RERA & Compliance

DPDP Act and Your Real Estate CRM: A Developer's Guide

How the DPDP Act applies to real estate — consent for leads and KYC, data principal rights, and making your CRM handle customer data the compliant way.

The DPDP Act and real estate intersect at exactly the place developers least expect it: the CRM. Every property lead, every KYC upload, every booking record, and every WhatsApp follow-up is personal data, and India’s Digital Personal Data Protection Act, 2023, sets out how that data must be collected, used, and protected. For a sector that has historically treated buyer phone numbers as a freely traded commodity — bought from portals, passed to channel partners, blasted with bulk WhatsApp — this is a genuine shift in operating habits.

This post explains, in practical terms, how the DPDP Act applies to a real estate sales operation and what to change in the CRM that runs it.

This is general information, not legal advice. The DPDP Rules were notified on 13 November 2025 and roll out in phases, with full compliance widely expected by 13 May 2027 — so the time to fix your data habits is now, not on the deadline. The rules interact with state RERA obligations; confirm specifics with your counsel before relying on any particular interpretation.

Why this lands squarely on real estate

Real estate sales are unusually data-heavy. A single buyer journey accumulates contact details, financial information, identity documents for KYC, family information, and a long communication history. That data flows across your in-house team, channel partners, and integrated portals. The DPDP Act asks you to handle all of it with consent, purpose, and care — which connects directly to the broader obligations in the RERA compliance guide for developers, since RERA already assumes you keep clean, provable records.

The core ideas, in plain language

You don’t need to be a lawyer to grasp the principles. As a category, the Act centres on a few ideas:

  • Consent. Personal data should generally be processed on the basis of the data principal’s consent, obtained for a specific purpose, with notice of what you’re collecting and why.
  • Purpose limitation. Use the data for the purpose it was collected for — don’t quietly repurpose a site-visit inquiry into a bulk-marketing list for an unrelated project.
  • Data principal rights. Individuals get rights regarding their data, including access, correction, and erasure-type requests, and a way to grievance-redress.
  • Security and accountability. You’re expected to protect the data you hold and be able to demonstrate responsible handling. A personal-data breach has to be reported to the affected individuals and the Data Protection Board, and the timeline is tight — within 72 hours of becoming aware of it.

The terminology matters: the person whose data you hold is the data principal; you, deciding how and why to process it, are the data fiduciary. Get the safeguards wrong and the penalties are not symbolic — the Act provides for fines of up to ₹250 crore for a failure to protect personal data.

The biggest behavioural shift is consent at the point of capture. Buying a lead list and cold-blasting it, or scraping numbers off a portal and adding them to a WhatsApp broadcast, sits uncomfortably with a consent-based regime.

Practical moves:

  1. Capture consent where you capture the lead. Web forms, landing pages, and portal integrations should record consent and the purpose, with a timestamp. The mechanics overlap with how you already capture leads from property portals.
  2. Be specific about purpose. “To respond to your inquiry about Project X” is clearer and safer than a vague catch-all.
  3. Make consent provable. A consent you can’t evidence is, in practice, a consent you don’t have — which is exactly the audit-ready records discipline applied to privacy.

Handling KYC and booking documents

KYC pushes you into sensitive territory — identity documents and financial details. Treat this data with extra care:

  • Collect what you need, not everything you can. Data minimisation reduces both risk and storage liability.
  • Control access. Not every rep needs to see every buyer’s documents. Role-based access is a reasonable expectation.
  • Store securely and retrievably. The structured approach in document management for bookings and KYC is what makes this practical.

Data principal rights, operationalised

A buyer may ask what data you hold, ask you to correct it, or ask you to delete it. If that request currently means panicking across spreadsheets and personal phones, you have a problem. To respond reliably you need:

Right (category)What you need to be able to do
AccessFind and present the data you hold on a person
CorrectionUpdate inaccurate details across the record
ErasureDelete data when there’s no lawful reason to keep it
GrievanceReceive, log, and respond to data complaints

This is far easier when customer data lives in one governed system rather than scattered copies. It also pairs with your customer-facing complaint process in handling customer grievances in real estate.

Channel partners and third parties

Your data doesn’t stay inside your four walls — it goes to channel partners, marketing vendors, and integrated tools. Your CRM vendor and cloud host act as data processors, but you remain the data fiduciary, and the responsibility stays with you. The Act’s accountability expectations don’t stop at handoff.

  • Set data expectations during CP onboarding. Partners handling buyer data should understand consent and purpose limits — fold it into onboarding channel partners at scale.
  • Vet integrations. Portal syncs, ad-lead pipelines, and automation tools all touch personal data. The convenience of CRM automation for real estate is real, but automated flows should respect consent and purpose, not bypass them.

Retention: keep less, on purpose

A consent-and-purpose regime sits in tension with the instinct to keep every lead forever. Define a retention policy:

  • Keep what you need for an active relationship or a legal/contractual reason.
  • Set a default expiry for dead leads and clearly closed records.
  • Note the genuine tension with RERA-driven record-keeping — some booking records you must retain for compliance, so retention rules should distinguish active marketing data from compliance records.

The takeaway

The DPDP Act and real estate meet inside the CRM, and the response is mostly about discipline you’d want anyway: capture consent at the source, limit use to stated purposes, control access to KYC and booking data, be able to honour access-correction-erasure requests, and keep only what you genuinely need. Centralising customer data in one governed system — rather than spreadsheets and personal phones — is what turns these obligations from a scramble into a routine.

Next step: make the documents themselves compliant and findable with document management for bookings and KYC.

See it in your workflow

Stop good leads from going cold.

ExeLoop captures every lead, assigns it instantly, and keeps follow-ups moving — with the accountability rules that real estate sales teams actually need.