Privacy Policy

Wishki — A Product of Wishdone Private Limited

Wishdone Private Limited ("Company," "We," "Us," or "Our"), a company incorporated under the laws of India, having its registered office at 401, Jeevan Parisar, Rajeev Nagar, Raipur, Chhattisgarh 492004, owns and operates the platform known as "Wishki" (hereinafter referred to as the "Platform"), accessible via mobile applications (iOS and Android) and the website [www.wishki.com] (collectively, the "Services").

Wishki is a professional networking ecosystem for the real estate industry, connecting brokers, real estate builders, buyers, sellers, tenants, architects, painters, plumbers, and other real estate professionals across India.

This Privacy Policy ("Policy") describes how We collect, use, store, share, and protect your personal data when you access or use the Platform. This Policy is published in compliance with:

The Information Technology Act, 2000 ("IT Act");

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this Policy, please do not access or use the Platform.

For the purposes of this Policy, "You," "Your," or "User" refers to any individual who accesses, browses, or uses the Platform in any capacity, including but not limited to buyers, sellers, tenants, landlords, brokers, builders, architects, interior designers, painters, plumbers, contractors, and other real estate professionals or service providers.

In this Privacy Policy, unless the context otherwise requires:

"Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, as defined under Section 2(i) of the DPDP Act.

Wishdone Private Limited is the Data Fiduciary for Personal Data collected through the Platform.

"Data Principal" means the individual to whom the Personal Data relates, as defined under Section 2(j) of the DPDP Act. You are the Data Principal in relation to Your Personal Data.

"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDP Act. This includes but is not limited to name, email address, phone number, photographs, device identifiers, and location data.

"Processing" means wholly or partly automated operation or set of operations performed on digital personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment, combination, indexing, sharing, disclosure, restriction, erasure, or destruction, as defined under Section 2(x) of the DPDP Act.

"Sensitive Personal Data or Information" ("SPDI") means personal information as defined under Rule 3 of the SPDI Rules, including passwords, financial information, health data, biometric data, and sexual orientation.

"Content" means any information, data, text, photographs, videos, audio files, floor plans, property documents, posts, updates, stories, comments, messages, reviews, listings, or other materials uploaded, posted, shared, or transmitted through the Platform.

We collect information in the following categories when You access or use the Platform:

(a) Registration and Profile Information: When You create an account on Wishki, We collect Your name, email address, mobile phone number, password, profile photograph, city, and professional category (such as broker, builder, buyer, seller, tenant, architect, painter, plumber, or other real estate professional). If You register using third-party login services (Google Sign-in, Apple Sign-in, or Facebook Login), We receive Your name, email address, and profile picture from the respective third-party service, subject to that service's privacy settings and policies.

(b) Identity and KYC Documents: For professional users including brokers, builders, architects, and other service providers, We may collect identity verification and KYC documents including Aadhaar number (provided voluntarily — Wishki does not mandate Aadhaar submission), PAN (Permanent Account Number), GSTIN (Goods and Services Tax Identification Number), and RERA (Real Estate Regulatory Authority) registration number. These documents are collected for the purpose of identity verification and building trust on the Platform. Aadhaar data, if provided, is stored in compliance with UIDAI (Unique Identification Authority of India) norms in an encrypted Aadhaar Data Vault and is never publicly displayed, shared with third parties, or used for any purpose other than identity verification.

(c) User-Generated Content: We collect Content that You create, upload, post, share, or transmit on the Platform, including posts and updates, stories, comments, likes, shares, property photographs and videos, floor plans, property documents, profile descriptions, and any other materials You contribute to the Platform.

(d) Direct Messages: We collect the content of direct messages ("DMs") exchanged between Users on the Platform. Your direct messages on Wishki are NOT end-to-end encrypted. Wishki's messaging feature is built on Firebase infrastructure, and the Company retains the technical ability to access, review, and moderate the content of direct messages for the purposes described in Section 4 of this Policy.

(e) Directory and Professional Information: If You register as a professional on the Platform, We collect information for Your directory listing, including business name, areas of operation, specialisations, years of experience, services offered, certifications, and professional credentials.

(f) Communications with Us: We collect information You provide when You contact our support team, report issues, provide feedback, respond to surveys, or otherwise communicate with Us, including the content and metadata of such communications.

(a) Device and Technical Information: When You access the Platform, We automatically collect device information including device model, operating system and version, unique device identifiers (including advertising identifiers), mobile network information, browser type and version, screen resolution, language preferences, and time zone settings.

(b) Usage and Interaction Data: We collect information about how You interact with the Platform, including pages and content viewed, features used, search queries, time spent on pages, click patterns, scroll behaviour, interaction with posts (likes, comments, shares), story views, profile visits, directory searches, and navigation paths.

(c) Location Data: With Your explicit consent, We collect precise GPS location data from Your device. This data is used to provide location-relevant content, nearby property listings, local professional recommendations, and geographically personalised search results. You may disable location services through Your device settings at any time; however, this may limit certain location- dependent features of the Platform. We may also infer approximate location from Your IP address.

(d) Log and Server Data: Our servers automatically record information including Your IP address, access dates and times, app crashes and diagnostics, referring and exit pages, and HTTP request information.

(a) Third-Party Login Providers: When You sign in using Google, Apple, or Facebook, We receive limited profile information as authorised by You and permitted by the respective provider's terms. We do not receive or store Your third-party login passwords.

(b) Analytics and Tracking Services: We use the following third-party analytics services that independently collect data through the Platform:

Firebase Analytics and Crashlytics (Google LLC): Collects app usage data, crash reports, device information, and performance metrics.

Google Analytics (Google LLC): Collects browsing behaviour, session data, traffic sources, demographic information, and interest categories.

Meta Pixel / Facebook SDK (Meta Platforms, Inc.): Collects information about Your interaction with the Platform for analytics and measuring the effectiveness of advertising campaigns. Meta Pixel activates only after Your explicit consent is obtained (including through the App Tracking Transparency prompt on iOS devices).

Each of these third-party services processes data in accordance with their own privacy policies, which We encourage You to review.

We process Your Personal Data for the following lawful purposes:

To create and manage Your account; to enable You to post content, share updates, publish stories, send and receive direct messages, search content, browse the professional directory, and use all features of the Platform; to personalise Your experience and content feed; and to facilitate connections between Users.

To verify the identity and professional credentials of brokers, builders, architects, and other professionals using KYC documents; to display verified badges or trust indicators on professional profiles; and to reduce fraud and misrepresentation on the Platform.

To provide AI-powered content creation, search, and verification features on the Platform. Wishki's AI features process Your requests on-demand and in real time. We do NOT use Your Personal Data, Content, inputs, or any other information to train, fine-tune, retrain, or otherwise improve any AI or machine learning models. AI inputs and outputs are not retained for model training purposes.

To review, moderate, and, where necessary, remove Content that violates our Terms and Conditions, Community Guidelines, or applicable law; to monitor direct messages for spam, fraud, harassment, illegal activity, or content that threatens the safety of Users; to detect and prevent fake listings, impersonation, and fraudulent activity; and to comply with content takedown requirements under the IT Act and IT Intermediary Rules.

To send You service-related notifications including account verification, security alerts, and transactional messages; to send push notifications about activity on Your posts, messages, and connections (which You may disable in device settings); and to send promotional communications about Platform features or updates (with Your consent, and with the option to opt out at any time).

To understand how Users interact with the Platform; to analyse usage patterns, trends, and preferences; to improve Platform functionality, user interface, and user experience; to conduct internal research and development; and to generate aggregated, anonymised, and non-identifiable statistical data.

To comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our Terms and Conditions; to respond to claims or legal proceedings; to protect the rights, property, or safety of Wishdone Private Limited, its Users, or the public; and to cooperate with law enforcement and regulatory authorities as required by law.

We process Your Personal Data under the following legal bases as applicable under the DPDP Act 2023 and SPDI Rules 2011:

(a) Consent: We obtain Your explicit, free, specific, informed, and unambiguous consent at the time of registration and before collecting specific categories of data (including KYC documents, precise location, and analytics tracking). You may withdraw Your consent at any time by contacting Us or through the Platform settings. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to such withdrawal.

(b) Legitimate Uses: We process certain data for "legitimate uses" as specified under Section 7 of the DPDP Act, including processing necessary for performance of obligations under law, compliance with court orders, responding to medical emergencies, and employment-related purposes where applicable.

(c) Contractual Necessity: Processing necessary for the performance of our agreement with You (i.e., providing the Services described in our Terms and Conditions).

Cookies are small text files placed on Your device when You access the Platform through a web browser. Similar technologies include pixels, web beacons, local storage, and device fingerprinting.

(a) Strictly Necessary Cookies: Essential for the operation of the Platform, including authentication, session management, security, and load balancing. These cannot be disabled without affecting Platform functionality.

(b) Analytics Cookies: Used by Firebase Analytics and Google Analytics to collect information about how You use the Platform, including pages visited, time spent, and navigation paths. This data is used to improve Platform performance and user experience.

(c) Advertising and Tracking Cookies: Meta Pixel / Facebook SDK places cookies and pixels to measure the effectiveness of advertising campaigns and understand user interaction patterns. These cookies are activated only after Your explicit consent.

You may manage or disable cookies through Your browser or device settings. Disabling certain cookies may affect the functionality of the Platform. On iOS devices, the App Tracking Transparency prompt allows You to opt out of tracking by Meta Pixel and similar services.

Wishdone Private Limited does NOT sell, rent, or trade Your Personal Data to third parties for their marketing or advertising purposes.

We may share Your information in the following limited circumstances:

Your profile information, posts, stories, comments, likes, shares, and directory listing (if applicable) are visible to other Users of the Platform as per Your privacy settings. Direct messages are visible only to the participants of the conversation.

We engage trusted third-party service providers who process data on Our behalf to operate and maintain the Platform. These include Amazon Web Services (AWS) for cloud hosting and data storage; Firebase (Google LLC) for messaging infrastructure, analytics, and crash reporting; Google for analytics and authentication services; Apple for authentication services; Meta Platforms for analytics; and other service providers for email delivery, push notifications, and customer support. All service providers are contractually bound to process Your data only as instructed by Us and in compliance with applicable data protection laws.

We may disclose Your information when required by law, regulation, legal process, court order, or governmental authority; when We believe in good faith that disclosure is necessary to protect the safety, rights, or property of Wishdone Private Limited, its Users, or the public; to enforce our Terms and Conditions; to detect, prevent, or address fraud, security, or technical issues; and to respond to a data request from the Data Protection Board of India or any other regulatory authority.

In the event of a merger, acquisition, reorganisation, sale of assets, or bankruptcy involving Wishdone Private Limited, Your Personal Data may be transferred to the acquiring or successor entity. We will provide notice of any such transfer and any changes to applicable privacy terms through the Platform and via email.

We may share aggregated, de-identified, or anonymised data that cannot reasonably be used to identify You, for industry analysis, market research, demographic profiling, and Platform improvement purposes.

We retain Your Personal Data only for as long as is necessary to fulfil the purposes for which it was collected, as described in this Policy, subject to the following:

(a) Active Accounts: We retain Your Personal Data for as long as Your account remains active on the Platform.

(b) Inactive Accounts: If Your account is inactive (no login or activity) for a continuous period of three (3) years, We will initiate the deletion of Your Personal Data in compliance with Rule 8 of the DPDP Rules, 2025. You will receive a notification at least forty-eight (48) hours prior to such deletion.

(c) Post-Deletion Retention: Following account deletion (whether by You or by Us), We will delete or anonymise Your Personal Data within ninety (90) days, except to the extent that retention is required for compliance with legal obligations, resolution of disputes, enforcement of our Terms, or exercise or defence of legal claims.

(d) Legal Retention Requirements: Certain data may be retained beyond the above periods where required under applicable law, including tax and accounting records under the Income Tax Act, 1961, and the Companies Act, 2013; records required for compliance with the IT Act, IT Intermediary Rules (including 90-day retention of records of blocked content); and records required in connection with pending or anticipated legal proceedings.

(e) Content Retention: User-generated Content that was publicly shared, commented upon, or redistributed by other Users may persist on the Platform after Your account deletion to the extent it has been incorporated into the activity of other Users, though it will be de-identified and no longer attributed to Your account.

Under the DPDP Act 2023 and SPDI Rules 2011, You have the following rights in relation to Your Personal Data:

You have the right to obtain from Us a summary of Your Personal Data being processed and the processing activities undertaken with respect to such data. We will respond to access requests within seven (7) days, as required under Rule 14 of the DPDP Rules.

You have the right to request correction of inaccurate or misleading Personal Data, and to have incomplete Personal Data completed. You may update most account information directly through Your profile settings.

You have the right to request erasure of Your Personal Data. Upon receiving a valid erasure request, We will delete Your data in accordance with the timelines specified in Section 8 of this Policy, except where retention is required by law.

You have the right to withdraw Your consent to the processing of Your Personal Data at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Upon withdrawal, We will cease processing Your data for the purpose(s) to which consent was withdrawn, which may result in limited access to or termination of certain Platform features.

You have the right to register a grievance with Our Grievance Officer (see Section 14). If You are not satisfied with the resolution provided by Our Grievance Officer, You may file a complaint with the Data Protection Board of India as established under the DPDP Act.

You have the right to nominate any individual who shall, in the event of Your death or incapacity, exercise Your rights under this Policy and the DPDP Act on Your behalf. You may register a nominee through the Platform or by writing to Our Grievance Officer.

You may exercise any of the above rights by contacting Our Grievance Officer at support@ wishki.com or by writing to Us at the address specified in Section 14. We may require You to verify Your identity before processing Your request.

We implement and maintain reasonable security practices and procedures, aligned with IS/ISO/IEC 27001 standards, as required under Rule 8 of the SPDI Rules and Section 8 of the DPDP Act:

(a) Encryption: Personal Data is encrypted both in transit (using TLS/SSL protocols) and at rest (using AES-256 or equivalent encryption) on Our cloud infrastructure hosted on Amazon Web Services (AWS).

(b) Access Controls: Access to Personal Data is restricted to authorised personnel on a need-to- know basis, with role-based access controls, multi-factor authentication, and comprehensive audit logging.

(c) Infrastructure Security: Our AWS infrastructure employs industry-standard security measures including firewalls, intrusion detection systems, network segmentation, and regular vulnerability assessments.

(d) Aadhaar Data Security: Aadhaar numbers, if provided, are stored in a separate encrypted Aadhaar Data Vault in compliance with UIDAI Circular dated 15 July 2017 and the Aadhaar (Sharing of Information) Regulations 2016, with restricted access and complete audit trails.

(e) KYC Document Security: KYC documents (PAN, GSTIN, RERA certificates) are stored in encrypted form with access restricted to authorised verification personnel only.

(f) Regular Audits: We conduct periodic security audits and assessments of Our information security practices and infrastructure, including audits by independent external auditors as required under the SPDI Rules.

In the event of a personal data breach, We will notify the Data Protection Board of India and affected Data Principals within seventy-two (72) hours of becoming aware of the breach, in accordance with Section 8(6) of the DPDP Act and Rule 7 of the DPDP Rules. The notification will include the nature of the breach, the categories and approximate number of data principals affected, likely consequences, and measures taken or proposed to address the breach.

The Platform is intended solely for individuals who are eighteen (18) years of age or older. We do not knowingly collect, process, or store Personal Data of individuals below the age of eighteen (18) years. If We become aware that We have collected Personal Data from an individual under the age of 18, We will take immediate steps to delete such data from Our systems. If You believe that a minor has provided Personal Data to Us, please contact Our Grievance Officer immediately at support@wishki.com

Under Section 9 of the DPDP Act, processing of children's data requires verifiable parental consent. Since the Platform does not permit registration by individuals below 18 years of age, this provision is addressed through Our age verification measures at the time of registration.

The Platform's primary data infrastructure is hosted on Amazon Web Services (AWS) with data centres located in India (Mumbai region). We endeavour to store and process Your Personal Data within India to the maximum extent possible.

In certain circumstances, Your data may be processed in jurisdictions outside India by Our third- party service providers (such as Firebase/Google, Meta Platforms, and Apple) for the specific purposes described in Section 7.2 of this Policy. Any such transfer of Personal Data to a country outside India shall be carried out in compliance with Section 16 of the DPDP Act and only to countries or territories not restricted by the Central Government of India through notification.

We may update this Privacy Policy from time to time to reflect changes in Our practices, technologies, legal requirements, or for other operational reasons.

(a) Notification of Changes: We will notify You of any material changes to this Policy at least fifteen (15) days before such changes take effect, through email notification to the email address associated with Your account, push notification on the Platform, and a prominent notice on the Platform.

(b) Effective Date: The updated Policy will state the effective date at the top of the document.

(c) Continued Use: Your continued use of the Platform after the effective date of the updated Policy constitutes Your acceptance of the revised terms. If You do not agree with any changes, You may discontinue use of the Platform and request deletion of Your account.

In accordance with Section 5(2) of the IT (Intermediary Guidelines) Rules, 2021, Rule 3(2) of the SPDI Rules, and Section 8(10) of the DPDP Act, We have appointed the following Grievance Officer:

Name: Vikas Agarwal Designation: Grievance Officer Address: 401, Jeevan Parisar, Rajeev Nagar, Raipur, Chhattisgarh 492004 Email: support@ wishki.com Phone: +91 9302224000

Response Timelines:

Acknowledgment of complaint: Within twenty-four (24) hours of receipt.

If You are dissatisfied with the resolution provided by the Grievance Officer, You may escalate Your complaint to the Data Protection Board of India as constituted under the DPDP Act 2023.

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the dispute resolution mechanism specified in Our Terms and Conditions.

If You have any questions, concerns, or requests regarding this Privacy Policy or Our data practices, You may contact Us at:

Wishdone Private Limited 401, Jeevan Parisar, Rajeev Nagar, Raipur, Chhattisgarh 492004

Email: support@ wishki.com Phone: +91 9302224000

© 2026 Wishdone Private Limited. All rights reserved.