Privacy Policy

Last updated: 15 March 2025

1. Introduction

PGflow (“we”, “us”, or “the Platform”) is a paying-guest and hostel management platform. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website, mobile application, or any services offered through PGflow.

This policy is published in compliance with India’s Digital Personal Data Protection Act, 2023 (DPDPA) and applies to all users of the Platform, including tenants, property owners, supervisors, and visitors.

By using PGflow, you consent to the collection and processing of your personal data as described in this policy.

2. Personal Data We Collect

a) Identity & Contact Information

  • Full name, email address, mobile number
  • Gender, date of birth, blood group
  • Residential address
  • Parent/guardian name and phone number
  • Emergency contact name and phone number

b) Government-Issued Identity

  • Aadhaar number (12-digit)
  • Uploaded copies of identity documents (Aadhaar card, photograph, employment or student ID card)

c) Employment & Education Details

  • For employed tenants: employer name, designation
  • For student tenants: college/institution name, course name, course year

d) Financial & Payment Data

  • Security deposit and rent amounts
  • Payment transaction references (Razorpay order & payment IDs)
  • We do not store credit/debit card numbers, CVVs, or bank account details. All card processing is handled by Razorpay.

e) Technical & Session Data

  • IP address and browser user-agent string (collected during login)
  • Session tokens stored in secure, httpOnly cookies
  • Form draft data saved in your browser’s local storage

3. Why We Collect Your Data

We process your personal data for the following purposes:

  • Tenant verification — verifying your identity as required by PG/hostel regulations before move-in.
  • Property management — assigning beds, managing occupancy, issuing rent invoices, and handling maintenance tickets.
  • Payment processing — collecting security deposits and monthly rent via Razorpay.
  • Communication — sending transactional emails (invoices, OTPs, application status updates, vacate confirmations).
  • Security & fraud prevention — session management, rate-limiting, and audit logging.
  • Legal compliance — fulfilling obligations under applicable laws and regulations.

4. How We Store & Protect Your Data

  • All data is transmitted over HTTPS with TLS encryption.
  • HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), and other security headers are enforced on all responses.
  • Session cookies are httpOnly and Secure, preventing JavaScript access and ensuring transmission only over HTTPS.
  • Passwords are never stored — we use OTP-based and Google OAuth authentication.
  • OTP codes are generated using cryptographically secure random number generation.
  • Access to tenant data is restricted by role-based permissions (tenant, supervisor, admin).
  • Uploaded documents are stored with access-controlled URLs — they are not publicly listed or indexed.

5. Third-Party Services

We share your data with the following third-party service providers, solely for the purposes described above:

Service | Purpose | Data Shared
Razorpay | Payment processing | Name, amount, order details
Cloudinary | Document & image storage | Uploaded documents (Aadhaar, photo, ID)
Resend | Transactional email delivery | Email address, email content
Google | OAuth authentication (optional) | Email address (only if you choose Google sign-in)
Neon | Database hosting | All stored personal data (encrypted in transit)

We do not sell your personal data to any third party. We do not use advertising cookies or tracking pixels.

6. Cookies & Local Storage

Name | Type | Purpose | Duration
pgflow_access | httpOnly cookie | Authentication (JWT session token) | 4 hours
pgflow_refresh | httpOnly cookie | Session continuity (refresh token) | 30 days
Form draft | localStorage | Save onboarding form progress | Until submission

We do not use any advertising, analytics, or third-party tracking cookies.

7. Your Rights Under DPDPA 2023

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

  • Right to Access — You may request a summary of the personal data we hold about you.
  • Right to Correction — You may request correction of any inaccurate or incomplete personal data.
  • Right to Erasure — You may request deletion of your personal data, subject to legal retention requirements and outstanding contractual obligations (e.g., unpaid rent).
  • Right to Grievance Redressal — You may file a complaint with our Grievance Officer or with the Data Protection Board of India.
  • Right to Nominate — You may nominate a person to exercise your data rights in case of death or incapacity.

To exercise any of these rights, contact our Grievance Officer at the details provided in Section 12 below.

8. Data Retention

  • Your personal data is retained for the duration of your tenancy and for a reasonable period afterward for legal, accounting, and dispute-resolution purposes.
  • Session data (IP address, user agent) is automatically deleted after 30 days.
  • Form draft data stored in your browser is cleared upon successful submission.
  • Upon receiving a valid erasure request, we will delete or anonymize your personal data within 30 days, except where retention is required by law.

9. Children’s Data

PGflow does not knowingly collect personal data from individuals under 18 years of age without verifiable parental or guardian consent. The onboarding process requires parent/guardian contact information for all tenants.

10. Cross-Border Data Transfer

Your data may be processed and stored on servers located outside India, including Singapore (database hosting) and other regions where our third-party service providers operate. Such transfers are conducted in compliance with applicable provisions of the DPDPA 2023, and we ensure that adequate safeguards are in place to protect your data.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you via email or an in-app notification. The “Last updated” date at the top of this page indicates when the policy was last revised.

12. Contact

If you have questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact:

You also have the right to lodge a complaint with the Data Protection Board of India if you believe your data rights have been violated.
