Privacy Policy

ZOYPG ("Company", "we", "our", or "us") places the highest importance on respecting and protecting the privacy of its users ("you", "User's", "user"). We recognize that in the course of engaging with our mobile application, website, and services (collectively referred to as the "Platform"), User entrust us with User's personal information, and we take this responsibility very seriously.

This Privacy Policy sets out in detail how ZOYPG collects, uses, stores, processes, discloses, and safeguards User's personal information in compliance with applicable laws, including the Digital Personal Data Protection Rules, 2025, the Information Technology Act, 2000, and other relevant rules and regulations. Our commitment is not only to adhere to legal obligations but also to adopt industry best practices to ensure transparency, accountability, and fairness in the way User's data is handled.

By accessing or using our Platform, User expressly acknowledge and agree to the terms of this Privacy Policy and consent to the collection and use of User's information in the manner described herein. If User do not agree with the terms of this Privacy Policy, we kindly request that User discontinue using the Platform immediately. Continued use of our services will be deemed as User's acceptance of this Privacy Policy and any updates that may be made from time to time.

This Privacy Policy has been carefully prepared to ensure that ZOYPG fully complies with the prevailing statutory and regulatory framework governing data protection, privacy, and consumer rights in India, while also aligning with globally recognized best practices.

Specifically, this Policy is framed in accordance with:

• The Digital Personal Data Protection Act, 2023 (DPDP Act): Governs the collection, processing, storage, transfer, and protection of digital data within India, ensuring principles of lawful use, purpose limitation, data minimization, and user consent are strictly followed.
• The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011: Provides a legal framework for safeguarding sensitive personal data such as financial details, passwords, health information, and ensures adoption of reasonable security measures to prevent unauthorized access, misuse, or breach.
• Applicable Consumer Protection, E-Commerce, and Sectoral Laws in India: Including but not limited to the Consumer Protection (E-Commerce) Rules, 2020, which mandate transparency, accountability, and grievance redressal in digital services.

By following this multi-layered compliance framework, ZOYPG ensures that User's personal information is handled with the highest degree of integrity, transparency, and legal protection. This allows users to trust that their data is collected and processed only for legitimate purposes, under adequate safeguards, and with due regard to their fundamental right to privacy.

Information We Collect

When User interact with or use the ZOYPG Platform, we may collect, store, and process the following categories of information. Such collection is limited to what is necessary for the lawful functioning of our services and in line with the principles of the DPDP Act, 2023, IT Act, 2000, and allied rules.

Purpose of Processing

ZOYPG collects and processes personal information strictly for lawful, necessary, and proportionate purposes, in compliance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and other applicable regulations. User's data will be used only for legitimate business functions and in line with the principle of purpose limitation.

Consent & Withdrawal

By accessing, registering on, or using the ZOYPG Platform, User provide User's free, specific, informed, unconditional, and unambiguous consent for the collection, storage, use, disclosure, and processing of User's personal data in accordance with this Privacy Policy. Such consent shall be deemed valid where User voluntarily provide information to us. For example, when creating an account, uploading KYC documents, booking accommodation, or making digital payments after being informed of the specific purposes for which such data is being collected and processed. Further, in cases involving sensitive personal data such as biometric identifiers, health-related information, or any data categorized as "sensitive" under applicable law, ZOYPG shall seek User's explicit and express consent prior to processing.

User have the right to withdraw User's consent at any time by contacting us at [insert email/helpline details] or through the in-app account settings. Once a valid withdrawal request is received, ZOYPG shall immediately cease the processing of User's personal data for those purposes that are based solely on consent. However, such withdrawal shall not affect processing that has already taken place prior to receipt of User's request. In addition, certain services including but not limited to KYC verification, accommodation booking, payment processing, or tenant onboarding may no longer be available if User choose to withdraw consent for essential data use. Notwithstanding User's withdrawal, ZOYPG may continue processing data if required for compliance with legal obligations, contractual necessity, or legitimate business interests expressly permitted under applicable law.

If User withdraw consent in relation to critical service functions (such as KYC documentation, financial information, or accommodation verification data), ZOYPG may be unable to continue offering User services, and User's account may be restricted, suspended, or deactivated in line with our Terms & Conditions. Before acting on such withdrawal, ZOYPG will inform User of the consequences in clear and transparent terms to ensure that User's decision is fully informed.

User may exercise User's right of withdrawal through the following mechanisms:

• • Sending a written request via email to support@zoypg.com
• • Submitting a withdrawal request through the "Privacy Settings" or "Account Management" section of the ZOYPG app or website, or

All requests will be acknowledged within seven (7) working days and processed within the statutory timelines prescribed under the DPDP Act, 2023.

Irrespective of User's overall consent status, User retain the independent right to opt out of marketing communications, newsletters, promotional campaigns, or analytics-based tracking at any time. This can be done by clicking the "unsubscribe" link provided in our communications or by adjusting User's notification preferences through the ZOYPG Platform. Importantly, opting out of such marketing or analytics activities shall not affect User's liability to access and use ZOY's core services such as accommodation bookings, payment facilitation, or customer support.

Data Retention

The Company retains personal data only for as long as it is necessary to fulfil the purposes outlined in this Privacy Policy or as required by applicable laws and regulations. Different categories of information are retained for different periods in order to comply with statutory, financial, and operational requirements. For example, government-issued identification documents and KYC details may be retained for a minimum period of eight (8) years as per regulatory and anti-money laundering obligations. Transactional and payment-related records are generally stored for up to seven (7) years, in line with the Income Tax Act, 1961 and applicable Reserve Bank of India (RBI) guidelines. Customer support communications, feedback, and grievance redressal logs may be preserved for up to three (3) years in order to address disputes and ensure transparency. Marketing and promotional data will be retained only until such time as User opt-out, withdraw consent, or unsubscribe.

In the event that a user deletes their account or withdraws consent, the Company will ensure that personal data is securely deleted, anonymized, or pseudonymized, except where retention is mandated by law. For example, certain records may be preserved in an archival form to comply with audit requirements, fraud detection mechanisms, or enforcement of legal claims. Such archived data will not be actively processed for business purposes and will remain under restricted access.

Wherever possible, the Company may anonymize or aggregate personal data so that it can no longer be linked back to an identifiable individual. Such anonymized data may be retained indefinitely and used for statistical research, internal analytics, service optimization, or lawful commercial purposes, without risk to User's privacy.

Data Sharing and Disclosure

The Company does not sell, rent, trade, or commercially exploit user data in any manner. However, personal information may be shared strictly on a need-to-know basis and only under lawful circumstances. The primary purpose of such sharing is to ensure smooth delivery of services, compliance with legal obligations, and enhancement of operational efficiency.

Personal data may be disclosed to PG Owners, housing associations, and facility managers to enable accommodation services, verification, and tenant onboarding. The Company may also share limited information with investors, affiliates, or business partners, strictly for legitimate business interests such as operational integration, financing, or strategic expansion, and only under binding confidentiality obligations. In compliance with applicable law, data may also be disclosed to regulatory, judicial, or governmental authorities, including but not limited to RBI, SEBI, GST authorities, Income Tax authorities, municipal authorities, law enforcement, and courts, where such disclosure is necessary to fulfil statutory duties or respond to lawful requests.

Further, personal data may be provided to third-party service providers engaged by the Company, such as payment gateway operators, cloud hosting vendors, IT infrastructure providers, KYC verification agencies, logistics support, and marketing agencies. All such third-party processors are contractually bound to comply with strict data protection obligations and may not use the data for purposes beyond the scope of their engagement.

In the event of a merger, acquisition, corporate restructuring, or transfer of business assets, user data may form part of the transferred assets. In such cases, the successor entity will be bound to honour this Privacy Policy or adopt terms that are no less protective.

Where cross-border data transfer is required, such as for cloud hosting or integration with global service providers, the Company will ensure compliance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable international safeguards. Data will only be transferred to jurisdictions that provide an adequate level of protection, or where contractual arrangements (such as Data Processing and Transfer Agreements) impose equivalent safeguards.

To ensure transparency, the Company will, wherever feasible, inform users of any material disclosures that significantly impact their privacy rights.

Security Measures

The Company implements robust technical, organizational, and administrative safeguards to protect personal data against unauthorized access, alteration, disclosure, or destruction. All systems and practices are designed to comply with Section 43A of the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as well as internationally recognized frameworks such as ISO/IEC 27001 for information security management. Technical measures include end-to-end encryption of sensitive data during both transmission and storage, deployment of firewalls, intrusion detection and prevention systems, anti-malware software, and multi-layered authentication protocols. The Company enforces role-based access controls ensuring that only authorized employees or service providers can access personal data on a "need-to-know" basis. Regular penetration tests, vulnerability assessments, and security audits are conducted to proactively identify and address potential risks. All employees, contractors, and third-party partners handling personal data are bound by strict confidentiality agreements and undergo regular training on privacy, cybersecurity, and ethical handling of data.

Despite employing industry-leading safeguards, the Company acknowledges that no system of data transmission over the Internet or electronic storage can guarantee absolute security. Accordingly, while ZOYPG undertakes all reasonable efforts to protect User's personal data, it disclaims liability for incidents that arise due to factors beyond its reasonable control, such as sophisticated cyber-attacks, system vulnerabilities in third-party networks, or acts of force majeure.

User Rights

In accordance with the provisions of the Digital Personal Data Protection Act, 2023, as well as applicable rules and international best practices, every user of the Platform is entitled to exercise certain rights regarding their personal data.

• • Users have the right to request confirmation as to whether the Company is processing their personal data. Upon request, we will provide Users with access to their personal information in a clear and comprehensible format.
• • Users have the right to request the correction, updating, or completion of any inaccurate or incomplete personal data. Further, Users may request the erasure of their personal data when such data is no longer necessary for the purposes for which it was collected, or where processing is based solely on consent and such consent has been withdrawn, subject to applicable legal retention requirements.
• • Subject to applicable law, Users have the right to receive a copy of their personal data in a structured, commonly used, and machine-readable format, and, where technically feasible, to request that such data be transferred directly to another service provider of their choice without hindrance.
• • Where the processing of Users' personal data is based on consent, they may withdraw such consent at any time by contacting us via designated grievance redressal channel. Please note that withdrawal of consent may restrict or limit Users' ability to use certain features of the Platform.
• • Users have the right to lodge complaints or grievances regarding the handling of their personal data. All grievances will be acknowledged within 24 hours and resolved within 7 business days, in compliance with the DPDP Act, 2023.

Cookies and Tracking

The Company may use cookies, tracking pixels, web beacons, and other similar technologies to enhance user experience, perform analytics, and detect or prevent fraudulent activity. Cookies are small data files placed on User's device to recognize repeat visits, personalize services, and analyze Platform performance. User may choose to disable cookies through User's browser or device settings; however, please note that certain essential features of the Platform, such as login sessions, payment processing, and personalized content, may not function properly if cookies are disabled.

We do not use cookies to store sensitive personal data such as passwords, payment details, or government-issued IDs. Information collected through cookies is processed strictly for legitimate purposes and in accordance with this Privacy Policy.

Children's Privacy

The Platform and related services are not intended for, nor directed towards, individuals under the age of eighteen (18) years. We do not knowingly collect, store, or process personal data from minors without appropriate parental or guardian consent.

If it comes to our attention that we have inadvertently collected personal data from a minor without such consent, we will take immediate steps to delete such information from our systems. Parents and legal guardians who believe that a child under their care has provided personal information to the Company may contact us for prompt remedial action.

Updates to Privacy Policy

The Company reserves the right to update, revise, or modify this Privacy Policy at any time to reflect changes in law, technology, or business operations. Any material updates will be notified to users by way of a notice on the Platform, email communication, or any other legally acceptable means of communication. The revised Privacy Policy shall become effective as of the date of publication on the Platform. Continued access or use of the Platform after the publication of changes shall constitute User's deemed acceptance of the updated Privacy Policy.

We strongly encourage User to review this Privacy Policy periodically to stay informed about how User's data is being handled and protected.

Users may submit queries, concerns, or complaints regarding privacy practices, misuse of data, or breach of rights directly through the official contact details provided below. For queries, complaints, or withdrawal of consent, please contact: