Privacy Policy

iMark CRM is a product of iMark Infotech Pvt. Ltd., headquartered in Chandigarh, India. Growing businesses since 2001 with 500+ digital experts. We provide a cloud-based Customer Relationship Management (CRM) platform purpose-built for Indian real estate companies. This policy explains how we handle your data when you use iMark CRM.

We collect the following categories of information:

• Account information — name, email address, phone number, organisation name, and role within the organisation.
• Business data — leads, deals, customer records, payment transactions, documents, and project details that you or your team enter into the CRM.
• Usage data — login activity, features used, page visits, browser type, and device information collected automatically to improve service quality.

• To provide and operate iMark CRM services, including lead management, deal tracking, and payment processing.
• To send transactional notifications such as booking confirmations, payment reminders, and system alerts.
• To improve the product through usage analytics, bug detection, and performance monitoring.
• To enforce compliance with Indian regulations including RERA, GST, and PMLA requirements.

All data is stored on secure servers located in India (AWS ap-south-1 region). Our multi-tenant architecture ensures that each organisation's data is logically isolated — no organisation can access another's data.

We implement the following security measures:

• Passwords hashed with bcrypt (cost factor 12+).
• JWT RS256 asymmetric token authentication.
• All connections over HTTPS (TLS 1.2+).
• Rate limiting on all API endpoints.
• Comprehensive audit logging for all sensitive operations.

We comply with India's Digital Personal Data Protection Act, 2023. Key practices include:

• Aadhaar protection — we never store full Aadhaar numbers. Only the last 4 digits are retained in masked form for verification purposes.
• Explicit consent — we obtain explicit, purpose-specific consent before collecting personal data or processing KYC documents.
• Breach notification — in the event of a data breach, we will notify the Data Protection Board of India within 72 hours as required by law.
• Data localisation — all personal data is stored exclusively on India-based cloud infrastructure.

Business records, including transaction records and KYC documents, are retained for a minimum of 5 years in compliance with the Prevention of Money Laundering Act (PMLA), 2002.

You may request an export of your data or request deletion of your personal information at any time by contacting us. Please note that we cannot delete records that we are legally required to retain.

We do not sell your data to anyone. We share data only with the following sub-processors, each bound by a Data Processing Agreement (DPA), and only to the extent necessary:

• Amazon Web Services (AWS) — hosting and infrastructure, India (ap-south-1 Mumbai region).
• Razorpay — online payment processing (PCI-DSS certified), India.
• MSG91 — OTP SMS delivery, India.
• Mailgun / AWS SES — transactional email delivery.
• DigiLocker — Aadhaar/PAN KYC verification (MeitY Govt. of India).
• Sentry — error monitoring (headers and authorisation tokens are scrubbed before transmission).
• Legal obligations — we may disclose data when required by Indian law, court order, or government authority.

We provide 30 days' written notice before adding a new sub-processor. The current list is maintained at /sub-processors.

In accordance with the Digital Personal Data Protection Act 2023, we have appointed a Data Protection Officer (DPO) to handle all data-protection matters and respond to data principal requests.

If you are not satisfied with the response of our DPO, you may file a complaint with:

If the matter remains unresolved, data principals may approach the Data Protection Board of India under DPDP Act 2023 Section 27.

In the event of a personal data breach, we will:

• Notify the Data Protection Board of India within 72 hours of detection (DPDP Act Section 8(6)).
• Notify affected data principals without undue delay, with details of the breach, likely consequences, and mitigation measures.
• Maintain a public breach register at /security/breach-register.

As a user of iMark CRM, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (subject to legal retention requirements).
• Export your data in a machine-readable format.
• Withdraw consent for data processing at any time.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you via email or through a prominent notice within the CRM. We encourage you to review this page periodically.

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: