Privacy Policy

Effective: 1 June 2026 · Shahtra to Stay · India DPDP Act, 2023 compliant

1. Data We Collect

  • Account data: name, email, phone number.
  • Owner KYC: government ID type (Aadhaar/PAN/Passport), document image reference (S3 key), encrypted ID number.
  • Booking data: stay dates, guest count, payment amount, cancellation details.
  • Payment data: Razorpay handles card/bank details — we never store raw card or bank numbers.
  • Communication: in-app messages between guests and owners.
  • Usage data: anonymized page views and search queries (no cross-site tracking).

2. How We Use Your Data

  • Facilitate bookings and communicate booking status via WhatsApp and email.
  • Verify owner identity (KYC) and prevent fraud.
  • Process payments and manage subscription billing via Razorpay.
  • Send transactional notifications (booking confirmation, cancellation, payout).
  • Comply with legal obligations (GST, TCS, RBI regulations).

We do not sell your data or use it for third-party advertising.

3. Encryption & Security

KYC document numbers (Aadhaar, PAN) are encrypted using AES-256 (Fernet) at the application layer before storage. Encryption keys are managed via environment secrets, never committed to code. KYC document images are stored as S3 object keys (not publicly accessible URLs). Access to KYC records is logged at the field level.

No PII (email, phone, Aadhaar, PAN, bank details) is written to any application log.

4. Data Sharing

  • Razorpay: payment processing, KYC linked accounts, subscription mandates.
  • AWS S3: KYC document storage (India region, ap-south-1).
  • WhatsApp (Meta) / Email: transactional notifications only.
  • Regulatory authorities: as required by law (GSTN, IT Act, DPDP Act).

No data is shared with advertisers, data brokers, or analytics platforms.

5. Data Retention

Data type                 | Retention                             | Reason
Booking records           | 7 years                               | GST / legal obligation
Payment records           | 7 years                               | RBI / GST / income tax
Chat messages             | 2 years from stay date                | Dispute resolution
KYC document refs         | Deleted 30 days after account closure | DPDP right to erasure
Account PII (name, phone) | Deleted on account closure            | DPDP right to erasure
Raw KYC numbers           | Encrypted at rest; never exposed      | Security best practice

6. Your Rights (DPDP Act, 2023)

Under the India Digital Personal Data Protection Act, 2023, you have the right to:

  • Access: request a copy of your personal data via Settings → Export my data.
  • Correction: update your name, phone, and email from your account settings.
  • Erasure: delete your account via Settings → Delete account. Your PII is anonymized; booking records are retained for legal compliance.
  • Grievance redressal: contact our Data Protection Officer at dpo@shahtra.in within 30 days for a response.

7. Cookies

We use only functional cookies (session authentication). No tracking or advertising cookies. The platform does not use Google Analytics, Meta Pixel, or similar tracking tools.

8. Changes to This Policy

We will notify you by email at least 14 days before any material change. Continued use of the Platform after the effective date constitutes acceptance.

Data Protection Officer: dpo@shahtra.in · legal@shahtra.in