Privacy Policy

AVnester is operated by AVNESTER PRIVATE LIMITED, a private limited company incorporated in India, with its registered office at 16/160 Giri Nagar, 1st Street, Kavundampalayam, Coimbatore - 641030, Tamil Nadu, India. This policy explains how we handle personal data on the AVnester website, mobile apps, the public MCP server at mcp.avnester.com, and the ChatGPT Actions integration (together, the "Platform").

For the Digital Personal Data Protection Act, 2023 ("DPDPA") and, where it applies, the EU General Data Protection Regulation ("GDPR"), AVnester is the Data Fiduciary / Controller of the personal data described below.

Account: name, email, phone, role (buyer / seller / agent / builder), city, property preferences. Collected on registration; retained while the account is active and 30 days after a deletion request.

Listings and inquiries: property attributes, photos, RERA numbers where applicable, inquiry messages, and the inquirer's contact details. Listings: active plus 90 days after expiry. Inquiries: 3 years (limitation period under the Indian Contract Act, 1872).

Usage telemetry: pages viewed, searches, device, browser, IP, referrer. 90 days for product analytics; aggregated thereafter.

Session diagnostics: a small percentage of sessions are recorded (clicks, scrolls, masked inputs) by Sentry and PostHog for crash diagnosis and UX research. Form fields, passwords, OTPs, and free-text PII are masked at capture. 30 days.

Voice input (Ava voice assistant): if you choose to speak to the assistant, we capture microphone audio — only after you grant the browser or device microphone permission — and send it for speech-to-text. The resulting transcript is handled like any other assistant message. We log voice-session diagnostics (detected language, provider, confidence, latency, and a short masked transcript snippet) as usage telemetry.

Voice call recording: when you place a voice call with Ava, we record the call — your spoken audio together with Ava's spoken replies — and retain it for up to 90 days, after which it is automatically deleted. We keep it to review conversation quality, investigate problems, and improve the assistant. Stored recordings are encrypted at rest, accessible only to authorised AVnester staff through secure, audit-logged playback (no public links, no downloads), and are never used to train AI models without your separate consent. You can turn voice-call recording off at any time under Settings → Privacy; doing so stops future recording and deletes the call audio already stored for you, usually within 24 hours. Turning it off does not stop you from using Ava by voice or text.

Location: approximate city-level location, only with your explicit consent.

Push tokens: APNs / FCM device tokens, only after you opt in. Deleted when you sign out or revoke notification permission.

Payments: name, billing address, GSTIN if you provide one, and a payment token. Card and UPI numbers are handled by Razorpay and never reach our servers. Invoices: 8 years (GST Act).

Audit logs: access logs, security events, admin actions. 7 years.

Removed or flagged content: 180 days after removal (IT (Intermediary Guidelines) Rules, 2021).

To operate the Platform: account management, listing publication, inquiry routing, search, recommendations, customer support.

To keep the Platform safe: fraud prevention, abuse detection, security investigation, enforcement of our terms.

To meet legal obligations: GST invoicing, RERA-related disclosures, court or regulator orders, IT Act intermediary duties.

To improve the Platform: anonymised analytics, error monitoring, A/B tests on UX changes.

With your separate consent: marketing emails or SMS, location-based suggestions, optional analytics.

We do not sell your personal data. We do not use your personal data to train AI models. Tool calls made by AI clients (Claude, ChatGPT, others) via our public connector are processed to answer the request and are not added to any model-training dataset.

Under the DPDPA we rely on (a) your consent under §6 for processing you have explicitly agreed to — marketing, optional analytics, location, push; and (b) "certain legitimate uses" under §7, specifically: to provide the service you signed up for, to comply with law and court or regulator orders, and to respond to a medical or public-safety emergency.

Where the GDPR applies (EU / EEA / UK users): contract performance (Art. 6(1)(b)), legal obligation (Art. 6(1)(c)), legitimate interests in security and product improvement (Art. 6(1)(f)), and consent for marketing and non-essential cookies (Art. 6(1)(a)).

You may withdraw consent at any time at privacy@avnester.com or in your account settings. Withdrawal does not affect processing already carried out.

Listing owners and agents: when you send an inquiry, your name, contact details, and message are shared with the listing owner so they can respond.

Sub-processors: see the next section. Each is bound by a written data-processing contract limiting use to the purposes we specify.

Law-enforcement and regulators: only on valid legal request (court order, written notice under the IT Act, or DPDPA / sectoral regulator demand).

Successors: in a sale, merger, or restructuring, your data may transfer to the acquirer subject to this policy.

We do not share your personal data with advertisers or data brokers.

Hosting and databases: Amazon Web Services (AWS), Asia Pacific (Mumbai), ap-south-1.

Authentication: Amazon Cognito (ap-south-1).

Email delivery: Resend (US-based; transactional emails only — recipient address and message body).

SMS and OTP: MSG91 (India-based).

Push notifications: Amazon SNS routed to Apple Push Notification service and Firebase Cloud Messaging.

Payments: Razorpay (India-based, RBI-licensed payment aggregator).

Voice (Ava): Sarvam AI (India-based) for speech-to-text and text-to-speech, with Amazon Transcribe and Amazon Polly (AWS, Mumbai ap-south-1) as fallback. On our iOS and Android apps, on-device speech recognition may be provided by Apple or Google under their respective privacy terms.

Error monitoring and session diagnostics: Sentry (US region) and PostHog (US region), with PII masking enabled.

AI inference: Amazon Bedrock for Anthropic Claude text models (us-east-1), Bedrock for embeddings (ap-south-1), Bedrock for image models (ap-northeast-1). The direct Anthropic API and OpenAI API process tool-calling traffic initiated by users of those platforms. None of these providers use AVnester data to train their models under their commercial API terms.

Operational data — accounts, listings, inquiries, payments, audit logs — is stored in AWS Mumbai (ap-south-1).

Some processing necessarily happens outside India: text AI inference (Amazon Bedrock, us-east-1), image AI inference (Amazon Bedrock, ap-northeast-1), error monitoring and session diagnostics (Sentry and PostHog, US), transactional email (Resend, US), and tool-calling traffic initiated by users of the Anthropic or OpenAI APIs (US). Such transfers are made under contractual safeguards (Standard Contractual Clauses or equivalent) and are limited to the data needed to deliver that service.

If the Central Government later restricts cross-border transfers under DPDPA §16, we will comply with the notified list.

Under the DPDPA you may: (a) ask for a summary of the personal data we hold about you and how it has been processed; (b) ask us to correct or update inaccurate data; (c) ask us to erase data we no longer need, subject to retention required by law (e.g., GST invoices for 8 years); (d) nominate a person to exercise these rights on your behalf if you die or become incapacitated; (e) withdraw consent; and (f) file a grievance.

Where the GDPR applies, you also have data portability and the right to object to processing based on legitimate interests.

To delete your account and personal data: if you are signed in, use Settings → Delete account for instant removal; otherwise request deletion without signing in at /delete-account. We erase your data within 30 days of verifying the request, subject to legal retention (e.g., GST invoices for 8 years).

To exercise any other right, email privacy@avnester.com. We respond within 30 days. You may complain to the Data Protection Board of India (DPDPA §27) or, where the GDPR applies, your local supervisory authority.

We use a small set of first-party cookies: essential cookies for login and CSRF protection (always on) and analytics cookies (only after you accept the cookie banner).

You can clear or block cookies in your browser. Blocking essential cookies will break sign-in.

The Platform is not directed to children under 18 and we do not knowingly collect personal data from them. Under DPDPA §9 processing of children's data requires verifiable parental consent and is otherwise restricted. If you believe a minor has registered, please email privacy@avnester.com and we will delete the account.

TLS 1.2+ in transit, AWS-managed encryption at rest (KMS), least-privilege IAM, AWS Secrets Manager for credentials, and continuous dependency scanning. See /legal/security for detail.

No system is perfectly secure. If you suspect a vulnerability, write to security@avnester.com — good-faith disclosure is welcomed and will not be pursued legally.

If a breach affects your personal data, we will notify you and the Data Protection Board of India (and any other regulator we are required to inform) without undue delay, in line with DPDPA §8(6) and CERT-In Directions of 28 April 2022.

When you use AVnester through an AI client via mcp.avnester.com or our ChatGPT Actions, the AI client sends only the structured arguments needed to answer your request — typically city, locality, property type, budget, bedrooms, or listing IDs. AVnester does not receive your chat history, transcripts, or the surrounding conversation.

Tool responses returned to AI clients contain only public listing fields. Internal trace IDs, log identifiers, authentication tokens, and seller private contacts (phone, email) are never sent to AI clients.

Tool inputs are logged at 1% sampling for abuse detection only, with PII patterns (phone numbers, email addresses, OTPs, government IDs) stripped before storage. Retention: 90 days.

AVnester does not receive your identity from Anthropic or OpenAI. The OAuth tier is a rate-limit signal only, not a personalisation signal.

You can opt out of AI-client access by emailing privacy@avnester.com. See /legal/ai-use for the full acceptable-use policy.

In compliance with IT (Intermediary Guidelines) Rules 2021 §3(2) and the DPDPA, our Grievance Officer is:

Vignesh Soundarapandian, Grievance Officer AVNESTER PRIVATE LIMITED, 16/160 Giri Nagar, 1st Street, Kavundampalayam, Coimbatore - 641030, Tamil Nadu, India Email: grievance@avnester.com

We acknowledge complaints within 24 hours and aim to resolve them within 15 days. Unresolved data-protection grievances may be escalated to the Data Protection Board of India (DPDPA §27). Consumer complaints may be filed with the appropriate Consumer Forum under the Consumer Protection Act, 2019. Online complaints under the IT Rules may also be filed at /grievance.

We will update this policy when our practices, providers, or applicable law change. The "Last updated" date above will move and material changes will be flagged on the Platform.

Privacy questions or rights requests: privacy@avnester.com.

Vulnerability disclosure: security@avnester.com.

Connector / MCP / ChatGPT integration: connector-support@avnester.com.