Privacy Policy

Eduate Private Limited together with its subsidiaries, associates, and affiliates (collectively “MyEduate”, “we”, “our”, or “us”) values your privacy and is committed to protecting Personal Data in line with applicable privacy laws, including the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other relevant regulations. This Privacy Policy explains how we collect, use, disclose, transfer, and retain information when you interact with our websites, mobile applications, products, and related services (collectively, the “Services”).

1. Scope

This Policy covers Personal Data we process about

1. visitors to our Sites,
2. customers and their end-users,
3. vendors and business partners,
4. anyone who contacts or otherwise interacts with MyEduate (collectively, “you”).

2. Definitions

• “Personal Data”: Any information that relates to an identified or identifiable individual, including “Sensitive Personal Data” such as financial, health-related, biometric, or child data.
• “Processing”: Any operation performed on Personal Data such as collection, storage, use, disclosure, transfer, retention, or deletion.
• “Sub-processor”:A third party engaged by MyEduate to Process Personal Data on our behalf.
• “Data Principal / Data Subject”: The individual to whom Personal Data relates.

3. Data We Collect

We collect the minimum data necessary to provide and improve the Services, including:

• Identifiers such as name, postal address, email address, telephone number, account credentials, and unique device identifiers.
• Transactional data such as orders, billing information, and communications with us.
• Usage data such as log files, IP address, browser type, pages viewed, and interactions with emails.
• Any other information you voluntarily provide to us, including through surveys, events, or support requests.
• Our Android application may collect and process both precise (GPS-based) and approximate (network-based) location data from your device.

4. Legal Basis & Purpose of Processing

• To perform our contract with you or take steps at your request (e.g., provide the Services, authenticate users, process transactions, and provide customer support).
• To comply with legal obligations (e.g., tax, accounting, and regulatory requirements).
• For our legitimate interests (e.g., improve Services, maintain security, prevent fraud), unless those interests are overridden by your rights.
• With your consent for specific purposes such as direct marketing, which you may withdraw at any time.

5. Sharing & Disclosure

We do not sell Personal Data. We may share your information only as follows and subject to appropriate safeguards:

• Affiliates: Within the MyEduate corporate family for purposes consistent with this Policy.
• Authorised Sub‑processors: Carefully selected service providers that need access to data to perform services for us and are bound by a written Data‑Processing Agreement (DPA) and, where applicable, Standard Contractual Clauses or other lawful transfer mechanisms. A current list of sub‑processors is available on request and we will give at least 30 days’ advance notice of any changes.
• Legal & Regulatory: Government authorities, regulators, courts, or other third parties when required to comply with law or protect rights, safety, or property.
• With your consent for specific purposes such as direct marketing, which you may withdraw at any time.
• Business Transfers:In connection with any merger, sale of assets, financing, or acquisition of all or a portion of our business provided that the recipient agrees to honour the commitments in this Policy.

6. Location Data Collection

This data is collected only with your consent and is used to improve the services provided through our application, such as enabling location-based features and enhancing user experience.

• Location data is not shared with third parties except as required by law or to provide core functionality of the application.
• You can manage or revoke location permissions at any time through your device settings.
• We do not use your location data for marketing or advertising purposes without your explicit consent.

7. International Transfers

Where we transfer Personal Data outside your jurisdiction, we ensure an adequate level of protection, for example by executing Standard Contractual Clauses, relying on adequacy decisions, or obtaining your explicit consent.

8. Security Measures

We employ physical, administrative, and technical safeguards aligned with ISO 27001 controls, including encryption in transit and at rest, least‑privilege access, regular vulnerability scans, annual penetration testing, employee training, and robust incident‑response procedures. We provide executive summaries of independent security audits to enterprise customers upon request.

9. Data Breach Notification

If we become aware of a Personal Data breach affecting you, we will notify you in writing without undue delay and, where feasible, within 72 hours. The notice will describe the nature of the breach, the likely consequences, measures taken, and points of contact for follow‑up.

10. Data Retention & Deletion

We retain Personal Data only for as long as necessary to fulfil the purposes described above or as required by law. Unless otherwise agreed in a DPA, we will delete or anonymise Personal Data within 30 days after the end of our contractual relationship and will provide written confirmation of destruction upon request. We may retain minimal records to prevent fraud, resolve disputes, or enforce agreements in accordance with legal requirements.

11. Marketing Communications

We send marketing emails or display personalised ads only with your prior opt‑in consent. You can opt out at any time by following the unsubscribe link in our emails or contacting us as set out below. Marketing communications are never directed to children under 18 years of age.

12. Children’s Privacy

We do not knowingly collect Personal Data from children under 18 without verifiable parental consent. Where our Services are used by educational institutions, we rely on the institution to obtain required consents. We will promptly delete any child data collected in violation of this Policy and indemnify the institution for any failure by us to comply with applicable child data‑protection laws.

13. Your Rights

• Right to Confirmation & Access – know whether we process your Personal Data and obtain a copy.
• Right to Correction – have inaccurate or incomplete data corrected.
• Right to Data Portability – receive data in a structured, machine‑readable format and transmit it to another controller.
• Right to Deletion (Right to be Forgotten) – request erasure of data when it is no longer needed or consent is withdrawn.
• Right to Restrict / Object – limit or object to Processing under certain circumstances, including direct marketing.
• Right to Withdraw Consent – withdraw any consent given without affecting prior Processing.

14. Automated Decision‑Making

MyEduate does not perform fully automated decision‑making that produces legal or similarly significant effects on individuals without human review.

15. Automated Decision‑Making

MyEduate does not perform fully automated decision‑making that produces legal or similarly significant effects on individuals without human review.

16. Updates to This Policy

We may update this Policy from time to time. If we make material changes that reduce your rights or expand Processing purposes, we will provide at least 30 days’ advance notice by email or prominent notice on our Sites. Continued use of the Services after the effective date constitutes acceptance of the revised Policy.

17. Contact & Grievance Redressal

If you have questions, requests, or complaints regarding this Policy or our privacy practices, please contact our Data Protection Officer (DPO):

• You also have the right to lodge a complaint with the relevant data‑protection authority in Bengaluru jurisdiction.