Compliance & Legal — Recommendations and Posture
This is the narrative version of /.cursor/skills/proppie-compliance/SKILL.md — with recommendations, action items, and the SEBI-IA / RA / info-only decision documented.
Disclaimer: This is internal planning, not legal opinion. Anything novel or consequential needs sign-off from counsel.
1. The strategic decision — info-only
PropPie B2C (and B2B in user-facing outputs) operates as an information service — not as a SEBI Investment Adviser, not as a Research Analyst, not as a real-estate agent.
This was chosen deliberately:
| Lane | Bar | What we gain | What we sacrifice |
|---|---|---|---|
| Info-only (chosen) | None — operate freely | Speed, no registration, no licensing, no compliance officer | Cannot say "you should buy X" |
| Research Analyst (RA) | Moderate — registration, NISM-XV, compliance officer | Can publish research reports with target prices | Process overhead, ongoing audit |
| Investment Adviser (IA) | High — registration, net worth ₹40-50L, NISM-X-A/B, compliance officer | Can give personalised "you should" advice for fee | Heavy compliance, monitoring, audit, restrictions on commission |
Why info-only is the right call now:
- The Honest Broker positioning requires never saying "you should buy X" anyway — values alignment with regulation
- Speed to market — no 6-12 month registration cycle
- Lower operating cost
- We can revisit if we need personalised advice as a product, but most "wow" outputs we want to ship are information, comparison, or scenario — all info-only compliant
2. The IA / RA escape hatches (for future)
If at some point we want to:
- Recommend specific actions to specific users → register as SEBI IA. 6-12 months, ~₹40-50L net worth requirement, NISM Series X-A and X-B qualifications for personnel, compliance officer. Ongoing audit.
- Publish formal research notes with target prices / ratings → register as SEBI RA. Lower bar than IA, ~3-6 months, similar qualifications, compliance officer.
Neither is currently on the roadmap. Both options should be re-evaluated annually.
3. SM-REIT compliance (urgent action item)
Trigger: SEBI's SM-REIT framework (Mar 2024) makes pooled fractional commercial real-estate investments above certain thresholds mandatorily SM-REIT-registered.
Thresholds:
- Scheme size ≥ ₹50 Cr → SM-REIT registration likely mandatory
- ≥ 200 investors → SM-REIT regulated
- Public solicitation → SM-REIT regulated
Action items (parked in open-questions.md, urgent):
- Audit each currently active PropPie Fractional scheme against SM-REIT thresholds
- Engage SEBI-qualified counsel for opinion on each scheme
- For schemes meeting thresholds: plan SM-REIT registration (sponsor 5% commitment, listing, custodian, trustee)
- For sub-threshold schemes: confirm private-placement / AIF structure compliance
- Communicate plan to investors transparently
Why this is urgent: Operating outside SM-REIT when required is a serious SEBI breach. Property Share/PropShare and others have already restructured. We need clarity before any new asset launch.
4. RERA position
We are not a real-estate agent. We do not facilitate sales. We display public RERA project data and analyse it.
If we ever facilitate transactions: RERA agent registration is per-state, with state-level fees. Maharashtra is straightforward; Karnataka and Gujarat have different processes.
Operational rule for now:
- Always show MahaRERA number when referencing a specific project
- Never advertise pre-RERA or unregistered projects
- Never tell users "book through us" — we don't sell
5. DPDP Act 2023 implementation
The Digital Personal Data Protection Act 2023 sets the baseline for PII handling.
What we collect (categorise):
| Data type | Sensitivity | Source |
|---|---|---|
| Investor PAN, Aadhaar, photo | High (sensitive) | KYC onboarding (Fractional) |
| Email, phone, address | Medium | Signup |
| Investment portfolio | Medium | Internal records |
| Browsing behaviour | Low-medium | Web analytics |
| Promoter PAN, CIN, GST | Low (commercial) | Public RERA filings |
Required policies and processes:
- Privacy policy — purpose-specific consent, clear data principal rights
- Consent management — separate consent for KYC, marketing, AI training (granular)
- Data minimisation — only collect what's needed
- PII vault — encrypted store for sensitive PII; pseudonymisation before AI ingestion
- Access logging — who looked at what PII when
- Erasure capability — user can request deletion; AI training data must support re-training without deleted users
- Breach process — incident response, notification to Data Protection Board
- Data Protection Officer (when threshold reached)
- Cross-border — for NRI use cases, data residency considerations; confirm with counsel
Operational rules for engineers and AI agents:
- Never log PII in plaintext in code, logs, or examples
- Never include real PII in test data or documentation samples
- Mask PAN as ABCD****12X; mask Aadhaar always
- All AI prompts that include user data must be reviewed for inadvertent PII leakage
- Vendor/LLM API calls with user data require contractual data-handling protections
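One way to enforce the masking rules above at the logging layer, as an added example (not part of this document or the PropPie codebase): a Python logging filter that redacts PAN and Aadhaar values before any handler emits the record. The PAN split (first four and last three characters kept) is an assumption read from the ABCD****12X template above; the regexes and the sample values are constructed.

```python
import logging
import re

# Constructed patterns for the two identifiers the rules above name.
# PAN: five letters, four digits, one letter (e.g. the made-up ABCDE1234F).
PAN_RE = re.compile(r"\b[A-Z]{5}[0-9]{4}[A-Z]\b")
# Aadhaar: twelve digits, optionally grouped 4-4-4 with spaces or hyphens;
# over-matching some other 12-digit number is the safe failure mode here.
AADHAAR_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}\b")

def mask_pan(pan: str) -> str:
    """Keep the first four and last three characters and star the middle.
    Assumption: this reads the page's ABCD****12X template as leading/trailing
    characters kept; a real PAN is ten characters, so three are starred."""
    return pan[:4] + "*" * (len(pan) - 7) + pan[-3:]

def mask_aadhaar(_: str) -> str:
    """Aadhaar is always masked in full; no digit of the original survives."""
    return "XXXX-XXXX-XXXX"

def redact(text: str) -> str:
    """Replace every PAN or Aadhaar in free text (log line, prompt, doc sample)."""
    text = PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)
    return AADHAAR_RE.sub(lambda m: mask_aadhaar(m.group(0)), text)

class PiiRedactingFilter(logging.Filter):
    """Scrub PAN/Aadhaar from the formatted message before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format args first, then redact
        record.args = ()  # already formatted; prevent a second %-substitution
        return True

def redacted_log_message(fmt: str, *args: object) -> str:
    """Run one log call through the filter; return what a handler would emit."""
    record = logging.LogRecord("proppie", logging.INFO, __file__, 0, fmt, args, None)
    PiiRedactingFilter().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PiiRedactingFilter())  # handler filters also cover child loggers
    logging.basicConfig(level=logging.INFO, format="%(message)s", handlers=[handler])
    # Constructed sample values, not real identifiers.
    logging.info("KYC ok for PAN %s, Aadhaar %s", "ABCDE1234F", "1234 5678 9012")
```

Attach the filter to handlers rather than to individual loggers, since handler filters apply to records from every child logger as well.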
6. Defamation risk management
Derived scores about identified developers/projects carry defamation risk. Three guardrails:
Guardrail 1: Percentile framing
- "ABC Developers is unreliable."
+ "ABC Developers' delivery delay is in the 78th percentile among Pune promoters with 10+ MahaRERA projects."
Guardrail 2: Source citation
Every claim references a public document (MahaRERA filing, news article, MahaRERA complaint number). We don't say things we can't back.
Guardrail 3: Right of reply
Developers can request review of their score with evidence. Corrections are published. This is operational:
- Public-facing "request a review" mechanism
- 14-day acknowledgement, 30-day response
- Public log of corrections (not embarrassing, just transparent)
Words never to use:
| Banned | Why |
|---|---|
| "Fraudulent" / "Fraud" | Imputes criminal intent |
| "Scam" / "Scammer" | Same |
| "Shady" / "Dodgy" | Unspecified, defamatory implication |
| "Don't buy from X" | Recommendation + defamation |
| "Worst" / "Bottom" | Superlative; risk-laden |
Words/phrases that are OK:
- "Delivery delay percentile"
- "Active complaints registered with MahaRERA"
- "Revised completion date X times"
- "Title chain has a [factual gap]"
- "Withdrew project Y in [year]"
7. FEMA for NRI users (Broker product)
When NRI users use PropPie Broker:
- Inform, don't structure transactions
- Explain repatriation rules, TDS, double-taxation avoidance treaties
- Direct to CA for specific advice
- Don't help with structuring that circumvents FEMA (e.g., agricultural land buys)
8. Marketing and advertising compliance
ASCI code:
- No superlative claims without substantiation
- No misleading comparisons
- No promised returns
Specific rules for us:
- Drop "first / only / best" framing unless it can be substantiated
- RERA number on every project mention
- AI-generated outputs carry a footer: "Information only, not investment advice. Verify with original sources."
Influencer / affiliate rules:
- All paid promotion must be disclosed (ASCI 2021 influencer guidelines)
- Affiliate links must disclose the relationship
9. Vendor / supplier compliance touchpoints
| Vendor type | Compliance touchpoint |
|---|---|
| LLM API (OpenAI / Anthropic / Bedrock) | Data Processing Agreement; data residency check; no training on our data |
| Cloud (AWS / Azure) | Mumbai region; encryption; security certifications |
| Payment gateway | RBI compliance |
| Identity verification | DigiLocker / Authentic + DPDP compliance |
| Analytics (GA, Mixpanel etc.) | Cookie consent, DPDP |
| Email / SMS | TRAI DLT compliance for SMS; CAN-SPAM equivalent for email |
10. Internal governance
| Item | Status | Owner |
|---|---|---|
| Privacy policy | TODO | Counsel + COO |
| Terms of service | TODO | Counsel + COO |
| Compliance officer role | TODO (designate within team) | CEO |
| Quarterly compliance review | TODO (cadence) | COO |
| Incident response plan | TODO | CEO + COO |
| SM-REIT audit for existing schemes | URGENT TODO | CEO + Counsel |
| Right of reply mechanism for developer scores | TODO before Broker launch | Product + Counsel |
| User AI-output disclaimer | TODO | Product + Engineering |
11. What changes the compliance posture (triggers)
| Trigger | Required response |
|---|---|
| Fractional scheme grows past ₹50 Cr / 200 investors | SM-REIT route |
| Product wants to recommend specific assets to specific users | SEBI IA registration |
| Product wants to publish research notes with targets | SEBI RA registration |
| Product wants to facilitate property transactions | RERA agent registration per state |
| Major DPDP rule notification | Privacy policy + breach process refresh |
| User complaint to SEBI / Consumer Forum about us | Incident response, response within statutory window |
| Defamation suit notice | Pause user-facing copy related to that developer; counsel-led response |
| Expansion to another state | State-specific stamp duty, RERA scrape — no compliance shift, mostly data |
12. The annual compliance ritual
Once a year:
1. Re-audit compliance status against current regulations
2. Re-evaluate IA/RA registration (do we still want to be info-only?)
3. Re-test data protection processes
4. Update privacy policy if regulations changed
5. External compliance audit (when scale warrants)
See also:
- /.cursor/skills/proppie-compliance/SKILL.md — the operational quick reference
- /.cursor/skills/proppie-honest-broker/SKILL.md — how compliance shows up in voice
- risks-and-open-questions.md — open risks
- ../../docs/90-memory/open-questions.md — open questions awaiting decision