Privacy Policy

1. About this Policy

TAG Vault is a real-estate document storage and electronic-signing platform operated in India by VTAG Software Private Limited (the “engineering arm”) under the brand of TAG Projects (the “real-estate parent brand”, slogan “Treasure Your Property”). In this Policy, “TAG Vault”, “we”, “us”, and “our” refer to VTAG Software Private Limited operating the TAG Vault platform on behalf of TAG Projects. “You” or “your” refers to you, the person using TAG Vault.

This Policy is published by us as the Data Fiduciary under §2(i) of the Digital Personal Data Protection Act, 2023 (“DPDP Act”). It also serves as our notice under §5 of the DPDP Act and our privacy-policy publication under Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”).

Applicability. This Policy applies to:

• Visitors to our public pages (including the public document-verification endpoint).
• Account holders who upload, route, or sign documents on TAG Vault.
• Signers who receive a signing invitation by email or WhatsApp and complete a signing ceremony, even if they do not create a permanent account.
• Anyone who contacts us by email or otherwise submits personal data to us.

This Policy does not cover websites we link to. Read their policies separately.

Effective date. This version (1.0) takes effect on 2026-04-25.

Version. 1.0. Older versions, once they exist, will be available on request at privacy@brikbond.com.

2. Notice under §5 DPDP Act

This section is the consolidated notice we provide before, or at the time of, seeking your consent under §6 DPDP Act.

We collect the data in the table below for four reasons: to keep your account secure (login data), to provide the signing service (documents and ceremony details), to maintain legal evidence (audit log and seal), and to prevent fraud (security logs). Technical terms in brackets (TOTP, MFA, KMS, ECDSA, SHA-256) are explained in §8 of this Policy.

Lawyer to confirm exact BSA section number replacing §85B IEA prior to publication.

You may exercise your rights under §§11–14 DPDP Act as described in section 9 below. You may complain to the Data Protection Board of India about how we handle your personal data (see section 16 below).

3. Lawful bases (§§4, 6, and 7)

Under §4 DPDP Act, we may process your personal data only for a lawful purpose with your §6 consent, or for a §7 legitimate use. We rely on the following bases:

• §6 consent. For account creation, document upload, the act of signing (the SIGN button itself is the affirmative consent moment for capturing your signature image), and any optional marketing. Your consent is free, specific, informed, unconditional, unambiguous, and given by clear affirmative action (a tick of an unchecked box, or the act of drawing/typing your signature). It is per-purpose: you can decline marketing while still using the core service. Ceremony attributes (IP, user-agent, screen size, timestamp) are processed under the §7(a) “voluntarily provided” basis intrinsic to your act of signing; 10-year retention of the sealed document is processed under §7(c) (compliance with law). These bases are documented per row in the §2 table.
• §7(a) voluntarily provided. For transactional notifications (OTPs, signature requests, audit confirmations) you have asked us to send by giving us your contact details, and for ceremony attributes you submit when you sign a document.
• §7(c) compliance with law. For retention of sealed documents and audit logs to comply with the Limitation Act, 1963, the Indian Stamp Act, 1899, the Registration Act, 1908, and §65B IEA / §63 BSA evidentiary requirements.
• §7(h) safety. For fraud-prevention logging, IP / user-agent capture for security audit, and protective controls under §8(5).

We do not rely on “deemed consent”, “implied consent”, “bundled consent”, or pre-ticked checkboxes. We do not treat continued use of the platform as consent to a new purpose.

4. What personal data we collect

We organise the personal data we hold about you into the categories below. We do not collect categories not listed here.

4.1 Account profile

Name, email address, mobile phone, organisation name (if you give one), and a password that we never store in clear text — passwords are hashed using Argon2id with per-user random salts.

4.2 Authentication data

A SHA-256 hash of your refresh token (we never store the token itself), your TOTP MFA seed (only if you enable MFA, encrypted with AWS KMS), and session metadata such as last login time, IP, and user-agent.

4.3 Document content

The PDF documents you upload, the document type you classify them as, the property address and survey number you record, and any custom tags you add. Documents are encrypted at rest with SSE-KMS using customer-managed keys.

4.4 Signer ceremony attributes

When you sign a document, we capture: your IP address, user-agent string, screen dimensions, approximate location-by-IP (city / region — not precise GPS), the SHA-256 hash of the consent text shown to you, and UTC timestamps for each step. We capture these because they form the chain of evidence required to defend your signature in court if challenged.

4.5 Signature image

The PNG image of the signature you drew on the canvas, or the rendered PNG of your typed name. This image is embedded into the sealed PDF.

4.6 Cryptographic seal

The ECDSA P-256 signature we compute over the SHA-256 hash of the sealed PDF bytes, plus the key fingerprint. This is a machine-readable tamper-evidence record, not a personal identifier.

4.7 Audit log

An append-only log of every action that affects your envelope or document — uploads, invitations, views, OTP issuance, OTP verification, signature placements, voids, completions, downloads. Implemented with PostgreSQL triggers that reject UPDATE and DELETE at the database engine layer, not just at the application layer.

4.8 Notification logs

Delivery receipts, bounce records, and complaint records returned by AWS SES (email) and Meta WhatsApp Business Cloud API (WhatsApp). We use these to confirm your signing requests actually reached the recipients and to disable broken addresses.

4.9 Security logs

Failed login attempts, IP anomalies, rate-limit triggers, unusual access patterns, and attempts to upload prohibited content (see our Acceptable Use Policy). We use these to detect and prevent fraud, account takeover, and abuse.

We do not collect biometric data, Aadhaar numbers, PAN numbers, bank account numbers, payment-card data, government-ID images, social-media profile data, or browsing-history data from outside our domain. We do not run any third-party analytics, advertising pixel, or behavioural-tracking script.

5. How we use your data

This is the cross-reference of purposes against the data categories above.

We do not, for any purpose:

• Sell your data to anyone.
• Share your data with advertisers, ad networks, or data brokers.
• Train artificial-intelligence or machine-learning models on your document content, ceremony attributes, or any other personal data.
• Profile you for targeted advertising.
• Use third-party tracking pixels, fingerprinting libraries, or behavioural-analytics scripts.
• Engage in behavioural tracking of any user under 18 (see section 11).

We disable Capacitor and Electron framework default telemetry in our production builds. If you have technical evidence to the contrary, please report it to grievance@brikbond.com and we will investigate within 7 days.

6. Sub-processors and recipients

We engage a small number of carefully selected sub-processors to deliver the service. We have a Data Processing Addendum (“DPA”) with each one. Our current list is:

In Phase 2b, we plan to migrate to managed services on the same AWS infrastructure: Amazon RDS (managed PostgreSQL in ap-south-1) and Amazon ElastiCache (managed Redis in ap-south-1). Both remain inside India and inside the AWS sub-processor boundary. We will update this Policy to reflect the migration when it lands and notify account holders by email at least 30 days before the change takes effect. Where a Phase 2b migration involves a new sub-processor or a sub-processor with materially different data handling, you may withdraw consent within the 30-day notice window without prejudice to your access to sealed documents you have already executed; we will provide a data-export tool before any migration.

We do not use any analytics vendor, content-delivery network with data caching, advertising network, third-party tag manager, or customer-data platform.

6.1 Cross-border transfer disclosure (§16 DPDP Act)

Most processing of your personal data occurs on AWS infrastructure in India (Mumbai region for primary, Hyderabad region for disaster-recovery replica) and on our Postgres database on AWS EC2 in India.

Two transmissions involve infrastructure outside India:

• WhatsApp notifications via Meta WhatsApp Business Cloud API: Phone-number metadata and message delivery information are processed by Meta Platforms Inc. servers, which may be located in the United States or other regions. Message content is end-to-end encrypted in transit. We have a Data Processing Addendum with Meta governing this processing.
• Email delivery to recipient mail servers: When you choose an email address hosted outside India (e.g. a Gmail account routed via Google data centres in the United States), the transmitted email content will be received by that mail server outside India. This is an unavoidable consequence of email standards (SMTP) and your choice of mail provider.

The Central Government has not, as of the effective date of this Policy, notified any country as restricted for cross-border data transfer under §16 DPDP Act 2023. We will update this Policy if any restriction is notified.

6.2 Other recipients

We may disclose specific personal data to: (i) a court, regulator, or law-enforcement agency that issues a lawful written order under Indian law; (ii) our professional advisers (lawyers, auditors) under confidentiality obligations, where strictly necessary; (iii) a successor entity in the event of a merger, acquisition, or asset transfer involving the TAG Vault business — in which case we will give you 30 days’ prior notice and an opportunity to export your data and close your account before the transfer takes effect.

7. How long we keep your data

The headline retention values per category are below. The Data Retention Policy has the full schedule, the rationale for each value, and the deletion mechanism for each.

This is a headline summary; the full schedule is in the Data Retention Policy.

The 10-year retention on sealed documents and the certificate-of-completion exists because the Limitation Act, 1963 sets dispute windows up to 12 years for immovable-property matters and the Indian Stamp Act, 1899 read with §65B IEA / §63 BSA requires us to be able to produce a tamper-evident original on demand. This retention is mandated by §7(c) read with the proviso to §8(7) of the DPDP Act (legal-obligation retention). Sealed documents cannot be erased on user request during this 10-year window — they fall within the §7(c) read with the proviso to §8(7) of the DPDP Act carve-out for legal-obligation retention.

Cross-link: Data Retention Policy.

8. Security safeguards (§8(5) DPDP Act)

We take the security of your personal data seriously. The penalty for inadequate security under §8(5) read with the Schedule to the DPDP Act is up to ₹250 crore. Below is what we do — concretely.

• Password storage. Argon2id with per-user random salts; we do not store passwords in clear text and cannot retrieve them.
• Multi-factor authentication. Optional TOTP MFA, with the seed encrypted using AWS KMS envelope encryption.
• Encryption at rest. AES-256 server-side encryption on all S3 buckets via customer-managed AWS KMS keys (tagvault-sse-kms, with annual auto-rotation). Database disks are also encrypted at rest.
• Encryption in transit. TLS 1.2 or higher on every connection between you and us, and between our services and our sub-processors. We do not accept TLS 1.0 / 1.1.
• Tamper-evident storage of sealed documents. AWS S3 Object Lock in COMPLIANCE mode, 10-year retention. Once a sealed PDF is written, neither we nor AWS can modify or delete it before the retention period expires — not even with the AWS root account.
• Cryptographic sealing. Every sealed PDF is signed with ECDSA P-256 over SHA-256 (key tagvault-seal-ecdsa-p256, manual rotation on compromise only).
• Role-based access control (RBAC). Production access is granted on least-privilege basis to a small number of engineers; access events are logged.
• Append-only audit log. PostgreSQL triggers reject UPDATE and DELETE at the database engine layer, not just the application layer. Audit entries cannot be silently rewritten.
• Public verification endpoint. Anyone can hash a sealed PDF and POST /v1/verify to check integrity without an account. Tamper attempts will be detected.
• Secrets management. AWS KMS for keys; secrets never committed to source control; environment-variable injection at deploy time.
• Network controls. Block Public Access on all four toggles for every S3 bucket; private subnets for application servers; security groups locked to least-privilege.
• ISO 27001 alignment. Our control framework is designed against the ISO/IEC 27001:2022 control set and the SPDI Rules, 2011 (Rule 8) “reasonable security practices and procedures” standard. We are not yet ISO-certified at MVP; we will publish the certificate when issued.
• Penetration testing and security review. We conduct security review on every change to authentication, signing, storage, and audit code paths.

No system is impervious. We work hard to keep yours safe, and we tell you promptly if something goes wrong (see section 13).

9. Your rights as a Data Principal (§§11–14 DPDP Act)

You hold the following statutory rights over your personal data. We will not charge you for the first request you make in any calendar year under any of the rights below; we may charge a reasonable fee for further requests in the same calendar year if they are manifestly unfounded or repetitive.

9.1 Right to access (§11)

You may ask us for a summary of the personal data we hold about you and the identities of the recipients with whom we have shared it. We will respond within 30 days of receipt of your request, in line with Rule 13 of the DPDP Rules, 2025 (notified 13 November 2025).

9.2 Right to correction, completion, updating, and erasure (§12)

You may correct inaccurate data, complete incomplete data, update outdated data, and request erasure of personal data that is no longer necessary for the purpose for which it was collected. We will action your request within 30 days. Account profile fields can be self-served from your dashboard within 7 business days.

Limit on erasure of sealed documents. Sealed PDFs and the audit log entries that prove their integrity are retained for 10 and 7 years respectively under §7(c) read with the §8(7) proviso (legal-obligation retention). We cannot erase these on your request during the retention window. We will erase them on schedule.

9.3 Right to grievance redressal (§13)

You may raise a grievance about how we handle your personal data (see section 15 for the Grievance Officer block). We will acknowledge within 48 hours and resolve within 30 days. Complex matters may take an additional 30 days, in which case we will tell you in writing why an extension is needed.

9.4 Right to nominate (§14)

You may nominate one natural person to exercise your rights under this Policy in the event of your death or incapacity. The nomination form is in your account settings. The nominee can identify themselves to us and exercise your access, correction, and erasure rights subject to verification.

9.5 How to exercise these rights

Two ways:

• Email. Write to privacy@brikbond.com from the email address registered to your account. State which right you are exercising and what you want.
• Account dashboard. Sign in and go to Settings → Privacy & Data. Most requests can be filed there; you will receive a ticket number and the 30-day clock will start.

We will verify your identity before acting. If we cannot verify it, we will tell you what additional information we need.

10. Withdrawal of consent (§6(4) DPDP Act)

You may withdraw your consent at any time, and as easily as you gave it. Withdrawal is available from your account dashboard at Settings → Privacy & Data → Withdraw consent, and by email to privacy@brikbond.com.

What is “core consent”. “Core consent” is the consent that authorises us to maintain your TAG Vault account and process documents you have submitted for signing. It is distinct from (a) marketing consent (which you can withdraw without affecting your account), (b) per-envelope signing consent (which you give at each signature ceremony for that envelope only), and (c) sub-processor-change consent (where applicable per §6). Withdrawing core consent triggers account closure with the consequences described above. Withdrawing marketing or sub-processor consent does not close your account.

Consequences of withdrawal:

• We will stop processing your personal data for the purpose to which the withdrawn consent related, unless we have a separate §7 lawful basis (for example, retention of a sealed document under §7(c)).
• The processing we already carried out before your withdrawal remains lawful.
• If you withdraw the core consent that underlies your account (e.g. account creation), we will close your account, erase your account profile within 90 days, cryptographically erase your authentication credentials within 30 days, and retain only the data we are legally required to retain (sealed PDFs, audit log, notification logs as listed in section 7).

Withdrawal of marketing consent does not affect your access to the core service.

11. Children’s data (§9(3) DPDP Act)

TAG Vault is not intended for persons under 18 years of age. We do not knowingly process the personal data of any person under 18.

• Date-of-birth gate. Account creation requires you to enter your date of birth. We calculate your age from this date and refuse to create an account for any user under 18 years. This proactive gate is in addition to the eligibility representation in the Terms of Service §3, and applies even if you would otherwise mis-attest your age. We do not knowingly process the personal data of any person under 18; if we discover such processing, we close the account and erase the data within 30 days.
• No behavioural tracking of minors. We do not track, monitor, or profile the behaviour of any user, and certainly not of any user under 18.
• No targeted advertising directed at children. We do not run targeted advertising at all.
• If you are a parent or guardian and believe your child has created an account or signed a document on TAG Vault, write to privacy@brikbond.com. We will verify the report, close the account, and erase the personal data we hold for the child to the extent permitted by law (sealed documents created using a minor’s purported consent may need to remain pending a legal review).

We are working towards verifiable parental-consent integration via DigiLocker (the Government of India digital-locker service) for any future feature that may need to process personal data of a minor (e.g., a minor’s name appearing as a nominee). Until that integration ships, no minor’s data may be processed on TAG Vault.

12. Cookies

TAG Vault uses exactly one first-party functional cookie — tag_vault_refresh — to keep you signed in across page loads. It is set as HttpOnly, Secure, SameSite=Strict, with a 30-day TTL. We do not set analytics cookies, advertising cookies, or third-party tracking cookies, and we do not load any external script that would set such cookies.

For full detail see the Cookie Policy.

13. Breach notification (§8(6) DPDP Act)

If we become aware of a personal data breach affecting your personal data, we will:

• Notify the Data Protection Board of India immediately on awareness, with a detailed report within 72 hours, in the form prescribed by the DPDP Rules, 2025.
• Notify you within 72 hours of awareness, by verified email and (if available) WhatsApp / SMS as backup. We will not rely on a website notice as the only channel.
• Notify the Indian Computer Emergency Response Team (CERT-In) within 6 hours of becoming aware of the cyber-incident, under the CERT-In directions of 28 April 2022 issued under §70B(6) IT Act.

Our notification will describe the nature, extent, type, and scope of the breach; its likely consequences; the mitigation measures we are taking; recommended steps you should take; and the contact details of our Grievance Officer.

If you signed a document on a Customer’s TAG Vault account (B2B context), your Customer (the Data Fiduciary) leads the breach notification to you per their own §5 notice; we notify the Customer within 24 hours under our DPA.

14. Designated person under §8(8) DPDP Act

The business contact for questions about how this Policy is operationally implemented is:

Designated Person under §8(8) DPDP Act
Vijay Sivanjan
TAG Projects (operated by VTAG Software Private Limited)
Email: dpo@brikbond.com

If we are notified as a Significant Data Fiduciary under §10 DPDP Act in the future, we will appoint an India-resident Data Protection Officer (“DPO”), publish the DPO’s contact details, and update this Policy to reflect that.

15. Grievance Officer (§13 DPDP Act)

If you have a grievance — including a privacy complaint, a request for correction or erasure that we have not actioned, a complaint about a sub-processor, or any other concern about how we have handled your personal data — please contact:

Grievance Officer
Vijay Sivanjan
TAG Projects (operated by VTAG Software Private Limited)
Karnataka, India
Email: grievance@brikbond.com
Email is the preferred contact method.

Service-level commitments:

• Acknowledgement within 48 hours of receipt.
• Resolution within 30 days of receipt, in line with Rule 13 of the DPDP Rules, 2025.
• Extension of up to a further 30 days for complex matters, with reasoned written intimation to you.

The same person also acts as our Grievance Officer under Rule 3(2)(a) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (24-hour acknowledgement, 15-day disposal; 24 hours for non-consensual sexually explicit content under Rule 3(2)(b); 36 hours for general unlawful content under Rule 3(1)(d)) and under Rule 4(5) of the Consumer Protection (E-Commerce) Rules, 2020 (48-hour acknowledgement, 1-month disposal). Where multiple SLAs apply, the shortest SLA applies.

16. Data Protection Board

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India constituted under §18 DPDP Act. The Board’s contact details and complaint procedure are published on its official portal. We will cooperate fully with the Board.

You also retain the right to seek a remedy from any court of competent jurisdiction, the District / State / National Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019, or any other Indian regulator. Nothing in this Policy or our Terms restricts that right; any such restriction would be void under §28 of the Indian Contract Act, 1872.

17. Changes to this Policy

We will keep this Policy current with the law and our actual practice. For material changes — for example, adding a new sub-processor, changing the retention period of any category, expanding the purposes for which we use your data, or any other change that materially affects your rights — we will:

• Give you at least 30 days’ prior notice by email to your registered address and a banner on the dashboard.
• Re-collect consent for any change that materially affects the §5 notice, including new purposes, new categories of personal data, new sub-processors handling identifiable data, longer retention periods, or new recipient categories.
• Not treat continued use of the platform after the change date as deemed consent.

For non-material changes (typo fixes, clarifications, contact-detail updates), we will update the version number and the Last-updated line at the foot of this Policy. The current and immediately prior versions will always be visible. Earlier versions are available on request to privacy@brikbond.com; we maintain the version archive for at least 7 years.

18. Eighth Schedule language availability

This Policy is published in English. Under §6(3) DPDP Act, you have the right to receive this notice in English or in any of the 22 languages listed in the Eighth Schedule of the Constitution of India.

If you would like a copy of this Policy in any of those languages — Assamese, Bengali, Bodo, Dogri, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Maithili, Malayalam, Manipuri, Marathi, Nepali, Odia, Punjabi, Sanskrit, Santali, Sindhi, Tamil, Telugu, or Urdu — please write to privacy@brikbond.com. We will provide a translation within a reasonable time, free of charge for the first request per calendar year. Where there is a discrepancy between the English text and a translation, the English text prevails.

19. Contact

For privacy questions: privacy@brikbond.com

For grievances: grievance@brikbond.com

For abuse / takedown: abuse@brikbond.com

For general support: support@brikbond.com

For legal matters: legal@brikbond.com

Operator: VTAG Software Private Limited, operating the TAG Vault platform on behalf of TAG Projects.