Privacy Policy

Quroot Innovations Pvt Ltd ("GuardPe") is the data controller for personal information collected through the GuardPe platform. We are registered in India and operate under applicable Indian data protection laws including the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

We collect the following categories of data:

We use your data to:

• Authenticate your identity and maintain your account securely.
• Process payments and manage the escrow lifecycle for each deal.
• Conduct KYC verification through our payment partner (Cashfree).
• Detect and prevent fraud, money laundering, and platform abuse.
• Resolve disputes and provide customer support.
• Comply with legal obligations including tax filings and RBI reporting requirements.
• Send transactional notifications (OTPs, deal updates, payout confirmations).

We do not use your data for advertising or sell it to third parties.

In keeping with UIDAI guidelines and data minimisation principles:

• We do not collect or store full Aadhaar numbers.
• We do not store raw bank account numbers — they are encrypted at the column level using AES-256-CBC before being written to our database.
• We do not collect passwords — authentication uses one-time codes sent to your mobile number.
• We do not record payment card numbers — card processing is handled entirely by Cashfree.

We process your data under the following legal bases:

• Contract performance: Processing needed to deliver the escrow service you requested.
• Legal obligation: Compliance with RBI guidelines, GST requirements, and AML/KYC obligations.
• Legitimate interests: Fraud detection, platform security, and service improvement.
• Consent: Marketing communications (which you may opt out of at any time).

We share your data only with:

• Cashfree Payments India Pvt. Ltd. — our payment processing partner. They receive identity and bank account data necessary to process payouts and complete KYC. Cashfree is independently bound by RBI regulations.
• Cloud infrastructure providers — our database and application servers are hosted on Neon.tech (PostgreSQL) and Vercel. Data is encrypted in transit and at rest.
• Law enforcement / regulators — when required by law, court order, or a legitimate government request.

We do not share your data with any other third party without your explicit consent.

We retain your personal data for as long as your account is active or as required by law. Specifically:

• Deal records and transaction data: 7 years (as required by Indian tax law).
• KYC documents and audit logs: 5 years after account closure.
• Support and dispute records: 3 years after resolution.
• OTP and session tokens: Deleted within 24 hours of creation or use.

If you request account deletion, we will anonymise your personally identifiable information within 30 days, retaining only data required for legal compliance.

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Correction — request correction of inaccurate data.
• Deletion — request deletion of your account and associated data (subject to legal retention requirements).
• Portability — receive your deal history in a machine-readable format.
• Objection — object to processing based on legitimate interests.

To exercise any of these rights, email privacy@guardpe.com. We will respond within 30 days.

GuardPe uses only essential cookies necessary for authentication (session tokens, CSRF protection). We do not use advertising cookies, third-party trackers, or analytics scripts that share data with external parties.

We implement industry-standard security controls including:

• TLS 1.3 for all data in transit.
• AES-256-CBC column-level encryption for sensitive fields (bank account numbers).
• Bcrypt-hashed OTP codes with automatic expiry.
• Role-based access control for internal staff.
• Immutable audit logs for all critical actions.

Despite these measures, no system is fully immune to breaches. We will notify affected users within 72 hours of discovering any material data breach.

We may update this Privacy Policy from time to time. We will notify you of significant changes via your registered mobile number or platform notification. The "Last updated" date at the top reflects the most recent revision.

For privacy-related queries or to exercise your rights: