Privacy Policy

1. Information We Collect

We collect personal data you provide directly, data collected automatically through your use of the Platform, and data received from third parties such as our payment partner and sign-in providers.

• Account & profile data — name, mobile number, email, and, if you choose to add them, date of birth, gender, profile photo, and bio.
• Identity & verification data — for Hosts and certain high-trust bookings: PAN, GSTIN where applicable, and a government-issued photo ID, used to verify identity and enable payouts.
• Booking data— listings viewed, bookings made, responses to a Host's custom intake forms, reviews you leave, and guest details you enter for a booking.
• Payment data — for online bookings, tokenised references and masked details (such as the last four digits) returned by our payment partner. Full card, UPI, and bank numbers are processed and tokenised by Razorpay (a PCI-DSS compliant provider); we do not store the underlying numbers.
• Location & address data — addresses you save (with coordinates), approximate location derived from your IP address, and, in our mobile app, precise device location only when you grant permission.
• Device & technical data — IP address, device identifiers, operating system, browser or app version, and diagnostic / crash logs.
• Communications — messages exchanged through the Platform inbox, support requests, and email/SMS delivery records.
• Preferences & activity — settings such as theme, language, and notification choices, and your recent searches.
• Safety & audit data — limited records (including IP address and device/browser information) kept to secure accounts, prevent abuse, and moderate uploaded content.

2. How We Use Your Information

We process personal data only for the purposes set out below, and only when we have a lawful basis under the DPDP Act — typically consent, performance of a contract, or compliance with a legal obligation.

• Create and operate your account, including verification for Hosts.
• Process bookings, payments, refunds, and payouts.
• Send booking confirmations, reminders, one-time passwords, and receipts via push notification, email, and SMS.
• Improve the Platform — analytics on feature usage and diagnostics. We use aggregated or pseudonymised data for this wherever practical.
• Prevent fraud, detect abuse, moderate content, and comply with our obligations under the IT Act 2000 and other applicable law.
• Send marketing communications, only with your opt-in consent and with a working unsubscribe link in every message.

3. Sharing With Third Parties

We share personal data only with the recipients below, and only where necessary to operate the Platform. We do not sell your personal data.

• Hosts. When you book with a Host, we share your name, contact, and the booking details they need to deliver the experience.
• Payment partner. For online bookings, Razorpay receives tokenised payment instructions and limited identity data to settle the transaction.
• Infrastructure & service providers— application and database hosting (Convex); content delivery, bot protection, and media-file storage (Cloudflare, including R2); transactional email (ZeptoMail); SMS one-time passwords and alerts (MSG91); product analytics (PostHog); crash and error diagnostics (Sentry, when enabled); maps and location services and “Sign in with Google” (Google); and “Sign in with Apple” (Apple). Each receives only the data needed for its function.
• Law enforcement. Only on receipt of a valid written demand from a competent authority under applicable law.
• Successors. In the event of a merger or sale, your data may transfer to the acquiring entity, with notice and the option to delete.

4. Cookies & Similar Technologies

Our website uses cookies, local storage, and similar technologies to keep you signed in, remember your preferences, and measure feature usage. Read our Cookie Policy for full details and to manage your preferences.

5. Data Retention

We retain personal data only as long as necessary to provide the Platform and to satisfy our legal obligations. Different categories follow different schedules:

• Account & profile data — for the lifetime of your account plus a short grace period after deletion (to allow recovery).
• Booking & transaction records — retained for the period required by the Companies Act 2013 and applicable tax law (generally up to 8 years).
• Identity / KYC documents — for the retention period required by applicable law after your account is deactivated.
• Support communications — typically up to 24 months.
• Marketing consent records — until withdrawn, plus a short period for audit.

6. Your Rights

Under the DPDP Act 2023 you are a “Data Principal” and have the following rights. To exercise any of them, write to privacy@allreserve.in — we will respond within the time required by law.

• Right to access — request a summary of the personal data we hold about you.
• Right to correction — ask us to correct inaccurate or outdated information (you can also edit much of it in your profile).
• Right to erasure — request deletion of your account. We will delete or anonymise personal data, subject to overriding legal-retention obligations.
• Right to withdraw consent — where we rely on your consent, you may withdraw it at any time, as easily as you gave it. Withdrawal does not affect processing already carried out.
• Right to grievance redressal — escalate to our Grievance Officer (see Section 10).
• Right to complain to the Board — if your grievance is not resolved to your satisfaction, you may lodge a complaint with the Data Protection Board of India.
• Right to nominate — designate another natural person to exercise rights on your behalf in the event of death or incapacity.

7. International Transfers

Some of our infrastructure and service providers — including Convex, Cloudflare, PostHog, Sentry, and Google — may store or process personal data on servers outside India. Where we transfer personal data outside India, we do so in accordance with Section 16 of the DPDP Act and impose contractual safeguards on those providers. If you access the Platform from outside India, you understand that your data will be processed in India and in the locations of these providers as described above.

8. Children's Privacy

AllReserve is not directed to children under 18, and we do not knowingly collect personal data from children. Where a listing is suitable for minors (a kids' workshop, a family event), the booking must be made by the parent or legal guardian, and any minor's name added to the reservation is treated as the guardian's responsibility.

Consistent with Section 9 of the DPDP Act, we do not knowingly process a child's personal data without verifiable parental or guardian consent, and we do not carry out tracking, behavioural monitoring, or targeted advertising directed at children. If you believe we hold a child's data without such consent, write to privacy@allreserve.in and we will delete it.

9. Security

We apply the Reasonable Security Practices expected under the IT Rules 2011. Personal data is encrypted in transit and at rest, production access is restricted and authenticated, and uploaded content is moderated to detect and remove abusive material. No system is perfectly secure; if a reportable personal-data breach occurs, we will notify affected users and the Data Protection Board of India as required by the DPDP Act. You can report a security concern to security@allreserve.in.

10. Grievance & Contact

For any privacy question, request, or complaint, write to our Grievance Officer at grievance@allreserve.in or to privacy@allreserve.in. We will acknowledge and address your grievance within the timeframe required by the DPDP Act.

11. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in regulation or our services. Material changes will be communicated at least 14 days in advance via email and in-app notice. The “Last updated” date at the top of this page reflects the most recent revision.