Privacy Policy | NEET EDGE - Powered by LearningPad

This Privacy Policy ("Policy") describes how the Company ("Company", "we", "us", "our") collects, processes, stores, and protects personal data of Users ("you", "your", "Data Principal") who access the NEET Test Prep Platform ("Platform"). This Policy is compliant with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and all applicable Indian data protection regulations.

By using the Platform, you consent to the collection and processing of your personal data as described in this Policy.

1. Data Fiduciary Information

Under the DPDP Act, 2023, the Company acts as the Data Fiduciary responsible for processing your personal data.

Address: Hyderabad, Telangana, India

2. Personal Data We Collect

2.1 Data You Provide Directly

We collect personal data that you voluntarily provide to us, including:

Identity Data: Full name, date of birth, gender, and profile photograph.
Contact Data: Email address and mobile phone number.
Academic Data: Class/standard, NEET target year, preferred medium of instruction, and self-reported previous exam scores.
Payment Data: Transaction details (processed via third-party gateways; we do not store card details). GST/billing information where applicable.
Communication Data: Queries, doubt submissions, feedback, and support communications.

2.2 Data Collected Automatically

When you use the Platform, we automatically collect:

Usage Data: Pages visited, tests attempted, scores, time spent per session, feature interactions.
Device & Technical Data: IP address, browser type, operating system, device identifiers, and session data.
Log Data: Error logs, crash reports, and performance monitoring data.
Cookie Data: Session cookies and functional cookies to maintain your session and preferences. We do not use tracking or advertising cookies.

2.3 Data We Do NOT Collect

We explicitly do not collect the following categories of Sensitive Personal Data except where required by law:

Passwords (stored in hashed form only; never in plain text).
Biometric data or facial recognition data.
Financial statements or bank account details.
Religious, political, or community affiliation data beyond what you voluntarily provide.

2.4 Deemed Consent

Processing of personal data may also be carried out under "deemed consent" for purposes such as fraud prevention, network security, legal compliance, and enforcement of legal rights, in accordance with the DPDP Act, 2023.

3. Purposes of Processing Personal Data

We process your personal data solely for the following lawful purposes:

Purpose	Data Used	Legal Basis (DPDP Act)
Account Registration & Management	Identity, Contact	Consent / Contractual Necessity
Delivering Platform Services & Content	Academic, Usage	Contractual Necessity
Processing Payments & Issuing Invoices	Payment, Contact	Contractual Necessity / Legal Obligation
Performance Analytics & Progress Tracking	Usage, Academic	Consent / Legitimate Use
AI Feature Functionality (doubt resolution, recommendations)	Usage, Academic	Consent
Customer Support & Grievance Redressal	Identity, Contact, Communication	Legal Obligation / Contractual Necessity
Platform Security & Fraud Prevention	Technical, Log	Legitimate Use / Legal Obligation
Sending Platform & Service Notifications	Contact	Consent
Legal Compliance & Regulatory Obligations	As Required	Legal Obligation

3.1 AI Features — No Personal Data for Model Training

We affirm that personal data collected on the Platform is NOT used to:

Explicitly train, fine-tune, or update any AI/ML models, whether proprietary or third-party.
Deliver personalised advertising, third-party marketing, or profiling for commercial purposes unrelated to your NEET preparation.
Share with third-party AI model providers in any identifiable form.

AI features on the Platform use anonymised, aggregated, or purpose-specific data processing that cannot be linked back to any individual User.

3.2 Deemed Consent

3.3 Automated Decision Making

Certain features may involve automated processing (including AI-based recommendations and analytics). Such outputs are indicative in nature and do not constitute binding decisions.

4. Data Sharing and Third-Party Disclosure

4.1 General Principle

We DO NOT sell, rent, or trade your personal data to any third party for commercial purposes. Your data is not monetised.

4.2 Limited Sharing

We may share your personal data only in the following limited circumstances:

Service Providers: With trusted third-party vendors (payment gateways, cloud hosting providers, analytics services, communication platforms) under strict contractual data processing agreements that prohibit secondary use.
Legal Requirements: Where required by law, court order, government directive, or in response to lawful requests by public authorities.
Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity, and you will be notified in advance.
Safety: Where necessary to protect the vital interests of any person.

4.3 Anonymised / Aggregated Data

We may use and share anonymised, aggregated, or de-identified data (which cannot be attributed to any individual) for research, product improvement, and business analytics purposes.

5. Cookies and Tracking Technologies

We use essential session cookies to maintain your logged-in state and functional cookies to remember your preferences. We do NOT use:

Third-party advertising cookies or pixel trackers.
Cross-site tracking technologies.
Behavioural profiling cookies for advertising.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Platform.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Policy, or as required by applicable law:

Data Category	Retention Period
Account / Identity Data	Duration of account + 3 years post-deletion
Academic / Usage Data	Duration of active subscription + 1 year
Payment / Transaction Data	8 years (as required under Income Tax Act, GST law)
Communication / Support Data	3 years from last interaction
Log / Technical Data	180 days on rolling basis
Anonymised Analytics Data	Indefinitely (non-personal)

After the applicable retention period, personal data will be securely deleted or irreversibly anonymised.

7. Rights of Data Principals (Your Rights)

Under the DPDP Act, 2023, you have the following rights with respect to your personal data processed by us. To exercise any of these rights, contact us through the Platform:

Right to Access: Request confirmation and a summary of your personal data being processed and the processing activities undertaken.
Right to Correction and Erasure: Request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer necessary.
Right to Grievance Redressal: Lodge a grievance with our designated Grievance Officer, who shall respond within 15 working days.
Right to Nominate: Nominate any individual to exercise your rights in the event of your death or incapacity.
Right to Withdraw Consent: Withdraw your consent for any specific processing activity at any time. Withdrawal shall not affect the legality of processing conducted prior to withdrawal.
Right to Complain to the Data Protection Board: If you are unsatisfied with our response, you may lodge a complaint with the Data Protection Board of India, once constituted.

We will respond to all valid requests within 30 days. Identity verification may be required before processing requests.

7.1 Data Portability (Optional Future-Proofing)

Where technically feasible, the Company may provide data portability features at its discretion.

8. Data Security

We implement industry-standard technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction:

Encryption: All data in transit is protected using TLS 1.2/1.3 (HTTPS). Sensitive data at rest is encrypted using AES-256 encryption.
Access Controls: Role-based access controls (RBAC) ensure that only authorised personnel can access personal data on a need-to-know basis.
Password Security: Passwords are stored using industry-standard hashing algorithms (bcrypt/Argon2). We never store passwords in plain text.
Penetration Testing: Regular vulnerability assessments and penetration testing are conducted by qualified security professionals.
Incident Response: We maintain a documented data breach response plan. In the event of a breach affecting your rights, we shall notify you and the Data Protection Board in accordance with the DPDP Act.
Vendor Security: All third-party service providers are required to maintain adequate security standards under contractual obligations.

While we take all reasonable precautions, no system is completely infallible. If you suspect any security compromise, please notify us immediately through the Platform.

8.1 Deemed Consent (Legally Powerful under DPDP)

8.2 Limitation of Data Liability

To the extent permitted by law, the Company shall not be liable for any indirect, incidental, or consequential damages arising from unauthorised access despite reasonable security safeguards.

9. Children's Privacy

The Platform may be used by students below 18 years of age (minors). Under the DPDP Act, 2023, the processing of personal data of a child (below 18 years) requires verifiable parental consent. We shall:

Obtain verifiable parental consent before processing personal data of Users identified as minors.
Not process personal data of children in a manner that is harmful or that tracks their behaviour across the internet.
Implement appropriate safeguards for minors' data in accordance with the rules notified under the DPDP Act.

Parents or guardians who believe their child's data has been processed without consent should contact us through the Platform for immediate remediation.

10. Cross-Border Data Transfers

Your personal data is primarily stored on servers located within India. To the extent any data processing occurs outside India (e.g., through cloud service providers or AI processing pipelines), such transfers shall be conducted only to countries notified by the Central Government under Section 16 of the DPDP Act, 2023, or through appropriate contractual safeguards ensuring equivalent data protection standards.

11. Changes to This Policy

We reserve the right to update this Privacy Policy from time to time to reflect changes in law, our practices, or the Platform's features. Material changes will be notified to you via email or through a prominent notice on the Platform at least 7 days before the changes take effect. Continued use of the Platform after the effective date of the revised Policy constitutes your acceptance.

12. Contact and Grievance Redressal

For privacy-related queries, requests, or complaints, please contact us through the Platform.

Postal Address: Hyderabad, Telangana, India
Response Time: Within 15 working days of receipt of your request.