Privacy Policy

Hostora is operated by PRODM IT SOLUTIONS ("PRODM", "we", "us", "our"). We are committed to protecting personal data in line with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian law. This Policy explains what we collect, why, how we protect it, and your rights.

1. Who we are and our two roles

Hostora is a property-management platform sold to PG / hostel / co-living owners and managers ("Customers"). We handle personal data in two different roles:

  • As Data Fiduciary — for data about the Customer/account itself (the owner, managers and staff who log in, and billing details). We decide how this data is used and are responsible for it.
  • As Data Processor — for data about residents, students and their guardians ("Resident Data") that a Customer manages in Hostora. Here the Customer is the Data Fiduciary: they decide what to collect and must obtain the necessary consents (including verifiable guardian consent for minors). We process Resident Data only on the Customer's instructions to provide the service.

If you are a resident or guardian, the property that manages you is your first point of contact for your data. We will support lawful requests routed through that Customer.

2. Data we collect

Customer / account data (we are Fiduciary): name, mobile number, email (if provided); password stored only as a salted scrypt hash, never in plain text; organisation/property name, type and structure; subscription and billing details.

Resident Data (we are Processor, on the Customer's behalf): resident name, contact, room/bed, tenancy and payment records, attendance, complaints, leave and food/amenity usage; KYC identity documents (government ID type and number such as Aadhaar, PAN, passport, driving licence, voter ID, and uploaded ID images); guardian/parent name and contact.

Technical data: a signed, httpOnly authentication cookie; device/browser metadata; IP address; and security/audit logs.

We do not use third-party advertising trackers and we do not sell personal data.

3. Why we use data

To provide, operate and secure the service; to authenticate users and prevent abuse (such as rate-limiting login attempts); to process subscriptions and send service communications; to enable features the Customer chooses to use (invoices, receipts, reminders, safety alerts, payments); to provide support; and to comply with legal obligations. We process data on the basis of consent and/or where necessary for the service or required by law, as recognised under the DPDP Act.

4. Children's and minors' data

Where Resident Data concerns a person under 18, the Customer must obtain verifiable consent from a parent or legal guardian before collecting the minor's data. Hostora provides guardian-KYC and consent features to support this; using them lawfully is the Customer's responsibility. We do not undertake any tracking, behavioural monitoring or targeted advertising directed at children, consistent with the DPDP Act. Guardian contact details are used only for legitimate purposes such as alerts, in-time notifications and emergencies.

5. Sensitive identifiers (Aadhaar / PAN)

Government ID numbers are encrypted at rest using AES-256-GCM field-level encryption and transmitted only over HTTPS/TLS. Access is restricted by role-based access control to authorised users of the relevant property. Aadhaar is handled only for the Customer's stated identity-verification purpose, and Customers must follow applicable Aadhaar/UIDAI usage rules.

6. Who we share data with

We share data only as needed to run the service: hosting and database providers; payment providers (where a Customer enables online payments, the Customer's chosen gateway and UPI rails, run under the Customer's own merchant account); messaging providers (WhatsApp Business and DLT-registered SMS, where enabled); and authorities where required by law. We do not sell or rent personal data.

7. Data location and transfers

Hostora may store and process data on infrastructure located outside India. Such transfers are made consistent with the DPDP Act (which permits transfer except to countries restricted by the Government of India), with safeguards including encryption in transit and at rest.

8. Retention

Customer/account data is retained while the account is active and for a reasonable period afterwards for legal, accounting and dispute-resolution needs. Resident Data is retained for as long as the Customer maintains it. When a Customer deletes data or closes their account, we delete or de-identify the associated data within a reasonable period, except where retention is required by law.

9. Security

We use industry-standard safeguards including encryption in transit (HTTPS) and at rest for sensitive identifiers, salted password hashing, role-based access control, signed session cookies, login/sign-up rate limiting, and a Content-Security-Policy with other security headers. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents. In the event of a personal-data breach, we will notify the Data Protection Board and affected persons as required by the DPDP Act.

10. Your rights (Data Principal rights)

Subject to applicable law, you may access a summary of your personal data; correct, complete or update it; erase it where no longer needed; nominate another person to exercise your rights; seek grievance redressal (below) and approach the Data Protection Board of India; and withdraw consent at any time (without affecting prior lawful processing). Residents/guardians should route requests through the property that manages them; we will assist them in fulfilling lawful requests.

11. Cookies

We use a single essential, signed, httpOnly cookie to keep you logged in. We do not use advertising or cross-site tracking cookies.

12. Grievance Officer

In accordance with the DPDP Act and the Information Technology Act, 2000:

  • Grievance Officer: [GRIEVANCE OFFICER NAME]
  • Email: prodm.itsolutions@gmail.com
  • Phone: [GRIEVANCE PHONE]
  • Address: [REGISTERED ADDRESS]

We aim to acknowledge grievances within 48 hours and resolve them within the timelines prescribed by law.

13. Changes

We may update this Policy from time to time. Material changes will be notified in-app or by email.

14. Contact

PRODM IT SOLUTIONS, [REGISTERED ADDRESS]. General: prodm.itsolutions@gmail.com · Privacy: prodm.itsolutions@gmail.com · Web: https://stayops.prodmtech.in

This document is a draft and does not constitute legal advice. Have it reviewed by a qualified lawyer before relying on it.

Last updated: 21 June 2026