This Privacy Policy is issued by Alcertis Education Ventures Private Limited, the company that operates the website at www.asianschoolofcyberlaws.com under the brand name Asian School of Cyber Laws.
We are a Data Fiduciary as defined under the Digital Personal Data Protection Act, 2023 ("DPDP Act") in respect of the personal data we collect from you through this Website.
This Privacy Policy explains how we collect, use, store, share, and protect personal data that you provide to us or that we collect when you use this Website, enrol in a course, or use the vDPO compliance tool.
It also sets out your rights as a Data Principal under the DPDP Act and how you can exercise them.
This policy does not cover data that you enter into the vDPO tool relating to third parties or other organisations. For that data, you are the Data Fiduciary and we act as your Data Processor. This is explained further in Section 6.
We collect the following categories of personal data:
| Category | Data Elements | When Collected |
|---|---|---|
| Identity data | Full name | At enrolment |
| Contact data | Email address, mobile phone number | At enrolment |
| Financial data | Transaction ID, payment status, GST number, State (for GST invoice purposes) | At payment |
| Account data | Username, hashed password, course access records | On account creation |
| Usage data | Pages visited, time spent, features used, login timestamps | Automatically, during use |
| Communications data | Emails and messages you send us, support queries | When you contact us |
| Marketing preferences | Whether you have opted in to marketing communications | At enrolment or on consent |
We do not collect sensitive personal data as defined under the DPDP Act, including health data, biometric data, caste or religious information, or financial data beyond what is listed above.
We do not receive or store credit or debit card numbers. Payment card data is handled entirely by Razorpay and does not pass through our servers.
We collect personal data through the following means:
Under the DPDP Act, we must have a lawful basis for each processing activity. The table below explains what we do with your data and why:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Processing your enrolment and granting course access | Identity, contact, financial, account data | Performance of contract |
| Processing payment and issuing GST invoices | Financial data, identity data | Performance of contract; legal obligation |
| Managing your account and course access | Account data, usage data | Performance of contract |
| Providing access to the vDPO tool (CDPO students) | Account data, usage data | Performance of contract |
| Sending transactional communications (enrolment confirmation, exam results, access notifications) | Contact data | Performance of contract |
| Sending marketing communications, course updates, event notifications, and quizzes | Contact data, marketing preferences | Consent (you must opt in separately) |
| Improving the Website and understanding how it is used | Usage data, analytics data | Legitimate use / consent where required by applicable law |
| Complying with legal obligations (tax, regulatory requirements) | Identity, financial data | Legal obligation |
| Responding to your queries and providing support | Identity, contact, communications data | Performance of contract; legitimate use |
The vDPO compliance platform is provided to students enrolled in the Certified Data Protection Officer (CDPO) programme. When you use the vDPO tool, you may enter data relating to organisations, processing activities, vendors, data flows, and other compliance matters ("Tool Data").
Your role and ours. In respect of Tool Data that relates to identifiable individuals or organisations other than yourself, you are the Data Fiduciary for that data and we act as your Data Processor. We process Tool Data only on your instructions and solely to provide the Tool's functionality.
By entering Tool Data, you confirm that:
We will not use Tool Data for any purpose other than providing the Tool's functionality to you. We will not share Tool Data with third parties except as required to operate the Tool (such as our hosting provider, DreamHost) or as required by law.
We retain Tool Data for the duration of your access to the vDPO tool. On termination of your access, we will delete or anonymise Tool Data within a reasonable period unless retention is required by law.
We send two types of communications:
Your consent matters. We will not send you marketing communications unless you have affirmatively opted in by ticking a separate, clearly labelled consent checkbox on our enrolment form. Pre-ticked boxes do not constitute valid consent under the DPDP Act.
Withdrawing consent. You may withdraw your consent to receive marketing communications at any time by:
Withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawal. It will not affect transactional communications, which we will continue to send as necessary for your course.
We use cookies and similar tracking technologies on this Website. Cookies are small text files stored on your device that help us understand how visitors use the Website.
Types of cookies we use or may use:
Where required by law, we will seek your consent before placing non-essential cookies on your device. You can control cookies through your browser settings, though disabling certain cookies may affect your experience on the Website.
For information on how Google processes data collected through Google Analytics, please refer to Google's Privacy Policy.
We do not sell your personal data. We share your personal data only in the following circumstances:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Razorpay | Payment processing | Name, email, phone, transaction data |
| SMTP to Go | Email delivery (transactional and marketing) | Name, email address |
| DreamHost | Website and data hosting | All data stored on our servers |
| Google Analytics / Google LLC | Website analytics | Usage data, anonymised where possible |
| Legal and regulatory authorities | Compliance with legal obligations or lawful orders | As required by the specific obligation or order |
All third-party service providers who process personal data on our behalf are engaged as Data Processors and are required to process your data only on our instructions and in accordance with applicable data protection law.
Some of our third-party service providers — including Razorpay, SMTP to Go, DreamHost, and Google — may process or store your personal data outside India. Where such transfers occur, we ensure they take place in accordance with the requirements of the DPDP Act and any transfer-related rules notified by the Central Government.
We will not transfer your personal data to any country that has been restricted by the Central Government under the DPDP Act.
As the DPDP Rules continue to develop post-2027, we will review our cross-border transfer practices and update this policy accordingly.
| Data Category | Retention Period | Reason |
|---|---|---|
| Enrolment and account data | Duration of course access + 3 years | Support, re-enrolment, dispute resolution |
| Payment and transaction data | 8 years from date of transaction | GST and tax compliance obligations |
| Marketing consent records | Until consent is withdrawn + 2 years | Proof of consent |
| Communications and support data | 2 years from last communication | Dispute resolution |
| Website usage / analytics data | As set by the analytics tool (typically 14 months for Google Analytics) | Website improvement |
| vDPO Tool Data | Duration of platform access; deleted or anonymised on termination | Service provision |
When your data is no longer needed for the purposes for which it was collected, we will delete it securely or anonymise it so that it can no longer be linked to you.
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include:
In the event of a personal data breach that is likely to result in harm to any individual, we will notify the Data Protection Board of India within the timeframe required by the DPDP Act and its Rules, and will inform affected individuals as required.
No method of data transmission or storage is 100% secure. While we take our obligations seriously, we cannot guarantee absolute security.
Under the Digital Personal Data Protection Act, 2023, you have the following rights in respect of your personal data:
You may request a summary of the personal data we hold about you and the processing activities we carry out with it.
You may request that we correct personal data that is inaccurate, incomplete, or misleading.
You may request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, subject to our legal retention obligations.
Where we process your data based on consent (e.g., marketing communications), you may withdraw that consent at any time. Withdrawal will not affect prior lawful processing.
You may raise a grievance with our Grievance Officer. We will respond within the timeframe required by the DPDP Act.
You may nominate another individual to exercise your rights on your behalf in the event of your death or incapacity.
To exercise any of these rights, write to our Grievance Officer at info@asianschoolofcyberlaws.com with the subject line "Data Principal Rights Request". We will acknowledge your request within 48 hours and respond substantively within the period required by law.
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India once it is constituted and operational.
Our courses are intended for individuals who are 18 years of age or older, or who have obtained the consent of a parent or legal guardian where they are below 18.
We do not knowingly collect personal data from children below the age of 18 without verifiable parental consent. Under the DPDP Act, where a Data Principal is a child, we are required to obtain verifiable consent from their parent or legal guardian before processing their personal data.
If you believe we have inadvertently collected personal data from a child without appropriate consent, please contact us immediately at info@asianschoolofcyberlaws.com and we will take prompt steps to delete that data.
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will:
We encourage you to review this policy periodically. Your continued use of the Website after any changes constitutes your acknowledgment of the updated policy.
In accordance with the Digital Personal Data Protection Act, 2023, and the Information Technology Act, 2000, we have designated Shuchi Nagpal, COO, as a Grievance Officer to address complaints and queries relating to personal data processing.
Alcertis Education Ventures Private Limited
Shuchi Nagpal
OF.NO.410, Supreme HQ, Supreme Universal 36/2,
Baner Gaon, Pune – 411045, Maharashtra, India
Email: info@asianschoolofcyberlaws.com
Subject line: Data Principal Rights Request or Privacy Grievance
We will acknowledge all grievances within 48 hours and resolve them within the period required by the DPDP Act and its Rules.