1. Our Commitment to Data Safety
At Ganpati Gurukul, your data is treated with the highest level of care. We implement robust security measures to prevent unauthorized access, breaches, or data loss.
ISO 27001 Aligned | AES-256 Encryption | Regular Audits
GDPR Compliant | EU Representative Appointed
2. GDPR Compliance (EU Users)
If you are located in the European Economic Area (EEA), UK, or Switzerland, you are protected under the General Data Protection Regulation (GDPR). We act as a Data Controller and comply fully with GDPR principles.
Legal Bases for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
| --- | --- |
| Account creation & access | Contract (Art. 6(1)(b)) |
| Personalized learning & progress tracking | Contract (Art. 6(1)(b)) |
| Payment processing | Contract (Art. 6(1)(b)) + Legal Obligation (Art. 6(1)(c)) |
| Support & communication | Legitimate Interest (Art. 6(1)(f)) |
| Analytics & improvements | Legitimate Interest (Art. 6(1)(f)) – Anonymized |
| Marketing (optional) | Consent (Art. 6(1)(a)) – Opt-in only |
Your GDPR Rights (Art. 15–22)
You have the right to:
- Access your data (free copy within 30 days)
- Rectify inaccurate data
- Erase your data ("Right to be Forgotten")
- Restrict processing
- Data portability (receive data in JSON/CSV)
- Object to processing based on legitimate interests
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
3. Data Security Measures
We use the following industry-standard protections:
- Encryption: All data in transit (HTTPS/TLS 1.3) and at rest (AES-256).
- Secure Hosting: AWS India region with VPC isolation and WAF.
- Access Control: Role-based access, 2FA for staff, and least-privilege model.
- Backups: Daily encrypted backups with 30-day retention and offsite storage.
- Monitoring: 24/7 intrusion detection, logging, and anomaly alerts.
- Penetration Testing: Annual third-party security audits.
Your passwords are never stored in plain text — we use bcrypt hashing with salt.
4. Data We Collect & Retention Periods
We retain data only as long as needed for service delivery, legal compliance, or analytics.
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Account Info (Name, Email, Phone) | Active + 24 months after inactivity | User access & support |
| Learning Progress (Scores, Notes, Watch History) | Active + 12 months | Personalized learning & analytics |
| Payment Records | 7 years | Tax & legal compliance |
| Support Tickets & Chat Logs | 12 months | Quality assurance & dispute resolution |
| Backup Data | 30 days | Disaster recovery |
| Deleted Accounts | 30 days (soft delete) → Permanent erasure | Recovery window |
5. Data Deletion & Anonymization
You can request data deletion at any time:
- Go to Settings → Privacy → Delete My Data
- Or email dpo@ganpatigurukul.com
Within 30 days, we will:
- Permanently delete your personal data.
- Anonymize usage stats (no re-identification possible).
- Confirm deletion via email.
6. Incident Response & Breach Notification
In case of a data breach, we will:
- Notify affected users within 72 hours (per GDPR Art. 33–34 & DPDP Act).
- Provide details on what happened and steps to protect yourself.
- Work with EU supervisory authorities and offer free credit monitoring if needed.
7. EU Representative
As required by GDPR Art. 27, our EU representative is:
8. Third-Party Partners
We only work with GDPR-compliant processors:
- Payment Gateway: Razorpay / Stripe (PCI DSS + DPA)
- Cloud Storage: AWS S3 (SCCs signed)
- Analytics: Anonymized data only
- Email: SendGrid with TLS + DPA
9. Children's Data
For users under 16 in the EEA:
- Data is processed only with verified parental consent (GDPR Art. 8).
- Deleted immediately if consent is withdrawn.
- Never used for marketing or profiling.
10. International Data Transfers
Your data is primarily stored in India. For EU users, we:
- Use Standard Contractual Clauses (SCCs) approved by the EU Commission.
- Conduct Transfer Impact Assessments (TIAs) per Schrems II.
- Ensure equivalent protection under GDPR and DPDP Act.
11. Your Responsibilities
Help keep your data safe by:
- Using strong, unique passwords
- Enabling 2FA
- Not sharing your account
- Reporting suspicious activity immediately
12. Contact Our Data Protection Officer
For any data-related queries or GDPR requests:
13. Updates to This Policy
We may update this policy to reflect new features or regulations. Changes will be:
- Posted here with the updated date
- Communicated via email for material changes (especially to EU users)