PRIVACY POLICY
Four Step Infra
Compliant with the Digital Personal Data Protection Act, 2023 (India)
Effective Date: 04 May 2026 | Version: 2.1
Four Step Infra (“Company,” “we,” “our,” or “us”) is a real estate development entity incorporated and operating in India, with its principal place of business in Vadodara, Gujarat. We are committed to protecting the privacy and personal data of every individual who interacts with us — whether as a website visitor, prospective investor, customer, broker, channel partner, employee, or other stakeholder.
This Privacy Policy (“Policy”) explains how we collect, store, use, share, disclose, transfer, and protect personal information in accordance with applicable Indian laws, including:
By accessing our Services, submitting an enquiry, providing personal information, or otherwise engaging with us, you confirm that you have read, understood, and consented to the practices described in this Policy. If you do not agree, please refrain from using our Services.
For the purposes of this Policy, the following terms shall have the meanings assigned below:
| Term | Meaning |
|---|---|
| Personal Data | Any data about an individual who is identifiable by, or in relation to, such data — as defined under the DPDP Act, 2023. |
| Sensitive Personal Data | Includes financial information (bank account details, PAN), passwords, biometric data, health information, and other categories specified under SPDI Rules. |
| Data Principal | The individual to whom personal data relates — i.e., you, the user. |
| Data Fiduciary | The entity which, alone or jointly with others, determines the purpose and means of processing personal data — i.e., Four Step Infra. |
| Data Processor | Any third party engaged by us to process personal data on our behalf, such as cloud hosting providers, CRM platforms, or payment gateways. |
| Processing | Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, alteration, transfer, or erasure. |
| Services | Our website, mobile app, sales offices, properties, marketing communications, and any related products or services offered by Four Step Infra. |
We collect personal data in three primary ways:
When you interact with us through enquiry forms, site visits, phone calls, WhatsApp messages, emails, or in-person meetings, you may provide:
For Non-Resident Indian (NRI), Person of Indian Origin (PIO), and Overseas Citizen of India (OCI) investors, we collect additional information as required under FEMA and RBI regulations:
When you visit our website or interact with our digital platforms, we automatically collect:
We may receive personal data about you from authorised third parties, including:
We process your personal data only for specified, explicit, and legitimate purposes. Our legal basis for processing under the DPDP Act, 2023 includes:
| Purpose | Description & Legal Basis |
|---|---|
| Service Delivery | Process enquiries, schedule site visits, allocate units, draft and execute Sale Agreements, manage construction milestones. (Basis: Contract performance + Consent) |
| Communication | Send transactional updates, payment receipts, possession notices, RERA-mandated communications, project completion notifications. (Basis: Legitimate interest + Legal obligation) |
| Marketing | Send promotional content about new projects, offers, market insights via email, WhatsApp, SMS — only with your explicit opt-in consent. (Basis: Consent) |
| KYC & Compliance | Verify identity for property transactions, comply with PMLA, FEMA, RBI, RERA, and Income Tax requirements. (Basis: Legal obligation) |
| Loan Processing | Share financial documents with partner banks for home loan applications. (Basis: Consent) |
| Fraud Prevention | Detect and prevent fraudulent transactions, identity theft, and unauthorized access. (Basis: Legitimate interest + Legal obligation) |
| Analytics | Analyse website usage, optimise marketing campaigns, improve user experience. Data is anonymised and aggregated where possible. (Basis: Legitimate interest) |
| Legal Defence | Establish, exercise, or defend legal claims; respond to court orders, regulatory inquiries, or government requests. (Basis: Legal obligation) |
We will not use your personal data for purposes beyond those stated above without obtaining fresh consent, except where required or permitted by law.
Under the DPDP Act, 2023, your consent is the primary basis for most processing activities. We are committed to obtaining and managing consent in a transparent and lawful manner:
You have the right to withdraw your consent at any time. To do so:
Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. Note that some processing is required to fulfill our contractual or legal obligations and cannot be opted out of (e.g., RERA-mandated communications, payment receipts).
Sensitive personal data (such as financial information, biometric data, or health data) is processed only with your express written consent and only when strictly necessary for the specified purpose.
We do NOT sell your personal data. However, we may share your information in the following limited circumstances:
Our website uses cookies and similar tracking technologies to enhance your browsing experience and analyse site performance. Below is a summary of what we use:
| Cookie Category | Purpose | Opt-Out Available? |
|---|---|---|
| Essential | Required for the website to function — page navigation, form submissions, security features, session management. | No (required for service) |
| Analytics | Help us understand visitor behaviour through Google Analytics 4, Microsoft Clarity. Data is anonymised. | Yes |
| Marketing | Used by Meta Pixel, Google Ads, LinkedIn Insight Tag to show relevant advertisements on other platforms. | Yes |
| Functional | Remember language preferences, form data, login state to improve user experience. | Yes |
You can manage cookies through:
Note: Disabling certain cookies may impact website functionality (e.g., contact forms, language preferences may not save).
We implement industry-standard organisational, technical, and physical security measures to protect your personal data:
In the event of a personal data breach affecting your data, we will:
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Policy or to comply with legal, accounting, or reporting requirements:
| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Enquiry & Lead Data | Up to 24 months from last interaction, then anonymised | Legitimate interest + Consent |
| Customer Records | Term of investment + 7 years post-transaction | Income Tax Act, 1961 |
| Financial Documents | 8 years after transaction completion | Companies Act, 2013 + IT Act |
| KYC Documents | Minimum 5 years post-relationship | PMLA, 2002 |
| Marketing Subscriptions | Until unsubscribed; deleted within 30 days thereafter | Consent |
| Website Analytics | Aggregated data: indefinite. Individual identifiers: 26 months | Legitimate interest |
| Call Recordings | 12 months from date of call | Legitimate interest + Consent |
| Employee Records | Throughout employment + 7 years thereafter | Labour & Tax Laws |
After the applicable retention period, your personal data is securely deleted, anonymised, or aggregated such that you can no longer be identified.
Under the DPDP Act, 2023 and other applicable laws, you have the following rights regarding your personal data:
You may request a summary of personal data we hold about you and the processing activities undertaken with that data.
You may request correction of inaccurate or misleading data, completion of incomplete data, or erasure of data that is no longer necessary for the purpose it was collected.
As detailed in Section 5.2, you may withdraw your consent for processing at any time.
You may file a grievance with our designated Grievance Officer (see Section 14) or escalate to the Data Protection Board of India.
You may nominate another individual to exercise your rights in case of your death or incapacity, as permitted under the DPDP Act.
To exercise any of these rights:
We will respond within 30 days of receiving a verified request. For complex requests, this period may be extended by an additional 30 days, with notice to you.
There is no fee for exercising these rights, except where requests are manifestly unfounded, excessive, or repetitive — in which case we may charge a reasonable administrative fee or refuse to act on the request.
Our Services are intended for individuals aged 18 years and above. In compliance with the DPDP Act, 2023:
Parents or guardians who believe their child has provided personal information to us may contact privacy@floralwhite-worm-742126.hostingersite.com for immediate removal.
Most of our data processing occurs within India. However, in limited cases, your personal data may be transferred outside India for processing:
All cross-border transfers are conducted in accordance with the DPDP Act, 2023 and only to countries notified by the Central Government as offering adequate protection. Where we transfer data internationally, we ensure equivalent privacy protections through:
Our website and communications may contain links to third-party websites, social media platforms, bank loan portals, property aggregators, and other external services. Examples include:
This Privacy Policy does NOT apply to those external sites. Once you click an external link, our policies no longer govern your interaction. We encourage you to review the privacy policies of every external service before sharing personal information.
Four Step Infra is not responsible for the content, security, or privacy practices of third-party platforms.
In compliance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the DPDP Act, 2023, we have designated a Grievance Officer to address your privacy concerns:
If you are unsatisfied with our response or believe your rights have been violated, you may escalate the matter to the Data Protection Board of India, established under the DPDP Act, 2023.
We may update this Privacy Policy from time to time to reflect:
When we make material changes:
We encourage you to review this Policy periodically. Your continued use of our Services after changes are posted constitutes acceptance of the revised terms.
If you have any questions, concerns, or feedback about this Privacy Policy or our data handling practices, please reach out using any of the following channels:
This Privacy Policy and any disputes arising from or related to it shall be governed by and construed in accordance with the laws of India, without regard to its conflict of laws principles. All disputes shall be subject to the exclusive jurisdiction of the competent courts in Vadodara, Gujarat, India.
By using our Services, you confirm that:
