When you use Orbit Living, you trust us with information about you, your home, and the people you let into your community. That is a serious responsibility, and we take it seriously. Orbit Living was built on a simple principle: your data should serve you, never be sold around you. We do not sell, rent, or trade your personal information to advertisers, data brokers, or marketing networks. Everything we collect, we collect for the purpose of running your society better. This Privacy Policy explains, in detail, what information we collect, why we collect it, how it is protected, and what control you have over it. It is written in formal legal language because it is a legal document. If you would like a plain-English summary, please visit orbitliving.co/privacy-summary.

1. About This Policy

This Privacy Policy describes how Beeyond Tech, a sole proprietorship having its registered office at Unit No. 108 & 108A&B, 1st Floor, Sona Udyog Industrial Estate, Parsi Panchayat Road, Andheri East, Mumbai 400069, India (referred to in this Policy as "Beeyond Tech", "we", "us", or "our"), collects, uses, stores, shares, and protects personal data in connection with the operation of the Orbit Living platform (the "Platform"), which is accessible through the website orbitliving.co and associated mobile applications.

This Privacy Policy is published in accordance with the provisions of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other applicable laws of India.

By accessing or using the Platform, you acknowledge that you have read, understood, and agreed to be bound by the terms of this Privacy Policy. If you do not agree with any provision of this Privacy Policy, you must not access or use the Platform.

This Privacy Policy applies to all Personal Data collected, received, stored, or processed by Beeyond Tech in connection with the Platform, regardless of the medium through which such Personal Data is collected or processed.

The Platform is intended exclusively for use within the territorial jurisdiction of India and is not directed at or available to individuals outside India. Beeyond Tech does not knowingly process Personal Data of individuals located outside India and reserves the right to refuse service to any User accessing the Platform from outside India.

Key Terms Used in This Policy

• "Data Fiduciary" shall have the meaning ascribed to it under the DPDP Act and refers to any person who, alone or in conjunction with other persons, determines the purpose and means of processing Personal Data.

• "Data Principal" shall have the meaning ascribed to it under the DPDP Act and refers to the individual to whom the Personal Data relates.

• "Data Processor" shall have the meaning ascribed to it under the DPDP Act and refers to any person who processes Personal Data on behalf of a Data Fiduciary.

• "Personal Data" means any data about an individual who is identifiable by or in relation to such data, and includes such other categories of data as may be classified as "personal data" or "sensitive personal data or information" under applicable law.

• "Platform" means the Orbit Living software-as-a-service platform, including the Orbit HQ console, the Resident Welfare Association ("RWA") Dashboard, the Resident Application, the Guard Application, and any associated services, websites, mobile applications, application programming interfaces, and features made available by Beeyond Tech.

• "Resident Welfare Association" or "RWA" means a housing society, cooperative housing society, apartment owners' association, or similar body that subscribes to the Platform for the management of a residential community.

• "Resident" means a flat owner, tenant, or other lawful occupant of a residential unit within a society that uses the Platform.

• "User" means any natural person who accesses or uses the Platform in any capacity, including RWA Administrators, Residents, Security Guards, and Beeyond Tech personnel.

  
  

2. Who We Are and Our Role Under the Law

The Platform operates in a multi-tenant configuration involving multiple categories of Users with distinct relationships to Beeyond Tech. The role of Beeyond Tech under the DPDP Act varies depending on the category of Personal Data being processed.

2.1 When We Are the Data Fiduciary

Beeyond Tech acts as a Data Fiduciary in respect of:

• Personal Data of RWAs and their designated administrators collected at the time of subscription, account creation, and ongoing account management;

• Billing, payment, and financial transaction records relating to the subscription;

• Communications between Beeyond Tech and the User, including support tickets, grievance complaints, and marketing communications where consent has been obtained;

• Usage data, technical data, and analytics data generated through the operation of the Platform;

• Personal Data collected directly from Users for the purpose of operating, securing, and improving the Platform.

  
  

2.2 When We Are the Data Processor

Beeyond Tech acts as a Data Processor in respect of Personal Data of Residents, Security Guards, Society Staff, visitors, family members, and other individuals whose data is entered into the Platform by or on behalf of the RWA. In such cases, the RWA acts as the Data Fiduciary and Beeyond Tech processes such Personal Data solely in accordance with the instructions of the RWA and the terms of the Data Processing Agreement executed between Beeyond Tech and the RWA.

The RWA is solely responsible for ensuring the lawful basis of collection, the validity of consent, and the accuracy of Personal Data uploaded by it or its authorised personnel to the Platform.

3. The Information We Collect

The categories of Personal Data collected by Beeyond Tech vary by User category and the manner in which the Platform is used. The principal categories of Personal Data collected are set out below.

3.1 Information We Collect from RWA Administrators

When an RWA subscribes to the Platform, we collect the following information from its authorised administrator(s):

• Full name, designation within the RWA, and contact details (mobile number, email address);

• Society name, society registration number, complete society address, and total number of flats;

• Identification and authorisation documents, including the society registration certificate and an authorisation letter or board resolution evidencing the administrator's authority to act on behalf of the RWA;

• Payment and billing information processed through third-party payment processors;

• Account credentials, including username, password in hashed form, and authentication tokens.

  
  

3.2 Information We Collect from Residents

Resident accounts may be created either by self-registration following society verification or by the RWA Administrator on the Resident's behalf. The following Personal Data may be collected:

• Full name, mobile number, email address;

• Flat number, building, and society identifier;

• Ownership or tenancy status;

• Optional information including profile photograph, family member details, vehicle details (including registration number, make, and model), and emergency contact information;

• Visitor approvals and entry authorisations issued by the Resident;

• Payment and transaction records relating to maintenance fees and other society dues;

• Communications and complaints raised through the Platform.

  
  

3.3 Information We Collect from Security Guards and Society Staff

Guard and society staff accounts are created and managed exclusively by the RWA Administrator. The Personal Data collected includes:

• Full name, mobile number, photograph;

• Shift schedule and assigned posts;

• Records of activities performed on the Platform, including visitor check-ins, check-outs, and incident reports

  
  

3.4 Information We Collect About Visitors

In the course of operating the visitor management functionality, the Platform may capture Personal Data of visitors to the society, including:

• Visitor name, mobile number, photograph, and purpose of visit;

• Vehicle registration number, where applicable;

• Time of entry and exit;

• Identity of the Resident being visited.

  
  

Such Personal Data is collected by or on behalf of the RWA, which is responsible for ensuring an appropriate legal basis for such collection, including obtaining notice and consent from the visitor where required.

3.5 Technical Information We Collect Automatically

In the course of operating the Platform, we automatically collect certain technical and usage information, including:

• Device identifiers, operating system, browser type, and version;

• Internet Protocol address, approximate location derived from the IP address;

• Log data including access times, pages or screens viewed, and actions taken;

• Crash reports and diagnostic information.

  
  

4. Why We Collect Your Information

Beeyond Tech processes Personal Data for the following purposes:

• To provide, operate, maintain, and improve the Platform and its features;

• To verify the identity of Users and authenticate access to the Platform;

• To process subscription payments and maintain billing records;

• To enable communication between Users in their respective capacities as RWA Administrators, Residents, and Guards;

• To facilitate visitor management, maintenance fee collection, complaint resolution, and other society management functions;

• To respond to support requests, grievances, and other communications from Users;

• To send transactional communications relating to the Platform, including service notices, security alerts, and billing notifications;

• To comply with applicable legal, regulatory, accounting, and reporting obligations;

• To detect, prevent, and respond to fraud, security incidents, and violations of our terms of use;

• To enforce our agreements and protect the rights, property, and safety of Beeyond Tech, our Users, and the public;

• To conduct internal research, analytics, and product development, using aggregated and anonymised data.

  
  

5. The Legal Basis for Using Your Information

Beeyond Tech processes Personal Data only on the basis of one or more of the following lawful grounds, in accordance with the DPDP Act and applicable law:

• The consent of the Data Principal, obtained through clear, informed, specific, and affirmative action;

• Performance of a contract to which the Data Principal is a party, or in order to take steps at the request of the Data Principal prior to entering into a contract;

• Compliance with a legal obligation to which Beeyond Tech is subject;

• Protection of the vital interests of the Data Principal or of another natural person;

• Legitimate uses as may be permitted under applicable law, including the prevention and detection of fraud, network and information security, and the establishment, exercise, or defence of legal claims.

  
  

6. Consent and How to Withdraw It

Where processing is based on consent, Beeyond Tech shall obtain the consent of the Data Principal in a manner that is free, specific, informed, unconditional, and unambiguous, with clear affirmative action. The consent notice shall, in plain language, inform the Data Principal of the Personal Data being collected, the purpose for which it is being processed, and the manner in which the Data Principal may exercise their rights under the DPDP Act.

A Data Principal has the right to withdraw their consent at any time, with the same ease with which it was given. The withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal. Upon withdrawal of consent, Beeyond Tech shall cease processing the relevant Personal Data within a reasonable period, unless such processing is required or authorised under the DPDP Act or other applicable law.

Consent may be withdrawn by contacting our Grievance Officer at the email address set out in Clause 13 of this Privacy Policy.

7. How We Share Your Information

7.1 Who Receives Your Information

Beeyond Tech shares Personal Data only with the following categories of recipients, and only to the extent necessary for the purposes set out in this Privacy Policy:

• Payment processors and financial service providers engaged for processing subscription payments and transactions;

• Communication service providers engaged for the delivery of transactional short message service (SMS), email, and push notifications;

• Cloud hosting, infrastructure, and storage providers engaged as data processors under contract;

• Customer support and helpdesk service providers, where applicable;

• Government authorities, regulators, courts, and law enforcement agencies, where disclosure is required by law or pursuant to a valid legal process;

• Professional advisors, including legal, tax, and accounting advisors, bound by obligations of confidentiality;

• Successors-in-interest in the event of a merger, acquisition, reorganisation, or sale of business assets, subject to the recipient agreeing to honour the terms of this Privacy Policy.

  
  

7.2 We Do Not Sell Your Information

Beeyond Tech does not sell, rent, lease, or trade Personal Data to any third party for monetary or other consideration. Beeyond Tech does not share individually identifying information, contact details, or personal attributes of Users with advertisers, marketing networks, data brokers, other RWAs, or affiliates without separate and specific consent of the Data Principal.

7.3 Use of Anonymised and Aggregated Data

Beeyond Tech may use aggregated and anonymised data, from which all individual and society identifiers have been removed in a manner that does not permit re-identification, for the purposes of product improvement, industry benchmarks, research, marketing materials, and publication of industry insights. Such anonymised data is not Personal Data within the meaning of the DPDP Act.

7.4 In-Platform Communications and Content

Beeyond Tech may, from time to time, display relevant communications, offers, notices, or third-party content within the Platform based on general User attributes such as location, society type, or User category. Any such matching of content to Users shall occur within Beeyond Tech's own infrastructure, and Personal Data of Users shall not be transferred to the parties whose content is displayed. Users shall be entitled to opt out of receiving non-essential communications without losing access to the core functionality of the Platform.

7.5 Where Your Information Is Stored

All Personal Data of Users is stored and processed within India, on cloud infrastructure provided by Amazon Web Services in its Mumbai region. Static frontend assets, which do not contain any Personal Data, may be served via global content delivery networks, including Vercel. Beeyond Tech shall not transfer Personal Data outside India except in compliance with the DPDP Act and any rules, notifications, or directions issued thereunder.

8. How Long We Keep Your Information

Beeyond Tech retains Personal Data only for so long as is necessary for the purposes for which it was collected, or as required under applicable law. The principal retention periods are as follows:

• Active account data: Retained for the duration of the subscription or active use of the Platform.

• Data following account deletion or termination: Retained for a grace period of ninety (90) days from the date of deletion or termination to enable reactivation, following which Personal Data shall be permanently deleted or anonymised, save and except as set out below.

• Financial transaction records: Retained for a period of seven (7) years from the date of the transaction, in compliance with the Income-tax Act, 1961, and other applicable financial and tax legislation.

• Visitor entry and exit logs: Retained for a period of one hundred and eighty (180) days from the date of creation, after which such logs shall be permanently deleted or anonymised.

• Audit logs and security event records: Retained for a period of one hundred and eighty (180) days, or such longer period as may be required under the Information Technology Act, 2000, the directions issued by the Indian Computer Emergency Response Team (CERT-In), or other applicable law.

• Anonymised and aggregated data: May be retained indefinitely, as such data does not constitute Personal Data.

Where Personal Data is required to be retained for the establishment, exercise, or defence of legal claims, or for compliance with a legal obligation, Beeyond Tech shall retain such Personal Data for such longer period as may be necessary.

9. Your Rights and How to Exercise Them

Subject to the provisions of the DPDP Act, every Data Principal has the following rights in respect of their Personal Data:

9.1 Right to Access

The right to obtain a summary of the Personal Data being processed by Beeyond Tech, the processing activities undertaken in respect of such Personal Data, and the identities of all Data Fiduciaries and Data Processors with whom Personal Data has been shared, along with a description of the Personal Data so shared.

9.2 Right to Correction, Completion, and Updation

The right to require Beeyond Tech to correct inaccurate or misleading Personal Data, complete incomplete Personal Data, and update outdated Personal Data, in accordance with applicable law.

9.3 Right to Erasure

The right to require the erasure of Personal Data, except where retention is necessary for the purposes for which the Personal Data was collected or for compliance with any law for the time being in force.

9.4 Right of Grievance Redressal

The right to a readily available means of grievance redressal in respect of any act or omission of Beeyond Tech regarding the performance of its obligations under the DPDP Act.

9.5 Right to Nominate

The right to nominate another individual to exercise the rights of the Data Principal under the DPDP Act in the event of the death or incapacity of the Data Principal.

9.6 How to Exercise Your Rights

A Data Principal may exercise any of the rights set out in this Clause 9 by submitting a written request to the Grievance Officer at the email address set out in Clause 13. Beeyond Tech shall respond to such request within the timelines prescribed under the DPDP Act.

9.7 Specific Modalities for Different User Categories

The following modalities apply to the exercise of rights by Users in their respective capacities:

• Primary Account Holder (RWA Administrator): May access and modify account information through the RWA Dashboard at any time. Self-deletion of the primary account is not permitted on account of society record continuity requirements; account closure shall be effected by Beeyond Tech upon receipt of a verified written request from the RWA, subject to retention obligations and settlement of outstanding payments.

• Residents: May access and modify their information through the Resident Application. Requests for erasure may be submitted through the RWA Administrator or directly to the Grievance Officer. The RWA Administrator may deactivate Resident accounts in connection with society management activities, including upon the sale of a flat or the termination of a tenancy.

• Security Guards and Society Staff: Such Users may access and request correction of their Personal Data by contacting the RWA Administrator or the Grievance Officer. Self-registration and self-deletion of such accounts is not enabled; such accounts are created, managed, and deactivated exclusively by the RWA Administrator.

  
  

10. How We Protect Your Information

Beeyond Tech has implemented reasonable and appropriate technical, physical, and organisational security measures designed to protect Personal Data against unauthorised access, accidental or unlawful destruction, loss, alteration, disclosure, or use. These measures include:

• Encryption of Personal Data in transit using Transport Layer Security (TLS) and at rest using industry-standard encryption algorithms;

• Role-based access control implementing the principle of least privilege;

• Logical segregation and multi-tenant isolation of data between different RWAs;

• Secure password hashing using industry-standard cryptographic functions;

• Comprehensive audit logging of administrative and privileged actions;

• Regular patching of software and operating systems, vulnerability management, and periodic security testing including vulnerability assessment and penetration testing;

• Periodic backup of data and a documented disaster recovery process;

• Non-disclosure obligations imposed on personnel and contractors who have access to Personal Data;

• A documented incident response and breach notification process.

Notwithstanding the foregoing, no method of transmission over the internet or method of electronic storage is fully secure. While Beeyond Tech endeavours to use commercially reasonable means to protect Personal Data, it does not guarantee absolute security.

11. What Happens in Case of a Data Breach

In the event of a personal data breach within the meaning of the DPDP Act, Beeyond Tech shall:

• Notify the Data Protection Board of India within the timelines and in the manner prescribed under the DPDP Act and the rules made thereunder;

• Notify each affected Data Principal as soon as reasonably practicable, in the manner prescribed under applicable law;

• Report the incident to the Indian Computer Emergency Response Team (CERT-In) within the timelines prescribed under the directions issued by CERT-In dated 28 April 2022 or such other directions as may be in force from time to time;

• Take all reasonable steps to mitigate the consequences of the breach and prevent recurrence.

  
  

12. Information About Children and Persons with Disability

The Platform is not intended for use by individuals below the age of eighteen (18) years. Where Personal Data of an individual below the age of eighteen years is processed by or through the Platform on the basis of information submitted by a Resident (for example, family member details), the Resident represents and warrants that they have obtained verifiable consent from the parent or lawful guardian of such individual.

Beeyond Tech shall not undertake any processing of Personal Data of children that is likely to cause any detrimental effect on the well-being of the child. Beeyond Tech shall not undertake tracking, behavioural monitoring, or targeted communications directed at children.

In respect of Personal Data of persons with disability, where consent is given by a lawful guardian, Beeyond Tech shall comply with the requirements of the DPDP Act and the rules made thereunder.

13. Grievance Officer and How to Reach Us

In accordance with the DPDP Act, the Information Technology Act, 2000, and the rules made thereunder, Beeyond Tech has designated a Grievance Officer to address queries, requests, and grievances of Data Principals in relation to the processing of their Personal Data.

Any Data Principal seeking to exercise their rights, withdraw consent, or raise a grievance may contact the Grievance Officer using the following details:

Grievance Officer, Beeyond Tech

Email: info@orbitliving.co

Address: Unit No. 108 & 108A&B, 1st Floor, Sona Udyog Industrial Estate, Parsi Panchayat Road, Andheri East, Mumbai 400069, India.

Beeyond Tech shall acknowledge receipt of each grievance within forty-eight (48) hours of receipt and shall endeavour to resolve such grievance within thirty (30) days, or such other period as may be prescribed under applicable law.

If a Data Principal is dissatisfied with the response of the Grievance Officer, they may approach the Data Protection Board of India in the manner prescribed under the DPDP Act.

14. Third-Party Links and Integrations

The Platform may contain links to, or integrate with, third-party websites, applications, government portals (including those operated by the Bharat Bill Payment System and municipal authorities), payment gateways, identity verification providers, and other third-party services. Such third-party services are not controlled by Beeyond Tech and are governed by their own terms of use and privacy policies. Beeyond Tech does not assume responsibility for the content, security, or privacy practices of any third-party service. Users are advised to review the privacy policies of such third-party services before providing any Personal Data to them.

15. Cookies and Similar Technologies

The web-based components of the Platform, including the Orbit HQ console and the RWA Dashboard, use cookies and similar tracking technologies for purposes including session management, authentication, security, and analytics. The mobile applications use standard software development kit identifiers for the purpose of delivering push notifications and capturing crash and diagnostic data. The use of cookies and similar technologies is governed by our separate Cookie Policy, which forms an integral part of this Privacy Policy.

16. Changes to This Policy

Beeyond Tech reserves the right to amend, modify, or update this Privacy Policy from time to time to reflect changes in its practices, applicable law, or the features of the Platform. Any material change to this Privacy Policy shall be communicated to Users through an in-Platform notice, email to the registered email address, or such other means as Beeyond Tech may consider appropriate, at least thirty (30) days prior to the change taking effect, unless the change is required to be implemented sooner under applicable law.

Continued use of the Platform after the effective date of any amendment to this Privacy Policy shall constitute acceptance of such amendment. The date of last revision is set out at the beginning of this Privacy Policy.

17. Governing Law and Jurisdiction

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Subject to any mandatory provision of applicable law, the courts at Mumbai, India shall have exclusive jurisdiction in respect of any dispute, controversy, or claim arising out of or in connection with this Privacy Policy.

18. How to Contact Us

Should you have any questions, comments, or concerns regarding this Privacy Policy or our data protection practices, you may contact us at:

Beeyond Tech

Attention: Grievance Officer

Unit No. 108 & 108A&B, 1st Floor,

Sona Udyog Industrial Estate,

Parsi Panchayat Road,

Andheri East, Mumbai 400069, India.