Privacy Policy

1. WHO WE ARE

Farz Auxiliar Academy Private Limited ("Farz Academy", "we", "us", or "our") is a company incorporated under the Companies Act, 2013, with its registered office at 19A, Dr Suresh Sarkar Road, Ground Floor, Entally Post Office, Kolkata, West Bengal – 700 014, India. We operate an online platform specialising in the preparation of medical professionals for the MRCP (Membership of the Royal Colleges of Physicians) and EDIC (European Diploma in Intensive Care) examinations. For the purposes of applicable Indian data protection law, Farz Auxiliar Academy Private Limited is the data fiduciary / body corporate responsible for your personal data.

2. LEGAL FRAMEWORK

We process personal data in compliance with the following applicable Indian laws and regulations:

• •The Information Technology Act, 2000 ("IT Act"), as amended.
• •The Information Technology (Reasonable Security Practices and Procedures and

Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules").

• •The Digital Personal Data Protection Act, 2023 ("DPDP Act"), and rules thereunder

as notified from time to time.

• •The Consumer Protection Act, 2019, and applicable consumer protection rules.
• •Any other applicable central or state legislation governing data privacy and

information security in India.

3. INFORMATION WE COLLECT

We collect personal data in the following ways:

When you register for an Account, enrol in a Course, subscribe to our newsletter, contact us, or otherwise interact with the Platform, you may provide:

• •Identity data: full name, date of birth, gender.
• •Contact data: email address, mobile/WhatsApp number, postal address.
• •Professional data: medical qualifications, institution, year of study or practice.
• •Account credentials: username and hashed password.
• •Payment data: billing address and transaction reference numbers (we do not store

full card details; these are handled by our payment gateway provider).

• •Communications: any messages, queries, or feedback you send us via email,

contact forms, or WhatsApp.

• •User content: quiz responses, forum posts, testimonials, or other material you

submit on the Platform.

When you access our Platform, we and our third-party service providers automatically collect certain technical data, including:

• •Device data: device type, operating system, browser type and version, unique

device identifiers.

• •Log data: IP address, pages visited, time and date of visits, referring URLs,

clickstream data.

• •Usage data: courses viewed, videos watched, questions attempted, time spent on

each section.

• •Location data: approximate geographic location derived from your IP address.
• •Cookie data: as described in Section 7 below.

Under the SPDI Rules, certain categories of information are classified as sensitive personal data or information. We may collect limited SPDI in the following contexts:

• •Financial information: payment instrument details (processed exclusively by our

PCI-DSS compliant payment gateway provider).

• •Health-related information: you may voluntarily share information about your

medical specialisation or clinical background for course recommendation purposes. We treat any such information with enhanced care and do not use it for any purpose other than providing and improving our educational services. We do not collect biometric data, passwords in plain text, or any other SPDI beyond what is strictly necessary for the provision of our Services.

We may receive limited personal data about you from third parties, such as social media platforms if you choose to link your Account or share our content, or from analytics providers who help us understand how users interact with our Platform.

4. HOW WE USE YOUR INFORMATION

We use your personal data only for lawful purposes and to the extent necessary for those purposes. Specifically, we use your information to: Provide and manage our Services: create and maintain your Account, process enrolments, deliver course content, conduct live classes and webinars, and send you course-related communications. Process payments: facilitate fee payments through our third-party payment gateway, issue receipts, and manage refund requests. Communicate with you: respond to your queries, send enrolment confirmations, session reminders, schedule updates, and service notifications. Send marketing communications: deliver newsletters, promotional offers, and educational updates to users who have subscribed or provided consent. You may opt out at any time. Personalise your experience: tailor course recommendations, track your study progress, and provide mentor support based on your learning activity. Improve our platform and services: analyse usage patterns, conduct surveys, and use aggregated analytics to improve course content, platform functionality, and user experience. Ensure platform security: detect, prevent, and address fraud, security incidents, abuse, and violations of our Terms and Conditions. Comply with legal obligations: meet our obligations under applicable Indian law, respond to court orders, regulatory requests, and enforce our legal rights. Customer support: handle complaints, disputes, and feedback submitted through any channel, including WhatsApp, email, and our online contact form.

5. LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA

Under the DPDP Act, 2023 and SPDI Rules, we process your personal data on one or more of the following grounds:

Legal Basis

When We Rely on It

Consent

Newsletter subscriptions; communications; optional health/professional data.

marketing sharing of

Contract performance

Account creation, course enrolment, payment processing, and delivery of purchased Services.

Legitimate interests

Platform security, fraud prevention, improving our Services, and analytics (where not overridden by your interests).

Legal obligation

Compliance with Indian tax, corporate, and regulatory requirements; responding to court or government orders.

6. SHARING YOUR PERSONAL DATA

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes. We may share your personal data with the following categories of recipients, strictly on a need-to-know basis and subject to appropriate data protection obligations:

To process course fees and other payments, we share your billing information (name, billing address, transaction amount) with our third-party payment gateway providers. These providers are PCI-DSS certified and process payment card data under their own security standards. We do not receive or store your full card number, CVV, or expiry date on our servers.

We use third-party email service providers to send you newsletters, course updates, promotional communications, and transactional emails (such as enrolment confirmations and receipts). These providers process your name and email address on our behalf and are contractually prohibited from using your data for any purpose other than providing these services to us.

We use WhatsApp Business (operated by Meta Platforms, Inc.) as a channel for customer support, advisor communication, and study group interactions. When you contact us via WhatsApp or provide your WhatsApp number, your communications are subject to Meta's privacy policy in addition to this policy. We use WhatsApp only for service-related communications and do not use it for unsolicited marketing without your prior consent.

We use third-party web analytics tools (such as Google Analytics) to help us understand how users interact with our Platform. These tools collect anonymised or pseudonymised usage data, including pages visited, session duration, and referring sources. Analytics providers may use cookies and similar technologies as described in Section 7.

We rely on cloud hosting, content delivery, and other technology service providers to operate the Platform. These providers act as data processors on our behalf and are bound by contractual obligations to process your data only as instructed by us and to maintain appropriate security measures.

Live classes and webinars may be conducted via third-party video conferencing platforms (such as Zoom or Google Meet). Your participation in live sessions is also governed by those platforms' terms of service and privacy policies.

We maintain pages on Facebook, YouTube, LinkedIn, and Pinterest. If you interact with our content on those platforms, your activity is subject to the privacy policies of the respective platforms. We may receive aggregated insights (not individually identifiable data) about how users engage with our social media content.

We may disclose your personal data to courts, law enforcement agencies, regulators, or government authorities if required to do so by law, court order, or legal process, or where we believe disclosure is necessary to protect our rights, enforce our Terms and Conditions, or prevent harm to any person.

In the event of a merger, acquisition, restructuring, or sale of all or part of our business or assets, your personal data may be transferred to the acquiring entity, subject to the same privacy obligations set out in this policy. We will provide reasonable notice before your data is transferred and becomes subject to a different privacy policy.

7. COOKIES AND TRACKING TECHNOLOGIES

Cookies are small text files placed on your device by websites you visit. They are widely used to make websites function correctly, work more efficiently, and provide information to website operators. We also use similar technologies such as web beacons, pixel tags, and local storage objects.

Strictly Necessary Cookies: Essential for the Platform to function. They enable core features such as security, account authentication, and session management. These cookies cannot be disabled. Performance / Analytics Cookies: Help us understand how visitors interact with our Platform by collecting anonymous information about pages visited, time spent, errors encountered, and other usage statistics. We use these to improve Platform performance and content. Functional Cookies: Allow the Platform to remember choices you make (such as language preference or your course progress) and provide enhanced, personalised features. Targeting / Advertising Cookies: May be set through our Platform by our advertising and analytics partners (including Google and Meta). They may be used to build a profile of your interests and show you relevant advertisements on other websites. They do not store directly personal information but are based on uniquely identifying your browser and device.

You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality of the Platform and your ability to access some features. For more information about managing cookies, visit www.allaboutcookies.org. Where required by applicable law, we will seek your consent before placing nonessential cookies on your device. You may withdraw this consent at any time by adjusting your browser settings or contacting us.

8. DATA RETENTION

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. In determining the appropriate retention period we consider the nature and sensitivity of the data, the purposes for which it is processed, and applicable legal requirements. Account data: Retained for the duration of your Account and for 3 years after Account closure, unless a longer period is required by law. Course and transaction records: Retained for a minimum of 7 years to comply with Indian accounting and tax laws (including the Income Tax Act, 1961, and GST records). Marketing data: Retained until you withdraw consent or unsubscribe, after which it is deleted within 30 days.

Legal / compliance records: Retained for such period as required by the relevant law or regulation, which may extend beyond the periods stated above. Server and access logs: troubleshooting purposes.

Typically retained for 90 days for security and

9. DATA SECURITY

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, in accordance with the SPDI Rules and the DPDP Act. These measures include:

• •Encryption of passwords using one-way hashing algorithms.
• •Secure HTTPS connections for all data transmissions.
• •Restricted access to personal data on a need-to-know basis, with role-based access

controls.

• •Use of PCI-DSS compliant payment processors for all financial transactions.
• •Regular security assessments and vulnerability monitoring.
• •Contractual obligations on third-party service providers to maintain equivalent

security standards. Despite our efforts, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your data and advise you to take precautions such as using a strong, unique password for your Account and logging out after each session. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant authorities and, where required, you as the data principal, in accordance with our obligations under applicable law.

10. YOUR RIGHTS AS A DATA PRINCIPAL

Under the DPDP Act, 2023, and other applicable Indian data protection legislation, you have the following rights in relation to your personal data: Right to access: You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a summary of the personal data we hold about you and the purposes for which it is processed. Right to correction and erasure: You have the right to request correction of inaccurate or incomplete personal data and, in certain circumstances, to request erasure of your personal data. Right to grievance redressal: You have the right to have grievances addressed by our Grievance Officer (see Section 13) and, if unresolved, to approach the Data Protection Board of India.

Right to withdraw consent: Where we process your data on the basis of consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal. Right to nominate: Under the DPDP Act, you have the right to nominate another individual to exercise your rights in the event of your death or incapacity. To exercise any of the above rights, please contact our Grievance Officer as specified in Section 13. We will respond to your request within 30 days, or such other period as may be prescribed under applicable law. We may request verification of your identity before processing your request.

11. CHILDREN'S PRIVACY

Our Services are directed exclusively at medical professionals and individuals aged 18 years and above. We do not knowingly collect personal data from persons under the age of 18. If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us at info@farzacademy.com and we will take prompt steps to delete such information.

12. INTERNATIONAL DATA TRANSFERS

Our primary operations are based in India and we endeavour to store your personal data within India where feasible. However, some of our third-party service providers (such as cloud hosting providers, analytics platforms, and email service providers) may process your data outside India. Where this occurs, we take steps to ensure that your data receives adequate protection, including by requiring the transferee to comply with applicable Indian data protection standards or equivalent safeguards. By using our Services, you acknowledge and consent to the potential transfer of your personal data to countries outside India for the purposes described in this policy, subject to applicable restrictions under the DPDP Act and rules thereunder.

13. GRIEVANCE OFFICER

In accordance with the Information Technology Act, 2000, the SPDI Rules, and the DPDP Act, 2023, we have appointed a Grievance Officer to address any concerns or complaints relating to the processing of your personal data. If you have any grievance regarding this Privacy Policy or our data processing practices, please contact our Grievance Officer:

Name of Grievance Officer: Gaurav Chowdhury Designation: HR Email: info@farzacademy.com Postal Address: 19A, Dr Suresh Sarkar Road, Ground Floor, Entally Post Office, Kolkata, West Bengal – 700 014, India Response Time: We will acknowledge your grievance within 48 hours and endeavour to resolve it within 30 days of receipt. If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India (to be constituted under the DPDP Act) or such other authority as may be designated under applicable law, or the appropriate Consumer Disputes Redressal Commission under the Consumer Protection Act, 2019.

14. THIRD-PARTY WEBSITES AND LINKS

Our Platform may contain links to third-party websites, social media platforms, and external resources that are not operated by us. This Privacy Policy does not apply to those third-party websites. We encourage you to review the privacy policies of any third-party website you visit. We have no control over, and assume no responsibility for, the content, privacy practices, or security of any third-party website.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or Platform functionality. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy and, where appropriate, by sending a notification to your registered email address or displaying a prominent notice on the Platform. Your continued use of the Platform after the updated Privacy Policy takes effect constitutes your acceptance of the revised policy. If you do not agree to the revised policy, please discontinue use of the Platform and contact us to close your Account.

16. CONTACT US

If you have any questions, comments, or requests regarding this Privacy Policy or our privacy practices, please contact us: Company: Farz Auxiliar Academy Private Limited Address: 19A, Dr Suresh Sarkar Road, Ground Floor, Entally Post Office, Kolkata, West Bengal – 700 014, India Email: info@farzacademy.com Telephone: +91 75960 36792

WhatsApp: +91 75960 36792 Website: www.farzacademy.com