of property enquiries, booking requests, or consultation forms;

(iii) Site visit scheduling, property inspections, and callback requests;

(iv) Token payments, booking payments, registration payments, brokerage payments, or other transaction-related payment stages;

(v) Subscription to newsletters, promotional communications, project updates, or investment alerts;

(vi) Participation in referral programs, customer feedback surveys, webinars, promotional campaigns, or property launch events;

(vii) Acceptance of cookies and similar tracking technologies on the Platform.

No pre-ticked boxes, bundled consent, deemed consent, or inferred consent mechanisms shall be used. Consent must be provided through clear affirmative action by the User.

d) Layered Notices: All consent requests shall be accompanied by a clear and accessible layered privacy notice containing:

(i) The purpose of data collection;

(ii) The categories of Personal Data being collected;

(iii) Whether such data shall be shared with third parties including developers, brokers, financial institutions, or service providers;

(iv) A link to this Privacy Policy;

(v) The contact details of the Grievance Officer.

e) These notices shall be drafted in clear, plain, concise, and easily understandable language to ensure that Users fully understand the nature and purpose of the processing activities to which they are consenting.

f) Proof and Record of Consent: The Company shall maintain verifiable and auditable records of consent obtained from each Data Principal, including the date, time, method, purpose, and scope for which consent was granted. Such records shall be stored securely and may be produced before the Data Protection Board of India or any other lawful authority upon valid request, audit, or investigation.

g) Refusal or Conditional Consent:

(i) Users shall have the right to refuse consent for optional features such as marketing communications, promotional updates, newsletters, investment alerts, or referral programs without affecting access to essential services such as property search, property enquiry, site visit requests, booking requests, registration support, or transaction facilitation;

(ii) The Company shall not impose conditional consent requiring the User to provide unnecessary Personal Data for unrelated services, unless such collection is reasonably necessary for the functioning of the requested service.

h) Withdrawal of Consent: The Data Principal may withdraw consent at any time, without adverse consequences, by:

  1. Using unsubscribe or opt-out links provided in emails, SMS messages, or promotional communications;
  2. Changing privacy or communication preferences available within the user account settings (where such functionality is available);
  3. Contacting the Grievance Officer directly at the contact details specified in this Policy.

i) Upon withdrawal of consent:

(i) The Company shall cease processing the relevant Personal Data within a reasonable time unless retention is required under applicable law, contractual obligations, fraud prevention requirements, or dispute resolution purposes;

(ii) Certain services may become unavailable where such services are dependent upon the withdrawn consent, including booking support, personalised property recommendations, transaction updates, or financing assistance.

j) Consent for Minors:

(i) The Company does not knowingly collect Personal Data from individuals below the age of 18 years without verifiable consent from a parent or lawful guardian, as required under Section 9 of the DPDPA, 2023;

(ii) If the Company becomes aware that Personal Data relating to a minor has been collected without valid parental or guardian consent, such data shall be promptly deleted in accordance with applicable law.

k) Cookies and Tracking Consent:

(i) The Company uses cookies, analytics tools, and similar tracking technologies to improve user experience, enhance Platform functionality, conduct analytics, personalise property recommendations, and support lawful advertising and promotional activities;

(ii) Consent for non-essential cookies shall be obtained through a cookie banner that enables Users to:

  1. Accept all cookies;
  2. Manage cookie preferences by category;
  3. Reject non-essential cookies;

(iii) The Company shall honour the User’s tracking preferences and provide clear instructions regarding the modification, management, or withdrawal of cookie preferences through its Cookie Policy.

l) Updates to Consent Preferences:

(i) Users may review and modify their consent preferences at any time through the account privacy settings (where available) or by contacting customer support or the Grievance Officer;

(ii) The Company may periodically request Users to review, update, or reconfirm their consent preferences to ensure continued compliance with legal requirements and alignment with the User’s expectations.

7.    CHILDREN’S DATA

a)       The Company is committed to protecting the privacy of children and complying with the provisions of Section 9 of the Digital Personal Data Protection Act, 2023, which restricts the processing of personal data of children without verifiable parental or guardian consent.

b)      For the purposes of this Policy, a child is defined as an individual who has not completed the age of 18 years, unless a different age threshold is prescribed by applicable law.

c)       The Company does not knowingly collect, process, or store Personal Data from children unless:

(i)            It is necessary for delivering a service explicitly intended for child users; and

(ii)          Verifiable parental or guardian consent has been obtained through acceptable means, such as a digitally signed declaration or validated OTP-based consent process.

d)      If it comes to the Company’s attention that Personal Data of a child has been collected without lawful consent, the Company shall:

(i)                   Promptly delete such Personal Data from its systems; and

(ii)                 Notify the parent or guardian, if identifiable, of such deletion.

e)       The Company does not engage in behavioral tracking, profiling, or targeted advertising towards children, directly or indirectly, in compliance with the prohibitions under Section 9 of the DPDPA.

 8.    COOKIE AND TRACKING TECHNOLOGIES

a)       A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.

b)      We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

c)       Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

d)      Users are shown a cookie consent banner upon their first visit to the Platform, in accordance with the notice and consent requirements under the Digital Personal Data Protection Act, 2023, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This banner allows Users to:

(i)                       Accept all cookies;

(ii)                      Reject non-essential cookies;

(iii)                    Manage preferences granularly by category.

e)       The types of cookies used, their purposes, and the list of third-party tools involved are described in the Company’s Cookie Policy, which forms an integral part of this Privacy Policy. 

f)        Users may review or update their cookie preferences at any time by visiting the Cookie Settings Panel available in the footer of the Website or in their account dashboard.

g)      For more detailed information on our cookie practices, including how to manage or disable cookies at the browser level, please refer to our full Cookie Policy.  

9.    DATA SHARING AND THIRD-PARTY TRANSFERS

h) Internal Access and Sharing: Personal Data collected by the Company may be accessed only by authorised internal teams, including but not limited to sales, customer support, relationship management, legal, finance, compliance, technology, marketing, operations, and property coordination teams, strictly on a need-to-know basis. All such access shall be governed by internal access controls, confidentiality obligations, role-based access management, and data minimisation principles.

i) Third-Party Disclosures: The Company may share Personal Data with trusted third-party service providers, vendors, business partners, developers, brokers, financial institutions, legal professionals, and regulatory authorities (collectively, “Third Parties”) solely for the purpose of enabling the Company to provide its real estate services efficiently, including property transactions, leasing support, documentation, registration, financing assistance, and customer relationship management.

Such Personal Data shall only be shared with the User’s consent, where required, or where disclosure is necessary for compliance with applicable law, contractual obligations, or legitimate uses permitted under the Digital Personal Data Protection Act, 2023.

The Company may also use the User’s Personal Data to share information regarding third-party project launches, co-developed offerings, investment opportunities, financing options, or strategic partnerships that may be relevant to the User, subject to applicable consent requirements.

All such Third Parties process Personal Data on behalf of the Company and are contractually obligated to comply with applicable data protection laws, maintain confidentiality, implement appropriate security safeguards, and process data strictly for authorised purposes only. A summary of categories of Third Parties and the purposes of sharing is provided in Section 5(a)(viii) of this Policy.

j) Categories of Third Parties May Include:

(i) Payment Gateways and Payment Processors – to facilitate booking payments, token amounts, registration payments, brokerage settlements, refunds, and transaction-related financial processing;

(ii) Financial Institutions and Loan Partners – to support home loan processing, financing eligibility verification, mortgage coordination, and housing finance assistance;

(iii) Registration, Documentation, and Site Visit Coordination Service Providers – to support agreement execution, registration formalities, stamp duty processing, title verification, legal documentation, property inspections, and site visit scheduling;

(iv) Cloud Hosting, IT Infrastructure, and Cybersecurity Providers – to securely store, process, protect, and manage Platform operations, backups, and access control systems;

(v) Marketing, Analytics, and Advertising Tools – to manage campaigns, property promotions, project launches, remarketing, and personalised content delivery;

(vi) Customer Support, CRM, and Relationship Management Platforms – to resolve service requests, customer complaints, lead management, consultation records, and communication history;

(vii) Auditors, Legal Counsel, Chartered Accountants, and Tax Advisors – for legal due diligence, compliance reviews, audits, tax obligations, litigation management, and dispute resolution;

(viii) Government Authorities, Regulatory Bodies, and Law Enforcement Agencies – where disclosure is required under applicable law, judicial orders, registration obligations, RERA compliance, or lawful governmental requests;

(ix) Broker Networks, Channel Partners, and Referral Agents – for referral tracking, brokerage processing, lead attribution, commission management, and transaction coordination;

(x) Retargeting and Personalised Advertising Platforms – to deliver relevant project advertisements, investment opportunities, and interest-based promotional content across websites and social media platforms;

(xi) Analytics and Performance Monitoring Tools – to analyse Platform usage patterns, improve customer experience, enhance service delivery, and monitor system performance (including tools such as Google Analytics);

(xii) Communication and Messaging Platforms – to manage transactional emails, SMS alerts, WhatsApp notifications, voice calls, reminders, and customer communication through authorised third-party APIs;

(xiii) Identity Verification and Access Management Providers – to support KYC verification, identity authentication, secure login management, fraud prevention, and account protection;

(xiv) Platform Development and Technical Service Providers – to conduct usability testing, technical troubleshooting, feature deployment, system optimisation, and Platform improvements;

(xv) Affiliates, Group Entities, and Strategic Business Partners – to ensure coordinated service delivery, shared operations, project collaboration, and lawful business management under common ownership or contractual arrangements;

(xvi) Corporate Transaction Parties – in connection with mergers, acquisitions, investments, restructuring, financing arrangements, due diligence exercises, or transfer of business assets.

k) Cross-Border Transfers:

(i) As of the effective date of this Policy, the Company stores and processes Personal Data primarily on servers located within India. However, certain third-party technology providers or service partners may process limited Personal Data using infrastructure located outside India, subject to lawful safeguards.

(ii) Any transfer of Personal Data outside India, where required, shall be conducted strictly in accordance with Section 16 of the Digital Personal Data Protection Act, 2023, and any applicable rules, notifications, or government restrictions relating to cross-border transfers.

(iii) The Company shall ensure that such transfers are made only:

  1. To countries or jurisdictions permitted by the Government of India; or
  2. Pursuant to appropriate contractual safeguards, including data processing agreements, confidentiality obligations, and transfer mechanisms that ensure equivalent levels of data protection under applicable law.

(iv) No Sale of Personal Data: The Company does not sell, rent, trade, or otherwise monetise the Personal Data of Users or customers to any third party for direct commercial gain.

(v) Aggregated and Anonymised Data: The Company may share anonymised, aggregated, or statistical information that does not directly or indirectly identify an individual with developers, research agencies, market intelligence providers, investors, business partners, or consultants for market analysis, service improvement, trend detection, and strategic planning. Such information shall not constitute Personal Data under applicable law.

(vi) Due Diligence and Oversight: The Company undertakes vendor due diligence and executes appropriate data processing agreements, confidentiality undertakings, or contractual safeguards with all Third Parties who receive or process Personal Data, ensuring that:

  1. Personal Data is processed only for legitimate, lawful, and stated purposes;
  2. Appropriate technical and organisational security measures are maintained to prevent misuse, unauthorised access, disclosure, or loss;
  3. Processing ceases upon completion of the contractual purpose or termination of the relevant engagement.

USER OBLIGATIONS

a) Users accessing or interacting with the Company’s Platform shall act in good faith, comply with lawful conduct, and take reasonable responsibility for the Personal Data and activities associated with their accounts. By using the Platform, each User agrees to comply with this Privacy Policy, the Terms of Use, and all applicable Indian laws.

b) Users shall ensure that all information submitted, including identity details, KYC documents, property-related declarations, booking details, transaction information, and communication records, is accurate, complete, lawful, and not misleading, impersonated, stolen, or fraudulently obtained. The Company shall not be liable for consequences arising from reliance on false, incomplete, or unauthorised data provided by Users.

c) Users shall remain personally responsible for maintaining the integrity, confidentiality, and security of their account credentials, devices, and access points used to engage with the Platform:

(i) Login credentials, passwords, and OTPs must not be shared, disclosed, or reused insecurely;

(ii) Devices used to access the Platform must be protected against unauthorised access, malware, or security compromise;

(iii) Users are advised to log out from shared or public systems and update passwords periodically.

d) Users shall refrain from engaging in, authorising, or facilitating any activity that:

(i) Violates the privacy, dignity, intellectual property rights, or lawful interests of other Users, brokers, developers, landlords, tenants, or service providers;

(ii) Circumvents or manipulates Platform features, transaction flows, payment systems, verification systems, consent mechanisms, or lead management processes;

(iii) Submits false property listings, fabricated testimonials, misleading reviews, forged ownership claims, impersonated identities, fraudulent KYC documents, or deceptive representations.

e) Users shall not attempt to:

(i) Probe, scan, test, or exploit vulnerabilities of the Platform or its security systems;

(ii) Gain unauthorised access to user accounts, internal databases, restricted APIs, administrative systems, or confidential records;

(iii) Use bots, scrapers, crawlers, automated extraction tools, or unauthorised scripts without prior written approval of the Company.

f) Users must promptly notify the Company in the event of:

(i) Suspected unauthorised access to their account, credentials, or transaction records;

(ii) Discovery of any security vulnerability, fraud attempt, or data protection concern;

(iii) Receipt of fraudulent communications falsely representing the Company, brokers, developers, or authorised representatives.

g) Users may have the ability to submit, post, or upload content on the Platform, including property reviews, testimonials, feedback, comments, ratings, site visit experiences, broker reviews, project reviews, customer feedback, uploaded documents, photographs, and other publicly visible content (“User-Generated Content” or “UGC”).

h) All UGC submitted must be original, lawful, respectful, accurate, and relevant to the purpose for which it is submitted. Users shall remain solely responsible for the content they contribute and represent that they possess full rights, authority, and lawful permission to submit such material.

i) By submitting UGC to the Platform, the User grants the Company a worldwide, royalty-free, non-exclusive, and irrevocable licence to use, display, reproduce, publish, modify, distribute, and republish such content for the purposes of:

(i) Displaying it on the Platform;

(ii) Promoting projects, property listings, campaigns, customer engagement, and service awareness;

(iii) Republishing or syndicating such content through the Company’s social media channels, marketing campaigns, partner platforms, and business communications.

j) The Company reserves the right to:

(i) Review, moderate, verify, edit, or remove submitted content;

(ii) Refuse publication of content deemed unlawful, misleading, defamatory, abusive, fraudulent, or in violation of applicable law or Platform policy;

(iii) Remove any UGC without prior notice at its sole discretion.

k) Users may request removal of previously submitted UGC by contacting the Company in writing, subject to identity verification, lawful review, and compliance obligations.

l) The Company reserves the right to suspend, restrict, terminate, or investigate any User account where a violation of these obligations is suspected, reported, or confirmed. The Company may also initiate legal proceedings or report such violations to competent authorities under applicable law where necessary.

 11. DATA RETENTION & STORAGE

a) Retention Principle: The Company retains Personal Data only for as long as is reasonably necessary to:

(i) Fulfil the purpose for which such Personal Data was collected, including property enquiries, bookings, lease transactions, registration support, customer relationship management, and service delivery;

(ii) Comply with applicable legal, regulatory, tax, registration, and statutory obligations;

(iii) Resolve disputes, enforce agreements, defend legal claims, and manage fraud prevention or legal due diligence;

(iv) Maintain records for auditing, title verification, transaction history, internal reporting, and business continuity purposes.

b) The applicable retention period shall be determined based on the nature of the Personal Data, the purpose of processing, contractual obligations, statutory requirements, dispute resolution needs, and any applicable limitation periods under law.

c) Data Retention Timelines:

CATEGORY OF DATATYPICAL RETENTION PERIODLEGAL / OPERATIONAL BASIS
Identity and Contact Data3 years from last activity, enquiry, or completed transactionStatutory limitation period for claims, customer relationship management, customer support
Property Booking, Registration, Lease, and Transaction Records8 years from the date of transaction or as required by applicable lawIncome Tax Act, accounting obligations, registration compliance, audit requirements
Property Ownership and Legal Verification Data8–10 years or longer where required by lawTitle verification, due diligence, registration records, dispute resolution, legal defence
Payment and Financial Data (masked)Retained in accordance with RBI guidelines and applicable financial regulationsRegulatory compliance, fraud prevention, transaction verification
Customer Support, Consultation, and Complaint Records3 years from last interactionDispute resolution, grievance handling, service quality monitoring
Marketing Preferences, Consent Records, and Opt-in DataUntil withdrawal of consent or inactivity exceeding 2 yearsConsent-based processing and compliance verification
Analytics and Usage Data (pseudonymised)12–18 months from collectionPlatform improvement, service optimisation, performance analysis
Account Credentials and Login RecordsUntil account deletion, deactivation, or legal retention necessityUser authentication, security, fraud prevention
Dormant or Inactive Account Data2 years of inactivity (subject to prior notice before deletion)Data minimisation and compliance obligations
Anonymised or Aggregated DataMay be retained indefinitelyOutside the scope of “Personal Data” under applicable law

Note: The above retention periods may be extended where required in connection with pending legal proceedings, fraud investigations, regulatory reviews, enforcement actions, title disputes, contractual obligations, or statutory preservation requirements.

d) Deletion and De-identification: Upon expiry of the applicable retention period, Personal Data shall either be:

(i) Permanently deleted from active systems, archived systems, and backup environments, where technically feasible and legally permissible; or

(ii) Anonymised, aggregated, or de-identified in a manner that prevents the identification or re-identification of the Data Principal.

The Company ensures that deletion and destruction of Personal Data are carried out securely using industry-standard sanitisation, erasure, and access control procedures.

e) Right to Request Deletion:

(i) A Data Principal may request deletion of their Personal Data where:

  1. The Personal Data is no longer necessary for the purpose for which it was collected;
  2. Consent has been withdrawn and no other lawful basis exists for continued retention;
  3. The Personal Data has been processed unlawfully or in violation of applicable law.

(ii) Such requests shall be reviewed and processed subject to legal retention obligations, contractual commitments, anti-fraud requirements, registration records, title verification obligations, dispute resolution requirements, and other lawful grounds for continued retention.

(iii) The Company shall respond to such requests within a reasonable period in accordance with the Digital Personal Data Protection Act, 2023 and applicable regulatory requirements.

f) Storage Location and Backups: Personal Data is stored on secure servers operated either by the Company or its authorised cloud hosting and infrastructure providers, primarily located within India. Periodic encrypted backups are maintained to ensure data recoverability in the event of accidental loss, corruption, system failure, cyber incidents, or disaster recovery requirements. Such backups remain subject to the same security, retention, and deletion standards set out in this Policy.

g) Policy Review and Updates: The Company periodically reviews its retention schedules, storage mechanisms, and deletion practices to ensure continued compliance with evolving legal requirements, operational realities, and industry standards applicable to the real estate sector. Any material changes to retention periods or storage practices shall be reflected through updates to this Privacy Policy.

12.   REASONABLE SECURITY PRACTICES

a)       BIG FM REALTY is committed to ensuring the security, integrity, and confidentiality of the Personal Data it collects and processes. In line with Rule 8 of the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and Section 8(5) of the Digital Personal Data Protection Act, 2023, the Company implements appropriate technical, organizational, and administrative security measures to protect Personal Data against accidental loss, unauthorised access, destruction, misuse, alteration, or disclosure.

b)      The Company adopts industry-standard safeguards including, but not limited to:

(i)                   End-to-end encryption of sensitive data during transmission (SSL/TLS protocols);

(ii)                 Hashing and salting of passwords;

(iii)                Firewalls and intrusion detection systems for network monitoring;

(iv)               Access control policies based on role and need-to-know;

(v)                 Secure APIs and encrypted payment gateways;

(vi)               Multi-factor authentication (MFA) for administrative and system access;

(vii)              Logging and monitoring of access to sensitive systems;

(viii)            Regular vulnerability assessments and penetration testing (VAPT);

(ix)               Frequent security patching and system updates.

c)       Personal Data is stored in secure servers hosted on reputable cloud platforms that are compliant with industry frameworks such as ISO/IEC 27001 and SOC 2, where applicable. All third-party service providers processing Personal Data on the Company’s behalf are contractually bound to adhere to similar or higher levels of security and confidentiality.

13. NOTIFICATION OF PERSONAL DATA BREACH

a)       BIG FM REALTY adopts a proactive and structured approach to identifying, mitigating, and responding to any personal data breach. A personal data breach refers to any unauthorised or accidental disclosure, alteration, loss, destruction, or access to Personal Data that compromises its confidentiality, integrity, or availability—whether caused by technical failures, malicious attacks, human error, or organisational gaps.

b)      Data Breach Response Procedure and Timelines: In the event of a suspected or confirmed data breach, the Company shall activate its internal Data Breach Response Procedure, which comprises the following steps and timeframes as detailed in Annexure A.

c)       Information Included in Notifications: Any notification to the Data Protection Board of India, CERT-In, or affected individuals (Data Principals) shall include the following information:

(i)                   Nature and categories of Personal Data affected;

(ii)                 Number of individuals impacted;

(iii)                Date and time of the breach (estimated and confirmed);

(iv)               Likely consequences or harm;

(v)                 Actions taken to mitigate risks and limit damage;

(vi)               Contact information of the Grievance Officer or point of contact;

(vii)              Instructions for Users on how to protect themselves.

d)      Breach Severity Categorisation:The Company classifies data breaches into three severity levels:

(i)                   Level 1 – Minor: No sensitive data involved, minimal or no risk;

(ii)                 Level 2 – Moderate: Involves contact or identity data, limited exposure;

(iii)                Level 3 – Critical: Involves sensitive personal data, financial data, or a large number of individuals, with potential for significant harm.

Only Level 2 and Level 3 breaches require mandatory external notification.

e)       User Cooperation: Users who become aware of any potential compromise of their account, such as unauthorized login attempts, phishing emails, or suspicious transactions, must report the same immediately by emailing abhishek.bigfmrealty@gmail.com.The Company will investigate such reports on priority and take appropriate action.

14. RIGHTS OF DATA PRINCIPALS

a)       As a Data Principal under the Digital Personal Data Protection Act, 2023, you are entitled to exercise the following rights in relation to your Personal Data collected and processed by BIG FM REALTY. These rights are subject to reasonable limitations and applicable legal requirements.

b)      As per the Digital Personal Data Protection Act, 2023, Data Principals have the following rights in relation to their Personal Data:

RIGHTDESCRIPTIONTIMELINE FOR RESPONSEHOW TO EXERCISE THIS RIGHT
Right to AccessTo know whether the Company processes your Personal Data and request details such as categories, purpose, recipients, and retention period.Within 15 working daysEmail a request to  using Contact Us information.
Right to CorrectionTo request correction, updating, or completion of inaccurate, outdated, or incomplete Personal Data.Within 10 working daysSubmit a correction request with valid supporting documents to  info@bigFMrealty.com  & abhishek.bigfmrealty@gmail.com
Right to ErasureTo request deletion of Personal Data that is no longer necessary, has been unlawfully processed, or after consent withdrawal.Within 15 working daysSend a deletion request via email to info@bigFMrealty.com  and abhishek.bigfmrealty@gmail.com with identity verification.
Right to Withdraw ConsentTo withdraw previously given consent for specific data processing activities.Immediate upon confirmationUse opt-out links in emails or write to info@bigFMrealty.com and abhishek.bigfmrealty@gmail.com specifying the consent to withdraw.
Right to Grievance RedressalTo file a complaint regarding delay, denial, misuse, or mishandling of Personal Data or non-fulfilment of rights.Acknowledgement in 48 hrs, resolution in 7 working daysEmail your grievance to the Grievance Officer at abhishek.bigfmrealty@gmail.com



Right to NominateTo nominate another individual to exercise your rights under this Policy in the event of your death or incapacity.As per Company recordsSend a signed nomination form or declaration via email to info@bigFMrealty.com  & abhishek.bigfmrealty@gmail.com
Right to Be InformedTo receive clear, accessible information on data collection, legal basis, purpose, rights, third-party disclosures, and policy changes.Continuous rightReview this Privacy Policy regularly and subscribe to update notifications via email or the Platform.

15. GRIEVANCE REDRESSAL MECHANISM

a)       BIG FM REALTY is committed to addressing all privacy-related concerns, complaints, and requests in a transparent, secure, and time-bound manner. In accordance with Section 13 of the Digital Personal Data Protection Act, 2023 and Rule 5(9) of the IT Rules, 2011, the Company has appointed a Grievance Officer to ensure proper handling of grievances related to Personal Data.

b)      Lodging a Grievance: If you have any concerns or grievances regarding:

(i)                   Denial or delay in fulfilling your data rights;

(ii)                 Misuse, unauthorised access, or mishandling of your Personal Data;

(iii)                Withdrawal of consent not being respected;

(iv)    Violation of any terms of this Privacy Policy;

(v)      Any breach of applicable data protection laws;

c)       You may raise a grievance by sending an email to the designated Grievance Officer:

Grievance Officer
Name: Abhishek Mangla
Email: abhishek.bigfmrealty@gmail.com

Address: 6th Floor, Caddie Commercial Tower Novotel Pullman Hotel , Asset No.2, IGI Airport Hospitality Area, Aerocity, New Delhi-110037

d)    Grievance Handling Procedure and Timelines:  

STAGEACTIONTIMELINE
AcknowledgementThe Grievance Officer will acknowledge receipt of your complaint.Within 48 hours
Initial ReviewAssess completeness and legitimacy of the grievance.Within 2 working days
Investigation and ResolutionConduct internal inquiry, coordinate with relevant departments, resolve issue.Within 7 working days
Notification of OutcomeCommunicate resolution decision or status update to the complainant.Within 10 working days total

e)       If you are dissatisfied with the resolution provided by the Grievance Officer or if no response is received within the prescribed period, you have the right to escalate the matter to the Data Protection Board of India under Section 13(2) of the Digital Personal Data Protection Act, 2023.

16. FORCE MAJEURE

The Company shall not be held liable for any failure or delay in performing its obligations under this Privacy Policy, including the processing of rights requests or breach notifications, due to circumstances beyond its reasonable control. Such events may include natural disasters, war, civil unrest, pandemic, governmental actions, electricity or internet outages, cyberattacks, or other force majeure events. During such periods, the Company will take reasonable steps to mitigate the impact and restore normal operations as soon as practicable.

17. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts located in New Delhi, India, without regard to conflict of law principles.

18. CHANGE IN OWNERSHIP OR CONTROL

In the event of a merger, acquisition, reorganisation, or sale of all or a portion of the Company’s assets or business, Personal Data held by the Company may be transferred to the successor entity. Such transfer will continue to be governed by the terms of this Privacy Policy unless and until it is amended by the successor with due notice to Users.

19. POLICY UPDATES AND NOTIFICATION

The Company may update or modify this Privacy Policy from time to time to reflect changes in legal requirements, business practices, or technological advancements. Any material changes will be notified to Users through:

(i)  Prominent notices on the Platform;

(ii)   Email communication to registered Users (where applicable); and

(iii)Updates to the “Last Updated” date at the top of this Policy.

Users are encouraged to periodically review this Policy to ensure that you are happy with any such changes made to the Policy.

20. CONTACT US

If you have any questions, concerns, or require clarification regarding this Privacy Policy, the processing of your Personal Data, or your rights as a Data Principal, you may contact our designated

Grievance Officer
Name:  Abhishek Mangla
Email: abhishek.bigfmrealty@gmail.com


Address: 6th Floor, Caddie Commercial Tower Novotel Pullman Hotel , Asset No.2, IGI Airport Hospitality Area, Aerocity, New Delhi-110037
Working Hours: 10:00 AM – 6:30 PM

By continuing to access or use the Platform, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. Your continued use of the services constitutes your consent to the collection, processing, and disclosure of your Personal Data in accordance with this Policy.

This Privacy Policy shall remain in effect until it is updated, superseded, or revoked by the Company.

***********************************************************************************************

ANNEXURE A

DATA BREACH RESPONSE FRAMEWORK & TIMELINE

STAGEACTIONTIMELINE
1. Detection & ContainmentIdentify and verify the breach, isolate affected systemsWithin 6 hours of detection
2. Preliminary Risk AssessmentAssess scope, type of data affected, sensitivity, and potential impactWithin 12 hours of detection
3. Internal EscalationNotify Compliance Officer, Data Protection Officer, and senior managementWithin 12 hours
4. Reporting to AuthoritiesNotify CERT-In and/or the Data Protection Board of India, where applicableWithin 6 hours of confirming the breach (as per CERT-In guidelines)
5. Notification to IndividualsInform affected Data Principals of the nature of the breach, risk, and mitigation stepsWithin 48 hours, where risk of harm is high
6. Remedial ActionContain breach, patch systems, reset credentials, and prevent recurrenceImmediate, completed within 72 hours
7. Documentation & Audit TrailRecord breach details, investigation logs, and corrective measures takenWithin 7 days of incident
8. Final Report & Policy UpdateRoot cause analysis and review of internal policies/trainingWithin 15 days of breach