Broker365

Last updated: 22 April 2026

Privacy Policy

This policy explains what personal data Broker365 collects from subscribers and visitors, why we collect it, how long we keep it, and how to contact us if you want it changed or deleted.

1. Who we are

Broker365 (“we”, “us”) is an invite-only customer-relationship-management platform for Indian real-estate brokerages. Visiting broker365.in or using the dashboard at /dashboard means you agree to the processing described here.

2. Data we collect

  • Account data — name, business email, phone number, role, and the brokerage you belong to. Required to create and secure your account.
  • Operational data — clients, inventory, pipeline stages, commissions, and any notes you enter into the CRM. Stored on your behalf; never sold or shared.
  • Authentication data — password hashes (bcrypt, 12 rounds), OTP codes (hashed, 10-minute expiry), session records with IP and user-agent. Used only to authenticate you and to alert you to suspicious sign-ins.
  • Logs and telemetry — request IP, user-agent, timestamp, and an anonymised request ID. Error traces flow into Sentry with personal-data scrubbing enabled.
  • Payment records — Razorpay handles card/UPI details directly; we only ever see the transaction reference and status.
  • Onboarding enquiries — if you submit the landing-page form, we store the name, company, email, phone, city, team size, and message you provided so a human can reply.

3. Why we process it

  • To run and secure your account (contractual necessity).
  • To send you sign-in codes, security alerts, and weekly performance emails you've opted into.
  • To investigate abuse, prevent fraud, and respect lawful requests (legitimate interest).
  • To improve the product via aggregated, de-identified usage analytics.

4. How long we keep it

Operational data stays in your workspace until your brokerage deletes it or ends its subscription. After cancellation we retain backups for 30 days and then delete them. Audit logs are retained for 12 months for compliance. OTP codes are wiped once consumed or after 10 minutes.

5. Who we share it with

  • MongoDB Atlas — primary datastore (region: Mumbai).
  • Resend / Gmail SMTP — outbound email delivery.
  • Razorpay — payment processing.
  • WhatsApp Business API — only when you enable WhatsApp automation.
  • Sentry — error reporting with personal data scrubbed.
  • Vercel — hosting and CDN.

We never sell personal data, ever.

6. Your rights

Under the Digital Personal Data Protection Act 2023 you can ask us to access, correct, or delete your personal data, and to nominate a person to act on your behalf in the event of incapacity. Email broker365.support@gmail.com and we'll respond within 30 days.

7. Cookies

We set one strictly-necessary cookie (auth_token) to keep you signed in. It is httpOnly and SameSite=Lax. No third-party advertising cookies are set from our domain.

8. Contact

Privacy questions: broker365.support@gmail.com.

This is an early draft. Please review with a lawyer before publication — especially the Data Protection Officer, registered address, and grievance contact sections required by DPDPA and the IT Rules 2011.

© 2026 Broker365 · All rights reserved.