Privacy Policy

Last updated: 1 June 2026

This Privacy Policy describes how AI Consultants ("we", "our", "us") collects, uses, shares, and safeguards information when you:

• Visit our marketing website at ai-consultants.in or apps.ai-consultants.in;
• Use our desktop software — Accounts HQ, RWA HQ, or tradeHQ (collectively, "the Software");
• Sign in to the RWA HQ resident portal at resident.ai-consultants.in as a resident of a society that uses RWA HQ; or
• Use any future AI Consultants mobile application for residents.

This policy operates under the Indian Digital Personal Data Protection Act, 2023 ("DPDP Act"). Section 3 below explains when we act as a data controller (fiduciary) versus a data processor on behalf of someone else — that distinction determines who you should approach to exercise your rights.

1. Information we collect

1.1 From software customers (society managers, business owners, traders)

• Account & billing — name, business name, email address, phone number, postal address (where required for tax invoicing).
• Payment information — card / UPI / netbanking details are collected and processed directly by Razorpay, our payment partner. We do not store or have access to your full card number.
• Correspondence — anything you tell us in emails sent for legal or statutory matters, in-app feedback submissions, or forms.

1.2 From residents (RWA HQ resident portal and any AI Consultants resident mobile app)

• Identity & contact — name, mobile phone number, email address, society name, flat / unit number, role (owner / tenant). Most of this is supplied by the society manager when they add you to RWA HQ; some you may update yourself in the resident portal.
• Authentication data — one-time passwords (OTPs) sent to your email when you sign in, and a session cookie thereafter.
• Activity on the resident portal — visitor passes you create, complaints you raise, polls you vote in, profile updates you request, and read receipts for notices.
• Marketing consent (only if you opt in — see section 5) — the timestamp, source, and categories of marketing communications you have agreed to receive.

1.3 Information collected automatically

• Licensing telemetry — when the Software activates a licence key, we receive a one-way hash of your device's machine ID, the licence key, and a timestamp. This is used to enforce seat limits and is not linked to your accounting data.
• Crash & error reports — if the Software crashes, the stack trace and product version may be sent to us. These do not contain the contents of your books, ledgers, documents, or resident records.
• Website & portal analytics — standard server logs (IP address, browser, page visited). We do not use third-party advertising or cross-site tracking cookies.

1.4 What we do NOT collect

Your accounting records, voucher entries, party ledgers, invoices, bank statements, broker statements, and any other business data you enter into the desktop Software stays in your control. For Accounts HQ and tradeHQ this means it remains in a local SQLite database on your machine; we have no copy and no ability to read it. For RWA HQ, society master data and residents' contact details may be synced to our servers so the resident portal can work — see sections 3 and 4 for the exact split.

2. How we use your information

• To deliver the Software and the resident portal, activate licences, and enforce seat limits.
• To process payments and send invoices & receipts.
• To respond to legal and statutory requests received by email, and to triage product feedback submitted via the in-app Feedback tool.
• To send essential service communications (licence keys, payment receipts, login OTPs, security notices, breaking-change announcements, visitor pass notifications to residents on the society's behalf, maintenance reminders to residents on the society's behalf).
• To improve the Software based on crash reports and aggregated usage statistics.
• If — and only if — you have separately and explicitly opted in, to send you marketing communications from us or from third-party advertisers. See section 5.

We do not sell, rent, or trade your personal information to third parties. Advertisers who choose to reach residents through our marketing platform never receive resident contact details — they specify targeting criteria; we dispatch messages on their behalf only to residents who have opted in (section 5).

3. Data controller and data processor roles

Whether we act as a data controller / fiduciary or as a data processor depends on whose data is being handled and why. This matters because data-rights requests should be directed to the controller.

3.1 We are the data controller for:

• Information you give us as a software customer (your name, billing details, legal/statutory correspondence, in-app feedback submissions).
• Licensing telemetry, crash reports, and website analytics.
• Resident accounts on the RWA HQ resident portal and any AI Consultants resident mobile app — when you sign in as a resident, you are entering into a direct relationship with us for those services.
• Marketing consent records you give us (section 5) and any messages sent under that consent.

3.2 We act as a data processor for:

• Resident contact details and society master data that a society manager enters into RWA HQ for the purpose of running their society — the society is the data fiduciary under DPDP Act 2023; we host and process on their instructions. Society managers may sign a separate Data Processing Agreement with us on request.
• Society accounting data inside Accounts HQ used by a society manager.

In practice this means: if you are a resident, you may have two parallel relationships covered by this policy — one with your society (data they entered about you into RWA HQ, where the society is the fiduciary) and one directly with us (your resident-portal login, marketing opt-in, and anything you choose to update yourself, where we are the fiduciary). You can exercise rights with each separately.

4. The RWA HQ resident portal and resident mobile app

When a society activates the RWA HQ resident portal, your society's data (flats, members, notices, visitor passes, complaints, polls, billing balances) is synced from the society manager's desktop installation of RWA HQ to our servers hosted on Fly.io in Mumbai, India. This is what allows you to sign in and interact with the portal or any future AI Consultants resident mobile app.

• Who can see your data: you (about yourself), the society manager / committee members granted access by them, and a strictly limited set of AI Consultants engineers for security investigations and operations only.
• Where it lives: Fly.io servers in the Mumbai (bom) region.
• How long we keep it: for as long as your society's RWA HQ licence is active, and for up to 90 days after the society cancels or stops syncing, after which the synced copy is deleted. Your separate marketing consent record (if any) is kept for the duration of the consent plus seven (7) years thereafter to satisfy auditability of withdrawal.
• Children: we do not knowingly create resident accounts or accept marketing opt-ins from anyone under 18; parents / guardians should manage minors' interactions through their own account.

5. Marketing communications — opt-in only

AI Consultants may, in future, offer residents the option to receive promotional communications from us or from selected local businesses (e.g., grocery, fitness, repair services). This feature operates strictly on an opt-in basis.

• Default state: OFF. You will receive zero marketing communications unless you affirmatively turn them on inside the resident portal or the resident mobile app.
• Granular categories: when you opt in, you choose which categories (e.g., grocery, wellness, household services) you are willing to receive — not a blanket consent.
• What advertisers see: only aggregate targeting criteria (e.g., "residents in 6 Sector X societies who have opted in to grocery offers"). Advertisers never receive your name, phone number, email, or any other contact detail.
• Frequency cap: we cap marketing messages at a small number per resident per week, enforced platform-wide across all advertisers.
• One-click opt-out: every marketing message includes a one-click withdrawal link. Withdrawal applies platform-wide and is permanent unless you opt in again.
• Society-level deny: your society's committee may choose to disable marketing for the entire society regardless of individual opt-ins; in that case no marketing reaches any resident of that society.
• Lawful basis: your specific, informed, affirmative consent under section 6 of the DPDP Act 2023. Withdrawing consent is as easy as giving it.
• Record-keeping: we retain a record of the date, source (which screen / app you opted in from), and categories of your consent for audit purposes (section 4 retention rule).

Until this feature is publicly launched, no marketing communications will be sent regardless of any preference shown in the interface.

6. Sharing with third parties

We share only the minimum information necessary with a small number of service providers:

• Razorpay Software Pvt Ltd — to process payments. Razorpay receives your name, email, billing address, and the amount / plan you are purchasing.
• Email provider (Hostinger SMTP) — to send licence keys, receipts, and resident-portal login OTPs.
• Hosting (Fly.io) — our licence server and the RWA HQ resident portal are hosted on Fly.io in the Mumbai region.
• Meta Platforms (WhatsApp Business) — to deliver visitor pass notifications and other resident communications, we send the recipient's phone number and the message content to Meta's WhatsApp Business API. Meta processes this data on our behalf under Meta's own terms.
• Anthropic, Inc. — if you opt in to AI features inside the Software, the specific text/image you ask AI to process is sent to Anthropic's Claude API. We never send accounting data automatically; only what you submit to an AI feature is forwarded.

We may also disclose information when required by Indian law or to enforce our Terms of Service.

7. Data location and retention

Server data (licence keys, payment receipts, legal correspondence records, in-app feedback submissions, society master data synced to the resident portal, residents' portal-side records) is stored on Fly.io infrastructure in Mumbai, India.

• Billing records — retained as required by Indian tax law (currently 8 years).
• Licence and account data — retained for as long as your licence is active and for up to 12 months after expiry, after which it is deleted or anonymised.
• Resident portal data — retained for as long as your society's licence is active and for up to 90 days after the society cancels.
• Marketing consent & withdrawal records — retained for the duration of consent plus 7 years (audit trail).
• Marketing campaign delivery logs — retained for 3 years for advertiser billing reconciliation.

8. Your rights

You may at any time:

• Request a copy of the personal information we hold about you, broken down by controller / processor role (section 3).
• Ask us to correct inaccurate information.
• Ask us to delete your information, subject to legal retention obligations.
• Withdraw consent for any optional processing (such as marketing communications), while still receiving essential service communications.
• Request portability of your data in a machine-readable format.
• Specific to residents: opt out of all marketing at any time via a one-click link in any marketing message, via the resident portal settings, or by emailing us. You may also request that we delete any data we hold about you as our direct relationship while leaving intact whatever your society holds about you (the society remains the fiduciary for that copy).

To exercise any of these rights, email info@ai-consultants.in. We will respond within 30 days.

9. Security

We protect data in transit with TLS (HTTPS). Broker credentials and other sensitive secrets used by the Software are encrypted on your machine using the Windows Data Protection API (DPAPI). On the server side, secrets are encrypted at rest by Fly.io. Despite these safeguards, no system is impenetrable; we recommend you also protect your own machine with a current OS, antivirus, and strong password.

10. Children

The Software is intended for use by businesses and is not directed at children under 18. We do not knowingly collect information from children. The RWA HQ resident portal and any AI Consultants resident mobile app are likewise not intended for use by anyone under 18; marketing communications under section 5 will not be sent to a resident whose recorded date of birth indicates they are a minor, even if their parent or guardian opts in on their behalf.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced on this page with a new "Last updated" date. Continued use of the Software after the change indicates acceptance.

12. Contact