Legal

Data Security

Last updated: May 21, 2026

Introduction

Mascot Techcrib Private Limited ("EduCrib," "we," "us," or "our") operates the online education discovery platform at www.educrib.com. We connect students, parents, institutions, tutors, consultants, and job seekers across India.

This Data Privacy & Security Policy ('Policy') explains how we collect, use, store, share, and protect your personal data. It is drafted in accordance with India's Digital Personal Data Protection Act, 2023 ('DPDP Act'), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

By accessing or using EduCrib, you consent to the practices described in this Policy. If you do not agree, please discontinue use of the platform.

1. Who This Policy Applies To

All data in transit between your device and EduCrib is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard AES-256 on our managed cloud storage.

User Category	Examples of Data Collected
Students & Parents	Name, email, phone, location, academic interests, search history, device data
Institutions (Paid & Free)	Organisation name, authorised contact details, address, registration number, payment info
Tutors & Consultants	Full name, qualifications, ID proof details, bank/payment details, profile content
Job & Internship Applicants	Resume, educational background, work experience, contact details, references

2. What Personal Data We Collect

2.1 Data You Provide Directly

Account Registration: Full name, email address, phone number, password, and profile photo
Institutional Profiles: Organisation name, address, contact person details, registration/accreditation numbers
Tutor/Consultant Profiles: Qualifications, experience, subject expertise, fee structures, identity documents for verification
Enquiry Forms: Contact details and messages submitted to institutions or tutors via EduCrib
Job/Internship Applications: Resume, cover letter, educational history, references
Payments: Billing name and address; card/UPI details are processed by PCI-DSS- compliant third-party gateways — EduCrib does not store payment card data
User-Generated Content: Reviews, ratings, article comments, and forum posts

2.2 Data Collected Automatically

When you use EduCrib, we automatically collect technical and behavioural data including:

IP address, browser type, operating system, and device identifiers
Pages visited, time spent, links clicked, and search queries entered
Referring URLs and exit pages
Geographic location (city/state level, derived from IP)
Session duration and frequency of visits
Crash reports and platform performance logs

2.3 Data from Third Parties

We may receive data about you from:

Social Login (Google, Facebook): Name, email, and profile photo when you use OAuth sign-in
Analytics Providers: Aggregated behavioural data from Google Analytics and Meta Pixel (see Section 6)
Verification Partners: Confirmation of institutional accreditation or tutor credentials

2.4 Sensitive Personal Data

Under India's SPDI Rules, 2011, certain categories of data are classified as 'Sensitive Personal Data or Information' (SPDI). EduCrib may collect the following SPDI only where necessary:

Financial information (for payment processing — handled by third-party gateways only)
Identity documents (for tutor/consultant verification)

EduCrib does not collect biometric data, passwords in plain text, health information, sexual orientation, or political opinions. Where SPDI is collected, explicit consent is obtained separately before collection.

3. Why We Collect Your Data — Purpose & Legal Basis

EduCrib processes personal data only for lawful purposes recognised under applicable Indian law, including consent, voluntary provision for a specific service requested by the user, compliance with legal obligations, and uses reasonably necessary for platform security, fraud prevention, and service operation, subject to the Digital Personal Data Protection Act, 2023and the Rules:

Purpose of Processing	Data Used	Legal Basis
Account creation & management	Name, email, phone, password	Consent
Connecting users to institutions/tutors	Contact details, enquiry content	Contractual necessity
Processing payments	Billing details (via gateway)	Contractual necessity
Personalised search & recommendations	Search history, preferences, location	Consent
Sending transactional emails/SMS	Email, phone number	Contractual necessity
Sending marketing communications	Email, phone number	Consent (opt-in)
Platform analytics & improvement	Usage data, device info	Legitimate interest
Fraud detection & security	IP, device, behaviour patterns	Legitimate interest
Legal compliance & enforcement	Any data as required	Legal obligation
Job/internship application processing	Resume, contact, academic data	Consent

4. How We Share Your Data

EduCrib does not sell your personal data. We share data only in the following circumstances:

4.1 With Institutions, Tutors & Consultants

When you submit an enquiry, your name, contact details, and message are shared with the relevant listing partner to enable them to respond to you. By submitting an enquiry, you consent to this sharing. Partners are contractually bound not to use your data for any purpose other than responding to your enquiry.

4.2 With Technology & Service Providers

We engage trusted third-party vendors who help us operate the platform. These include:

Cloud Hosting: Server infrastructure providers (e.g., AWS, Google Cloud)
Payment Gateways: Razorpay, PayU, or equivalent — PCI-DSS compliant
Email & SMS Delivery: Transactional communication services
Customer Support: Help desk and ticketing platforms

All service providers are bound by Data Processing Agreements (DPAs) and may only process your data on EduCrib's documented instructions.

4.3With Analytics & Advertising Partners

EduCrib uses third-party analytics and advertising tools. These tools may collect data about your behaviour on our platform through cookies and tracking pixels:

Tool	Purpose & Data Shared
Google Analytics 4	Site usage analytics — pages visited, session data, device info. Data is anonymised where possible. Governed by Google's privacy policy.
Meta Pixel (Facebook)	Ad performance measurement and remarketing. Tracks page views and conversion events. Governed by Meta's data policy.
Google Ads / Tag Manager	Conversion tracking for paid campaigns. May use cookies to attribute ad clicks.

You may opt out of analytics tracking at any time via our Cookie Preference Centre (accessible from the website footer) or by using browser-level controls such as the Google Analytics Opt-out Browser Add-on.

4.4 For Legal & Regulatory Requirements

We may disclose personal data to law enforcement, regulatory bodies, or courts when required by law, or where we reasonably believe disclosure is necessary to protect the rights, property, or safety of EduCrib, our users, or the public.

4.5 During Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, user data may be transferred to the acquiring entity. We will notify affected users before any such transfer and ensure the acquirer is bound by equivalent privacy protections.

5. Cookies & Tracking Technologies

5.1 Types of Cookies We Use

Cookie Type	Purpose
Strictly Necessary	Essential for platform operation — login sessions, security tokens, CSRF protection. Cannot be disabled.
Functional / Preference	Remember your settings, language preferences, and recently viewed institutions.
Analytics	Google Analytics — measures site performance and user behaviour to improve the platform.
Marketing / Advertising	Meta Pixel & Google Ads — tracks conversions and enables personalised ad retargeting.

5.2 Managing Cookies

On your first visit, EduCrib will display a cookie consent banner. You may accept all, reject non- essential, or customise your preferences. You can change your preferences at any time via the Cookie Preference Centre in the website footer. Please note: disabling certain cookies may impact platform functionality, such as personalised recommendations or saved searches.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Policy, unless a longer retention period is required by law.

Data Category	Retention Period
Active account data	For the duration of the account, plus 3 years after account closure
Enquiry & communication logs	2 years from date of enquiry
Payment transaction records	7 years (as required under Indian tax and accounting law)
Job/internship application data	1 year from application date, unless hired
Analytics & log data	13 months (Google Analytics default) / 90 days (server logs)
Deleted account data	Purged within 30 days of deletion request (except legally mandated records)

7. Your Rights Under the DPDP Act, 2023

Under India's Digital Personal Data Protection Act, 2023, you have the following rights as a 'Data Principal':

Your Right	What It Means
Right to Access	Request a summary of the personal data EduCrib holds about you and how it is processed.
Right to Correction	Request correction of inaccurate or incomplete personal data.
Right to Erasure	Request deletion of your personal data when it is no longer necessary or when consent is withdrawn (subject to legal retention obligations).
Right to Withdraw Consent	Withdraw previously given consent for specific processing activities at any time. Withdrawal does not affect prior lawful processing.
Right to Grievance Redressal	Lodge a complaint with EduCrib's Grievance Officer. We will respond within 30 days.
Right to Nominate	Nominate a person to exercise your data rights on your behalf in the event of death or incapacity.

To exercise any of these rights, email us at [email protected]with the subject line "Data Rights Request." We will acknowledge your request within 72 hours and respond fully within 30 days.

8. Children's Data & Minor Users

EduCrib shall not permit direct account creation by children under 18 unless and until a verifiable parental consent mechanism and a compliant children’s data workflow are implemented. Until such time, all school and preschool enquiries relating to minors shall be submitted only by a parent, legal guardian, or authorised adult acting on the child’s behalf.

8.1 Current Position

EduCrib does not knowingly collect personal data from children under the age of 13. For users aged 13 to 17, EduCrib recommends that a parent or guardian supervise use of the platform and, where registration is completed by a minor, a parent or guardian must provide verifiable consent.

8.2 DPDP Act Requirements for Children

Under India's DPDP Act, 2023, a 'child' is defined as a person under 18 years of age. The Act imposes strict obligations on Data Fiduciaries when processing children's data:

Verifiable parental or guardian consent must be obtained before collecting any personal data from a child
Processing must not cause detrimental effects on the child's well-being
Behavioural monitoring, targeted advertising, and tracking of children is prohibited
Children's data must be processed with heightened security measures

8.3 EduCrib's Commitments

Regardless of the final policy decision on minor registrations, EduCrib commits that:

No targeted advertising or personalised ad tracking will ever be applied to users identified as minors
Meta Pixel and Google Ads conversion tracking will be configured to exclude minors
If a child's data is collected without proper consent, it will be deleted immediately upon discovery
A parent or guardian may contact us at [email protected] to request deletion of their child's data at any time

The provisions of this Section shall operate as EduCrib’s binding Children’s Data Processing framework unless and until replaced by a formally adopted standalone Children’s Data Processing Policy.

9. Data Security Measures

EduCrib implements administrative, technical, and physical safeguards to protect your personal data from unauthorised access, disclosure, alteration, or destruction, as required under the IT (SPDI) Rules, 2011 and the DPDP Act, 2023.

9.1 Technical Safeguards

Encryption in Transit: All data transmitted between your browser and EduCrib servers is encrypted using TLS 1.2 or higher (HTTPS)
Encryption at Rest: Sensitive data stored on EduCrib servers is encrypted using AES- 256
Access Controls: Role-based access controls (RBAC) ensure staff can only access data necessary for their function
Authentication: Passwords are hashed using bcrypt. Two-factor authentication (2FA) is available for partner accounts
Vulnerability Management: Regular security audits, penetration testing, and patch management cycles
Firewall & DDoS Protection: Web application firewalls (WAF) and DDoS mitigation are deployed on all production infrastructure

9.2 Organisational Safeguards

All EduCrib employees with data access receive mandatory data privacy training
Data access is granted on a need-to-know basis and reviewed quarterly
Third-party vendors are assessed for security compliance before onboarding
A Data Protection Officer (DPO) / Grievance Officer is appointed as required under the DPDP Act

9.3 Incident Response

In the event of a personal data breach, EduCrib will:

Contain and assess the breach within 24 hours of detection
Notify the Data Protection Board of India within 72 hours where required by law
Notify affected users without undue delay, with details of the data involved and steps taken
Conduct a post-incident review and implement corrective measures

Despite our best efforts, no system is 100% secure. We encourage users to use strong, unique passwords, enable 2FA on their accounts, and report suspected security issues to [email protected].

10. Data Localisation & Cross-Border Transfers

EduCrib stores and processes all user data primarily on servers located within India, in accordance with applicable data localisation requirements.

Where we engage international third-party service providers (such as cloud platforms), data transfers are governed by appropriate contractual safeguards including Standard Contractual Clauses (SCCs) or equivalent mechanisms, and are only made to countries notified by the Government of India as providing adequate data protection.

11. Grievance Officer & Data Protection Contact

In compliance with the DPDP Act, 2023 and IT Act, 2000, EduCrib has appointed a Grievance Officer to address data privacy concerns:

Name	Jestin Titus
Designation	Grievance Officer / Data Protection
Registered Office Address	Mascot Techcrib Pvt Ltd, 4th Floor, Trine Towers, Seaport - Airport Rd, Kakkanad, Kochi, Kerala 682021
Contact Number	+91 484 310 8601
Email	[email protected]
Privacy Requests	[email protected]
Website	https://www.educrib.com/privacy
Response Time	Acknowledgement within 72 hours; full response within 30 days

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India, once established under the DPDP Act, 2023.

12. Changes to This Policy

We may update this Policy from time to time to reflect changes in law, technology, or our services. When material changes are made:

Registered users will be notified via email at least 14 days before the change takes effect
A notice will be posted prominently on the EduCrib website
The "Effective Date" at the top of this document will be updated

Continued use of EduCrib after the effective date of any change constitutes your acceptance of the revised Policy. We recommend reviewing this Policy periodically.

EduCrib is committed to being transparent about how we use your data. We believe privacy is a right, not a feature — and we will always seek to collect only the minimum data necessary to provide you with the best education discovery experience in India.

Where EduCrib's systems use automated processing to identify users as potential candidates for specific institutions or to generate lead-sharing triggers, such automated processing shall not have legal or significant effect on the user's rights without human review. Users may request human review of any automated lead-sharing decision by contacting [email protected]

Response time commitments and service delivery obligations shall be suspended during, and for a reasonable period following, any event outside EduCrib's reasonable control, including cloud hosting outages, cyber attacks, DDoS events, force majeure events, government-directed platform restrictions, or interruptions to third-party infrastructure providers.

This document forms part of the EduCrib Policy Suite (Version 2, effective April 20, 2026). Prior versions are archived and available on request from [email protected]. In any dispute, the version of the policy in force at the time of the event giving rise to the dispute shall govern.

Security questions?

Reach our security team at [email protected].