Privacy Policy

1. Introduction

The Hill Link ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, visit our website, or engage with our team.

BY USING OUR SERVICES, YOU CONSENT TO THE PRACTICES DESCRIBED IN THIS PRIVACY POLICY. If you do not agree with our policies, please do not use our services.

2. Information We Collect

2.1 Personal Information

We collect the following personal information:

• Contact Information: Name, email address, phone number, mailing address
• Identity Information: PAN card, government-issued ID (Passport, Driving License, Voter ID)
• Aadhaar Collection (Special Consent Required): We collect your Aadhaar number ONLY when required for specific government compliance purposes (such as Bhu Kanoon Act verification with revenue authorities). You will be asked for separate explicit consent before Aadhaar collection. You may refuse Aadhaar sharing if alternative government-issued identification is acceptable for your service needs. Aadhaar is stored with enhanced security measures (encrypted storage, restricted access, separate from other personal data).
• Financial Information: Bank account details (for refunds), payment transaction records
• Property Information: Property addresses, coordinates, seller details, listing links, purchase intent
• Use Case Information: Intended property use (retirement, investment, etc.), budget, timeline

2.2 Technical Information

• IP address, browser type, device information
• Website usage data, pages visited, time spent
• Cookies and tracking technologies (see Cookie Notice)
• Geolocation data (with your consent)

2.3 Third-Party Information

We may collect information about properties from public records, government offices (tehsil, revenue departments, courts), local liaisons, and third-party service providers (surveyors, advocates).

2.4 Ongoing Engagement Data (Ownership Report Plans)

Where you subscribe to an Annual Review, Quarterly Review, or Continuous Review plan, or engage our Caretaker Placement service, we collect and retain data generated through the ongoing engagement. This data is processed under the Digital Personal Data Protection Act, 2023 ("DPDPA") and the DPDP Rules, 2025. (The DPDP Rules, 2025 were notified on 14 November 2025 and are being phased in — Data Protection Board of India provisions from 14 November 2025, Consent Manager provisions from 13 November 2026, and the substantive processing obligations including Rules 6, 7 and 14 from 13 May 2027. Hill Link applies these standards as operational policy pending statutory enforcement.)

• Site Documentation: Site Documentation: geo-tagged photographs, drone imagery, boundary surveys, and field notes from each site inspection over the life of the plan.
• Status Logs: Status Logs: quarterly legal-audit reports, mutation and court-filing tracking, circle-rate and fair-value histories.
• Caretaker Identity Data: Caretaker Identity Data: where you engage Caretaker Placement, we collect (i) PAN card (copy retained), (ii) one of Passport, Driving Licence, or Voter ID (EPIC) as primary identity document, (iii) address proof, (iv) police verification report (where obtained), (v) character references, and (vi) employment history. We do NOT collect, authenticate, or store Aadhaar numbers in any form (see 2.4.4 below).
• Third-Party Access: Third-Party Access: Caretakers placed under our oversight may, by necessity, have access to your property and limited contact information. Access is governed by the Caretaker's written undertaking under the registered Caretaker Agreement (Terms Section 18.3) and is revoked on termination.
• Recurring Payment Tokens: Recurring Payment Tokens: if and when we enable Razorpay recurring mandates (a future feature), the tokenised payment reference is held by Razorpay as payment processor; we store only the mandate ID and status.

Data-Fiduciary and Processor Status. Under DPDPA 2023 Section 2(i), Hill Link acts as an independent Data Fiduciary for caretaker data processing during the due-diligence / vetting lifecycle, because Hill Link determines the purpose and means of vetting (vendor selection for police verification, reference-check criteria, interview structure, retention windows). On placement, you become a joint Data Fiduciary for employment-related processing (payroll, attendance, conduct). For such joint-fiduciary processing, Hill Link acts as a Data Processor under a written Data Processing Addendum satisfying Rule 6 of the DPDP Rules, 2025 (encryption, access control, access logging, breach-support obligations).

Consent Mechanism. Caretaker identity data is collected with the Caretaker's written consent on a Hill Link Notice + Consent form compliant with DPDPA Sections 5 and 6 and provided in English and Hindi. The notice identifies Hill Link as Data Fiduciary, categories of data, purposes (background check, placement, oversight), sharing with you as prospective employer, retention period, Data Principal rights under Sections 11–14, and grievance contact. A separate consent is then collected by you at placement. Hill Link does NOT rely on DPDPA Section 7(i) "employment" legitimate-use exception, which is available only to a Data Fiduciary who is the employer.

No Aadhaar Collection. Consistent with Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1 (Supreme Court, 26 September 2018 — the Aadhaar Constitution Bench judgment reading down Section 57 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 insofar as it permitted body-corporate / private-contract use of Aadhaar), and with the absence of any statutory mandate requiring Hill Link (a private property advisory firm) to collect Aadhaar, Hill Link will NOT demand, collect, authenticate, offline-verify, or store Aadhaar numbers or copies of Aadhaar cards in any form — including masked, partial, XML, tokenised, or reference-ID form — for any client or caretaker. This position is further reinforced by the Aadhaar (Authentication and Offline Verification) Amendment Regulations, 2025 (UIDAI Notification F. No. HQ-30011/5/2025-AU-HO, Gazette of India dated 9 December 2025), which confines Aadhaar verification by private entities to registered Offline Verification Seeking Entities using UIDAI-approved digital channels (QR code, API, Aadhaar app); Hill Link is not, and does not intend to become, an OVSE. Identity verification is performed against PAN, Voter ID (EPIC), Passport, and Driving Licence. Where a banking / payment partner independently requires Aadhaar authentication for KYC compliance, that verification flows between you and the partner directly, with no Aadhaar data touching Hill Link's systems.

Sensitive Data Security. Caretaker identity data is stored with enhanced security measures — encryption at rest and in transit, role-based access control, access logging, segregation from Client data, and regular access audits — consistent with DPDPA 2023 Sections 8(4)–(5) and Rule 6 of the DPDP Rules, 2025.

3. How We Use Your Information

We use your information for:

• Service Delivery: Conducting property verification, preparing reports, providing advisory services
• Communication: Responding to inquiries, providing updates, delivering reports
• Payment Processing: Processing payments, issuing invoices, handling refunds
• Legal Compliance: Complying with Bhu Kanoon Act requirements, tax regulations, and other legal obligations
• Service Improvement: Analyzing service quality, identifying improvement areas
• Marketing: Sending promotional materials (you may opt out anytime)
• Security: Preventing fraud, protecting against unauthorized access

4. Information Sharing & Disclosure

4.1 We May Share Information With:

• Service Providers: Advocates, surveyors, local liaisons, payment processors (under strict confidentiality agreements)
• Government Authorities: When required by law or for legal compliance (e.g., Bhu Kanoon Act verification)
• Legal Proceedings: If required by court order, subpoena, or law enforcement
• Business Transfers: In the event of merger, acquisition, or sale of our business

4.2 We DO NOT:

• Sell your personal information to third parties
• Share your property search details with sellers or brokers
• Disclose your identity to property sellers without your explicit consent
• Use your information for purposes unrelated to our services without consent

5. Data Security

We implement appropriate security measures to protect your information:

• Encrypted data transmission (SSL/TLS)
• Secure password-protected databases
• Access controls limiting employee access to need-to-know basis
• Regular security audits and updates
• Confidentiality agreements with all team members and service providers
• Two-factor authentication for sensitive systems
• Regular backups with encrypted storage

However, NO METHOD of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5.1 Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

• Notify You Within 72 Hours: Email notification to your registered email address describing the nature of the breach, data affected, and steps being taken
• Notify Authorities: Report to the Indian Computer Emergency Response Team (CERT-In) and other relevant authorities as required by law
• Remediation Steps: Immediately implement measures to contain the breach and prevent future incidents
• Support: Provide guidance on protective measures you can take (e.g., password changes, fraud monitoring)

You will receive detailed information about: (a) what data was compromised, (b) when the breach occurred, (c) steps we're taking to investigate and remediate, and (d) recommended actions for your protection.

6. Data Retention

We retain your information for:

• Active Clients: Duration of service engagement plus 7 years (for legal and tax compliance)
• Inactive Inquiries: 2 years from last contact
• Truth Reports: 10 years (for warranty and liability purposes)
• Financial Records: 10 years (as per Indian tax laws)
• Ownership Report Plan Data: Duration of the plan plus 3 years post-cancellation, after which site photos, reports, and status logs are archived or anonymised unless a longer period is required by law or by a pending legal matter. The 3-year window aligns with the residuary limitation under Article 113 and the civil-claim period under Article 55 of the Limitation Act, 1963.
• Caretaker Identity Data: Retained while the Caretaker is in active placement plus 3 years post-termination. At the end of the retention window, all identity documents (PAN copy, passport copy, address proof, police verification) are securely deleted; minimal metadata (name, placement dates, termination reason) may be retained for audit purposes for a further 3 years.
• One-Shot Ownership Deliverables: Ownership Snapshot, Certified Valuation Report, and other one-off deliverables — 7 years post-delivery per Section 128 of the Companies Act, 2013 and Rule 6F of the Income-tax Rules, 1962.

After retention periods, we securely delete or anonymize your information unless longer retention is required by law.

7. Your Rights

You have the right to:

• Access: Request a copy of your personal information we hold
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your information (subject to legal retention requirements)
• Opt-Out: Unsubscribe from marketing communications
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to processing of your information for certain purposes

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies & Tracking Technologies

We use only strictly necessary cookies required for website functionality. We do not use marketing or advertising cookies.

User preferences (language, currency) are stored locally on your device and are not transmitted to our servers.

For complete details, see our Cookie Notice.

We use privacy-focused, self-hosted analytics to understand how visitors use our website. Our analytics solution does not use cookies, does not collect personal information, and is fully compliant with GDPR and DPDP Act. We collect only aggregate data: pages visited, referrer source, browser type, device type, and country. No individual tracking or profiling is performed.

9. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these websites. We encourage you to read their privacy policies.

Data Breach Notification

In the event of a personal-data breach as defined in DPDPA 2023 Section 2(u), Hill Link will comply with Rule 7 of the DPDP Rules, 2025:

• Initial intimation: Without delay — initial intimation to each affected Data Principal and to the Data Protection Board of India describing the nature, extent, timing, location, and likely impact of the breach.
• Detailed 72-hour report: Within 72 hours of becoming aware of the breach — a detailed report to the Data Protection Board of India setting out the cause, mitigation steps taken, measures to prevent recurrence, and a summary of the notifications sent to Data Principals.

Where the breach concerns data for which Hill Link acts as Processor under Section 2.4 (placement-stage caretaker data), Hill Link will assist you, as the Data Fiduciary, to meet your notification obligations without delay and at no additional cost.

10. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect information from children. If you believe we have collected information from a child, contact us immediately for deletion.

11. Digital Personal Data Protection Act, 2023 (DPDP Act) Compliance

In compliance with India's Digital Personal Data Protection Act, 2023, we provide the following additional protections and rights:

11.1 Lawful Processing

We process your personal data only for legitimate purposes with your consent or as required by law. When you engage our services, you provide explicit consent for data processing necessary to deliver those services.

11.2 Data Minimization

We collect only the minimum data necessary to provide our services. We do not collect excessive or irrelevant information.

11.3 Purpose Limitation

Your data is used ONLY for the purposes disclosed at the time of collection (service delivery, communication, legal compliance). We will NOT repurpose your data without obtaining fresh consent.

11.4 Data Principal Rights

Under the DPDP Act, you have the right to:

• Access: Obtain information about personal data we hold and how it's processed
• Correction: Request correction of inaccurate or incomplete data
• Erasure: Request deletion of data when retention is no longer necessary (subject to legal retention requirements)
• Grievance Redressal: File complaints with our Grievance Officer or, on escalation, the Data Protection Board of India
• Nominate: Nominate another individual to exercise your rights in case of death or incapacity

11.5 Grievance Officer

For all data privacy requests, contact our Grievance Officer (note: the statutory "Consent Manager" under DPDP Rule 4 is a DPBI-registered intermediary category — operational from 13 November 2026 — and is distinct from this internal grievance role):

11.6 Data Processing Record

We maintain records of all data processing activities including: data categories collected, processing purposes, retention periods, and third-party disclosures. You may request a copy of these records.

11.7 Cross-Border Data Transfer

Your data is primarily stored in India. If we transfer data outside India (e.g., to cloud providers), we ensure adequate safeguards and comply with DPDP Act requirements. We will notify you of such transfers.

11.8 Automated Decision-Making

We do NOT use automated decision-making or profiling that significantly affects your rights. All property assessments and recommendations involve human professional judgment.

12. International Data Transfers

Your information is primarily stored and processed in India. If you are accessing our services from outside India, please note that your information may be transferred to, stored, and processed in India where our servers and service providers are located.

13. Changes to Privacy Policy

We may update this Privacy Policy periodically. Material changes will be notified via email or prominent website notice. The "Last Updated" date indicates when changes were last made. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or concerns, contact our Privacy Officer: