Privacy
Policy.

1.1 Information You Provide

• Account Information: Phone number (used for Firebase OTP verification), name, email address, profile photo, and RERA registration number (for agents).
• Booking & Hold Data: Customer names, phone numbers, PAN card details (for finance bookings), and payment information submitted during the booking process.
• Task & Visit Data: Notes, comments, checklist responses, and attachments you submit when completing tasks or logging visits.
• Support Communications: Any messages or enquiries you send to our support team.

1.2 Information Collected Automatically

• Location Data: GPS coordinates captured when you log a property visit via the mobile agent app. Location data is recorded only when you actively initiate a visit log.
• Device Information: Firebase Cloud Messaging (FCM) device tokens used to deliver push notifications.
• Usage & Activity Logs: IP address, timestamp, and the specific actions you perform within the platform (creates, edits, status changes). This forms the audit trail.
• Log Data: Browser type, operating system, pages accessed, and access times collected by our web server.

1.3 Information from Third Parties

• Firebase Authentication: We use Google Firebase to verify your phone number via OTP. Firebase may collect device and network information as part of its service. Refer to Google Firebase's Privacy Policy for details.

• Authentication: Verify your identity and maintain your login session using JWT tokens.
• Service Delivery: Enable you to manage plots, bookings, holds, agents, tasks, and field visits.
• Notifications: Send push notifications for hold expiry warnings, task assignments, booking confirmations, and status changes.
• Audit & Compliance: Maintain a complete audit trail of all platform actions for security and dispute resolution purposes.
• Analytics & Reporting: Generate performance dashboards, booking trend reports, and Excel exports for your business use.
• Customer Support: Respond to your support requests and troubleshoot issues.
• Platform Improvement: Analyse usage patterns (in aggregate, anonymised form) to improve features and performance.

Highfly is a multi-tenant platform. Each organisation (tenant) operates in a fully isolated workspace:

• Your organisation's data is logically separated from all other tenants at the database level.
• Users, agents, projects, plots, bookings, and customers within your workspace are never accessible to other tenants.
• Only Highfly platform administrators (super admins) can access cross-tenant data, strictly for support and operational purposes.
• Tenant API keys are used to authenticate mobile agent apps and are specific to each organisation.

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

• Within Your Organisation: Admins, staff, and agents within your tenant workspace can access data according to their assigned role and permissions.
• Service Providers: Third-party services we use to operate the platform, including Google Firebase (authentication & push notifications), PostgreSQL hosting provider (database infrastructure), and email/SMTP provider (transactional emails). All providers are bound by confidentiality obligations.
• Legal Requirements: If required by law, court order, or government authority, we may disclose information as necessary.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.

• Account Data: Retained for as long as your account is active. Deleted within 90 days of account closure upon request.
• Booking & Transaction Records: Retained for a minimum of 7 years for financial and legal compliance.
• Audit Logs: Retained for a minimum of 2 years.
• Generated Reports: Excel export files are automatically deleted after the number of days configured in your tenant settings (default: 7 days).
• Location Data: Retained as part of visit records for the lifetime of your account.
• FCM Tokens: Refreshed automatically and old tokens are purged when a device re-registers.

• All data in transit is encrypted using HTTPS/TLS.
• Passwords are never stored in plain text. Authentication uses industry-standard JWT tokens with configurable lifetimes.
• Phone-based OTP authentication via Firebase reduces password-related security risks.
• Role-based access control (RBAC) ensures users can only access data relevant to their role.
• Every data modification is logged in the audit trail with actor identity, timestamp, and IP address.
• We perform regular security reviews and patch known vulnerabilities promptly.

While we implement strong security measures, no system is completely immune to breaches. We will notify affected users promptly in the event of a confirmed data breach.

Depending on applicable law, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to certain types of processing of your personal data.

To exercise any of these rights, contact us using the details in Section 10 below.

• The admin web portal uses session cookies for authentication and CSRF protection.
• We do not use advertising or third-party tracking cookies.
• The mobile agent app stores JWT tokens locally on your device for session persistence.
• You can clear cookies and app storage via your browser or device settings, which will log you out.

Highfly is a professional business platform intended for adults aged 18 and above. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us immediately so we can delete it.

For privacy-related questions, data requests, or concerns, please contact us:

We aim to respond to all privacy requests within 30 days.

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or an in-app notification. The "Last Updated" date at the top of this page reflects the most recent revision. Continued use of the platform after changes are posted constitutes acceptance of the updated policy.