Are co-working spaces allowed to log your visitors’ ID?
At a glance
A co-working space can keep a basic visitor record for security, but demanding an ID copy or logging more than entry needs is over-collection under India’s DPDP Act. Collection has to be tied to a stated purpose, with a clear notice and only the minimum taken — a visitor’s name and who they’re meeting usually suffice; a stored Aadhaar copy rarely does. You, or the member hosting a guest, can ask why each detail is needed, give the minimum, and ask for it to be deleted.
Educational resource only. This explains how co-working spaces logging visitor ID is treated under India’s Digital Personal Data Protection Act, 2023 (DPDP Act); it is not formal legal advice.
On this page
- Who’s responsible for the visitor log?
- What can they require to let a visitor in?
- How long is visitor data kept, and is it secure?
- What you or your host can do
- FAQ
The situation
You visit a co-working space for a meeting, or bring a guest to the one you use, and reception wants an ID copy or a photo of an Aadhaar before anyone goes up. It’s framed as security or building policy. But a stack of visitors’ ID copies on a reception system is a concentrated pile of other people’s personal data — and often the space collected far more than letting someone in actually required.
Who’s responsible for the visitor log?
The co-working operator is the Data Fiduciary — it sets what’s collected, so the duty to visitors sits with it. A visitor’s details are personal data, and the space deciding to collect them is a Data Fiduciary under the DPDP Act, with duties to visitors and guests as much as to its members. That means a clear notice of why it’s collecting (Section 5), and collection limited to what the stated purpose needs (Section 6). The purpose here is straightforward — knowing who is in the building for safety and access — and that purpose is what sets the limit on what can be asked.
What can they require to let a visitor in?
Usually a name and who you’re visiting — not a stored copy of your ID. Confirming a visitor and reaching them if needed rarely requires more than a name, the person or company they’re meeting, and perhaps a contact number. An ID copy — Aadhaar, PAN, passport, driving licence or Voter ID — is a bigger step that has to be justified by the purpose, and “for our records” isn’t a justification. Where the space genuinely needs to verify identity, you can offer a masked Aadhaar (first eight digits hidden) or simply show ID rather than have it photographed and stored.
- Reasonable: a sign-in with name, host, and time; a glance at ID to confirm who you are.
- Questionable: photographing and keeping a full Aadhaar or ID copy for an ordinary visit.
How long is visitor data kept, and is it secure?
Only as long as the security purpose lasts — and while held, it must be kept secure, not left in an open register. The DPDP Act requires a Data Fiduciary to protect the data it holds and erase it once the purpose is served (Section 8). Visitor logs from months ago, with no live reason to keep them, shouldn’t just accumulate — and a paper register anyone at the desk can flip through, or an unsecured spreadsheet of ID copies, is a security failure the operator is answerable for. Data collected to know who’s in the building today doesn’t need to sit on a system indefinitely.
What you or your host can do
Ask what’s needed, give the minimum, and push back on stored ID copies.
- Ask the purpose. “Why is an ID copy needed to visit?” A sign-in serves security; a stored copy usually isn’t necessary.
- Give the minimum. Name and host are typically enough; decline extra fields that don’t serve entry.
- Show, or mask, rather than surrender. Offer to show ID, or give a masked version, instead of having a full copy photographed.
- Members: raise it for your guests. If you host visitors, you can ask the space to justify — or drop — an ID-copy demand on people you bring in.
- Escalate if ignored. The operator is the Data Fiduciary — raise a grievance with it, and you can complain to the Data Protection Board of India if over-collection or hoarding continues.
FAQ
Can a co-working space demand an ID copy from visitors? Only where it’s genuinely needed for a stated purpose. For an ordinary visit, a name and host usually suffice, so a stored ID copy is typically over-collection you can decline.
Is a visitor sign-in itself a problem? No — a basic record of who’s in the building for security is a legitimate purpose. The issue is collecting more than that purpose needs, like a full ID copy or photo.
Can I refuse to let them photograph my Aadhaar? Yes. You can offer to show ID or give a masked Aadhaar instead, and no private business can compel Aadhaar-based biometric authentication.
What happens to the visitor data afterwards? It should be kept secure and deleted once its purpose is over. Old logs with no live security reason shouldn’t linger, and you can ask for deletion.
I’m a member bringing a guest — can I object on their behalf? Yes. You can ask the space to justify what it collects from your guests and to keep it to the minimum, and raise a grievance if it over-collects.
Related Articles
Reviewed by Confidential Dispatch Editorial Team
Last updated 14 July 2026
Not legal advice.