Legal

Compliance & Disclosures

Last updated 25 June 2026 · Version 0.4 · Template
Working draft. Structured template published for transparency; an Indian practitioner reviews and adapts the exact text before a paying customer signs.

This page consolidates StageBridge's public compliance posture: the regulatory frameworks we map to, the entity behind the Service, the AI vendors we route to, and the controls we run to back it up.

1. Operating entity

  • Legal name — To be incorporated as Stagebridge Technologies Private Limited under the Companies Act, 2013. Until incorporation, the Service is operated by Lakshay Aggarwal, sole proprietor.
  • CIN — Pending
  • GSTIN — Pending; invoices are issued without GST until registration is completed under the CGST Act, 2017.
  • Registered address — Mumbai, India
  • Contact — legal@stagebridge.in

2. Regulatory frameworks mapped

  • Digital Personal Data Protection Act, 2023 — We are a Data Processor for HFC customer data; the HFC is the Data Fiduciary. Our Data Protection Officer and grievance channel are listed on the Grievance Redressal page. Processing terms are set out in the DPA.
  • Information Technology Act, 2000 (Sections 43A and 72A) + SPDI Rules, 2011 — "Reasonable security practices" — implemented as documented in backend/SECURITY.md (TLS 1.2+, AES-256, RLS, audit hash chain). Reviewed every six months.
  • IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — Grievance Officer published; complaint response within 15 days; quarterly transparency report planned once volumes warrant.
  • NHB Master Direction — Housing Finance Companies (RBI) Directions, 2021 — The HFC remains the regulated entity. We operate as an outsourced service provider; the HFC's outsourcing policy applies; audit log designed to survive an NHB inspection.
  • RBI Master Direction on Outsourcing of Information Technology Services (April 2023) — Where an HFC outsources verification to us, the RE-vendor model applies. We assist the HFC's annual outsourcing review.
  • Prevention of Money Laundering Act, 2002 — We do not perform KYC and do not handle customer funds. We retain audit records for seven years.
  • Real Estate (Regulation and Development) Act, 2016 — Our RERA cross-check endpoint compares HFC-declared stage to the state RERA portal's filing. Statutory architect / engineer / CA certifications are not replaced — they remain with the HFC's appointed professionals.
  • Aadhaar Act, 2016 — We do not collect, store, or process Aadhaar numbers or biometric data. KYC remains with the HFC.
  • Goods and Services Tax Act, 2017 — Tax invoices issued under Rule 46 once GSTIN is registered. Place-of-supply rules applied per CGST Rules.
  • Consumer Protection Act, 2019 — Refund and grievance pages reflect the e-commerce intermediary obligations.
  • Bharatiya Sakshya Adhiniyam, 2023 — Electronic records (audit hash chain) are produced in a form admissible under Section 63 of the BSA, 2023 and Section 65B of the (former) Evidence Act where invoked.

3. AI vendor disclosure

  • Anthropic PBC — Multimodal AI verdict on photographs; support-ticket triage. Region: United States. Default: Yes (primary).
  • Google LLC (Gemini) — Secondary multimodal AI verdict in ensemble mode. Region: United States. Default: Opt-in (per HFC).

Disagreement between the primary and secondary verdicts forces the verification to manual review. The HFC can disable any vendor for its organisation via an admin setting; the system will route only to the remaining vendors.

Cross-border posture. Anthropic (United States) is the only routine cross-border recipient of borrower photographs; it is a disclosed sub-processor consented to by the HFC in the DPA. Only the photograph bytes are sent — by short-lived signed URL, with no borrower identifiers attached. The vendors retain nothing beyond the request and do not train on the input. Transfer is subject to Section 16 of the DPDP Act; if the Central Government restricts a country we use, we reconfigure the vendor list and notify affected HFCs.

No shared model on identifiable PII. As a hard rule, we never use a borrower's identifiable personal data to train, fine-tune, or evaluate a machine-learning model shared between HFCs or offered to third parties. Any in-house model trains only on per-client isolated data, fully de-identified images (faces blurred, EXIF stripped, no identifiers, no cross-client mixing), or under an explicit written carve-out.

4. Data residency

  • Primary database (Supabase Postgres) — Mumbai, ap-south-1.
  • Object storage (verification photographs) — Mumbai, ap-south-1.
  • Compute (Fly.io api + worker) — Mumbai, bom region.
  • Email delivery (Resend) — egress to United States; payload is the email body only.
  • AI vendor calls — egress to the regions stated in Section 3 for the lifetime of the API request only; vendors instructed not to retain data beyond the API session.

5. Audit and retention

Append-only audit table with hash-chained rows. Hash chain re-verifiable offline via the operator CSV export. Retention: seven years from the date of the relevant disbursement decision under NHB / PMLA. Deletion process documented in the DPA.
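As an added illustration of the offline re-verification described above (this is not StageBridge's code, and it assumes a CSV column layout and hash formula that this page does not state), the following Python builds a small hash-chained export from constructed events and checks it, reporting the first row at which the chain breaks:

```python
import csv
import hashlib
import io

# Assumed export layout and hash formula (not taken from backend/SECURITY.md):
# each row commits to its own fields plus the previous row's hash, so editing,
# deleting, or reordering any row breaks every link after it.
FIELDS = ["seq", "ts", "actor", "action", "payload", "prev_hash", "row_hash"]
GENESIS = "0" * 64  # assumed sentinel prev_hash for the first row

def row_hash(seq, ts, actor, action, payload, prev_hash):
    # Fields joined by a newline so that field boundaries are unambiguous.
    material = "\n".join([seq, ts, actor, action, payload, prev_hash])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

def build_export(events):
    """Append events to a fresh chain; returns CSV text like the operator export."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    prev = GENESIS
    for seq, (ts, actor, action, payload) in enumerate(events, start=1):
        h = row_hash(str(seq), ts, actor, action, payload, prev)
        w.writerow({"seq": seq, "ts": ts, "actor": actor, "action": action,
                    "payload": payload, "prev_hash": prev, "row_hash": h})
        prev = h
    return buf.getvalue()

def verify_export(csv_text):
    """Offline check. Returns (True, None) if intact, else (False, seq of first bad row)."""
    prev, expected_seq = GENESIS, 1
    for row in csv.DictReader(io.StringIO(csv_text)):
        seq = int(row["seq"])
        if seq != expected_seq or row["prev_hash"] != prev:
            return False, seq  # gap, deletion, or reordering before this row
        recomputed = row_hash(row["seq"], row["ts"], row["actor"],
                              row["action"], row["payload"], prev)
        if recomputed != row["row_hash"]:
            return False, seq  # this row's content was edited after the fact
        prev, expected_seq = row["row_hash"], seq + 1
    return True, None

# Constructed sample events (not real StageBridge data).
SAMPLE_EVENTS = [
    ("2026-06-01T10:00:00Z", "hfc-user-17", "photo.uploaded", "verification=V-1001;object=1.jpg"),
    ("2026-06-01T10:02:30Z", "ai-primary", "verdict.recorded", "verification=V-1001;verdict=approve"),
    ("2026-06-01T10:05:00Z", "hfc-user-17", "disbursement.decided", "verification=V-1001;stage=3"),
]
```

Running `verify_export(build_export(SAMPLE_EVENTS))` returns `(True, None)`; changing one payload byte, dropping a row, or swapping two rows in the CSV text makes it return `False` with the sequence number where the break was first detected.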

6. Security model

Full technical model in backend/SECURITY.md. Key controls:

  • HS256 JWT verification on every API request; role and org resolved server-side from public.profiles.
  • Row-Level Security keyed to org_id; per-request SET LOCAL request.jwt.claims wired to Postgres.
  • HMAC-bound upload nonces; signed object URLs with 10-minute TTL.
  • Per-IP rate limit on hook endpoints; per-user rate limit on hot mutation routes.
  • Constant-time secret comparisons; secrets sourced from environment variables only.
  • Append-only audit log; INSERT-only via RLS policy, no UPDATE or DELETE grants.
  • Annual penetration test; vulnerabilities tracked to closure.

7. Sub-processors

Listed in DPA Annexure A. 30-day prior notice for any addition.

8. Insurance

Professional indemnity and cyber-liability insurance to be procured before first paying customer engagement. Certificate available to the Customer Institution on request.

9. Contact