Privacy Policy

HomesDeck, operated by Krys Con Projects Pvt. Ltd. (“we”, “our”, or “us”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy complies with the Indian Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable data protection laws.

Account Information: When you register, we collect your email address, display name, and encrypted password credentials (managed by AWS Cognito).

Household Data: We store data you enter into the Service, including household names, tasks, calendar events, grocery lists, bills, assets, and contacts.

Vault Data: Vault items (passwords, PINs, notes) are encrypted end-to-end using AES-256-GCM before storage. We cannot read your vault contents.

Usage Data: We may collect logs of API requests, error reports, and performance metrics to operate and improve the Service. This data does not include the contents of your household data.

Payment Information: We do not store payment card details. All payment processing is handled by Stripe (for international payments) and Razorpay (for Indian payments). We receive only transaction confirmation and subscription status from these processors.

We use your information to:

• Create and manage your account and household.
• Provide, maintain, and improve the Service.
• Process subscription payments and manage billing.
• Send transactional emails (account verification, password reset, bill reminders, invite notifications).
• Respond to your support requests.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data for advertising.

Your data is stored on AWS infrastructure in the Asia Pacific (Mumbai) region (ap-south-1). We implement industry-standard security measures including:

• AES-256-GCM encryption for all vault data at rest.
• TLS encryption for all data in transit.
• AWS Cognito for secure authentication with JWT tokens.
• Access controls limiting who can access production data.
• Regular security reviews of our infrastructure.

While we take these precautions, no security system is impenetrable. We encourage you to use a strong, unique password and enable multi-factor authentication where available.

We share your data only in the following circumstances:

• With household members: Data you add to a household is visible to other members of that household according to their assigned role.
• Service providers: AWS (cloud infrastructure), Stripe and Razorpay (payments), and AWS SES (email delivery). These providers are contractually obligated to protect your data.
• Legal requirements: If required by law, court order, or government authority.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.

Under the Digital Personal Data Protection Act, 2023, you have the following rights:

• Right to Access: You can request a copy of the personal data we hold about you.
• Right to Correction: You can request correction of inaccurate or incomplete personal data.
• Right to Erasure: You can request deletion of your personal data. We will comply within 30 days, subject to legal retention obligations.
• Right to Grievance Redressal: You can contact our Data Protection Officer to raise concerns.
• Right to Nomination: You may nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise these rights, contact us at [email protected].

We retain your personal data for as long as your account is active, or as needed to provide the Service. Upon account deletion:

• Your account and profile data will be deleted within 30 days.
• Household data will be deleted within 30 days, unless other members have not yet transferred ownership.
• Payment records may be retained for up to 7 years to comply with Indian tax law.
• Anonymized usage logs may be retained for analytical purposes.

We use a minimal number of cookies strictly necessary to operate the Service:

• access_token: Stores your authentication token. Session-based, deleted when you sign out.

We do not use advertising or tracking cookies. We do not use third-party analytics cookies.

The Service is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected such data, please contact us immediately.

We may update this Privacy Policy periodically. We will notify you of material changes by updating the “Last updated” date and, where required, by email. Your continued use of the Service after changes are effective constitutes acceptance of the revised policy.

For privacy-related concerns, to exercise your rights, or to contact our Data Protection Officer as required under the DPDP Act:

Email: [email protected]
Response time: Within 72 hours for general inquiries; within 30 days for formal data requests.