Privacy Policy
PEGS Standards & Systems Private Limited (“PEGS”, “we”, “us”, “our”) operates the websites at www.pegs.org.in and www.myestatez.com and related digital services (the “Services”). This Privacy Policy explains how we collect, use, share, retain, secure, and disclose personal data, and the rights available to you.
This Policy also serves as PEGS's notice to Data Principals under the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (the “DPDP Rules”).
Introduction
We collect and process personal data to deliver, secure, and improve our Services, to fulfil legal obligations, and to communicate with you. We design our practices to comply with applicable Indian data protection law and to apply reasonable safeguards to the personal data entrusted to us.
DPDP notice summary
The personal data we process, the purposes of processing, and the Services enabled by such processing are described in sections 03 and 04. You may withdraw consent, exercise your rights, raise a grievance, or file a complaint with the Data Protection Board of India using the methods described in sections 12 and 15.
Who We Are
PEGS Standards & Systems Private Limited is a company incorporated under the laws of India, with its registered office at 10th Floor, Building 4, North Wing, NESCO IT Park, Western Express Highway, Goregaon East, Mumbai – 400063, Maharashtra, Bharat (India).
For the purposes of the DPDP Act, PEGS is the Data Fiduciary in respect of personal data processed through the Services.
Data We Collect
We collect and process only personal data that is necessary for specified purposes connected with the Services.
Account and identity data
- Name
- Email address
- Mobile number
- Account registration details
- Organisation details, where you use the Services on behalf of an entity
Service and property data
- Property or asset information submitted by you
- ESG, verification, certification, or service-request information submitted through PEGS platforms
- Support requests, feedback, and communications sent to PEGS
Authentication and security data
- One-time passwords (OTPs), verification codes, and authentication status
- Login timestamps
- Device identifiers, IP address, browser type, operating system, and security logs
Usage and preference data
- App and website interaction data
- Cookie preferences
- Communication preferences
- Consent and withdrawal records
Payment and billing data
- Invoice reference, transaction reference, payment status, and billing details
- PEGS does not store sensitive card credentials. Payments are processed by authorised payment service providers.
How We Use Your Data
We use personal data for the following specific purposes:
- Account creation, login, identity verification, and user authentication
- Providing the Services, including My Estatez, PEGS websites, APIs, dashboards, ESG services, verification workflows, and related service features
- Sending OTPs, service alerts, security notices, invoices, receipts, policy updates, and other transactional communications
- Processing payments, billing, refunds, and accounting records
- Responding to support requests, grievances, and user-rights requests
- Securing our systems, preventing fraud, detecting misuse, maintaining logs, and responding to incidents
- Improving Service reliability, functionality, and user experience
- Complying with legal, regulatory, tax, accounting, cybersecurity, and law-enforcement obligations
- Sending marketing or promotional communications only where you have explicitly opted in
We do not use OTPs or authentication data for marketing purposes.
Lawful Basis for Processing
Where Indian data protection law applies, PEGS processes personal data on the basis of consent, deemed consent or legitimate uses recognised under applicable law, contractual necessity, compliance with law, and security or fraud-prevention requirements.
Where consent is required:
- consent is requested for specific purposes;
- consent is obtained through clear affirmative action;
- consent can be withdrawn using the methods described in this Policy; and
- withdrawal of consent is made available with ease comparable to the method by which consent was given.
Withdrawal of consent will not affect processing already completed before withdrawal. It may affect PEGS's ability to provide Services that depend on the relevant personal data.
Communications
We send service and security communications, including OTPs, account alerts, invoices, receipts, policy updates, and notices necessary for the Services.
Commercial or promotional communications, if any, will be sent only after explicit opt-in and in accordance with applicable telecom, consumer, and data-protection requirements. You may opt out of optional communications through account settings, unsubscribe links, approved telecom consent/revocation mechanisms, or by contacting PEGS.
Data Sharing
We do not sell personal data.
We may share limited personal data with:
- hosting, authentication, analytics, payment, billing, communication, customer-support, and security service providers;
- professional advisors, auditors, and compliance service providers;
- regulators, law-enforcement authorities, courts, or government bodies where required by law;
- business partners or institutional clients only where necessary to provide a requested Service or complete a user-authorised workflow.
All sharing is limited to what is necessary for the relevant purpose. Where a third party processes personal data on PEGS's behalf, PEGS requires appropriate contractual, confidentiality, and security obligations.
Cross-Border Data Transfers
Some service providers may process or access personal data outside India. Where this occurs, PEGS applies appropriate contractual, technical, and organisational safeguards and complies with applicable Indian data-transfer requirements.
PEGS will not make personal data available to a foreign State, or to any person or entity under the control of or any agency of a foreign State, except in accordance with requirements that may be specified by the Central Government under applicable law.
If PEGS is designated as a Significant Data Fiduciary or if a category of personal data becomes subject to localisation or transfer restrictions, PEGS will update this Policy and its operational practices accordingly.
Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy, including service delivery, security, accounting, tax, legal, regulatory, audit, dispute-resolution, and fraud-prevention purposes.
Security logs, access logs, and records needed to detect, investigate, and remediate unauthorised access or personal-data breaches may be retained for at least one year, unless a longer period is required by applicable law.
Where a user account or specific purpose is no longer active, PEGS will delete, anonymise, or archive personal data in accordance with applicable retention requirements. Where applicable law requires prior notice before erasure, PEGS will provide such notice through the registered account or contact method.
Data Security
PEGS implements reasonable technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, loss, or misuse. These measures may include, as appropriate:
- encryption, masking, tokenisation, or other protective controls;
- access controls and role-based permissions;
- logging, monitoring, review, and incident detection;
- backups and continuity controls;
- confidentiality obligations for personnel and processors;
- security provisions in processor and service-provider contracts; and
- incident-response procedures for containment, investigation, reporting, and remediation.
If PEGS becomes aware of a personal-data breach, PEGS will notify affected users without delay through their registered account or communication channel, and will notify the Data Protection Board of India and other authorities as required by applicable law.
Your Rights
Depending on applicable law, you may have the right to:
- access information about your personal data;
- request correction of inaccurate or incomplete personal data;
- request updating of personal data;
- request erasure of personal data where permitted by law;
- withdraw consent for processing based on consent;
- nominate another individual to exercise your data rights in accordance with applicable law;
- raise a grievance with PEGS; and
- file a complaint with the Data Protection Board of India where permitted by law.
To exercise these rights, contact PEGS using the details in section 15 or use any rights-management tools made available in the app or website. PEGS may request reasonable identifiers, such as your registered email address, mobile number, account ID, transaction ID, or other information needed to verify your identity and process the request.
Children's Privacy
The Services are not intended for individuals under 18 years of age. PEGS does not knowingly collect or process personal data from children.
If PEGS introduces any Service that involves processing personal data of a child, PEGS will obtain verifiable consent from the parent or lawful guardian before such processing, unless an exemption applies under applicable law. PEGS will not undertake tracking, behavioural monitoring, or targeted advertising directed at children where prohibited by law.
If you believe a child has provided personal data to PEGS, please contact us using the details in section 15.
Updates to This Policy
We may update this Policy from time to time. Material changes will be notified through the Services, by email, or by other reasonable means. The version, last-updated date, and effective date appear at the top of this Policy. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated Policy to the extent permitted by applicable law.
Contact and Grievance Redressal
For privacy questions, rights requests, withdrawal of consent, or grievances, contact:
PEGS Standards & Systems Private Limited
10th Floor, Building 4, North Wing, NESCO IT Park, Western Express Highway, Goregaon East, Mumbai – 400063, Maharashtra, Bharat (India)
Privacy: privacy@pegs.org.in
Grievance Officer: grievance@pegs.org.in
The name and contact details of the designated Grievance Officer are published in the Grievance Redressal Policy.
PEGS will acknowledge and respond to privacy grievances within the period required by applicable law, and in any case within a reasonable period not exceeding ninety days where the DPDP Rules apply.
If you are not satisfied with PEGS's response, you may have the right to file a complaint with the Data Protection Board of India through the official digital mechanism made available by the Board.
Key References
- Digital Personal Data Protection Act, 2023
- Digital Personal Data Protection Rules, 2025
- CERT-In Directions dated 28 April 2022
- Consumer Protection Act, 2019
- Information Technology Act, 2000, and rules made thereunder
This document was last updated on 17 May 2026 and supersedes all previous versions. PEGS reserves the right to amend it at any time. Continued use of PEGS platforms following any amendment constitutes acceptance of the updated document, subject to applicable law.