Zappio Team
AI & Real Estate Experts · 7 July 2026 · 12 min read
Zappio Team
AI & Real Estate Experts · 7 July 2026 · 12 min read
The Digital Personal Data Protection Act 2023 (DPDP Act) fundamentally changed the compliance landscape for any Indian business that collects, processes, or stores personal data of Indian residents. For real estate developers running AI Calling campaigns, the implications are specific and operationally significant: every inbound call, every outbound qualification call, and every CRM disposition record generated by an AI Calling Agent involves the personal data of prospective property buyers — their phone numbers, names, budget ranges, family size preferences, and location requirements.
The Act imposes substantive obligations on how consent is obtained before calling, how call recordings are stored, how data is shared with the AI platform vendor, and what happens when a buyer exercises their right to erasure. Developers who deployed AI Calling before the Act's operative provisions came into force — or who assumed existing RERA or telecalling compliance covered voice AI — face specific gaps that must be addressed before each campaign cycle. This article maps the DPDP Act's operative provisions to the real estate AI Calling context and provides an implementation framework for legally compliant voice AI operations in 2026.
The DPDP Act applies to "processing of digital personal data" — and an AI Calling system processes personal data at every stage of the pipeline.
A portal lead from 99acres, MagicBricks, or Housing.com arrives with the buyer's name, phone number, and expressed property preference. This is personal data. The portal's terms of service establish one layer of consent — the buyer agreed when submitting the inquiry form — but the developer processing this data for AI Calling qualification is a separate processing activity requiring its own legal basis.
The AI Calling system records the full conversation, or at minimum transcribes it. A call transcript containing the buyer's name, budget, family size, and current residence location is a detailed personal profile. Call recordings of identifiable voices are treated as biometric data under emerging regulatory interpretations.
The structured qualification data — name, phone, confirmed budget, BHK preference, disposition, site visit scheduled — stored in the CRM constitutes a personal data record linked to a specific individual.
When the developer uses a third-party AI Calling platform, personal data of Indian buyers is shared with a third-party processor. This sharing requires a data processing agreement and potentially a disclosure in the developer's privacy policy.
The DPDP Act requires a legal basis for every processing activity. For real estate AI Calling, two primary bases apply.
The first call to a fresh portal lead sits comfortably on consent or legitimate interest. Calls to leads older than 90 days with no engagement require a renewed legitimate interest assessment; calls after the buyer has requested not to be called are unlawful under both the DPDP Act and DND regulations; and calls where the AI discloses it is recording are required for transparency.
If the AI Calling system records or transcribes calls, which it must for CRM sync and transcript analysis, the buyer must be informed of the recording before it begins. The standard mechanism, at call connection and before the AI qualification script begins:
"Namaste [Name], main [Project] ki taraf se Priya bol rahi hoon. Aapki quality aur service ke liye yeh call record ki ja sakti hai. Kya aap continue karna chahte hain?" — "Hello [Name], this is Priya from [Project]. This call may be recorded for quality and service purposes. Would you like to continue?"
If the buyer does not consent to recording, the platform must either continue the call without recording, or transfer to a human who continues unrecorded. Continuing a recorded call after explicit non-consent is a DPDP Act violation.
CALL OPENING RULE: Begin EVERY call with the consent disclosure before any qualification question: "Namaste [buyer_name]. Yeh call [project_name] ki taraf se hai aur record ki ja sakti hai quality ke liye. Continue karein?" If buyer says NO / "recording mat karo" / "don't record": -> Set session.recording_consent = False -> Stop all recording immediately -> Continue qualification call without recording -> At call end: dispose without transcript; use entity extraction only for CRM
The DPDP Act requires that personal data is retained only as long as necessary for the purpose for which it was collected.
async def enforce_data_retention():
"""
Daily job: enforce data retention policy across all tenant data.
Run at 2:00 AM IST — off-peak, minimal operational impact.
"""
retention_policies = {
"call_audio_raw": 30, # days
"call_transcripts": 365, # days (CRM lifecycle)
"call_recordings": 90, # days
"session_data_redis": 7, # days (Redis TTL)
}
for data_type, max_days in retention_policies.items():
cutoff_date = datetime.utcnow() - timedelta(days=max_days)
# Delete expired records from data store
deleted_count = await data_store.delete_before(
data_type=data_type,
before_date=cutoff_date
)
# Log deletion for audit trail (DPDP requires demonstrable compliance)
await audit_log.write({
"action": "data_retention_deletion",
"data_type": data_type,
"cutoff_date": cutoff_date.isoformat(),
"records_deleted": deleted_count,
"timestamp": datetime.utcnow().isoformat()
})The DPDP Act grants data principals (buyers) three operative rights relevant to AI Calling.
async def handle_erasure_request(buyer_phone: str, requestor_verification: dict):
"""
DPDP Act erasure request: delete all personal data for a buyer.
"""
# Step 1: Verify requestor identity (same number, OTP verification)
if not await verify_requestor(buyer_phone, requestor_verification):
return ErasureResult(status="rejected", reason="Identity verification failed")
# Step 2: Locate all data records
records = await data_store.find_all_by_phone(buyer_phone)
# Step 3: Delete in sequence with audit trail
deletion_log = []
for record in records:
if record.audio_url:
await storage_client.delete(record.audio_url)
deletion_log.append(f"Deleted audio: {record.call_id}")
if record.transcript:
await data_store.delete_transcript(record.call_id)
deletion_log.append(f"Deleted transcript: {record.call_id}")
# Anonymize CRM record (cannot delete if part of active sales contract)
await crm_client.anonymize_lead(
lead_id=record.crm_lead_id,
retain_disposition=True, # Business record integrity
anonymize_pii=True # Replace name, phone with [DELETED]
)
deletion_log.append(f"Anonymized CRM lead: {record.crm_lead_id}")
# Step 4: Confirm erasure to requestor
await notification_service.send_erasure_confirmation(
phone=buyer_phone,
deletion_log=deletion_log,
timestamp=datetime.utcnow()
)
return ErasureResult(status="completed", records_processed=len(records))When the developer uses a third-party AI Calling platform, personal data is shared with a data processor. The DPDP Act requires a contractual framework that governs this relationship.
The processor using developer customer data for any purpose beyond service delivery — including model training, benchmark development, or aggregated analytics shared with third parties without explicit consent.
Request evidence of the processor's security controls annually — a SOC 2 report or equivalent — and include audit rights in the DPA that allow the developer to request evidence of compliance at any time.
| Requirement | Implementation | Status Check |
|---|---|---|
| Consent disclosure at call start | TTS script opens with recording notice | Every call, every tenant |
| Recording non-consent handling | Session flag stops recording; no transcript | Test monthly |
| DND/NCPR exclusion | Pre-call scrubbing via telephony provider | Every campaign batch |
| Raw audio auto-deletion at 30 days | Automated retention job | Daily audit log |
| Transcript retention at 365 days | Data store TTL configuration | Monthly audit |
| Erasure request handling | Process + response within 30 days | Quarterly drill |
| Vendor DPA executed | Signed agreement with AI Calling platform | Pre-go-live |
| Privacy policy updated | Discloses AI calling and third-party processor | Pre-go-live |
| Consent audit trail | All consent decisions logged with timestamp | Continuous |
| Data breach response plan | 72-hour notification protocol defined | Annual review |
The DPDP Act does not treat AI Calling as a special case — it treats it as what it is: a system that processes the personal data of thousands of prospective buyers at scale, continuously. The obligations in this article are not optional add-ons layered onto a working AI Calling deployment; they are the difference between a legally defensible operation and one carrying unquantified regulatory exposure. The developer, as data fiduciary, cannot transfer this responsibility to the AI Calling platform vendor by contract alone — a properly executed DPA reduces risk, but consent design, retention enforcement, and erasure handling remain the developer's operational responsibility. Build these into the deployment from day one rather than retrofitting them after a campaign has already generated thousands of call records.
Disclaimer: This article provides an operational interpretation of the Digital Personal Data Protection Act 2023 as it applies to AI Calling systems in Indian real estate as of Q2 2026. It does not constitute legal advice. The DPDP Act's Rules and operative provisions are subject to ongoing notification by the Government of India — requirements may change after publication of this article. Real estate developers deploying AI Calling systems should obtain specific legal advice from qualified data protection counsel before deployment. All compliance obligations remain the responsibility of the data fiduciary (the developer), not the AI Calling platform vendor.