Privacy Policy

1. About this policy and who we are

Garood ("Garood", "we", "us") is a facilities-management software platform used by residential societies and their staff, committee members, vendors, and residents to manage assets, maintenance, breakdowns, preventive maintenance, and related records.

Garood is currently operated by Kapil B Vishnubhatla, an individual based in Hyderabad, Telangana, India, trading under the name "Garood." Garood is not yet incorporated as a company. When a company is formed, this policy will be updated to name that entity, and you will be notified.

This policy explains what personal data Garood handles, why, how it is stored, how long it is kept, and the rights available to you under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules).

Contact / Grievance point: Kapil B Vishnubhatla, hello@garood.com. You can write to this address with any question, request, or complaint about your personal data.

2. The two roles Garood plays (please read this first)

How your data is handled — and who is primarily responsible for it — depends on which data we are talking about.

(a) Data belonging to a society's operations — society is in control. When a residential society uses Garood, the society decides what member, staff, vendor, and resident information is entered into the platform and why. For this operational data, the society is the Data Fiduciary (the party that determines the purpose and means of processing), and Garood acts as a Data Processor — we store and process this data on the society's instructions to provide the service. If you are a resident, committee member, facility manager, or vendor of a society, your operational data falls in this category. For requests about this data, you should ordinarily approach your society first; we will also assist as described in Section 8.

(b) Data Garood collects to run its own service — Garood is in control. For information we collect to operate Garood itself — for example, the account and contact details of the person who administers a society's account, records of who agreed to our terms, and enquiries sent through our website — Garood is the Data Fiduciary. This policy is the notice for that data, and we are directly responsible for it.

Why this matters: for most resident, staff, and vendor data, the society is the responsible party and Garood follows its instructions. We have written this single policy to be transparent about both roles during the pilot.

3. Who uses Garood, and what data we handle

Garood is invitation-only. There is no open public sign-up. Access is extended by invitation in sequence — a Society Admin is set up first, who then invites Facility Managers, committee/treasurer/auditor roles, Vendor Managers, Vendor Technicians, and residents. Residents joining is voluntary.

Across all roles — Society Admins, Facility Managers, committee / treasurer / auditor roles, Vendor Managers, Vendor Technicians, and residents — the personal data Garood handles is limited to:

  • Name
  • Email address
  • Phone number
  • Role (e.g. facility manager, technician, resident)
  • Society and/or unit (apartment) association

In addition, the platform records:

  • Operational content you create — maintenance tickets, breakdown reports, complaints, preventive-maintenance entries, comments, and similar work records.
  • Audit and activity logs — for accountability, the system records who performed an action on an asset or record and when. These logs include the actor's name and role and a timestamp.

What Garood does NOT collect. Garood does not collect employee ID numbers, profile photographs, vehicle details, KYC documents, financial or payment data, health data, or biometric data. Garood does not process any data it considers sensitive in nature.

No payments through Garood (pilot). During this pilot, Garood does not process payments and does not integrate any payment gateway (such as UPI or a card processor). Any pilot fees are handled separately, outside the platform.

4. How we collect your data

  • By invitation and account creation. Most data is entered when a society sets up roles and invites people, and when invited users create their Garood account. Each user has a Garood-specific login created for the pilot; Garood does not use third-party social logins (such as "Sign in with Google").
  • From residents, voluntarily. Residents choose whether to participate.
  • From a complaint, with or without an account. A resident can raise a complaint about an asset either while logged in or without logging in. The information collected for a complaint is the minimum needed to act on it: name, apartment/unit identifier, and phone number. A logged-in resident does not re-enter these; they come from the account. When a complaint is submitted without an account, a notice is shown at the point of collection explaining what is collected and why, with a link to this policy.
  • Through the early-access form on our website (garood.com). When you request early access, we collect your name, email address, and city (required), along with an optional phone number, society / community name, and message, so that we can contact you about Garood.

5. Why we use your data (purposes)

We use the data above only to:

  • Provide the facilities-management service to the society — logging and tracking assets, breakdowns, tickets, preventive maintenance, and complaints;
  • Identify who performed an action, for accountability and audit integrity;
  • Communicate with you about the service (for example, invitations, account, and notifications);
  • Respond to early-access requests and enquiries you send us through the garood.com website;
  • Keep the service secure and operate it reliably;
  • Comply with applicable law.

We do not use your personal data for advertising, and we do not sell it.

6. Where your data is stored, and who else handles it

Garood operates two surfaces: the public marketing website at garood.com and the invitation-only app at app.garood.com. Different providers serve each, as set out below.

The Garood app (app.garood.com)

Primary storage. Garood's database is hosted on Supabase, in the South Asia (Mumbai) region (ap-south-1). Supabase runs its managed platform on Amazon Web Services (AWS); the underlying infrastructure for this region is AWS's Mumbai data centres.

Other service providers (sub-processors). To run the app we also use:

  • Vercel (operated by Vercel Inc.) — hosts the Garood web application. Like any web host, it processes technical information such as visitors' IP addresses in its server / edge logs.
  • Resend — used to send invitation, account, and notification emails (sent from the mail.garood.com sending domain). It processes the recipient address and email-delivery metadata for the emails it sends.

Analytics and monitoring. Garood does not currently use third-party analytics or error-monitoring tools.

The Garood marketing website (garood.com)

  • Hostinger — hosts the public marketing website. Like any web host, it processes standard server-log technical data, such as visitors' IP addresses.
  • Google (Apps Script & Google Sheets). The early-access form on garood.com submits the name, email, and city, along with the optional phone number, society / community name, and message you provide, to a Google Apps Script web app, which stores them in a Google Sheet owned by the operator; a notification email is also sent to the operator. Google acts as a sub-processor for this data.
  • Google Fonts. Both the website and the app load the "Inter" font from Google's servers. As a result, Google may receive visitors' IP addresses when the font loads.

Data location and transfers. Garood's core personal data (the app database) is stored in India (Mumbai). Some of the providers above — Vercel and Resend (for the app), and Google and Hostinger (for the website) — are operated by overseas providers and may process limited technical or contact data (such as server / edge-log IP addresses, email-delivery metadata, early-access form entries, and font-loading requests) outside India in the course of providing those services. No core personal data held in the app database is stored outside India. Under the DPDP framework, transfer of personal data outside India is currently permitted by default, except to countries the Government may restrict. We will update this policy if our providers or arrangements change.

7. How long we keep your data (retention)

We keep personal data only as long as it is needed for the purpose it was collected, with one deliberate distinction:

  • Contact details (phone number, email). Deleted when a user is removed from the platform or chooses to delete their profile. These are not retained after a person leaves a society or vendor.
  • Name and role. Retained as part of the asset and maintenance audit trail, even after a person leaves, because removing the actor from a historical record would destroy the integrity of "who did what, when" on an asset. This is the only personal data retained beyond a person's departure, and it is retained solely for audit and accountability, for the life of the asset.

Operational records (tickets, complaints, maintenance history) are retained for as long as the society's record needs them, subject to the above.

8. Your rights

Under the DPDP Act, you have the right to:

  • Access a summary of the personal data we hold about you and how it is processed;
  • Correct, complete, or update your personal data;
  • Erase your personal data where it is no longer needed (subject to the audit-trail exception in Section 7, where retention is necessary for a legitimate accountability purpose);
  • Grievance redressal — raise a complaint with us and have it addressed;
  • Nominate another individual to exercise your rights in the event of death or incapacity.

How to exercise them. If your data relates to a society's operations (Section 2(a)), please raise the request with your society, since the society directs how that data is used. You may also contact us at hello@garood.com and we will act on or forward the request as appropriate. For data where Garood is the Data Fiduciary (Section 2(b)), contact us directly.

We aim to respond to requests within a reasonable period.

9. Children

Garood is intended for adults — society members, staff, and vendors. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If we learn that we have collected a minor's data, we will delete it.

10. Security

We take reasonable measures to protect personal data, including role-based access controls and database-level access restrictions (row-level security) so that users see only the data appropriate to their role, individual Garood logins for each user, and reliance on the security controls of our infrastructure providers, including protection of data in transit. The production database is operated on a managed Supabase plan in the Mumbai region with automated daily backups.

No system is perfectly secure, and we cannot guarantee absolute security.

11. Data breaches

If a personal-data breach occurs, we will act in accordance with the DPDP Act and DPDP Rules, including notifying the Data Protection Board of India and affected individuals as required. Where Garood acts as a Data Processor for a society (Section 2(a)), we will assist and inform the society as the Data Fiduciary.

12. Changes to this policy

We may update this policy as Garood evolves — for example, when Garood is incorporated as a company, or when new features change what data we handle. Material changes will be notified to account holders, and the "Last updated" date above will change.

13. Contact

Questions, requests, or complaints about this policy or your personal data:
Kapil B Vishnubhatla — hello@garood.com.