01
Who we are
Rukiye Zara is a curated short-stay booking platform operated by Rukiyation Hospitality LLP, registered in India. We operate the Rukiye Zara website, mobile application, and hospitality software (PMS, Booking Engine, Channel Manager, and related tools).
For this Privacy Policy, Rukiyation Hospitality LLP is the data fiduciary responsible for personal data processed through our platform.
Registered address: No. 55, Second Floor, Saidulajaib, New Delhi, South Delhi, Delhi — 110030, India.
02
Who this applies to
This policy applies to everyone who interacts with Rukiye Zara in any of these roles:
| Who | Description |
|---|---|
| Guests | Anyone who browses, registers, or books through the Rukiye Zara platform or app. |
| Elite Hosts | Property owners or managers onboarded to the marketplace under the Elite Host programme. |
| Paid software hosts | Hosts who subscribe to our PMS, Booking Engine, Channel Manager, or add-on tools as paying customers. |
| Website visitors | Anyone who visits www.rukiyezara.com without creating an account. |
Some hosts may be both Elite Hosts and paid software customers. Where it matters, this policy clarifies what applies to each group.
03
Data we collect
Guests
- Identity: Name, email, phone number.
- Booking: Dates, property, guest count, payment status, reservation history.
- Payment: Transaction reference and status. Card details are processed by our payment gateway (Cashfree); we do not store full card numbers on our servers.
- Device & usage: IP address, device type, OS, browser, and pages visited on the website.
Elite Hosts
- Identity & business: Name, business name, email, phone, registered address.
- Property: Descriptions, photos, rooms, amenities, availability, pricing, house rules.
- Financial: Bank details for payouts, PAN, GSTIN where applicable, tax registrations.
- Performance: Reservations, earnings, reviews, cancellations.
Paid software hosts
- Everything listed for Elite Hosts where relevant.
- Subscription: Plan, billing, invoices.
- Operational: Data entered in PMS, Booking Engine, or Channel Manager (inventory, pricing, reservations, channel mappings).
All users (automatic)
- Website analytics: Pages, session duration, clicks — via Google Analytics and Microsoft Clarity on the website only (not in the mobile app).
- Device: Storage access (hosts uploading listing photos), vibration (notification feedback), OS version.
- Verification: SMS OTP and email codes processed in real time; not retained beyond the verification event.
Payment cards: Rukiye Zara does not store or access your full card details. Cashfree Payments (PCI-DSS compliant) handles card transactions; we receive status and reference identifiers only.
04
How we use your data
Core platform
- Bookings, payments, and reservation management.
- Identity verification and fraud prevention.
- Communication between guests and hosts.
- Host payouts and software subscription billing.
- Providing and improving PMS, Booking Engine, and Channel Manager.
Safety & legal
- Compliance with Indian law, tax, KYC, and the Digital Personal Data Protection Act 2023.
- Disputes, chargebacks, and misuse investigations.
- Lawful requests from government or regulators.
Improvement
- Usage analysis, bug fixes, and feature quality.
- Performance and reliability monitoring.
- Internal research and QA.
Communications
- Transactional: confirmations, receipts, support.
- Service: policy updates, account alerts, payout status.
- Where you have not opted out: promotional or informational email or WhatsApp messages.
05
Data sharing
We do not sell personal data. We share it only as follows:
Between guests and hosts
- After a booking is confirmed, we share the guest's name and contact details with the host.
- Guests see property details, rules, and cancellation terms as part of booking.
Service providers
- Cashfree Payments — payments and host payouts.
- Google Analytics & Tag Manager — website analytics (website only).
- Microsoft Clarity — session behaviour (website only).
- Brevo (Sendinblue) — email delivery.
- AiSensy / WhatsApp Business API — WhatsApp messages.
- SMS gateway — OTP verification.
- Cloud / infrastructure — hosting and operations.
Authorities
- When required by law, court order, or lawful regulatory request.
- When we reasonably believe disclosure protects people, property, or the public.
Processors who handle data on our behalf may only use it for the purposes we specify and in line with this policy.
06
Third-party services
Each provider has its own privacy policy. We are not responsible for their practices; please read their terms.
| Service | Purpose | Data involved |
|---|---|---|
| Cashfree Payments | Payments & payouts | Transactions, bank details (hosts), KYC |
| Google Analytics | Website analytics | Anonymised usage, device, session |
| Google Tag Manager | Tag management | Loads analytics scripts (website only) |
| Microsoft Clarity | Session analytics | Anonymised recordings (website only) |
| Brevo | Email delivery | Name, email |
| SMS gateway | OTP | Phone (ephemeral) |
| OTA / channel APIs | Channel sync | Inventory, pricing, availability |
07
App permissions (Android)
The app may request:
| Permission | Why |
|---|---|
| Storage | Hosts upload listing photos from the device. Not used for guest data storage. |
| Vibration | Haptic feedback for notifications such as bookings. |
We do not require camera, microphone, contacts, location, or call logs. You can revoke permissions in device settings; some features may stop working.
09
Data retention
We keep data only as long as needed for the purpose collected or as the law requires.
| Data type | Period |
|---|---|
| Guest bookings | 7 years from booking (accounting / legal) |
| Guest identity / KYC | As required by law or while the account is active, whichever is longer |
| Host PMS / operational data | While active + up to 90 days after closure for export |
| Host financial / payouts | 7 years from transaction (tax / GST) |
| Analytics | Up to ~26 months or as configured |
| SMS OTP | Ephemeral — not stored beyond verification |
| Support threads | 3 years from last interaction |
After retention, data is deleted or anonymised. Where law blocks immediate deletion, we restrict use until deletion is allowed.
10
Your rights
Under the DPDP Act 2023 and other applicable Indian law, you may have rights including:
- Access — copy of your personal data.
- Correction — fix inaccurate or incomplete data.
- Erasure — request deletion, subject to legal and operational limits (see section 11).
- Withdraw consent — where processing is consent-based; past processing is unaffected.
- Grievance — contact support if you believe data was mishandled.
- Nomination — you may nominate someone to exercise your rights on death or incapacity, as the Act allows.
Email support@rukiyezara.com with your account details and request. We respond within a reasonable timeframe and within any statutory deadline.
11
Account & data deletion
Request deletion via rukiyezara.com/delete-account or email support@rukiyezara.com with the subject "Account Deletion Request" and your registered email or phone.
Important: Bookings, listings, payouts, and legal records are linked. We cannot delete everything instantly. Some data must be kept for reservations, GST, disputes, and compliance.
When we accept a request, we will:
- Acknowledge within 7 working days.
- Deactivate the account from active use promptly.
- Delete or anonymise data that is no longer required.
- Retain what the law requires, then delete after that period.
- Tell you if anything cannot be deleted yet and why.
If you have active trips, bookings, or payouts, we may ask you to resolve those first.
12
Minors
We do not knowingly collect data from people under 18. The platform is for adults.
Guests under 18 must stay with a legal guardian, who is responsible for the stay and for any data submitted about the minor.
If we learn we collected a child's data without proper guardian consent, we delete it. Report concerns to support@rukiyezara.com.
13
Communications & marketing
Transactional
We send essential messages (confirmations, receipts, payouts, OTPs, security alerts) regardless of marketing preferences.
Email marketing
We may send offers or updates. Unsubscribe from any marketing email or contact support to opt out.
SMS
SMS is for OTP verification only — not marketing.
14
Data security
We use technical and organisational measures appropriate to the risk, including:
- HTTPS/TLS in transit.
- Role-based access for staff.
- Token-based app authentication.
- PCI-DSS compliant payment processors.
- Monitoring and security reviews.
No system is perfectly secure. If a breach is likely to affect you, we will notify you as required by law.
15
Changes to this policy
We may update this policy to reflect changes in practices, technology, law, or operations. For material changes we will:
- Update the "Last updated" date on this page.
- Notify registered users by email or in-app notice when handling of their data changes materially.
Continued use after an update means you accept the revised policy. If you disagree with a material change, you may request account deletion (section 11).
16
Contact & grievances
For privacy questions, data requests, or grievances, contact Rukiye Zara Support. We aim to acknowledge requests within 7 working days.
Phone
Registered address
No. 55, Second Floor, Saidulajaib,
New Delhi, South Delhi,
Delhi — 110030, India
Operating entity
Rukiyation Hospitality LLP
If you are not satisfied with our response, you may later approach the Data Protection Board of India once constituted under the DPDP Act 2023, or another competent authority under applicable law.
This Privacy Policy applies to www.rukiyezara.com, the Rukiye Zara mobile app, and related software operated by Rukiyation Hospitality LLP. For host operational policies, see our Policies page.
