Privacy & DPDP Act 2023

Privacy Policy

How BookMySpace collects, uses, encrypts, and deletes your data — in plain English.

Last updated: June 2026 • DPDP Act 2023 compliant

The TL;DR

  • We collect your Name, Email, Phone, Age, Location, and Aadhaar document — only what's needed for KYC.
  • Your Aadhaar is encrypted with AES-256-GCM envelope encryption the instant we receive it.
  • Only you and our KYC admin can ever decrypt and view it. Every access is audit-logged.
  • We auto-delete your Aadhaar 30 days after admin approval (data minimization, DPDP §8).
  • We never sell, rent, or share your data. We use Razorpay (PCI-DSS L1) for payments — we don't see card data.

1. What we collect

When you sign up, we collect:

  • Name, Email, Phone, Age, Location (city) — to create your account and contact you.
  • Aadhaar card (image or PDF) — for one-time KYC verification, as mandated by Indian regulatory frameworks for high-value digital marketplaces.
  • IP address & user-agent — for rate limiting, fraud detection, and abuse prevention only.

When you book or list a space, we additionally store: the space's address & coordinates (provided by the host), booking timestamps, GPS check-in coordinates (within 500m of the space), and payment IDs returned by Razorpay (we never see your card number, CVV, or OTP).

2. How your Aadhaar is protected

Aadhaar is India's most sensitive identifier. We treat it accordingly:

  • Encrypted at rest with AES-256-GCM using envelope encryption: every Aadhaar gets its own random Data Encryption Key (DEK), which is itself encrypted with a Master Key (KEK) held only in our ops-managed environment variables — never in the database.
  • Encrypted in transit via TLS 1.3 (the document never travels unencrypted over the network, neither on upload nor on download).
  • Access-controlled: the download endpoint refuses any request that is not authenticated as either the document owner or our KYC admin.
  • Audit-logged: every successful and denied access is persisted with actor user_id, email, IP, user-agent, and timestamp. You can request your access log under DPDP §13.
  • Magic-byte validated: we reject any file whose declared type doesn't match its actual content (no Office macros, scripts, executables).

3. The 30-day deletion guarantee

The moment an admin approves your account, we schedule your Aadhaar document for permanent deletion 30 days later. After purge:

  • The ciphertext is removed from object storage.
  • The wrapped DEK in the database is wiped — making the file cryptographically unrecoverable even if storage backups exist.
  • The `aadhaar_url` field on your account is cleared and an `aadhaar_purged_at` timestamp is set.
  • Only the audit-log trail (without the document itself) is retained, per DPDP recordkeeping.

This satisfies DPDP §8(7) "data minimization" — we retain personal data only as long as necessary for the purpose for which it was collected.

4. Who has access

  • You — via your authenticated session.
  • Our KYC admins — for the explicit, documented purpose of one-time identity verification, before the 30-day purge fires.
  • No one else. Not advertisers, not data brokers, not "partners". We don't have any.

5. Your rights under DPDP Act 2023

  • Right to access — request a copy of all data we hold about you (§11).
  • Right to correction & erasure — fix or delete any of your data (§12).
  • Right to grievance redressal — any privacy complaint will be addressed within 30 days (§13).
  • Right to nominate — appoint someone to exercise your rights if you can't (§14).
  • Right to withdraw consent — at any time, by emailing us. Withdrawal triggers account deletion.

To exercise any of these, email privacy@bookmyspace.app from the email address on your account.

6. Payments

All payments are handled by Razorpay (PCI-DSS Level 1 certified). We never see, store, or process card numbers, CVVs, or OTPs. We only receive the payment ID and signature from Razorpay's servers, which we verify with HMAC-SHA256 before confirming a booking.

7. Cookies

We set one strictly-necessary cookie: access_token — an `HttpOnly; Secure; SameSite=None` JWT that authenticates you across pages. It's never accessible to JavaScript and expires in 24 hours.

Note: Cloudflare (our CDN) sets a `__cf_bm` bot-management cookie. We have no control over its contents and cannot read it.

8. Breach notification

If we ever discover a breach affecting your data, we'll notify you and the Data Protection Board within 72 hours, including: what data was affected, the time window, our mitigation, and your rights — per DPDP §8(6).

9. Contact

BookMySpace, c/o Emergent, India.

Privacy questions: privacy@bookmyspace.app

Security disclosures: security@bookmyspace.app (or our security.txt)

DPDP grievance officer: reachable at the same address as above; grievances are replied to within 30 days.