XpertAuction

Privacy Policy

Effective date:3 July 2026  · Last updated: 3 July 2026

This Privacy Policy (“Policy”) describes how Navodayan Proptech Private Limited (CIN: U68100DL2024PTC433778), operating under the brand XpertAuction(the “Platform”, “we”, “us”, “our”) collects, uses, discloses, transfers, retains and secures your Personal Data, Sensitive Personal Data or Information (SPDI) and Digital Personal Data when you visit, register on, or transact through www.xpertauction.com, the XpertAuction mobile application, or any related service (collectively the “Service”).

This Policy is published in accordance with (a) Rule 3(1) of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 read with Section 43A of the Information Technology Act, 2000; (b) the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and any rules made thereunder as and when notified; and (c) the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

By registering, creating a bidder account, or otherwise accessing the Service, you signify that you have read, understood and unconditionally agree to be bound by this Policy, and that the sharing of your Personal Data as described here is essential to enable your participation in bank e-auctions under the Securitisation and Reconstruction of Financial Assets and Enforcement of Security Interest Act, 2002 (“SARFAESI Act”), the SARFAESI Rules, and applicable Reserve Bank of India (RBI) directions.

1. Nature of the Service

XpertAuction is a technology platform that hosts and aggregates e-auction listings for immovable assets, movable assets, business assets, non-performing loans and any other assets that our client banks, non-banking financial companies, asset reconstruction companies, housing finance companies, co-operative banks, and other financial institutions (collectively “Client(s)”) put up for public auction. We act as (a) an intermediary within the meaning of Section 2(1)(w) of the Information Technology Act, 2000 and (b) a Data Processor and, in limited scenarios, a Data Fiduciary within the meaning of the DPDP Act. The Client is the Data Fiduciary for auction-related regulatory filings and for KYC of the winning bidder.

2. Categories of Personal Data We Collect

Depending on how you interact with the Service, we collect the following categories of data:

  • Identity data:full name (as per PAN and Aadhaar), father's/husband's name, date of birth, gender, photograph, signature specimen, and Permanent Account Number (PAN).
  • Aadhaar & DigiLocker data: your Aadhaar number (masked, i.e. last four digits) captured via the DigiLocker consent flow operated by our identity verification partner. We do not store the full raw Aadhaar number. If you upload an Aadhaar image manually, we mask it before storage.
  • Contact data: email address, mobile number, residential and correspondence address, and pincode.
  • KYC document images: scanned or photographed copies of PAN card, Aadhaar (front and back), correspondence address proof, company incorporation documents, GST certificate, board resolution, and any other document required by the Client for the auction.
  • Biometric / face-match data: a live selfie used for face-match against your Aadhaar-linked photograph for liveness verification, processed via our identity partner. We store only the pass/fail result and confidence score; the selfie is retained solely for the audit period described in Section 8.
  • Financial data: bank account number, IFSC code, UPI VPA, Demand Draft / RTGS / NEFT / IMPS instrument details, EMD payment references, wallet ledger, Razorpay / payment gateway transaction identifiers, invoice details and GST details.
  • Bid data: quote amounts, declaration signatures, e-signed tender forms, bid amounts placed during live auctions, activity logs and timestamps.
  • Device & usage data: IP address, device identifier, operating system, browser type, application version, session cookies, activity logs, crash reports and approximate/precise location if you grant permission.
  • Communication data: SMS one-time passwords, WhatsApp Business template messages, email correspondence, helpline call recordings (where permitted by law and disclosed on the call).

3. Purposes and Lawful Basis

We process the data listed in Section 2 for one or more of the following purposes. Wherever the DPDP Act requires consent, we obtain it through explicit opt-in checkboxes and the DigiLocker/Aadhaar consent artefact. Wherever the processing is required by law or contract (for example, RBI KYC Master Directions, SARFAESI Rules, or the Client's tender terms), we rely on the “legitimate use” and legal obligation exceptions permitted under Section 7 of the DPDP Act:

  • Providing the Service, creating and maintaining your bidder account, and enabling participation in a specific auction.
  • Verifying your identity, KYC status and eligibility to participate in an auction under the SARFAESI Rules and the Client's tender document.
  • Collecting Earnest Money Deposit (EMD) via wallet or manual instrument, and forwarding it to the Client's designated escrow / nodal account.
  • Generating tender forms, capturing your Aadhaar-based electronic signature, and packaging the sealed bid for transmission to the Client.
  • Allowing you to bid in real time during the live auction window and recording every bid for audit.
  • Sharing your qualifying documents with the Client's Authorised Officer for pre-bid qualification review.
  • Complying with directions from RBI, SEBI, IRDAI, the Income Tax Department, the Enforcement Directorate, any court, tribunal or lawful authority.
  • Prevention of fraud, money laundering (PMLA, 2002), financing of terrorism, market manipulation, and other illegal activity, including reporting suspicious activity where required.
  • Sending transactional notifications (auction reminders, outbid alerts, qualification decisions, invoice delivery) over SMS, WhatsApp Business API, email and push notifications.
  • Product analytics, security audits, fraud pattern detection, and improvement of the Service.
  • Legal defence: establishing, exercising or defending our legal rights, including responding to disputes and grievances.

4. Sharing with Client Banks & Financial Institutions

When you register for a specific auction, you unconditionally authorise us to disclose all data required by the Client to perform the tender qualification, auction, sale confirmation and post-sale formalities under the SARFAESI Act. This includes your identity documents, KYC images, bid data, EMD proof, e-signed tender, and post-auction communications. The Client is entitled to further share this data with its auditors, legal counsel, regulators, and empanelled independent verification agencies. Once shared with the Client, the Client becomes an independent Data Fiduciary and its privacy practices apply.

5. Sharing with Sub-processors and Service Providers

We share data with the following categories of processors under written data processing terms:

  • Identity verification: SurePass Technologies (for DigiLocker Aadhaar consent, PAN verification, face-match and Aadhaar-based e-Sign).
  • Payment gateway: Razorpay (for wallet top-up, UPI, card and net-banking flows for EMD).
  • Cloud infrastructure & email/SMS/OTP: Google Cloud, Firebase, transactional SMS aggregators, and WhatsApp Business Solution Providers.
  • Analytics & crash telemetry: Firebase Analytics, Crashlytics and equivalent tools.
  • Professional advisors: chartered accountants, statutory auditors, and legal counsel bound by professional confidentiality.

We do not sell your Personal Data to advertisers, data brokers, or any third party.

6. Cross-border Transfers

Some of our sub-processors host infrastructure outside India (typically in the United States, European Union or Singapore). Where such transfer is necessary to provide the Service, we do so subject to (a) the sub-processor providing contractual data-protection commitments substantially equivalent to those under Indian law, and (b) any restriction notified by the Central Government under Section 16 of the DPDP Act.

7. Cookies, Local Storage and Analytics

We use strictly-necessary cookies for authentication and CSRF protection, functional cookies for preferences, and first-party analytics cookies to understand usage patterns. You may disable non-essential cookies through your browser settings; the Service will still function but some features may be limited.

8. Data Retention — Why Deletion is Restricted

Auction and KYC records cannot be deleted at your request. We are required, under our contractual obligations with the Client, the RBI KYC Master Direction, the SARFAESI Rules, the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and the Income Tax Act, 1961, to retain bid-related records, KYC documents, e-signed tender forms, audit trails and payment references for a minimum period of ten (10) years from the date of the auction (or such longer period as any regulator, court or Client may direct). The DPDP Act expressly permits retention of Personal Data where required by law or where the Data Fiduciary has a valid legitimate use. You acknowledge and agree that any request for erasure during this retention period will be denied to the extent it conflicts with the aforesaid retention obligations.

Data not covered by a legal retention obligation (for example, marketing preferences you have withdrawn, or a bidder account that never participated in any auction) may be deleted or anonymised on written request as described in Section 10.

9. Data Security

We apply reasonable security practices and procedures under the ISO/IEC 27001-family standard, including transport-layer encryption (HTTPS/TLS), encryption at rest for stored KYC documents, role-based access control, tamper-evident audit logs, and periodic security testing. Passwords are stored as salted hashes using industry-standard algorithms. Despite our best efforts, no method of transmission or storage is fully secure. In the event of a Personal Data Breach that is likely to cause harm to you, we will notify you and the Data Protection Board of India as required under Section 8(6) of the DPDP Act.

10. Your Rights and How to Exercise Them

Subject to Section 8 above and Sections 7 and 17 of the DPDP Act, you may exercise the following rights by written email to privacy@xpertauction.com:

  • Right to access a summary of the Personal Data we hold about you.
  • Right to correction of inaccurate or outdated Personal Data.
  • Right to withdraw consent for future processing that relies on consent. Withdrawal does not affect processing lawfully performed before withdrawal, and does not release you from any auction obligation.
  • Right to nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to grievance redressal by writing to our Grievance Officer (Section 13).

We will authenticate your identity before acting on any request. Frivolous, repetitive, or unreasonable requests may be refused with reasons.

11. Children and Minors

The Service is not intended for use by any person below the age of eighteen (18) years. By registering, you represent that you are an adult, of sound mind, and legally competent to enter into a binding contract under the Indian Contract Act, 1872. We do not knowingly collect Personal Data of minors; if we discover that we have inadvertently done so, we will delete such data.

12. Third-party Links

The Service may link to third-party websites (Client bank websites, government portals, payment pages, SurePass DigiLocker consent screen). We are not responsible for the privacy practices of those sites; please review their own privacy policies before submitting data to them.

13. Grievance Officer & Contact

In accordance with Rule 5(9) of the Information Technology (Reasonable Security Practices) Rules, 2011 and Rule 3(11) of the Intermediary Guidelines, 2021, our Grievance Officer can be contacted at:

Grievance Officer — XpertAuction
Navodayan Proptech Private Limited
Email: grievance@xpertauction.com
Phone: +91 99991 05933
Response time: within 15 days from receipt of complaint.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes in law, our practices, or the Service. The updated Policy will be posted on this page with a revised “Last updated” date. Material changes will be notified via email or in-app notice. Continued use of the Service after any change constitutes acceptance of the revised Policy.

15. Governing Law and Jurisdiction

This Policy is governed by the laws of India. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts and tribunals at New Delhi, without prejudice to the arbitration clause in the Terms & Conditions.