Privacy Policy

FIRST LIVINGSPACES PRIVATE LIMITED
(formerly known as ‘TCG Livingspaces Private Limited’)

Policy Effective Date: 02nd May 2024
Revision Effective Date: 27th February 2026

No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying or recording, for any purpose without express written permission of First Livingspaces Private Limited.

© 2024, First Livingspaces Private Limited. All Rights Reserved.

Version History

Ver No.Change DescriptionPrepared ByReviewed ByApproved ByDate
FLS/LEG/POL/PRP/V1.New PolicyTaher Ali (Legal)Taher Ali (Legal)NA02nd May 2024
FLS/LEG/POL/PRP/V2Revised PolicyTaher Ali (Legal)Taher Ali (Legal)Taher Ali27th Feb 2026

Last Updated: 27th February 2026

This Privacy Policy (“Policy”) describes how First Livingspaces Private Limited (formerly known as TCG Livingspaces Private Limited) (“Company”, “we”, “us”, “our”) collects, uses, processes, stores, shares and protects personal data in connection with the use of Sirrus.ai (“Platform”).

This Policy is published in accordance with the provisions of:

  1. The Digital Personal Data Protection Act, 2023 (“DPDPA”)
  2. The Information Technology Act, 2000
  3. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
  4. Other applicable laws in India

By accessing or using the Platform, you acknowledge that you have read and understood this Policy.

1. SCOPE AND ROLE UNDER DPDPA

1.1 Definitions

Customer means the legal entity that has entered into a Master Services Agreement (“MSA”) with the Company.

Permitted User means an identified or identifiable natural person authorised by the Customer to access and use the Platform.

Personal Data means any data about an individual who is identifiable by or in relation to such data.

1.2 Our Role

(A) When We Act as Data Fiduciary

The Company acts as a Data Fiduciary under DPDPA in respect of:

  1. Personal data of Permitted Users
  2. Website visitors
  3. Individuals interacting with us for sales, marketing, or support

(B) When We Act as Data Processor

The Company acts as a Data Processor in respect of:

  1. Personal data uploaded, hosted, or processed on the Platform by the Customer
  2. Personal data of Customer’s employees, clients, or end-users

In such cases:

  1. The Customer acts as the Data Fiduciary.
  2. The Company processes such personal data strictly in accordance with the Customer’s documented instructions and applicable law.

Data Principal rights concerning such data must be exercised directly with the Customer.

2. PERSONAL DATA WE COLLECT (AS DATA FIDUCIARY)

We collect the following categories of Personal Data:

2.1 Account & Registration Information

  1. Name
  2. Official email address
  3. Phone number
  4. Designation
  5. Organisation details
  6. Login credentials

Where required for compliance or verification:

  1. Business registration documents
  2. PAN (where legally required)
  3. GSTIN (if applicable)

We collect only such data as is necessary for account creation, verification, contractual performance, or compliance.

2.2 Technical & Usage Data

  1. IP address
  2. Browser type
  3. Device information
  4. Log files
  5. Access timestamps
  6. Clickstream data
  7. System diagnostics

This is collected for:

  1. Security
  2. Fraud prevention
  3. System optimisation
  4. Performance monitoring

2.3 Location Data

We may collect approximate location information derived from IP address for security and analytics purposes.

Precise GPS location is not collected unless explicitly enabled and consented to.

2.4 Payment Information

Where payments are processed:

  1. Payment details are processed through authorised third-party payment service providers.
  2. We do not store full credit/debit card details.
  3. Financial data is handled in accordance with applicable security standards.

2.5 Cookies and Tracking Technologies

We use:

  1. Essential cookies (necessary for functionality)
  2. Analytics cookies (to improve services)
  3. Marketing cookies (only with explicit consent)

You may manage cookie preferences through the cookie consent tool available on the Platform.

3. PURPOSES AND LEGAL BASIS OF PROCESSING

We process Personal Data only for lawful purposes under DPDPA, including:

(a) Performance of Contract

  1. Account setup and management
  2. Providing Services under the MSA
  3. Customer support

(b) Compliance with Legal Obligations

  1. Statutory record keeping
  2. Regulatory compliance
  3. Responding to lawful government requests

(c) Legitimate Uses (as permitted under DPDPA)

  1. Network security
  2. Fraud detection
  3. Prevention of misuse
  4. Business continuity

(d) Consent-Based Processing

  1. Direct marketing communications
  2. Promotional offers
  3. Use of marketing cookies
  4. Interest-based advertisements

You may withdraw consent at any time.

4. DIRECT MARKETING

We may send service-related communications as part of contractual performance.

Marketing communications are sent only with your consent.

You may opt out of marketing communications at any time by:

  1. Using the unsubscribe link
  2. Adjusting preferences within the Platform
  3. Contacting the Grievance Officer

Withdrawal of marketing consent will not affect service-related communications.

5. SHARING OF PERSONAL DATA

We may share Personal Data with:

5.1 Group Entities

For internal administration, security, and service delivery.

5.2 Service Providers

Including:

  1. Cloud hosting providers
  2. Payment processors
  3. Communication service providers
  4. Analytics providers

All service providers are bound by contractual data protection obligations.

5.3 Legal Authorities

Where required by applicable law or lawful order.

5.4 Corporate Transactions

In case of merger, acquisition, restructuring, or sale of assets, subject to confidentiality and applicable law.

We do not sell Personal Data.

6. CROSS-BORDER TRANSFERS

Personal Data may be transferred outside India where necessary for service delivery.

Such transfers shall be undertaken:

  1. In accordance with Section 16 of DPDPA
  2. Subject to Government of India restrictions (if any)
  3. With appropriate contractual safeguards

7. DATA RETENTION

We retain Personal Data only for as long as necessary to:

  1. Fulfil the purpose for which it was collected
  2. Comply with legal obligations
  3. Resolve disputes
  4. Enforce agreements

Upon expiry of retention periods:

  1. Data is deleted or anonymised.

Where acting as Data Processor, data retention is governed by the Customer’s instructions.

8. SECURITY SAFEGUARDS

We implement reasonable security safeguards as required under DPDPA and the IT Act, including:

  1. Access controls
  2. Encryption (where appropriate)
  3. Secure cloud infrastructure
  4. Role-based access management
  5. Periodic security reviews

In the event of a personal data breach:

We will notify the Data Protection Board of India and affected Data Principals as required under applicable law. Where Personal Data is shared with third parties, they are contractually required to process it only as instructed and in compliance with applicable law. If we become aware of any misuse or unauthorized processing, we will take appropriate remedial action, including corrective measures, suspension or termination of engagement, and notification to affected individuals or authorities where required.

9. RIGHTS OF DATA PRINCIPALS

Subject to applicable law, you have the right to:

  1. Obtain confirmation and access to your Personal Data
  2. Seek correction or updating of the inaccurate data
  3. Request erasure of Personal Data
  4. Withdraw consent (where processing is based on consent)
  5. Nominate an individual to exercise rights in case of death or incapacity
  6. Seek grievance redressal

Requests may be submitted through the Platform or to the Grievance Officer.

We may verify identity before processing requests.

10. WITHDRAWAL OF CONSENT

You may withdraw consent at any time.

Withdrawal shall not affect the lawfulness of processing prior to withdrawal.

Where withdrawal makes service delivery impossible, certain functionalities may be discontinued.

11. CHILDREN’S DATA

The Platform is not intended for individuals below 18 years of age.

We do not knowingly collect Personal Data from children.

If we become aware of such collection, we will take steps to delete the data.

12. UNSOLICITED INFORMATION

Any Personal Data received without request shall be processed in accordance with applicable data protection laws.

We do not claim unrestricted rights over unsolicited Personal Data.

13. CHANGES TO THIS POLICY

We may update this Policy periodically.

Material changes will be notified via:

  1. Email (where applicable), or
  2. Notice on the Platform.

Continued use of the Platform after updates constitutes acceptance of the revised Policy.

14. Approval of New Data Collection Mechanisms

Prior to introducing any new mechanism for collecting Personal Data (including new products, features, forms, integrations, analytics tools, or third-party platforms), the Company shall conduct an internal review.

The proposed mechanism shall be reviewed and approved by:

  1. Head Legal (for lawful basis, purpose limitation, consent, and policy alignment);
  2. Chief Technology Officer (for security and data minimisation); and
  3. Relevant Business / Product Head (for necessity and proportionality).

Where the new mechanism materially changes the nature, purpose, or scope of processing, the Privacy Policy and relevant notices shall be updated prior to or at the time of implementation. All approvals shall be documented and maintained as part of the Company’s internal compliance records.

15. GRIEVANCE REDRESSAL

In accordance with DPDPA and the IT Act, the Grievance Officer details are:

Name: Punit Pande
Designation: Head of Operations
Email: grievanceofficer.fls@tcgre.com

We will acknowledge grievances within a reasonable time and endeavour to resolve them within 30 days.

If you are not satisfied with the resolution, you may approach the Data Protection Board of India as per applicable law.

16. Identity Verification

To protect Personal Data, the Company verifies the identity of individuals before processing requests relating to access, correction, erasure, or grievance redressal. Verification may be carried out through:

  1. Account login authentication.
  2. OTP to registered email or mobile number.
  3. Matching account-linked information; or
  4. Limited supporting documentation, where reasonably necessary.

The level of verification shall be proportionate to the sensitivity of the Personal Data involved. Information collected for verification is used solely for authentication and retained only as required for compliance purposes.

Under the Digital Personal Data Protection Act, 2023, you may request access, correction, erasure, withdrawal of consent, grievance redressal, and nomination. Requests will be processed within legal timelines subject to identity verification. We may deny requests where required by law, statutory retention applies, exemptions are invoked, identity cannot be verified, or the request is unfounded or excessive. Where your Personal Data is corrected, updated, or erased pursuant to a valid request, we shall take reasonable steps to communicate such correction or erasure to relevant third parties or Data Processors with whom the data has been shared, where such communication is required under applicable law and is technically feasible and proportionate.

17. Privacy Policy Governance

  1. Review of Policy: This Privacy Policy is reviewed at least once every financial year and additionally upon any material change in data processing practices, introduction of new products or services, engagement of new critical data processors, regulatory amendments, or occurrence of a data breach.
  2. Responsibility: Head Legal acts as the Policy Owner and is responsible for drafting, reviewing, and updating this, Policy. The Chief Technology Officer (CTO) or officer responsible for equivalent role validates technical and security-related disclosures. Relevant functional heads confirm accuracy of operational data processing practices.
  3. Approval: All updates to this Policy are subject to internal review and approval by Head Legal.
  4. Version Control: Each version of this Policy includes a version number, effective date, and summary of material changes. An internal change log is maintained documenting all revisions and approvals.
  5. Publication and Communication: Upon approval, the updated Policy is published on the Company’s website and/or platform. Where required under applicable law, users will be notified of material changes.
  6. Documentation and Retention: All historical versions of this Policy, approval records, and change logs are securely maintained for a minimum period of eight (8) years or such longer period as required under applicable law.

18. CONTACT US

For any privacy-related queries, please contact:

grievanceofficer.fls@tcgre.com

- End of Privacy Policy -