Privacy Policy

Cedr AI Labs ("Cedr", "we", "us") builds products under our own brands, currently RentCare. This Privacy Policy explains what personal data we collect across all our products, what we do with it, and the choices you have. It applies to anyone using Cedr products on the web, mobile, or any other surface we ship.

We follow the Digital Personal Data Protection Act, 2023 (the "DPDP Act") of India, and where applicable, the GDPR. If you are reading this from outside India, the same protections apply.

We collect only what we need to run the product you signed up for. Concretely:

• Account data: your name, phone number, email, and password hash. We never store plain-text passwords.
• KYC data (where applicable): PAN, Aadhaar masking, address proof. Stored encrypted, accessed only to verify compliance.
• Business data you put into the product: your properties, tenants, leases, payment records, maintenance tickets, and tax records. This is yours; you can export or delete it at any time.
• Communications: emails, WhatsApp messages, and support tickets you send us. Stored for at most 36 months unless you ask us to delete them sooner.
• Device & usage: IP address, device type, browser, and anonymised analytics about which screens you visited. We do not sell or rent any of this to third parties, ever.

We use the data above for one of five purposes, never more:

• To run the product you signed up for, including paying tenants, sending reminders, generating receipts, and producing tax reports.
• To verify your identity and our compliance obligations (KYC, GST, TDS).
• To respond when you write to us, and to remember the context of past conversations so you don't have to re-explain.
• To improve the product, debugging, performance, and product analytics. Always aggregated; never tied back to you in a way we share externally.
• To meet legal obligations, court orders, tax notices, anti-fraud requirements.

We do not use your data to train third-party models. We do not sell your data to anyone. We do not pass your data to advertisers.

All Cedr customer data is stored on Indian soil. Specifically:

Primary region

AWS Asia Pacific (Mumbai) · ap-south-1

Backups

3 regions, all within India · 4 times daily

Encryption at rest

AES-256 via Supabase managed Postgres

Encryption in transit

TLS 1.3 minimum on every endpoint

Row-level security

Enforced on every table that contains user data

No customer data is processed outside India. Where we use sub-processors (see §6), we only retain providers with India-region deployments and signed data-processing agreements.

The DPDP Act, 2023 grants you, the Data Principal, the following rights. Cedr provides every one of them through self-serve flows in the product, you should never have to email us to exercise a right that should be a button.

• Right to access: Export your entire dataset as a CSV or JSON archive, any time, from Settings → Data.
• Right to correction: Edit your name, phone, address, KYC, and business records directly from the app.
• Right to erasure: Permanently delete your account and all derived data. We retain anonymised audit logs for 6 years as required by IT and tax law; nothing more.
• Right to portability: The export above is in standard CSV/JSON formats designed to be imported into any other system.
• Right to grievance: Email grievance@cedrailabs.in. We respond within 7 working days; unresolved complaints can be escalated to our Data Protection Officer (dpo@cedrailabs.in).

We use a small number of vetted vendors. Each is bound by a Data Processing Agreement and is restricted to India-region deployment.

Infrastructure

AWS India · ap-south-1 (Mumbai)

Database & auth

Supabase · self-hosted on AWS Mumbai

Email delivery

Amazon SES (Mumbai region)

SMS & WhatsApp

Gupshup · India operations

Payments

Razorpay India · for tier payments only

Analytics

PostHog · self-hosted, no third-party trackers

Account data is retained for the lifetime of your account, plus 6 years after deletion (the period required by the Income Tax Act for tax-relevant records). Marketing emails are deleted within 12 months. Support tickets, within 36 months. Device logs, within 90 days. You can request earlier deletion in writing; we will honour it for non-tax-relevant data.

When we change this policy, we publish the new version here, increment the version number, email every registered user, and keep the prior version accessible at cedrailabs.in/legal/archive for at least 5 years. We never change the policy retroactively in a way that disadvantages you without offering a clear opt-out.