Privacy Policy

1. Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them below:

• — "Personal Data" means any information that relates to a natural person, which either directly or indirectly, in combination with other information available or likely to be available to the Company, is capable of identifying such person, as defined under the Digital Personal Data Protection Act, 2023 ("DPDPA") and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").
• — "Sensitive Personal Data or Information (SPDI)" means Personal Data consisting of information relating to passwords; financial information such as bank accounts, credit/debit card details; physical, physiological and mental health condition; sexual orientation; medical records and history; biometric information; and any other information collected, received, or stored in connection with the above, as specified under the SPDI Rules.
• — "Data Principal" means the natural person to whom the Personal Data relates.
• — "Data Fiduciary" means FastClick Digital LLP, which determines the purpose and means of processing Personal Data.
• — "Data Processor" means any person or entity who processes Personal Data on behalf of the Company, pursuant to a written contract.
• — "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
• — "Consent" means a freely given, specific, informed, and unambiguous indication of the Data Principal's wishes, by a clear affirmative act, signifying agreement to the processing of their Personal Data for specified purposes.
• — "Services" means the performance marketing, lead generation, digital advertising, and ancillary services provided by FastClick Digital LLP to its clients.

2. Information We Collect

We collect Personal Data through multiple channels, including information provided directly by you, information collected automatically through your interactions with our digital properties, and information obtained from third-party sources and partners. The categories of Personal Data we collect include, without limitation, the following:

2.1 Information You Provide Directly

• — Full name, title, email address, phone number, mobile number, and company/organisation name when you submit a contact form, lead inquiry, or service request
• — Business details including property type, development project details, budget range, target buyer demographics, and target geographic markets
• — Billing information, bank account details, or credit/debit card information (processed through secure, PCI-DSS compliant third-party payment processors) when you engage our Services
• — Contents of communications transmitted to us via email, WhatsApp, telephone calls, video conferences, or any other communication channel
• — User-generated content, feedback, testimonials, and survey responses
• — Identity documents and KYC information where required for regulatory compliance or contractual purposes

2.2 Information Collected Automatically

When you access or use our website, we automatically collect certain technical and usage information through cookies, web beacons, pixels, and similar technologies:

• — Log Data: Internet Protocol (IP) address, browser type, browser version, operating system, referring and exit URLs, pages viewed, time spent on pages, links clicked, and timestamps of access
• — Device Information: Hardware model, unique device identifiers (UDID, IMEI), advertising identifiers (IDFA, GAID), mobile network carrier, and screen resolution
• — Location Data: Approximate geographic location derived from IP address; precise GPS location only with your explicit prior consent
• — Tracking Technologies: First-party and third-party cookies, session tokens, web beacons, clear GIFs, pixel tags, and local storage objects (collectively, "Tracking Technologies"), as further described in our Cookie Policy
• — Analytics Data: Behavioural and engagement metrics collected via Google Analytics 4, Meta Pixel, LinkedIn Insight Tag, and other third-party analytics platforms
• — Conversion Events: Form submissions, button clicks, page scroll depth, session recordings (where enabled), and funnel progression events

2.3 Information From Third-Party Sources

• — Audience segments, custom audiences, lookalike audience data, and behavioural signals from Meta Platforms, Inc. (Facebook/Instagram) and Google LLC advertising ecosystems
• — CRM data, lead lists, and prospect databases shared by our clients for the purpose of campaign targeting, retargeting, and optimisation, subject to the client's representations and warranties that such sharing is lawful
• — Publicly available corporate and business information from government registries, MCA21 portal, RERA portals, and other public databases
• — Information from data enrichment providers, market intelligence platforms, and licensed data brokers, subject to compliance with applicable law
• — Referral information from business partners, affiliate networks, or channel partners

3. Legal Basis for Processing Personal Data

We process Personal Data only where a valid legal basis exists under applicable law. Our processing activities are premised on one or more of the following legal grounds:

• — Consent (Section 6, DPDPA 2023): Where you have provided free, specific, informed, unconditional, and unambiguous consent to the processing of your Personal Data for a stated purpose. You retain the right to withdraw such consent at any time, without affecting the lawfulness of processing prior to withdrawal.
• — Contractual Necessity: Processing is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into such a contract.
• — Legal Obligation: Processing is necessary for compliance with any legal obligation to which the Company is subject, including obligations under the Information Technology Act, 2000; the Companies Act, 2013; the Goods and Services Tax Act, 2017; or any other applicable statute.
• — Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Principal. Our legitimate interests include fraud prevention, information security, business analytics, product improvement, and direct marketing to existing and prospective business clients.
• — Vital Interests: Processing is necessary to protect the vital interests of the Data Principal or another natural person.
• — Statutory Obligations (Section 7, DPDPA 2023): Certain processing activities are undertaken to comply with obligations under applicable Indian law, including those related to the prevention, detection, or prosecution of offences, or for the enforcement of legal rights or claims.

4. How We Use Your Information

Subject to applicable law and the legal bases identified above, we use the Personal Data we collect for the following specified, explicit, and legitimate purposes:

• — To provide, operate, maintain, and continuously improve our performance marketing and lead generation Services
• — To create, manage, and optimise advertising campaigns across Meta, Google, LinkedIn, programmatic DSPs, and other digital advertising platforms
• — To generate, qualify, route, and deliver real estate buyer leads to our clients in accordance with contracted deliverables
• — To process transactions, generate invoices, collect payments, and send related documentation including receipts and statements of account
• — To authenticate users, manage access credentials, and maintain account security
• — To communicate with you regarding your account, service requests, project updates, campaign performance reports, and operational matters
• — To send promotional communications, newsletters, market intelligence reports, and information about new services, subject to your right to opt out at any time by contacting us or clicking "unsubscribe" in any marketing email
• — To perform statistical analysis, business intelligence, A/B testing, attribution modelling, and performance benchmarking for service improvement
• — To detect, investigate, and prevent fraudulent transactions, click fraud, bot traffic, and other illegal or unauthorised activities
• — To enforce our Terms of Service, Service Agreements, and other contractual arrangements
• — To comply with legal obligations, respond to lawful requests from governmental or regulatory authorities, and cooperate with law enforcement agencies as required under applicable Indian law
• — To conduct due diligence, background verification, and compliance screening of clients, partners, and vendors
• — To aggregate and anonymise data for the creation of non-personally identifiable industry reports, benchmarks, and market insights

5. Disclosure and Sharing of Personal Data

FastClick Digital LLP does not sell, trade, or otherwise transfer Personal Data to third parties for their own independent commercial purposes. We may, however, disclose or share Personal Data in the following circumstances, and only to the extent necessary for the specified purpose:

• — Data Processors and Service Providers: We engage third-party vendors, sub-processors, and service providers to assist in the delivery of our Services, including cloud infrastructure providers (AWS, Google Cloud, Azure), payment processors, CRM platforms, email service providers, analytics vendors, and legal and accounting professionals. All such parties are bound by Data Processing Agreements (DPAs) requiring them to process Personal Data only on our documented instructions and in accordance with applicable law.
• — Advertising Platforms: In connection with campaign execution, certain data (including hashed or anonymised identifiers, pixel event data, and conversion signals) may be transmitted to Meta Platforms, Inc., Google LLC, LinkedIn Corporation, and other advertising platforms. Such transmission is subject to the respective platform's data processing terms and our contractual obligations with clients.
• — Business Clients: Lead data, contact information, and qualified prospect profiles generated through client campaigns are shared with the respective client as an integral deliverable of our contracted Services. Clients assume independent data controller responsibility for such data upon receipt.
• — Legal and Regulatory Compliance: We may disclose Personal Data when required or permitted to do so by applicable law, regulation, court order, governmental directive, or lawful request of a competent authority, including the Ministry of Electronics and Information Technology (MeitY), the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), or other regulatory bodies having jurisdiction.
• — Business Reorganisation: In the event of a merger, acquisition, amalgamation, restructuring, sale of assets, insolvency proceedings, or similar corporate transaction, Personal Data may be transferred to the successor entity, provided that such successor agrees to honour the terms of this Policy or provides notice of any material changes.
• — Protection of Rights: We may disclose Personal Data where we believe, in good faith, that disclosure is necessary to protect the rights, property, or safety of FastClick, our clients, users, or the public; to investigate fraud; or to respond to a government request.
• — Explicit Consent: For any other purpose not described herein, with your prior, explicit, and informed consent.

We require all third parties receiving Personal Data from us to treat such data with the same level of protection as described in this Policy and to use it only for the specified purpose for which it was disclosed.

6. Data Retention and Disposal

We retain Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, regulatory, accounting, audit, or reporting requirements. When determining the appropriate retention period, we consider the nature, volume, and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure, and applicable statutory limitation periods. Our standard retention schedules are as follows:

• — Client and Prospect Contact Data: Retained for the duration of the contractual relationship plus 3 (three) years from the date of termination or expiry of the relevant contract, or for such longer period as may be required by law
• — Campaign Performance and Lead Data: Retained for up to 5 (five) years for the purposes of performance benchmarking, dispute resolution, and regulatory compliance
• — Financial, Billing, and Transaction Records: Retained for a minimum of 7 (seven) years as mandated under the Income Tax Act, 1961; the Goods and Services Tax Act, 2017; and other applicable fiscal legislation
• — Website Analytics and Behavioural Data: Retained for 26 (twenty-six) months from the date of collection, in accordance with Google Analytics default retention settings
• — Legal Correspondence and Regulatory Records: Retained for a minimum of 10 (ten) years or as otherwise mandated by applicable law
• — Consent Records: Retained for the duration of the consent-based processing plus 3 (three) years to demonstrate compliance with consent obligations

Upon expiry of the applicable retention period, Personal Data will be securely deleted, destroyed, or anonymised in a manner that renders it impossible to re-identify the Data Principal, using industry-standard data sanitisation methods including cryptographic erasure, degaussing, or physical destruction as appropriate to the storage medium.

7. Data Security and Technical Safeguards

We implement and maintain comprehensive administrative, technical, organisational, and physical security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access, in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These measures include, without limitation:

• — Transport Layer Security (TLS 1.2 or higher) encryption for all data transmitted over public networks
• — AES-256 encryption at rest for databases and storage systems containing Personal Data or SPDI
• — Multi-factor authentication (MFA) for all systems and platforms hosting Personal Data
• — Role-based access controls (RBAC) and the principle of least privilege to restrict access to Personal Data on a strict need-to-know basis
• — Regular penetration testing, vulnerability assessments, and security audits conducted by qualified information security professionals
• — Comprehensive audit logging and monitoring of all access to, and processing of, Personal Data
• — Data loss prevention (DLP) controls to prevent unauthorised exfiltration of Personal Data
• — Mandatory data protection and security training for all personnel with access to Personal Data
• — Contractual data protection obligations and information security requirements imposed on all third-party Data Processors
• — Business continuity and disaster recovery plans, including regular data backups and tested restoration procedures

Security Breach Notification: In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Principals, we will notify the relevant regulatory authority (including the Data Protection Board of India, upon its constitution under the DPDPA 2023) within the timeframes prescribed by applicable law. Affected Data Principals will be notified without undue delay where the breach is likely to result in high risk to their rights and freedoms, in accordance with Section 8(6) of the DPDPA 2023.

Notwithstanding the foregoing, no method of electronic transmission or storage is absolutely secure. We cannot guarantee the absolute security of Personal Data. You transmit Personal Data to us at your own risk and are responsible for maintaining the confidentiality of any access credentials associated with your accounts or communications with us.

8. Cross-Border Transfer of Personal Data

Given the international nature of our operations and the global footprint of the advertising platforms we utilise, Personal Data may be transferred to, stored in, or processed in countries outside India, including but not limited to the United States of America, the Republic of Ireland, Singapore, and the United Kingdom. Such transfers may involve countries that do not provide the same level of data protection as India.

Where Personal Data is transferred outside India, we ensure that adequate safeguards are in place in accordance with the DPDPA 2023, the SPDI Rules, and any notifications issued by the Central Government regarding permissible cross-border data transfers. Safeguards employed include:

• — Execution of Standard Contractual Clauses (SCCs) or equivalent contractual mechanisms approved by the relevant data protection authority
• — Transfers to entities in countries designated by the Government of India as providing adequate protection for Personal Data
• — Binding Corporate Rules or Intra-Group Data Transfer Agreements where applicable
• — Your explicit consent to the specific transfer, following disclosure of the associated risks

You may obtain further information regarding cross-border transfers and the safeguards in place by contacting our Grievance Officer at the address specified in Section 13 below.

9. Automated Decision-Making and Profiling

In the course of delivering our advertising Services, we and our platform partners (Meta, Google, etc.) utilise automated processing and algorithmic techniques, including machine learning models and propensity scoring, to:

• — Identify and target high-intent real estate buyer audiences based on behavioural, demographic, and interest signals
• — Qualify and score inbound leads based on engagement depth, response behaviour, and stated preferences
• — Optimise campaign bidding, creative delivery, and budget allocation through algorithmic real-time bidding (RTB) systems
• — Generate lookalike audience models based on existing customer data to identify new high-potential prospects

Where such automated processing produces decisions that produce legal or similarly significant effects on natural persons, we will ensure that adequate human oversight mechanisms are in place and that affected individuals are afforded the rights prescribed under applicable data protection law, including the right to seek review of such decisions.

10. Children's Privacy

Our website and Services are directed exclusively at individuals who are 18 years of age or older. We do not knowingly collect, solicit, or process Personal Data from children or minors below the age of 18 years. In accordance with Section 9 of the DPDPA 2023, we shall not undertake any processing of Personal Data of children that is likely to cause detrimental effects on the well-being of a child, or undertake tracking or behavioural monitoring of children, or targeted advertising directed at children.

If we become aware that we have inadvertently collected Personal Data from a minor without verifiable parental or guardian consent, we will take prompt steps to delete such data from our systems. If you believe we have collected Personal Data from a minor, please contact our Grievance Officer immediately.

11. Rights of Data Principals

Subject to the provisions of applicable law, including the DPDPA 2023 and the SPDI Rules, you have the following rights with respect to your Personal Data processed by us:

• — Right to Access and Summary (Section 11, DPDPA 2023): You have the right to obtain from us a summary of the Personal Data we hold about you and the processing activities undertaken in relation to such data, including the identities of all Data Processors to whom your Personal Data has been disclosed.
• — Right to Correction and Erasure (Section 12, DPDPA 2023): You have the right to request correction of inaccurate, incomplete, or misleading Personal Data, and the right to request erasure of Personal Data that is no longer necessary for the purposes for which it was collected or where processing is based on consent that has been withdrawn.
• — Right to Grievance Redressal (Section 13, DPDPA 2023): You have the right to have grievances addressed by the Company's Grievance Officer, and thereafter to appeal to the Data Protection Board of India.
• — Right to Nominate (Section 14, DPDPA 2023): You have the right to nominate another individual to exercise your rights in the event of your death or incapacity.
• — Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time by contacting us. Withdrawal of consent will not affect the lawfulness of processing carried out prior to such withdrawal.
• — Right to Opt-Out of Direct Marketing: You may object at any time to the processing of your Personal Data for direct marketing purposes, including profiling for such purposes. Upon receipt of such an objection, we will cease processing your Personal Data for marketing purposes.
• — Right to Data Portability: Where technically feasible and to the extent required by applicable law, you may request that we provide your Personal Data in a structured, commonly used, machine-readable format.

To exercise any of the foregoing rights, please submit a written request to our Grievance Officer at fastclick001@gmail.com. We will acknowledge receipt of your request within 72 hours and endeavour to respond substantively within 30 (thirty) days, or such other period as may be prescribed by law. We reserve the right to verify your identity before processing any request and to charge a reasonable administrative fee for manifestly unfounded or excessive requests.

12. Third-Party Websites and Integrated Services

Our website may contain hyperlinks to, or integrations with, third-party websites, applications, or services that are operated by entities independent of FastClick Digital LLP. This Policy does not apply to such third-party properties. FastClick Digital LLP is not responsible for, and has no control over, the privacy practices, data handling procedures, terms of service, or content of any third-party website or service.

We strongly encourage you to review the privacy policies and terms of use of any third-party websites you visit or services you use, including but not limited to the advertising platforms whose pixels and tracking technologies may be deployed on our website or our clients' landing pages. The presence of a hyperlink on our website does not constitute an endorsement of the linked website or its content.

13. Amendments to This Policy

We reserve the right to revise, amend, or update this Privacy Policy at any time at our sole discretion, in order to reflect changes in our business practices, applicable law, regulatory guidance, or technological developments. Material changes to this Policy will be notified by posting the revised Policy on this page with an updated "Last updated" date, and, where practicable, by sending direct notice to registered users or clients via email.

Your continued use of our website or Services following the posting of any revisions constitutes your acceptance of the modified Policy. If you do not agree to the revised Policy, you must discontinue use of our website and Services and may exercise your rights as described in Section 11 above. We encourage you to review this Policy periodically.

14. Grievance Redressal & Contact

In accordance with the Information Technology Act, 2000 and Rule 5(9) of the SPDI Rules, the name and contact details of the Grievance Officer are provided below. Any grievances relating to the processing of your Personal Data, alleged violations of this Policy, or any other data protection matter should be addressed to the Grievance Officer:

If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to escalate your complaint to the Data Protection Board of India (once constituted under the DPDPA 2023) or to approach the competent courts in Navi Mumbai, Maharashtra, India, which shall have exclusive jurisdiction over matters arising from this Policy.