Privacy & Data Protection

01. Student Information We Collect

We collect the minimum data needed to deliver courses, verify identity, provide support and improve learning outcomes. Collected data types include:

• Enrollment & Identity: Name, preferred name, date of birth, email address, mobile number, photo (optional, for certificates), education background, and verification documents where a certificate or proctoring requires identity proof.
• Authentication Data: Hashed passwords (if using manual signup), OAuth identifiers and limited profile fields when signing in with Google (name, email, profile ID) — only with your consent.
• Academic & Learning Data: Course enrollments, progress, quiz and test scores, time spent per lesson/module, submission timestamps, feedback and grading metadata.
• Device & Access Data: IP addresses, device type, OS, browser type, approximate geolocation (city-level) derived from IP only when necessary, and device fingerprints used only to detect suspicious activity and prevent account sharing.
• Payment & Billing Data: Payment transaction IDs, billing name and email, payment gateway reference numbers. We do not store raw card numbers or CVVs.
• Support & Communication: Support chat transcripts, emails, call recordings only when you consent or as required for quality assurance.

02. Purpose of Processing & Legal Basis

We process personal data for legitimate educational and operational reasons. Key purposes include:

• Delivering Services: To enrol you in courses, deliver digital materials, manage test series and issue certificates.
• Personalized Learning: To recommend courses, mock tests and practice content based on performance and engagement data.
• Security & Anti-Fraud: To detect cheating, abuse, account sharing, and to enforce academic integrity.
• Payments & Fulfilment: To process purchases, refunds and physical book delivery (where applicable).
• Legal Compliance: To respond to lawful requests from courts, regulators or law enforcement and to comply with tax and accounting obligations.
• Your Consent: Where we rely on consent (e.g., marketing emails, cookies beyond necessary), you can withdraw consent at any time without affecting core service delivery.

Minimization: We avoid collecting unnecessary personal data and delete or anonymize data that is no longer needed for the purpose it was collected.

03. Authentication, Sign-up Options & Account Controls

• Sign-up Methods: Users may create accounts via Google OAuth (recommended) or manual registration (email + password). If you use Google OAuth we only store the OAuth ID and the profile fields you explicitly permit; we do not access your Google password.
• Password Storage: Manual passwords are salted and hashed using strong one-way algorithms (bcrypt/argon2) and never stored in plaintext.
• Session Management: Sessions are token-based. You can view and revoke active sessions from your account settings. We may limit concurrent sessions to prevent account sharing.
• MFA/2FA: We encourage Multi-Factor Authentication where available. If enabled, additional verification data (e.g., OTP) is used only for authentication and not stored beyond immediate verification needs.
• Account Recovery: Account recovery is available via email or phone verification and follows strict verification steps to avoid unauthorized takeover.

04. Payment & Financial Security

For cancellations and refunds, see our dedicated Return & Refund Policy linked on checkout pages. Cardholder disputes must be raised with the payment provider and may require us to provide transaction logs.

05. Sharing, Processors & Third Parties

We limit sharing to the minimum necessary. Categories of recipients include:

1. Service Providers: Payment gateways, SMS/WhatsApp providers, email processors, CDNs and analytics vendors. These entities process data as our processors under contracts requiring confidentiality and security safeguards.
2. Academic & Certification Partners: Only when you consent or where verification of scores/certificates is requested by legitimate authorities.
3. Legal Requests: Disclosure when required by law or by competent authorities (court orders, statutory obligations).

Hosting: Platform data is hosted on secure servers managed by our chosen hosting provider . We select providers that implement strong security and data processing agreements.

06. Cookies, Analytics & Tracking

We and our service providers use cookies and similar technologies for:

• Essential site functionality (sessions, load balancing).
• Performance & analytics (to measure engagement and improve courses).
• Security (fraud detection, bot mitigation).
• Optional marketing (only with your consent).

From account settings you may manage or opt out of non-essential cookies. Blocking essential cookies may affect site usability.

07. Security Measures

We implement multi-layered technical and organizational safeguards, including:

• Transport encryption (HTTPS/TLS) for all data in transit.
• Encryption at rest for sensitive fields and backups.
• Access controls and role-based permissions for staff.
• Regular vulnerability scanning, periodic penetration testing and secure development lifecycle practices.
• Logging and monitoring for security events and anomalous behaviour (rate limits, IP blocks).
• Data minimization and least-privilege for third-party access.

While we strive to protect your data, no system is invulnerable. We follow industry best practices to reduce risk.

08. Retention, Export & Deletion

• Retention Periods: Active course data is retained for the duration of the course plus administrative retention windows. Certificate & marksheet records are retained for a period (e.g., up to 10 years) to support future verification requests.
• Data Export: You may request export of your personal and academic data in machine-readable formats (CSV/JSON) or as PDF summaries via your account or by contacting the DPO. We will respond within 30 days unless a longer period is required by law.
• Deletion/Account Closure: You may request account deletion. Deletion will remove personal data subject to our legal obligations (e.g., financial records needing retention for taxation) and anonymization requirements. Deletion requests may be subject to identity verification.

09. Rights of Users & How to Exercise Them

You have a set of rights over your personal data. To request any of the following, contact the DPO at mayankchawdhari@gmail.com:

• Access: Obtain a copy of your personal data and learning records.
• Rectification: Ask us to correct inaccurate or incomplete data.
• Erasure: Request deletion of personal data (subject to legal/contractual retention requirements).
• Portability: Request a structured export of data you provided.
• Object & Restrict: Object to processing for specific purposes or request restriction of processing.

We aim to respond to verified requests promptly and within statutory timelines. We may require identity verification before fulfilling sensitive requests.

10. Data Breach Notification & Response

In the unlikely event of a data breach we will:

1. Contain the incident and engage security experts to investigate.
2. Notify affected users and the appropriate authorities as required by law without undue delay.
3. Provide guidance to affected users on mitigation steps (password resets, monitoring).
4. Take corrective steps to prevent recurrence and publish a summary of the incident response where appropriate.

11. Data Protection Officer (DPO) & Contact

For privacy requests, complaints, or to report suspected misuse, please contact the DPO. If unresolved, you may approach the statutory authorities or consumer forums as permitted by law.

12. Children & Minors

Our Services are primarily intended for users aged 16 and above. If you are under 18, you must use the platform with parental/guardian consent. We do not knowingly collect personal data from children under the age of 16 without verifiable parental consent. If you believe we have collected data of a minor in violation of this policy, contact the DPO immediately and we will take prompt steps to remove the data.

13. Automated Decision-Making & Profiling

We may use automated systems to recommend learning content, to detect anomalous behaviour and to flag potential account sharing/cheating. These automated assessments are used to support human review — important outcomes (e.g., account suspension or major academic penalties) will include a human review and a right to appeal.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect legal, technical or operational changes. We will publish the revised policy with an updated effective date. For material changes, we will notify registered users by email or in-app notification.