Privacy Policy

How GateFlux collects, uses, and protects your personal data in accordance with Indian and international privacy law.

Version 1.3 | Effective: 28 Feb, 2026 | Last Reviewed: 28 Feb, 2026

GateFlux Pvt. Ltd. ("GateFlux", "we", "us") operates a governance-focused apartment management platform. We process personal data in accordance with the Digital Personal Data Protection Act, 2023 (India), the Information Technology Act, 2000, and the GDPR (EU) 2016/679 where applicable.

1. Scope

This Policy applies to all individuals who interact with the GateFlux Platform, including:

  • Residents, Owners, and Tenants
  • Committee members and Society Administrators
  • Visitors whose data is logged at entry
  • Website users and prospective customers

2. Data Protection Roles

Under Indian Law (DPDP Act 2023)

GateFlux acts as a Data Fiduciary for platform and website data.

Under GDPR (where applicable)

GateFlux may act as:

  • Data Controller — for account and website data
  • Data Processor — when processing resident data on behalf of a Society

A Data Processing Addendum (DPA) is available upon request at privacy@gateflux.co.

3. Categories of Personal Data

3.1 Identity & Contact Data

  • Full name, email address, mobile number
  • Apartment/unit number and role designation
  • Profile image (optional)

3.2 Financial & Governance Data

  • Maintenance dues, ledger entries, and invoices
  • Payment references and defaulter status
  • Committee notices and governance records

3.3 Visitor Data

  • Visitor name and phone number
  • Entry and exit timestamps
  • Flat/unit visited

3.4 Technical & Usage Data

  • IP address, browser type, device information
  • Login logs and session metadata

4. Legal Basis for Processing

4.1 India — DPDP Act 2023

Processing is based on:

  • Explicit consent obtained at account registration and visitor logging
  • Legitimate governance use for housing society operations
  • Legal compliance obligations under applicable Indian law

Users may withdraw consent subject to lawful retention requirements.

4.2 GDPR — EU Residents

Where GDPR applies, we rely on:

  • Article 6(1)(b) — Contractual necessity
  • Article 6(1)(f) — Legitimate interests (security, fraud prevention)
  • Article 6(1)(c) — Legal obligation
  • Article 6(1)(a) — Consent (analytics cookies, optional tracking)

5. Consent Mechanisms

Consent is obtained through:

  • Registration checkbox acceptance at account creation
  • Auto-renewal billing authorization at checkout
  • Cookie consent banner for non-essential cookies
  • Visitor data acknowledgment at the gate/entry point

Consent records are logged with timestamp and policy version. Users may withdraw consent at any time by contacting privacy@gateflux.co.

6. Purpose of Processing

We process personal data for the following purposes:

  • Society financial governance and ledger management
  • Committee decision dashboards and reporting
  • Defaulter tracking and notice generation
  • Visitor management and physical access control
  • Platform security and fraud detection
  • Compliance with the Maharashtra Co-operative Societies Act and Model Bye-Laws
  • Legal and regulatory compliance obligations

We do not sell personal data to third parties.

7. Data Retention

Data Category | Retention Period | Justification
Financial Records | Up to 8 years | Taxation, audit, statutory accounting
Visitor Logs | 12–24 months | Security review, dispute resolution
Security & Login Logs | Up to 24 months | Fraud investigation
Account Data | Subscription + 90 days | Service continuity
Backup Data | Up to 180 days | Disaster recovery

Inactive accounts may be permanently deleted after 3 years in accordance with DPDP Draft Rules (2025), unless renewed consent or legal necessity applies. Data may be retained longer where required by law or pending regulatory proceedings.

8. International Data Transfers

Where personal data is transferred outside India or the European Union:

  • Transfers comply with applicable data protection laws
  • EU transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards
  • Primary data hosting occurs within India (AWS Mumbai region)
  • Third-party vendors in the US or EU are covered by SCCs or lawful transfer mechanisms

9. Security Measures

GateFlux implements SOC 2-aligned security controls, including:

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256 where applicable)
  • Role-based access controls (RBAC)
  • Multi-factor authentication (where enabled)
  • Audit logging and continuous monitoring
  • Documented incident response procedures
  • Vendor risk management and periodic security reviews

No online system is completely secure. We will notify affected parties promptly in the event of a confirmed breach.

10. Cookies & Tracking Technologies

10.1 Essential Cookies

Required for authentication, session management, and security enforcement. Cannot be disabled.

10.2 Analytics Cookies (If Enabled)

Used for product improvement and usage analytics. Require explicit consent for EU residents and under DPDP.

See our Cookie Policy for full details. Users may manage preferences via browser settings or the cookie banner.

11. Data Sharing

We may share personal data with the following categories of recipients:

  • Payment gateway providers (e.g., Razorpay or equivalent)
  • Cloud hosting providers (e.g., AWS Mumbai region)
  • SMS and email notification service providers
  • Legal authorities where required by law

All vendors are bound by contractual confidentiality obligations and data processing agreements. A subprocessor list is available upon request.

12. Data Subject Rights

Under Indian Law (DPDP Act)

  • Right to access your personal data
  • Right to correction of inaccurate data
  • Right to withdraw consent
  • Right to erasure (subject to lawful retention)
  • Right to nominate a person to exercise rights on your behalf

Under GDPR

  • Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Right to object (Art. 21)
  • Right to lodge a complaint with your supervisory authority

Submit requests to privacy@gateflux.co. We will respond within 30 days.

13. Data Breach Notification

Under DPDP Act

The Ministry of Electronics & Information Technology (MeitY) shall be notified within 72 hours where required. Affected individuals shall be notified where high risk to rights and freedoms exists.

Under GDPR

The relevant Supervisory Authority shall be notified within 72 hours of awareness where required. Affected data subjects shall be informed where high risk exists.

14. Children's Data

The Platform is not directed to individuals under 18 years of age. We do not knowingly collect children's personal data without appropriate lawful authorization.

15. Updates to This Policy

Material changes will be communicated through:

  • Email notification to Society administrators
  • Prominent notice within the Platform interface

Continued use of the Platform after the effective date constitutes acceptance of the updated Policy.

16. Version History

Version | Date | Description
1.0 | 28 Feb, 2026 | Initial release
1.1 | 28 Feb, 2026 | Added GDPR & SOC 2 alignment
1.2 | 28 Feb, 2026 | Strengthened consent and retention disclosures
1.3 | 28 Feb, 2026 | Added DPDP retention nuance, breach timelines, Maharashtra compliance, transfer safeguards

17. Contact Information

Data Protection Contact

GateFlux Pvt. Ltd., Godavari Homes, Quthbullapur, Hyderabad 500067, Telangana, India
Email: privacy@gateflux.co
Response Timeline: Within 30 days

Grievance Officer: grievance@gateflux.co
