Data Processing Agreement (DPA)

Introduction
Definitions
Legal Basis for Processing
Data We Collect
Data Processing Activities
Data Sharing & Recipients
International Data Transfers
Data Retention
Your Rights as Data Subject
Data Security
Third-Party Data Processors
Data Controller Information
Changes to This Agreement
Contact & Complaint

1. Introduction

This Data Processing Agreement ("DPA") sets forth the terms under which EduMitra Education ("Data Controller" or "Company") and the Student/User ("Data Subject") engage in personal data processing in compliance with applicable data protection laws.

Applicable to:

GDPR (General Data Protection Regulation) – EU/UK users
CCPA (California Consumer Privacy Act) – California residents
DPDPA (Digital Personal Data Protection Act) – India
Other applicable privacy laws and regulations

2. Definitions

Data Controller: EduMitra Education, the entity determining the purposes and means of data processing.

Data Processor: Third-party service providers (e.g., payment gateways, email services, analytics tools) processing data on our behalf.

Data Subject: You, the student/user whose personal data is being processed.

Personal Data: Any information relating to an identified or identifiable person (for example: name, email, educational records, payment information).

Processing: Any operation performed on personal data (collection, storage, analysis, transmission, deletion, etc.).

Sensitive Data: Data concerning race, ethnicity, political opinions, religious beliefs, health, biometric data, or sexual orientation.

Third Country Transfer: Moving data outside your country’s jurisdiction (e.g., India to USA).

3. Legal Basis for Processing

3.1 Legal Bases (GDPR Article 6)

EduMitra processes your personal data based on the following legal grounds:

1. Contract Performance (Article 6(1)(b))

Processing necessary to enroll you in courses and programs.
Processing essential to deliver educational and support services.
Processing required to manage and maintain your account.
Examples: Name, email, educational background, payment information.

2. Legal Obligation (Article 6(1)(c))

Compliance with Indian laws and regulations.
Tax and accounting requirements.
Government agency requests (with valid legal basis).
Know Your Customer (KYC) and identity verification requirements.
Examples: Identification documents, address verification.

3. Legitimate Interests (Article 6(1)(f))

Improving our Platform and services.
Preventing fraud, abuse and security threats.
Basic analytics and usage tracking.
Non-intrusive marketing and communications.
Examples: Usage data, device information, behavioral analytics.
Balancing test: Our interests do not override your fundamental privacy rights and freedoms.

4. Explicit Consent (Article 6(1)(a))

Marketing communications (email, SMS, phone calls).
Cookies and tracking technologies for analytics/ads.
Special data processing beyond what is necessary for contract performance.
Your right: You may withdraw consent at any time without affecting prior lawful processing.

3.2 Special Categories of Data

We process sensitive personal data only when:

You provide explicit consent, e.g., health information for accessibility needs.
It is necessary for legitimate educational purposes, e.g., academic performance records.
It is required by law or to protect vital interests.

Such data is protected with enhanced safeguards such as encryption, strict access control and regular security audits.

4. Data We Collect

4.1 Categories of Personal Data

Identity Data

Name, date of birth, gender
Postal address, phone number
Email address
Government ID numbers (Aadhaar, PAN, Passport – where legally required)

Educational Data

Educational background and qualifications
Enrollment information and program details
Course selections, attendance and progress
Exam results, grades and assessments
Certificates, transcripts and academic performance metrics

Financial Data

Payment method details (card/bank information – processed via secure gateways)
Transaction history and billing address
Invoice details
EMI / installment information

Communication Data

Emails, messages and support tickets
Call recordings (with notification/consent)
Chat logs with counselors and support staff
Feedback forms and survey responses

Technical Data

IP address and device identifiers
Browser type and version
Pages visited and time spent
Cookies and tracking pixels
Operating system and device specifications
Approximate location data (e.g. city/country)

Marketing Data

Email/SMS marketing preferences
Advertising interactions and interests
Referral source and campaign tags

Inferred Data

Learning patterns and preferences
Predicted academic performance
Interest-based segments and personalization profiles

4.2 How Data Is Collected

Directly from you: Registration, enrollment forms, profile setup, assignments, assessments, surveys, payments, support interactions.
Automatically: Cookies, server logs, analytics tools and device data.
From third parties: University partners, payment providers, referral partners and publicly available sources.

5. Data Processing Activities

5.1 Enrollment & Account Management

Purpose: Create and manage your student account and enrollment.

Legal Basis: Contract Performance, Legal Obligation.

Data Used: Identity, Educational, Financial, Communication.

Retention: Active account duration + 6 years (for legal obligations).

Recipients: University partners, payment processors, authorized staff.

5.2 Course Delivery & Learning Management

Purpose: Deliver educational content, track learning, manage assignments and exams.

Legal Basis: Contract Performance.

Data Used: Identity data, educational records, technical usage data.

Examples: Recording lecture attendance, tracking completion, generating grade reports, providing learning analytics.

5.3 Payment Processing

Purpose: Process payments and manage billing.

Legal Basis: Contract Performance, Legal Obligation.

Data Used: Financial data, identity data.

Retention: 7 years (tax and compliance requirements).

Security: PCI-DSS compliant gateways, tokenization, encrypted transmission.

5.4 Marketing & Communication

Purpose: Communicate course information, updates and promotional offers.

Legal Basis: Legitimate Interests (transactional), Explicit Consent (promotional).

Transactional: Course updates, exam schedules, account notifications.
Promotional: New programs, offers, newsletters (only with your consent).

You can opt-out of promotional communications at any time.

5.5 Analytics & Optimization

Purpose: Understand user behavior and improve Platform performance.

Legal Basis: Legitimate Interests.

We use anonymized/aggregated analytics to improve content, usability and performance. You can control analytics cookies via our cookie settings.

5.6 Fraud Prevention & Security

Purpose: Protect user accounts, prevent fraud, and comply with security obligations.

Legal Basis: Legal Obligation, Legitimate Interests.

We monitor suspicious activities, verify identity, and may temporarily lock accounts in case of suspected misuse or fraud.

5.7 Legal & Compliance

Purpose: Comply with laws, respond to lawful requests, and defend legal claims.

Legal Basis: Legal Obligation.

6. Data Sharing & Recipients

6.1 University Partners

We share your relevant personal and educational data with UGC-approved university partners for:

Enrollment and registration
Exam and assessment management
Transcript and certificate generation

6.2 Payment Processors

We share limited financial and identity data with secure payment providers (such as Razorpay, PayU, Stripe) to process your payments in compliance with PCI-DSS and applicable laws.

6.3 Communication Service Providers

We use email and SMS service providers (e.g., Mailchimp, SendGrid, Twilio) to send permitted communications. Only necessary contact and message-related data is shared.

6.4 Analytics & Optimization Services

We may share pseudonymized or anonymized usage data with analytics providers such as Google Analytics, Hotjar or Mixpanel to improve our services.

6.5 Support & CRM Systems

CRM and helpdesk platforms may process your communication and support data to provide efficient and traceable support.

6.6 Mandatory Disclosures

We may disclose personal data to governmental or regulatory authorities, courts or law enforcement agencies when required by law, valid court order or to protect our legal rights and interests.

6.7 Data We Do NOT Share

We do not sell your personal data.
We do not share data with data brokers or unrelated advertisers.
We do not share data with employers or insurance companies without your explicit consent.

7. International Data Transfers

7.1 Storage Locations

Primary storage: India (e.g., AWS, hosting providers).

Secondary/processing locations: USA, EU, Singapore, depending on individual vendors and services.

7.2 For EU/UK Users (GDPR)

Where data is transferred outside the EU/EEA/UK, we rely on Standard Contractual Clauses (SCCs) and appropriate technical and organizational measures to protect your data.

7.3 For California Residents (CCPA)

We act as a “business” under CCPA and do not sell your personal information. Data is shared only with service providers under strict contractual limitations.

7.4 For Indian Users (DPDPA 2023)

Primary data is stored in India. Cross-border transfers are made in compliance with applicable Indian data protection regulations and subject to adequate safeguards.

8. Data Retention

8.1 Retention Periods

Account & Identity Data: For the duration of your account + 6 years.
Educational Records: Course duration + up to 7 years (or longer if legally required). University transcripts may be maintained permanently by universities.
Financial & Payment Data: 7 years for accounting and tax compliance.
Communication Records: 1–3 years depending on purpose.
Marketing Data: Until you unsubscribe, plus a short compliance hold.
Analytics & Logs: From 30 days (raw logs) up to 24 months (aggregated analytics).

8.2 Deletion Process

Upon your request (and subject to legal obligations), we securely delete or anonymize your personal data. We may retain some information where required by law, dispute resolution, or legitimate interests as permitted by applicable regulations.

9. Your Rights as Data Subject

Depending on your jurisdiction (GDPR, CCPA, DPDPA and other laws), you may have some or all of the following rights:

9.1 Right to Access

You can request a copy of the personal data we hold about you, along with information on how it is processed and shared.

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where it has been unlawfully processed. Legal and contractual exceptions may apply.

9.4 Right to Restrict Processing

You may request that we limit the processing of your personal data in certain circumstances (for example, while accuracy is being verified).

9.5 Right to Data Portability

You may request a machine-readable copy of certain personal data and have it transferred to another service provider, where technically feasible.

9.6 Right to Object

You may object to processing based on legitimate interests or direct marketing. We will honor such objections unless compelling legitimate grounds override your interests, or processing is required by law.

9.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you, and you may request human review of such decisions where they occur.

9.8 Right to Withdraw Consent

Where processing is based on your consent, you can withdraw it at any time. This will not affect the lawfulness of processing prior to withdrawal.

9.9 Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority or regulator if you believe your rights have been violated. We encourage you to contact us first so we can attempt to resolve the issue.

10. Data Security

10.1 Security Measures

We implement technical, administrative and physical safeguards to protect your data, including but not limited to:

Encryption in transit (SSL/TLS) and at rest (e.g., AES-256).
Secure hosting infrastructure and firewalls.
Role-based access control and least-privilege principles.
Regular security patching and vulnerability assessments.
Employee training and confidentiality obligations.
Backups, disaster recovery and business continuity planning.

10.2 Data Breach Notification

If a data breach occurs that impacts your personal data, we will:

Investigate and contain the incident.
Notify relevant authorities where required (e.g., within 72 hours under GDPR).
Inform affected users without undue delay with details and recommended protective steps.

11. Third-Party Data Processors

11.1 Processor Agreements

All third-party processors engaged by EduMitra operate under written data processing agreements that require them to:

Process data only on our documented instructions.
Implement appropriate security measures.
Maintain confidentiality and limit sub-processing.
Assist us in fulfilling data subject rights requests.
Delete or return personal data upon contract termination.

11.2 Key Processors

Examples of our key processors include (non-exhaustive):

Cloud hosting providers (e.g., AWS).
Payment gateways (e.g., Razorpay).
Email and SMS service providers (e.g., Mailchimp, SendGrid).
Analytics tools (e.g., Google Analytics, Hotjar).
CRM and support platforms.

12. Data Controller Information

Data Controller:

EduMitra Education
[Office Address]
[City, State], India
Email: privacy@edumitra.com
Phone: +91 9876543210

Data Protection Officer (DPO):

Name: [DPO Name]
Email: dpo@edumitra.com
Office: [DPO Office Address]

13. Changes to This Agreement

We may update this DPA from time to time to reflect changes in legal requirements, our processing activities, technologies or service providers.

When we make changes, we will:

Update the "Last Updated" date at the top of this DPA.
Provide notice via email, website banner or in-platform notification for material changes.
Make prior versions available upon request where required.

Your continued use of EduMitra’s services after any changes indicates your acceptance of the updated DPA.

14. Contact & Complaint

If you have questions, requests or complaints related to this Data Processing Agreement or your personal data, you may contact us at:

Email: privacy@edumitra.com

Phone: +91 9876543210

Mailing Address: EduMitra Education, [Office Address], India

You also have the right to contact your local Data Protection Authority or relevant regulator (for example, an EU Data Protection Authority, the UK ICO, the California Attorney General, or the appropriate authority under India’s DPDPA) if you believe your rights have been infringed.

Document Version: 1.0 | Last Updated: December 8, 2025 | Next Review: June 8, 2026