Data Compliance
Effective date: 1 June 2025
This page describes how AceNEET complies with applicable data protection and privacy laws, including India's Digital Personal Data Protection Act 2023 (DPDP Act), the EU/EEA General Data Protection Regulation (GDPR), and related regulations. It supplements our Privacy Policy and is intended to provide transparency about our data governance practices.
1. India — Digital Personal Data Protection Act 2023 (DPDP Act)
The DPDP Act is India's primary legislation governing the processing of digital personal data. AceNEET acts as a Data Fiduciary under the Act, meaning we determine the purpose and means of processing your personal data.
1.1 Grounds for Processing
We process personal data only on the following lawful grounds under the DPDP Act:
- Consent: We obtain your explicit, free, informed, and specific consent before processing data for purposes beyond service delivery (e.g., marketing communications). You may withdraw consent at any time.
- Legitimate Uses: Processing is permitted without consent for: fulfilment of a contract with you, compliance with a legal obligation, protecting vital interests, and responding to medical emergencies.
1.2 Notice
At the point of data collection (registration, payment), we provide clear notice of: the personal data being collected, the purpose of processing, the identity of our Data Protection Officer, and your rights as a Data Principal.
1.3 Data Principal Rights
As a Data Principal under the DPDP Act, you have the right to:
- Access information about your personal data being processed.
- Request correction and erasure of inaccurate or incomplete data.
- Grievance redressal: Raise a complaint with our Data Protection Officer within 30 days. If unsatisfied, you may escalate to the Data Protection Board of India once operational.
- Nominate another individual to exercise your rights in the event of death or incapacity.
To exercise these rights, contact: privacy@ace-neet.com
1.4 Children's Data
The DPDP Act defines a "child" as a person under 18 years. Where we know or reasonably believe a user is under 18, we obtain verifiable parental consent before processing their data. We do not conduct behavioural monitoring or serve targeted advertising to children. Users may not register without confirming they are 13 or older.
1.5 Significant Data Fiduciary
If AceNEET is designated a Significant Data Fiduciary by the Government of India (based on volume or sensitivity thresholds), we will appoint a Data Auditor, conduct Data Protection Impact Assessments, and comply with additional obligations as prescribed.
2. EU/EEA — General Data Protection Regulation (GDPR)
While AceNEET is primarily an India-based service, we acknowledge that some users may access the Platform from the EU/EEA. Where GDPR applies, we comply with its requirements.
2.1 Legal Basis for Processing
- Contract (Article 6(1)(b)): Processing necessary for providing the Platform services you subscribed to.
- Legitimate Interests (Article 6(1)(f)): Security monitoring, fraud prevention, and product improvement via aggregated analytics.
- Consent (Article 6(1)(a)): Marketing communications. Consent is freely given, specific, informed, and withdrawable at any time.
- Legal Obligation (Article 6(1)(c)): Retention of payment records per tax law.
2.2 GDPR Rights Summary
| Right | How to Exercise |
|---|---|
| Right of Access (Art. 15) | Email privacy@ace-neet.com |
| Right to Rectification (Art. 16) | Update in account settings or email us |
| Right to Erasure / "Right to be Forgotten" (Art. 17) | Email privacy@ace-neet.com |
| Right to Restrict Processing (Art. 18) | Email privacy@ace-neet.com |
| Right to Data Portability (Art. 20) | Request JSON/CSV export via email |
| Right to Object (Art. 21) | Email privacy@ace-neet.com |
| Right to lodge complaint with supervisory authority | Contact your local DPA |
2.3 International Data Transfers
Our primary data processing occurs in India. Where personal data of EU/EEA users is processed, we rely on the following safeguards for any transfers outside the EEA:
- Standard Contractual Clauses (SCCs) with sub-processors where required.
- Adequacy decisions by the European Commission where applicable.
For a list of current sub-processors or to request a copy of applicable SCCs, email privacy@ace-neet.com.
3. Data Storage & Localisation
We store user personal data on servers hosted within India where feasible and required by applicable law. Third-party processors (e.g., Cloudinary) may process certain non-personal technical data (e.g., image files) outside India. Payment data processed by Razorpay is governed by Razorpay's data localisation practices, which comply with RBI guidelines.
4. Technical & Organisational Security Measures
We implement the following controls in accordance with Article 32 GDPR and the DPDP Act's security obligations:
- Encryption in transit: All communications use TLS 1.2 or higher. HTTPS is enforced on all production endpoints.
- Encryption at rest: Databases are encrypted at rest using the cloud provider's native encryption.
- Access controls: Production database access is restricted to backend services; no direct public internet access. Role-based access control is enforced internally.
- Authentication security: Passwords are bcrypt-hashed (factor 12). JWT access tokens expire in 15 minutes. Refresh tokens are rotated on each use and revoked on logout.
- Rate limiting & abuse prevention: Login attempts are limited to 5 per minute per IP. Account creation is limited to 3 per minute per IP.
- Security logging: Failed login attempts, unusual access patterns, and API errors are logged for 90 days for forensic review.
- Dependency management: Third-party dependencies are regularly updated to patch known vulnerabilities.
- Data minimisation: We collect only the personal data necessary for the stated purpose.
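The authentication and rate-limiting controls listed above can be illustrated in code. The following is an added example written for this page; it is not AceNEET's own implementation. It assumes an in-memory store standing in for the production database, signs access tokens with HMAC-SHA256 over a compact JSON payload rather than using a JWT library (so it runs on the standard library alone), and goes one step beyond the list above by treating a replayed, already-rotated refresh token as a signal to revoke that token's whole family. Password hashing with bcrypt is deliberately left out, since it needs a third-party package.

```python
"""Session-token lifecycle and login rate limiting modelled on Section 4:
15-minute access tokens, single-use refresh tokens rotated on each use and
revoked on logout, and 5 login attempts per minute per IP.

Added example, not AceNEET's code. The signing key, store and clock values
are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import json
import secrets
from collections import defaultdict, deque
from typing import Optional, Tuple

ACCESS_TTL = 15 * 60            # seconds, as stated in Section 4
LOGIN_LIMIT = 5                 # login attempts per window per IP
LOGIN_WINDOW = 60               # seconds
SIGNING_KEY = secrets.token_bytes(32)   # per-process key (assumption for the demo)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id: str, now: float) -> str:
    """Return 'payload.signature'; the token expires ACCESS_TTL seconds after `now`."""
    payload = json.dumps({"sub": user_id, "exp": int(now + ACCESS_TTL)},
                         separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_access_token(token: str, now: float) -> Optional[str]:
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims["sub"]


class RefreshStore:
    """Server-side refresh-token state. Only a SHA-256 of each token is stored,
    so a leaked table does not contain usable tokens."""

    def __init__(self) -> None:
        self._tokens = {}              # sha256(token) -> {"user", "family", "used"}
        self._revoked_families = set()

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, family: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "user": user_id, "family": family or secrets.token_hex(8), "used": False}
        return token

    def rotate(self, token: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a fresh one; returns (user_id, new_token) or None."""
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["used"]:
            # A rotated token presented again means a copy exists somewhere:
            # revoke every token descended from the same login (extension of Section 4).
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return rec["user"], self.issue(rec["user"], rec["family"])

    def logout(self, token: str) -> None:
        """Revocation on logout: the whole family, not just the presented token."""
        rec = self._tokens.get(self._key(token))
        if rec is not None:
            self._revoked_families.add(rec["family"])


class SlidingWindowLimiter:
    """Per-IP sliding window: at most `limit` events in any `window` seconds."""

    def __init__(self, limit: int = LOGIN_LIMIT, window: float = LOGIN_WINDOW) -> None:
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self._hits[ip]
        while q and q[0] <= now - self.window:     # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    store, limiter = RefreshStore(), SlidingWindowLimiter()
    first = store.issue("user-1")
    user, second = store.rotate(first)
    print("rotated for", user, "| replay rejected:", store.rotate(first) is None)
    print("6th login attempt allowed:",
          [limiter.allow("203.0.113.9", float(i)) for i in range(6)][-1])
```

The clock is passed in explicitly (`now`) so expiry and the rate window can be exercised deterministically; in production the caller would supply `time.time()`. Storing only a hash of each refresh token and revoking by family are the two design choices that make the "rotated on each use and revoked on logout" statement hold even if the token table itself is exposed.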
5. Data Breach Response
In the event of a personal data breach, we will:
- Contain the breach and assess its scope within 24 hours of discovery.
- Notify the relevant supervisory authority (Data Protection Board of India; or relevant EU DPA for GDPR-covered users) within the timeframes mandated by law (72 hours under GDPR).
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document the breach, its effects, and the remedial actions taken.
To report a potential security vulnerability, email: security@ace-neet.com
6. Data Protection Impact Assessments (DPIA)
We conduct DPIAs before introducing new processing activities that are likely to result in a high risk to users' rights (e.g., large-scale processing of sensitive data, use of new AI profiling features). DPIAs are reviewed annually or following significant changes to the Platform.
7. Information Technology Act 2000 (India)
As an Indian intermediary under the Information Technology Act 2000 and the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, we:
- Publish and enforce our Terms of Use, Privacy Policy, and this Data Compliance policy.
- Respond to lawful orders from competent courts or government agencies within the prescribed timeframes.
- Do not knowingly host or transmit unlawful content.
- Maintain a Grievance Officer for users to report violations (see Section 8).
8. Grievance Officer & DPO Contact
Under the IT Rules 2021 and the DPDP Act, you may raise concerns with:
Grievance Officer / Data Protection Officer
AceNEET
Email: privacy@ace-neet.com
Response time: within 30 days of receipt (within 72 hours for security incidents).
If your concern is not resolved to your satisfaction, you may escalate to the Data Protection Board of India (once notified and operational under the DPDP Act), or your local data protection authority if you are an EU/EEA resident.