Privacy Policy

When an adult (18 years or older) registers for or uses our Services, we may collect:

• Identity Data: full name, date of birth, gender
• Contact Data: email address, phone number, postal address
• Account Data: username, password hash, account preferences
• Academic and Career Data: educational qualifications, career interests, aptitude assessment responses, session notes
• Payment Data: transaction reference numbers processed via Razorpay; we do not store full card numbers, CVV, or bank account details on our servers
• Device and Usage Data: IP address, browser type, operating system, pages visited, session duration, referring URL
• Communication Data: messages exchanged with our counselors, emails sent to our support addresses

We take a strongly privacy-protective approach to minors. Our policy is to collect the minimum data necessary, and we require that all contact and identifying information for a Minor User be provided exclusively by and through the parent or legal guardian.

• Parent/Guardian Identity: full name of parent or legal guardian
• Parent/Guardian Contact: email address and phone number of parent or guardian ONLY – we do not request or collect the email address or phone number of the Minor User
• Minor's Profile Data: first name only, age range, grade/class, general academic interests (sufficient for counseling purposes)
• Session Data: counseling session notes and assessment responses pertaining to the Minor User, accessible only to the parent/guardian and assigned counselor

We expressly instruct parents and guardians not to provide the personal email address, personal phone number, or government-issued identification numbers of Minor Users when registering on their behalf. Accounts found to have been registered with a Minor's direct contact details will be flagged for parental verification and may be suspended pending review.

When any user visits our platform, we automatically collect certain technical data through cookies and similar technologies:

• Log files recording server requests, error logs, access timestamps
• Cookies (see Section 12 on our Cookie Policy)
• Session identifiers and authentication tokens
• Approximate geographic region derived from IP address (country/state level only)

We process Personal Data for the following purposes and on the legal bases indicated:

Our platform uses artificial intelligence tools including third-party APIs and proprietary in-house AI modules to assist with career assessment analysis, content generation, and counseling support. The following conditions apply to AI processing:

• Data submitted through AI-powered features may be transmitted to third-party AI servers outside India, subject to their respective data processing terms and privacy policies.
• We do not transmit personally identifiable information to AI APIs beyond what is strictly necessary for the requested function.
• We do not use Minor User data to train or fine-tune any AI model.
• AI-generated outputs are subject to periodic quality review and monitoring by Eccetra; individual outputs are not manually reviewed prior to delivery and do not constitute standalone professional career counseling.
• Users may request that their interactions not be processed through third-party AI APIs by contacting info@eccetra.com.

Our Services are available to users aged 10 years and above. We do not knowingly permit access to children below 10 years of age.

Access by any individual under 18 years of age requires verifiable parental or legal guardian consent before an account is created or any Services are accessed. By registering a Minor User, the parent or guardian:

• Confirms they are the parent or legal guardian of the Minor User
• Provides their own (not the minor's) contact information for all account communications
• Consents to the collection and use of the Minor User's limited profile and session data for the purpose of delivering career counseling services
• Accepts this Privacy Policy on behalf of the Minor User
• Agrees to supervise and remain responsible for the Minor User's use of the platform

We explicitly instruct parents and guardians not to provide the following for any Minor User during registration or in any form submitted through our platform:

• The Minor User's personal email address
• The Minor User's personal mobile or telephone number
• The Minor User's government-issued ID, Aadhaar, passport, or similar document numbers

All account communication will be directed exclusively to the parent or guardian's registered contact details. If we discover that contact information belonging to a Minor User has been submitted directly, we will take immediate steps to delete such data and notify the guardian.

Parents and guardians have the right to:

• Review all personal data held in relation to their Minor User's account by contacting info@eccetra.com
• Withdraw consent at any time, which will result in account suspension and scheduled deletion of the Minor User's data within 30 days
• Request correction or deletion of inaccurate data
• Restrict processing to essential service delivery only

For users in the United States under the age of 13, we comply with the requirements of the Children's Online Privacy Protection Act (COPPA). For users in the European Union or European Economic Area under the age of 16 (or the applicable age in their member state), we require parental consent as mandated by GDPR Article 8. For all users in India below 18 years of age, we comply with the DPDP Act 2023 and applicable IT Act rules concerning minors.

All primary user data is hosted on cloud infrastructure located within the territory of India. This includes:

• User databases and account data
• Session and counseling records
• Application logs
• Email and messaging infrastructure

Our cloud infrastructure provider is independently certified to leading international information security standards and complies with applicable Indian data localisation requirements.

Certain service components may involve transfer of data outside India, including to third-party AI service providers. Such transfers are governed by the data processing agreements and usage policies of the respective providers.

For EU/UK users, Standard Contractual Clauses (SCCs) are relied upon as the transfer mechanism where required. For Indian users, cross-border data transfers are conducted in accordance with applicable provisions of the DPDP Act 2023 and any rules or regulations notified thereunder. We maintain contractual data protection obligations with all third-party processors regardless of jurisdiction.

We retain Personal Data only for as long as necessary for the purposes stated in this Policy, or as required by applicable law:

• Active account data: retained for the duration of the account
• Session and counseling records (adult users): retained for 5 years from the date of the last session for audit and continuity purposes
• Session and counseling records (minor users): retained for 2 years from account closure or attainment of age of majority, whichever is earlier, except where retention is required by law
• Payment transaction records: retained for 8 years as required under Indian financial and tax law
• Communication logs: retained for 3 years
• Minor User data: upon withdrawal of parental consent or closure of account, scheduled for deletion within 30 days, except where retention is required by law
• Anonymized, aggregated analytics data: may be retained indefinitely

We do not sell, rent, or trade Personal Data to third parties for their independent commercial purposes.

We engage the following categories of third-party processors who act on our documented instructions:

• Cloud infrastructure provider: hosting, email, and messaging infrastructure
• Razorpay Software Pvt. Ltd.: payment processing
• Third-party AI service providers: AI-assisted career analysis features
• Communication service providers: SMS and notification delivery
• Analytics tools: anonymized usage analytics for platform improvement

All third-party processors are contractually bound by data processing agreements requiring them to maintain appropriate security measures and to process data only in accordance with our instructions.

We may disclose Personal Data where required to do so by applicable law, regulation, court order, or government authority, including but not limited to disclosure under the Information Technology Act, 2000, or orders from competent Indian judicial or regulatory authorities.

In the event of a merger, acquisition, or sale of all or a substantial part of our assets, Personal Data may be transferred to the acquiring entity, subject to equivalent privacy protections. Affected users will be notified in advance where practicable.

If you are a user in India, you have the following rights as a Data Principal:

• Right to Access: to obtain a summary of Personal Data processed and the processing activities undertaken
• Right to Correction: to have inaccurate or incomplete Personal Data corrected or completed
• Right to Erasure: to have Personal Data erased when it is no longer required for the stated purpose
• Right to Grievance Redressal: to have grievances addressed by our Grievance Officer within prescribed timelines
• Right to Nominate: to nominate another individual to exercise rights on your behalf in case of death or incapacity

If you are a user in the European Union, European Economic Area, or United Kingdom, you additionally have the right to:

• Data portability: to receive your data in a structured, machine-readable format
• Restriction of processing: to request that processing be restricted in certain circumstances
• Object to processing: to object to processing based on legitimate interests
• Withdraw consent: without affecting the lawfulness of prior processing
• Lodge a complaint with a supervisory authority in your country of residence

To exercise any of your rights, contact our Grievance Officer at:

• Email: info@eccetra.com (for all data-related requests and grievances)
• Post: Data Grievance Officer, Eccetra Career Counseling Pvt. Ltd., Door No. 6/671, Eden Plaza, 4/920, Opposite Bharat Matha College, Judgemukku, Thrikkakara, Kochi, Kerala – 682021

We will respond to verifiable requests within 30 days. In complex cases, we may extend this by a further 30 days, with notice. We may require identity verification before processing a request.

In accordance with the Information Technology Act, 2000 and the DPDP Act, 2023, we have designated a Grievance Officer to address any concerns related to the processing of Personal Data:

If you are not satisfied with our response, you may escalate your complaint to:

• India: The Data Protection Board of India (once constituted under the DPDP Act, 2023) or the Ministry of Electronics and Information Technology (MeitY)
• EU/EEA: Your national data protection supervisory authority (e.g., CNIL in France, BfDI in Germany, ICO in the UK)
• United States (COPPA matters): The U.S. Federal Trade Commission (FTC)