Privacy Policy

Under the DPDPA 2023, Pathfolio Tech Private Limited acts as the Data Fiduciary responsible for your personal data. Please contact us with any privacy concerns:

Under the DPDPA 2023 and IT (SPDI) Rules, we process personal data only on one or more of the following lawful bases:

• Consent: You have given free, specific, informed, and unambiguous consent. You may withdraw consent at any time without affecting the lawfulness of prior processing.
• Contractual Necessity: Processing is necessary to enter into or perform a contract with you (e.g., providing Services you have signed up for).
• Legal Obligation: Processing is required to comply with applicable law, court order, or regulatory authority directive.
• Legitimate Use: Processing is necessary for purposes related to employment, educational services, public interest, and platform safety.
• Vital Interest: Processing is necessary to protect life, health, or safety in case of emergency.

• Service Delivery: To provide, personalize, and improve AI-powered career guidance, mentor matching, portfolio tools, and all requested Services.
• Communication: To send you account notifications, Service updates, educational resources, product announcements, and responses to your inquiries.
• AI Model Training: To train and improve AI algorithms using anonymized, aggregated data — never individual identifiable data without explicit separate consent.
• Analytics & Research: To analyze platform usage, identify trends, measure Service performance, and conduct educational research to improve outcomes.
• Security & Safety: To prevent fraud, detect security threats, protect against abuse, and enforce our Terms and applicable laws.
• Legal Compliance: To comply with applicable laws, regulations, court orders, and government requests.
• Marketing: To send marketing communications, surveys, and promotional offers where you have opted in; you may opt out at any time.
• Institutional Reporting: To provide schools and universities with aggregated and individual student progress data as per institutional agreements.
• Feedback & Improvement: To collect feedback on your experience and make data-driven improvements to the Platform.

• Mentors: Relevant student profile data (name, qualifications, interests, goals) is shared with matched mentors only to the extent necessary for mentorship delivery. Mentors are bound by confidentiality obligations.
• Educational Institutions: Aggregated and individual student progress data is shared with the student's registered school/university based on institutional subscription agreements and valid consents.
• Service Providers: We engage third-party processors (cloud hosting providers, payment gateways, analytics platforms) under strict Data Processing Agreements (DPA) with appropriate technical and organizational safeguards.
• Legal Authorities: We may disclose data when required by law, court order, regulatory request, or to comply with a valid legal process.
• Business Transfer: In the event of merger, acquisition, bankruptcy, or sale of assets, your data may be transferred as a business asset, subject to notice and the same privacy protections.
• Aggregated & Anonymized Data: We may share aggregated, de-identified data with third parties for research, analytics, and business purposes.
• No Sale of Data: We do not sell, trade, or rent personal data to third parties for their independent marketing or commercial purposes.

Important: All service providers are contractually required to process data only on our instructions and under strict confidentiality.

• General Rule: Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.
• Active Accounts: Data for active accounts is retained throughout the subscription period.
• Closed Accounts: Upon account closure or deletion request, personal data is deleted within 90 calendar days, unless legally required to be retained longer.
• Transaction Records: Financial and transaction data is retained for 7 years as required under Indian tax and financial regulations.
• AI Training Data: AI interaction logs may be retained in anonymized, aggregated form for up to 3 years for model improvement purposes.
• Legal Holds: Where a legal hold is in place (litigation, investigation), data is retained for the duration of the hold.
• Cookies & Tracking: See Section P11 for cookie retention periods.

As a Data Principal under the DPDPA 2023, you have the following rights:

How to Exercise Your Rights: Send a request to privacy@pathfolioai.com with "Data Subject Request" in the subject line. Include: (1) Your full name, (2) Account email, (3) Type of request, (4) Details of what you're requesting. We will respond within 30 calendar days.

• Age Restrictions: We do not knowingly collect personal data from children under 13 without verifiable parental consent. For users aged 13–17, processing is permitted only with appropriate consent from a parent, legal guardian, or authorized institutional administrator.
• Institutional Registration: Schools and universities registering students under 18 must certify that they have obtained all required parental and/or student consents under DPDPA 2023 and relevant education laws.
• No Profiling of Minors: We do not conduct behavioral profiling, targeted advertising, or commercial tracking of identified minors.
• Restricted Use: AI recommendations for minors focus on educational and career guidance, not sales or commercial manipulation.
• Parental Access: Parents or legal guardians may request access to, correction of, or deletion of their child's data by contacting privacy@pathfolioai.com with proof of parental status.
• Institutional Contact: For students at schools/universities, institutional administrators serve as the authorized point of contact for parental requests.
• No Third-Party Marketing: We do not share a minor's personal data with third parties for marketing purposes.

We implement reasonable security measures as required under the IT (SPDI) Rules, 2011, including:

• Encryption: AES-256 encryption for data at rest and TLS 1.2+ encryption for data in transit.
• Access Control: Personal data access is restricted to authorized personnel on a strict need-to-know basis. All access is logged and monitored.
• Authentication: Multi-factor authentication (MFA) is available and recommended for user accounts. Strong password policies are enforced.
• Infrastructure Security: Regular security audits, vulnerability assessments, and penetration testing are conducted by third-party security firms.
• Incident Response: We maintain an incident response plan to detect, respond to, and mitigate data breaches.
• Staff Training: All employees handling personal data receive mandatory data protection and privacy training.
• Third-Party Security: Service providers are contractually required to implement equivalent security measures and undergo regular audits.

• Primary Storage in India: All personal data is primarily stored and processed on servers located within Indian territory in compliance with DPDPA 2023.
• Limited International Transfers: Where we engage cloud infrastructure providers (AWS, Google Cloud, Microsoft Azure) or other third parties located outside India, such transfers are made only with appropriate safeguards.
• Contractual Safeguards: All cross-border transfers are governed by Data Processing Agreements that mandate equivalent levels of privacy protection as required under Indian law.
• Adequacy Determination: We only transfer data to jurisdictions deemed to provide an adequate level of data protection under applicable Indian law and regulations.
• Future Expansion: Upon expansion to USA and UK, we will comply with local data localization and cross-border transfer requirements (e.g., GDPR adequacy for UK, state laws for USA).

• Essential Cookies: Required for the Platform to function (session management, authentication, security). These are automatically set and cannot be disabled without losing functionality.
• Performance/Analytics Cookies: Track how users interact with the Platform (pages visited, features used, session duration). These help us understand and improve performance and require your consent.
• Preference Cookies: Remember your choices (language, theme, notification preferences). These require your consent.
• Marketing Cookies: Enable us to serve relevant content and measure campaign effectiveness. These require explicit consent and may be set by third-party partners.
• Cookie Management: You can manage cookie preferences through your browser settings or our cookie consent manager on the Platform. Disabling certain cookies may limit Platform functionality.
• Retention: Cookies are retained for varying periods: Essential (session-based), Performance (12 months), Preference (2 years), Marketing (12–24 months).
• Similar Technologies: We may use web beacons, pixels, local storage, and similar technologies for tracking and analytics purposes, subject to the same consent requirements as cookies.

• Notification Obligations: Upon discovery of a data breach affecting personal data, we will notify affected Data Principals and the competent data protection authority within the timeframes prescribed by DPDPA 2023 and applicable law (generally within 30 days or as specified).
• What We'll Tell You: Our notification will include: (1) Nature of the breach, (2) Likely consequences, (3) Measures we're taking to address it, (4) Your rights and remedies, (5) Contact information for our Data Protection Officer.
• Institutional Notification: Schools and universities will be notified if student data is affected, so they can inform parents as required.
• Public Disclosure: Where required by law or where breach affects a large number of individuals, we may make a public announcement.
• Investigation: We conduct a full investigation of any data breach, preserve evidence, and implement remedial measures to prevent recurrence.

• We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
• For material changes (those that significantly affect your privacy rights), we will provide notice via email to your registered address and/or an in-app notification at least 30 days before changes take effect.
• For non-material changes (clarifications, minor updates), we may update the policy with immediate effect.
• The date of the most recent update is displayed at the bottom of this page. We encourage you to review this policy periodically.
• Your continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy. If you do not agree, you may request account deletion.
• Roadmap: Upon expansion to USA and UK, we will publish supplementary privacy policies compliant with CCPA/CPRA (USA) and UK GDPR. Roadmap