Privacy policy and consent notice.

About this notice.

99sqyd takes the privacy of its members, principals and visitors seriously. The nature of our service — verifying identity, evaluating accreditation, facilitating large-ticket property transactions, and curating off-market opportunities — means we necessarily handle a meaningful amount of personal and financial information about you. This notice sets out, in plain terms, what we collect, why, how long we keep it, who we share it with, and the choices you have.

This notice should be read together with our Terms & Conditions and Disclaimer, which together govern your use of the Platform. Defined terms not explained here have the meanings given in those documents.

By using the Site, the App, the member portal, the data room, the concierge desk, our WhatsApp number or any other service offered by 99sqyd, you confirm that you have read, understood and consented to the collection, processing and use of your personal data as described in this notice, to the extent such consent is required under applicable law.

Who we are and how to contact us.

For the purposes of the Digital Personal Data Protection Act, 2023 (the “DPDP Act”) and the Information Technology Act, 2000 with rules thereunder, the Data Fiduciary in respect of personal data processed through the Platform is:

• Entity: Skill Block LLP (operating the 99sqyd platform)
• Registered office: 405, JMD Suburbio 2, Sector 67, Gurugram, Haryana 122102, India
• Email: privacy@99sqyd.com (data protection enquiries) · info@99sqyd.com (general)
• Phone: +91 70424 33099
• Grievance Officer / DPO contact: see Section 20

For privacy enquiries, please use the dedicated privacy@99sqyd.com mailbox in the first instance — this routes directly to the Grievance Officer's queue and is the fastest way to have a privacy matter addressed.

Key terms used in this notice.

• You / Data Principal: the natural person to whom personal data relates — whether you are a visitor, a member, an NRI principal, a seller, a family-office representative, an authorised signatory or a partner contact.
• Personal Data: any data about you by which you are identified or identifiable, whether directly or in combination with other information.
• Sensitive Personal Data or Information (SPDI): the categories of personal data classified as “sensitive” under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, including financial information, biometric data and certain identifiers.
• Processing: any operation performed on personal data, including collection, storage, organisation, use, disclosure, transfer, retention and erasure.
• Data Fiduciary: the entity that determines the purpose and means of processing — in this notice, Skill Block LLP / 99sqyd.
• Data Processor: a third party that processes personal data on behalf of a Data Fiduciary — for instance, our cloud hosting provider, KYC verification provider, payment processor, email or SMS gateway, or analytics partner.
• Consent Manager: a person registered with the Data Protection Board of India to enable Data Principals to give, manage, review and withdraw consent through an accessible, transparent and interoperable platform.

Personal data we collect.

The categories of personal data we collect, and what each typically contains, are summarised below. We do not collect more data than we need for a stated purpose, and not every member will provide every category — the data we ask for depends on the membership tier, the type of transaction and the level of verification required.

You are not under any statutory obligation to provide most of the above — but if you do not provide identity, contact and verification information when requested, we may not be able to register you, grant access to off-market inventory, list your property, or facilitate a transaction.

How we obtain your personal data.

We obtain personal data about you from the following sources:

• Directly from you — when you submit an invitation request, register an account, fill an enquiry form, upload documents to the data room, list a property, schedule a viewing, attend a private event, or correspond with us by email, WhatsApp, telephone or in person.
• From your devices — through cookies, log files, mobile-app SDKs and similar technologies that record technical and behavioural data when you interact with the Site or the App (see Section 10).
• From third-party verification services — we use regulated KYC providers (for example, providers that use NSDL, UIDAI, CKYCR or other accredited rails) to verify the documents you submit. Such providers return verification results to us.
• From public records — RERA Authority websites, Sub-Registrar records, MCA filings, court records, sanctions lists, media reports, and similar sources, where consulted as part of due diligence on listings, members or counterparties.
• From referrers — where an existing member, channel partner, developer or service partner introduces you to us, that referrer may share basic identity and contact information.
• From third-party platforms — if you connect a third-party account (for example, when you message us via WhatsApp Business, click a Google or LinkedIn advertisement, or accept an email-calendar invitation), we may receive limited information about that interaction.

Why we process your personal data.

We process personal data for specific, lawful and clearly identified purposes, and only on a lawful basis under the DPDP Act — that is, with your consent, for the performance of a contract with you, to comply with a legal obligation, or for a recognised legitimate use. The principal purposes are:

• To operate the Platform and your account — account registration, authentication, authorisation, tier management, member-portal access, dashboard personalisation.
• To verify your identity, accreditation and source of funds — KYC, AML and sanctions screening, net-worth verification, beneficial-owner identification, FATCA / CRS classification where applicable. These activities also fulfil our legal obligations under the Prevention of Money Laundering Act, 2002, RBI directions and other applicable law.
• To facilitate transactions and introductions — arranging viewings, exchanging documents through the data room, executing NDAs, coordinating with sellers, lawyers, accountants, lenders, escrow agents and other partners.
• To deliver concierge and relationship-manager services — including assignment of a dedicated RM, maintaining service notes, handling enquiries.
• To curate inventory and intelligence for you — recommending listings, sending the weekly intelligence briefing, alerts on saved searches, and bespoke notes to your stated investment thesis.
• To process payments and invoices — collecting membership and transaction fees, issuing GST-compliant invoices, applying TDS, tracking dues.
• To send service communications — transactional alerts, account notices, security warnings, statutory communications, viewing confirmations, document-ready notifications.
• To send marketing communications — new launches, off-market drops, private events, the journal — only where you have provided consent. You may withdraw such consent at any time (Section 11).
• To detect, prevent and investigate fraud, misuse and security incidents — including unauthorised access, scraping, off-market circumvention, money laundering or impersonation.
• To comply with legal and regulatory obligations — including record-keeping under the Income-tax Act, 1961, response to subpoenas, court orders, RBI / FIU-IND requests, and regulatory inspections.
• To defend and enforce legal claims — including arbitration, litigation, recovery of dues, enforcement of anti-circumvention undertakings.
• To improve the Platform — through usage analytics, A/B testing, debugging, capacity planning. Wherever feasible, we use anonymised or aggregated data for these purposes.
• For business transfers — in the event of a merger, restructuring, sale or transfer of all or part of Skill Block LLP's business.

AI, profiling and automated processing.

Parts of the Platform make use of statistical models, ranking algorithms and AI-assisted tooling. Specifically:

• AI valuation and Investment Score: we use models trained on historical transactions, listing data, builder track-record signals and micro-market indices to generate indicative valuations, projected IRRs and the “Investment Score” that appears on certain listings.
• Personalised recommendations: based on the listings you view, save and compare, and the parameters of your saved searches, we may recommend other listings that we consider relevant to your stated thesis.
• Risk and fraud signals: we use automated checks to flag unusual sign-in patterns, suspected scraping, and behaviour suggesting circumvention of off-market undertakings.

Decisions that produce significant legal or material effects on you (for example, a decision to suspend your membership, to refuse access to off-market inventory, or to reject a listing) are not taken by automated means alone — a human reviewer is in the loop and you may request the human review of any such decision by writing to privacy@99sqyd.com.

You can read more about the limits of AI valuations and Investment Scores in our Disclaimer.

Sharing your personal data.

We share your personal data only with the categories of recipients listed below, and only to the extent necessary for the stated purpose. We do not sell, rent or trade your personal data to anyone.

• Sellers, developers and channel partners — where you have expressed interest in a specific listing, we may share your name, contact details, broad ticket-size range and qualification status with the relevant seller or partner so they can prepare for a viewing or send a data pack. We do not share your KYC documents or financial accreditation evidence with sellers without your explicit consent.
• Buyers (for Sellers) — with your permission as a Seller, we may share certain listing details and, where you have consented, your contact details, with verified buyer-members or their authorised representatives.
• Empanelled professionals and partner network — lawyers, chartered accountants, tax advisors, property valuers, architects, interior designers, property managers, lenders, escrow agents and private bankers, where you have requested an introduction or where their input is needed to progress a transaction.
• KYC and verification providers — regulated KYC service providers that verify documents you submit. These are bound by confidentiality and data-protection obligations.
• Payment, banking and escrow partners — where applicable to a transaction or to fee collection.
• Communication infrastructure providers — WhatsApp Business API providers, SMS gateways, email service providers, calendar integrations.
• Hosting and IT service providers — cloud infrastructure, content-delivery network, database, file storage, identity management, application monitoring and security tooling.
• Analytics providers — for measurement and improvement of the Platform (see Section 10).
• Professional advisors — our own legal counsel, auditors, tax advisors and insurance providers, on a confidential basis.
• Government authorities, regulators and courts — where we are required to disclose by law, court order, regulatory direction (including from the Data Protection Board of India, the Reserve Bank of India, FIU-IND, the Income-tax Department, the Enforcement Directorate, the SEBI, or any State RERA Authority) or to protect the safety, rights or property of 99sqyd, our members, our staff or the public.
• Acquirers and merger counterparties — in the context of a corporate transaction, where the counterparty is bound by equivalent confidentiality obligations.

All Data Processors engaged by us are required, by contract, to process personal data only on our instructions, to maintain reasonable security practices, and to assist us in responding to Data Principal rights and breach situations.

International and cross-border transfers.

The Platform is primarily hosted in India. However, in the ordinary course of operating a Platform that serves NRI investors and relies on global software infrastructure, personal data may be transferred to, accessed from, or processed in jurisdictions outside India. Specifically:

• Certain cloud, analytics, communications and security service providers may store or process data on infrastructure located outside India (typically Singapore, the European Union or the United States).
• If you are an NRI member residing outside India, your interaction with the Platform involves data flows between your country of residence and India.
• Where you are introduced to an overseas advisor (for example, a tax counsel in your country of residence), data relevant to that introduction will be transferred to that advisor.

Any cross-border transfer is conducted in accordance with Section 16 of the DPDP Act and any restrictions notified by the Central Government from time to time. Where data is transferred to a Data Processor outside India, we put in place appropriate contractual safeguards designed to ensure that the data continues to be protected to a standard equivalent to that required under Indian law.

If you wish to know specifically which Data Processors we use and where, we are happy to share an up-to-date list on request to privacy@99sqyd.com.

Cookies, analytics and tracking.

We and certain authorised third parties use cookies and similar technologies (web beacons, local storage, mobile-app SDKs, fingerprinting in limited circumstances) on the Site and the App. The categories we use are:

• Strictly necessary cookies — required for the Platform to function, for example session cookies that keep you logged in, anti-CSRF tokens, and consent-state cookies. These are set by default and cannot be disabled without breaking core functionality.
• Functional cookies — remember your preferences (language, region, saved searches, recently viewed listings).
• Performance and analytics cookies — help us understand which pages and listings are visited, which features are used, where errors occur. We may use Google Analytics, Google Tag Manager and similar tools for this purpose. We configure these tools to anonymise IP addresses wherever supported.
• Marketing and remarketing cookies — allow us, and the advertising platforms we work with (such as Google Ads, Meta and LinkedIn), to measure campaign effectiveness and serve you relevant content. These are set only where you have provided consent through our cookie banner or preference centre.

You can manage your preferences at any time through the cookie preference centre accessible from the footer of the Site, through your browser settings (in particular, by blocking or deleting cookies), through “Limit Ad Tracking” or equivalent settings on your mobile device, or by writing to privacy@99sqyd.com.

Disabling certain categories of cookies may affect the functionality and personalisation of the Platform.

Communications and marketing preferences.

We communicate with you through email, SMS, WhatsApp, in-platform notifications, telephone calls and (occasionally) postal mail. There are two broad categories of communication:

• Service communications are essential to your use of the Platform and include account notifications, security alerts, KYC requests, document-ready alerts, viewing confirmations, invoices, statutory notices and similar messages. You cannot opt out of service communications without closing your account.
• Marketing communications include the weekly intelligence briefing, the journal, new-launch alerts, off-market drops, private event invitations, and partner offers. We send these only where you have provided consent. You may withdraw your consent at any time by:

• clicking the “unsubscribe” link in an email;
• replying “STOP” to an SMS;
• using the unsubscribe option in our WhatsApp messages;
• updating your communication preferences in your member portal; or
• writing to privacy@99sqyd.com.

Withdrawal of marketing consent does not affect the lawfulness of processing carried out before withdrawal, and does not affect service communications.

Data retention.

We retain personal data only for as long as we need it for the purpose for which it was collected, or for any other legitimate and lawful purpose. The default retention periods we apply are:

• Account data: for the duration of your membership, and for up to 24 months after closure, to allow re-activation, audit and dispute resolution.
• KYC, AML and source-of-funds documentation: for a minimum of five (5) years from the end of the relationship, and longer where required by applicable law (for example, under PMLA requirements).
• Transaction and financial records: for a minimum of eight (8) years from the end of the relevant financial year, in line with the Income-tax Act, 1961.
• Communication records (email, WhatsApp, call logs, concierge notes): for up to seven (7) years.
• Browsing and behavioural data: generally for 13 to 25 months, subject to the cookie used.
• Server logs and security telemetry: typically up to 12 months.
• Marketing consent records: for the duration of consent and for a reasonable period after withdrawal, to evidence compliance.

Where we are required by law to retain data for longer (for example, in connection with ongoing litigation or a regulatory investigation), we will retain it for that longer period. When the retention period ends, we securely delete or irreversibly anonymise the data.

Security.

We implement reasonable technical and organisational measures, designed to align with the “reasonable security practices” standard contemplated under the IT Act and DPDP Act, to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. These include:

• encryption of personal data in transit (TLS) and at rest where appropriate;
• role-based access controls, least-privilege principles, and multi-factor authentication for staff;
• segregation of production data from development and test environments;
• periodic vulnerability scanning, penetration testing and code review;
• secure software development practices and dependency management;
• logging and monitoring of administrative and data-access events;
• contractual security requirements imposed on our Data Processors;
• internal information-security policies and staff training;
• incident-response and business-continuity plans.

No method of transmission over the internet, or method of electronic storage, is fully secure. While we take security seriously, we cannot guarantee absolute security. You are responsible for keeping your account password confidential, using a strong unique password, enabling multi-factor authentication where offered, and notifying us promptly of any suspected unauthorised access.

Your rights as a Data Principal.

Subject to the DPDP Act and other applicable law, you have the following rights in respect of your personal data:

• Right to access — obtain a summary of the personal data we process about you, the purposes for which it is processed and the identities of Data Fiduciaries and Data Processors with whom it has been shared.
• Right to correction and erasure — request correction of inaccurate or incomplete data, updating of out-of-date data, or erasure of data that is no longer necessary for the purpose for which it was collected.
• Right to grievance redressal — raise a complaint about how we have handled your personal data and have it addressed through our Grievance Officer (Section 20). This is the necessary first step before approaching the Data Protection Board of India.
• Right of nomination — nominate any other person to exercise your rights under the DPDP Act in the event of your death or incapacity.
• Right to withdraw consent — where we process data on the basis of your consent, you may withdraw that consent at any time, with the consequences described in Section 15.
• Right to human review — ask for a human review of decisions taken about you that have significant effects, where such decisions are made wholly or partly by automated means (Section 7).
• Right to lodge a complaint with the Data Protection Board of India, if you are not satisfied with the response received from our Grievance Officer.

If you are based outside India, you may also have rights under the data-protection law of your country of residence (such as the GDPR, for residents of the European Economic Area, or the UK GDPR for UK residents). Where such laws apply alongside the DPDP Act, we will honour those rights to the extent we are required to do so by law.

Exercising your rights — how to write to us.

To exercise any of the rights described above, please write to privacy@99sqyd.com from the email address registered to your account, or send a signed request by post to the Grievance Officer at the address in Section 20. Your request should:

• identify you (so we can be confident the request is genuine and not a fraudulent attempt by a third party);
• state the right you wish to exercise; and
• provide enough detail for us to understand and process your request.

We will acknowledge a privacy request within 48 hours of receipt and respond substantively within 30 days, unless your request is complex, in which case we may take an additional reasonable period and will tell you so. We may need to verify your identity before fulfilling certain requests, particularly where they involve sensitive data or significant personal data.

If we are unable to act on your request, we will explain why. If you remain dissatisfied, you may approach the Data Protection Board of India in accordance with the DPDP Act.

Children and minors.

The Platform is intended exclusively for use by adults who are at least 18 years of age. We do not knowingly collect personal data of children (defined under the DPDP Act as persons under 18) or persons with disabilities who have lawful guardians, except where required for verifiable parental or guardianship consent or for the limited purpose of properly identifying family members of an adult account holder in a Family Office context (and only with the consent of the relevant parent or guardian).

We do not undertake behavioural tracking, targeted advertising or processing likely to cause detrimental effects in respect of children. If you believe that we have inadvertently collected personal data of a child without verifiable parental consent, please contact privacy@99sqyd.com and we will take prompt steps to delete such data.

Third-party links and integrations.

The Site, the App, the journal and our communications may contain links to third-party websites (for example, RERA Authority portals, partner websites, news sources) and may integrate with third-party services (for example, WhatsApp, calendar applications, map services). This Privacy Policy does not apply to such third-party sites or services. We encourage you to review the privacy notices of any third-party services before providing them with personal data.

Personal data breaches.

In the unlikely event of a personal data breach affecting your personal data, we will:

• investigate the incident promptly and contain the breach;
• notify the Data Protection Board of India where required by the DPDP Act;
• notify affected Data Principals where required, by email or in-platform notice, with sufficient information to allow them to take protective steps; and
• cooperate with regulators in any consequent investigation.

If you suspect a breach affecting your account or your personal data — for example, unauthorised access, phishing attempts impersonating 99sqyd, or unusual messages purporting to come from us — please write to security@99sqyd.com or call the concierge desk immediately.

Changes to this notice.

We may revise this Privacy Policy from time to time to reflect changes in our practices, in the Services we offer, in applicable law (including in the DPDP Act and its rules as they evolve), or in response to regulatory guidance. The version number and effective date at the top of this notice indicate the current edition.

Material changes will be notified to registered members by email or in-platform notice in advance of the effective date. Continued use of the Platform after the effective date of a revised notice constitutes acceptance of the revised notice.

Grievance Officer and Data Protection Officer.

In accordance with the Information Technology Act, 2000 (and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021) and the Digital Personal Data Protection Act, 2023, we have designated a Grievance Officer to address privacy and data-protection concerns from Data Principals. Where 99sqyd is in due course notified as a Significant Data Fiduciary under the DPDP Act, we will additionally appoint a Data Protection Officer based in India whose contact details will be published here.

• Address: Skill Block LLP, 405, JMD Suburbio 2, Sector 67, Gurugram, Haryana 122102
• Email: grievance@99sqyd.com · privacy@99sqyd.com
• Phone: +91 70424 33099 (Monday to Friday, 10:00 to 18:00 IST)

Privacy-related complaints will be acknowledged within twenty-four (24) hours of receipt and resolved within fifteen (15) days, subject to the nature of the complaint and any documentation reasonably required from you. If you are dissatisfied with the response received from our Grievance Officer, you may lodge a complaint with the Data Protection Board of India in accordance with the DPDP Act.