Legal

Data Deletion Policy

Effective 1 June 2026Last updated 1 June 2026

Your right to erasure: Under India’s Digital Personal Data Protection Act, 2023 (DPDP Act), GDPR (for EU/EEA residents), and other applicable laws, you have the right to request that we delete the personal data we hold about you. This page explains exactly how to exercise that right.

Overview

mehman.io is committed to respecting your data rights. When you request deletion of your personal data, we will delete or anonymise it from our active systems within 30 days, subject to the legal retention requirements described in Section 3.

This policy applies to:

Property managers and hosts who hold a mehman.io account.
Guests whose personal data has been processed by mehman.io on behalf of a property manager.
Former users who no longer hold an active account.

What you can request us to delete

Upon a valid deletion request, we will delete or irreversibly anonymise:

Your name, email address, phone number, and profile photo.
Your account credentials and authentication tokens.
Business profile information (property name, GST number, address).
Conversation history and message logs not subject to legal hold.
AI interaction logs that have not already been de-identified.
Marketing preferences and consent records (the consent record itself is retained for compliance, but the associated personal data is removed).
Usage analytics linked to your identity.

You may also request partial deletion; for example, removing conversation logs while retaining booking records. We will endeavour to accommodate specific requests where technically feasible.

What we must retain

Certain data cannot be deleted immediately because we are required by law to retain it. We will inform you of any such data when we process your request.

GST invoices and financial records: retained for 7 years under the Central Goods and Services Tax Act, 2017, and applicable accounting standards.
FRRO / Form C records: retained in accordance with the Foreigners Act, 1946 and Ministry of Home Affairs directives (typically 1 year from the guest’s departure date, unless a longer period is mandated).
Booking confirmation data: retained for the minimum period required for dispute resolution and consumer protection obligations.
Security and fraud logs: retained for up to 2 years for the purposes of detecting and investigating unauthorised access or fraudulent activity.
Legal hold data: where data is subject to an ongoing legal proceeding, regulatory investigation, or court order, deletion will be deferred until the hold is lifted.

Data retained under legal obligations is kept in restricted-access storage and used only for the specific legal purpose. It is deleted as soon as the retention period expires.

How to submit a deletion request

You can request deletion of your data through any of the following channels:

Option A: Account settings (recommended)

Log in to your mehman.io account, navigate to Settings → Privacy → Delete my account and data, and follow the on-screen steps. This initiates an automated deletion workflow for your account data.

Option B: Email request

Send an email to privacy@mehman.io with the subject line “Data Deletion Request”. Include:

Your full name.
The email address associated with your account (or the email used to interact with a property).
A description of the data you want deleted (e.g., full account deletion, specific conversation history).

Option C: Written request

You may submit a written request by post to our registered address (see Section 10). Please include the same information as listed under Option B.

For Facebook / Meta integrations: If you connected mehman.io via a Facebook Login or Meta app integration, you can also submit a deletion request directly through Facebook’s platform. We honour all such requests within 30 days. Use the email method above and reference your Facebook User ID.

Verification

To protect against fraudulent deletion requests, we verify the identity of the requester before processing. Depending on the sensitivity of the request, verification may involve:

A one-time verification code sent to the email address or phone number on record.
Answering security questions linked to your account.
Providing a copy of a government-issued ID (for high-impact requests such as bulk deletion of booking records).

We will never use verification data for any purpose other than confirming your identity for the deletion request.

Processing timeline

Acknowledgement: We will acknowledge receipt of your request within 3 business days.
Completion: We will complete deletion or provide a detailed response (including any data that cannot be deleted and why) within 30 calendar days of receiving a verified request.
Complex requests: Where a request is complex or voluminous, we may extend this period by a further 30 days. We will notify you in writing before the initial 30-day period expires.
Backup purge: Data deleted from active systems may persist in encrypted backup snapshots for up to 90 days, after which it will be purged from backups as well.

Guest data (third-party requests)

When a guest requests deletion of their data, we coordinate with the property manager who controls that data under a data-processing agreement. Because the property manager is the Data Fiduciary for guest data, we will:

Forward the deletion request to the relevant property manager within 5 business days.
Delete or anonymise the guest data we hold on our own systems within 30 days.
Inform the guest of any data that must be retained for legal compliance (e.g., FRRO records).

If you are a guest and you are unsure which property manager holds your data, contact us at privacy@mehman.io and we will help identify the responsible party.

Account termination vs. data deletion

Account termination deactivates your access to the platform. Your data remains on our systems for 90 days to allow for reinstatement, after which it is automatically deleted (subject to legal retention obligations).

Data deletion permanently removes your personal data from our active systems. You cannot re-use the same account after a full data deletion request has been fulfilled.

If you request account termination and also want immediate data deletion, please specify this clearly in your request and we will prioritise the deletion workflow.

After deletion

Once deletion is complete, we will send you a written confirmation. After this point:

You will not be able to log in to or recover your account.
Any active subscriptions will be cancelled and no further charges will be made. Fees already paid are non-refundable unless you have a legal right to a refund.
Data retained for legal purposes will be held in restricted storage until the applicable retention period expires, then permanently destroyed.
We will retain an anonymised record that a deletion request was made and fulfilled, without linking it to your identity, for internal audit purposes.

Contact

If you have questions about this policy or wish to submit a deletion request, please contact our Data Privacy Officer:

Data Privacy Officer, mehman.io

Email: privacy@mehman.io

Subject line: Data Deletion Request

Response SLA: 3 business days for acknowledgement, 30 days for completion.

If you are unsatisfied with our response, you may lodge a complaint with the Data Protection Board of India once constituted under the DPDP Act, or with your national data protection authority if you are located in the EU/EEA or UK.