Skillapido

Privacy Policy

Effective Date: 27 March 2026

Last Updated: 26 March 2026

Operator: Skillapido (Sole Proprietorship)

Principal Place of Business: Not Applicable. As of 27 March 2026, we operate as a fully online platform. This will be updated if we decide to adopt a Hybrid Model in the future.

 

1. Introduction & Commitment to Privacy

 

Skillapido (“we,” “us,” “our,” or “Company”) is committed to protecting your privacy and ensuring transparency in how we collect, process, use, and safeguard your personal data. This Privacy Policy explains our data practices when you visit our website (https://skillapido.com), use our platform, purchase Rapid Action Micro-Guide (RAM) learning materials, or interact with our services.

 

We are a Data Fiduciary under India’s Digital Personal Data Protection Act, 2023 (hereinafter “DPDP Act”). We comply with the DPDP Act, its Rules (2025), and other applicable data protection laws, including GDPR, where applicable to international users.

 

Your privacy matters. We’ve designed this policy to be clear, transparent, and user-centric. If you have questions or concerns, please contact us (see Section 14).

 

2. Scope & Applicability

 

This Privacy Policy applies to:

 

  • Our website and all web-based services accessible through https://skillapido.com
  • Our mobile application (planned launch 2027)
  • Payment and transaction processing
  • Email communications and customer support
  • All personal data collected directly from you

Not covered by this policy:

 

  • Third-party websites linked from our platform (we are not responsible for their privacy practices)
  • Content you create or share on third-party platforms (e.g., social media), even if linking to Skillapido

Geographic scope: This policy complies with:

 

  • India (Primary): Digital Personal Data Protection Act, 2023 & Rules, 2025
  • EU/EEA (if applicable): General Data Protection Regulation (GDPR)
  • Other jurisdictions: Applicable local data protection laws 

3. Information We Collect

 

3.1 Categories of Personal Data

 

We collect only personal data that is necessary, lawful, and aligned with our stated purposes. Personal data includes any information that identifies you or can be used to identify you.

 

A. Identity & Account Information

 
 
 
Data Type | Purpose | Legal Basis
Full name | Account creation, RAM delivery, and customer support | Consent + Legitimate Use
Email address | Communication, notifications, and account recovery | Consent + Legitimate Use
Phone number (optional) | Support, account recovery, SMS notifications | Consent
Date of birth (if applicable) | Age verification (especially for users under 18) | Consent + Legal Compliance
Postal address (optional) | Delivery of physical materials, tax compliance | Consent

B. Authentication & Account Access

 
 
 
Data Type | Purpose | Legal Basis
Username & password (hashed) | Secure account access, authentication | Legitimate Use + Security
IP address | Account security, fraud prevention, and login tracking | Legitimate Use + Security
Device information (device ID, browser type, OS) | Security, platform compatibility testing | Legitimate Use + Security
Login timestamps & patterns | Fraud detection, unusual activity alerts | Legitimate Use + Security

C. Payment & Transaction Information

Data Type | Purpose | Legal Basis
Payment method (card type, last 4 digits) | Processing purchases, invoicing | Consent + Legal Compliance
Transaction history (date, amount, RAM purchased) | Billing records, refund processing, analytics | Consent + Legal Compliance
Billing address | Tax compliance, fraud prevention | Legal Compliance
Financial information (GST ID if applicable) | Tax compliance, invoicing | Legal Compliance

Note: We do NOT store full credit card numbers. Payment processing is handled by PCI-DSS compliant third-party processors (detailed in Section 5).

 

D. Learning & Usage Data

Data Type | Purpose | Legal Basis
RAMs purchased & download history | Service delivery, personalized recommendations | Consent + Legitimate Use
Learning progress (quiz scores, completion status) | Service improvement, personalized learning paths | Consent
Content preferences & browsing behavior | Analytics, content recommendations | Consent
Time spent on each RAM format | Platform optimization, UX improvement | Consent
Device access logs (which formats accessed, when) | Security, usage analytics | Legitimate Use

E. Communication & Support Data

 
 
 
Data Type | Purpose | Legal Basis
Support tickets & chat transcripts | Customer service, complaint resolution | Consent + Legitimate Use
Email communications | Support tracking, issue resolution | Consent + Legitimate Use
Feedback, surveys, & user reviews | Product improvement, content enhancement | Consent
Grievance & complaint records | Grievance redressal, regulatory compliance | Legal Compliance

F. Marketing & Preference Data

 
 
 
Data Type | Purpose | Legal Basis
Marketing consent status | Email marketing, promotional offers | Explicit Consent (Opt-in)
Newsletter subscription | Regular updates, new RAM releases | Explicit Consent (Opt-in)
Preferred communication channels | Tailored outreach (email, SMS, in-app) | Consent
Content interests & learning goals | Personalized recommendations | Consent

G. Technical & Analytics Data

 
 
 
Data Type | Purpose | Legal Basis
Website cookies & tracking pixels | Analytics, user behavior, platform improvement | Consent (with opt-out option)
Analytics data (Google Analytics, similar tools) | Traffic patterns, feature usage, engagement | Consent + Legitimate Use
Error logs & crash reports | Platform stability, bug fixes | Legitimate Use
Referral source (how you found Skillapido) | Marketing effectiveness, attribution | Legitimate Use

H. Special Category Data (If Applicable)

 

We do NOT intentionally collect special category data (health, religion, caste, sexual orientation, biometric data) except where necessary and with explicit consent. If you share this data in feedback or support, we’ll handle it with heightened security and use it only to address your specific concern.

 

3.2 Data Collection Methods

 

Direct Collection:

 

  • User registration and account creation
  • Purchase transactions
  • Support requests and feedback
  • Survey responses
  • Newsletter subscriptions

Automated Collection:

 

  • Cookies, web beacons, and similar tracking technologies (see Section 8)
  • Server logs and IP addresses
  • Device and browser information
  • Usage analytics

From Third Parties:

 

  • Payment processors (transaction confirmation only)
  • Email service providers (for delivery confirmation)
  • Analytics platforms (anonymised, aggregated data only)

3.3 Information You Are NOT Required to Provide

 

Certain data fields are optional. Declining to provide optional information will not prevent you from using the platform, though it may limit some features (e.g., without a phone number, SMS notifications won’t be available).

 

Mandatory data (required for account creation and transactions):

 

  • Full name
  • Email address
  • Payment information (if purchasing)

All other data is optional and collected only with your explicit consent.

 

4. Purpose Limitation: How We Use Your Data

 

We use your personal data ONLY for the following lawful purposes:

 

4.1 Service Delivery (Primary Purpose)

 

  • Creating and managing your user account
  • Delivering RAM learning materials in all 6 formats (PDF, video, slides, audio, infographic, quiz)
  • Processing purchases and issuing invoices
  • Sending order confirmations and download links
  • Managing subscriptions and bundles
  • Providing customer support and technical assistance
  • Tracking your learning progress (if you opt-in)

4.2 Security & Fraud Prevention

 

  • Detecting and preventing fraudulent transactions
  • Monitoring for unauthorised account access
  • Protecting against malicious activity (DDoS, hacking attempts)
  • Enforcing our Terms of Service
  • Complying with legal obligations (court orders, law enforcement requests)

4.3 Platform Improvement & Analytics

 

  • Analysing user behaviour to improve platform design and functionality
  • Identifying popular RAMs and engagement patterns
  • Testing new features (beta testing with explicit consent)
  • Fixing bugs and improving performance
  • Personalising learning recommendations based on your interests
  • Conducting satisfaction surveys and gathering user feedback

4.4 Communication & Marketing (With Consent Only)

 

  • Sending newsletter updates about new RAMs and skill releases
  • Promotional emails and special offers (only if you’ve opted in)
  • Important account notifications (password resets, security alerts)
  • Responses to your inquiries and support requests
  • Occasionally inviting you to participate in product research or beta features

You have full control over marketing communications. See Section 11 for opt-out options.

 

4.5 Legal & Compliance Obligations

 

  • Complying with the DPDP Act, Rules, and other applicable laws
  • Responding to legal process (court orders, government requests)
  • Tax and financial reporting
  • Record-keeping for regulatory audits
  • Enforcing contracts and resolving disputes

4.6 Business Intelligence & Product Development

 

  • Aggregated analytics (anonymised, non-identifiable) to understand market trends
  • Identifying which skills are in demand
  • Planning new RAM categories and content
  • Benchmarking platform performance against industry standards

We will NOT use your data for any purpose outside this list without obtaining your additional explicit consent.

 

5. Data Sharing & Third Parties

 

We are committed to data minimisation—we share your data only when necessary and with strict contractual protections.

 

5.1 Service Providers & Data Processors

 

We engage third-party vendors who process your data on our behalf and under our instructions. They are contractually bound to maintain confidentiality and use data only for the purposes we specify.

 
 
 
 
Service Type | Examples | Data Shared | Legal Basis
Payment Processing | Razorpay, PayU, Stripe | Transaction amount, card last 4 digits (tokenised), billing address | Contractual obligation + PCI-DSS compliance
Email Delivery | SendGrid, AWS SES | Email address, name, RAM download link | Service delivery
Analytics | Google Analytics, Mixpanel | Anonymised usage data, referral source (no PII) | Analytics for improvement
Customer Support | Zendesk, Freshdesk | Support ticket content (excluding sensitive data) | Service delivery + Legitimate use
Cloud Hosting | AWS, Google Cloud | Account data, learning records (encrypted) | Service delivery
Legal/Tax | Chartered accountants, law firms | Aggregated transaction data, GST compliance | Legal compliance

All processors are bound by Data Processing Agreements (DPAs) that enforce:

 

  • DPDP Act compliance
  • Confidentiality obligations
  • Security standards (encryption, access controls)
  • Limited retention periods
  • Sub-processor restrictions

5.2 Educational Institutions & Corporate Partners [Planned Feature]

 

If you purchase a corporate license or if your educational institution uses Skillapido RAMs, we may share aggregated learning analytics with your institution’s administrator (e.g., completion rates, most-used RAMs) only with your explicit consent or your institution’s authorisation. We will NOT share individual assessment data without your consent.

 

5.3 Legal Disclosures

 

We may disclose your personal data when legally required:

 

  • Court orders or subpoenas: If compelled by a court of law
  • Law enforcement requests: To comply with police investigations, DPDP Board notices
  • Government authorities: To fulfil statutory obligations (tax, financial regulations)
  • Business transfers: In the event of a merger, acquisition, or sale (with advance notice to you)

We will resist unreasonable requests and notify you of legal demands unless prohibited by law.

 

5.4 NO SALE OF PERSONAL DATA

 

We explicitly do NOT sell, rent, or trade your personal data to marketing firms, data brokers, or advertisers. Your data is not a commodity.

 

5.5 User-Generated Content & Public Sharing

 

If you choose to post reviews, testimonials, or feedback on our platform, that content may be publicly visible. We will identify you only as your registered name (or anonymously if you prefer). You control what you share publicly.

 

6. Data Retention: How Long We Keep Your Data

 

We retain personal data only as long as necessary for the purposes outlined in Section 4. Here’s our retention schedule:

 
 
 
Data Category | Retention Period | Justification
Account information (name, email, address) | Until account deletion + 1 year | Legal obligation under the DPDP Act, for dispute resolution
Password & login credentials | Until account deletion | Account security
Payment & transaction records | 7 years | Indian tax law (GST, Income Tax); invoice records
Learning progress & RAM history | Until account deletion + 1 year | Service improvement, user rights (access to data)
Support tickets & grievance records | 2 years after resolution | Regulatory compliance: evidence for disputes
Marketing communication logs | Until consent withdrawn + 6 months | Spam prevention, demonstrating consent
Technical logs (IP, login timestamps) | 30 days | Security, fraud prevention
Analytics data (anonymised) | Indefinite | No PII, cannot identify individuals
Cookies & tracking data | Per your settings, max 1 year | User analytics, personalisation

6.1 Early Deletion

 

You may request deletion of your data at any time (see Section 12 for the Right to Erasure). Upon deletion:

 

  • We remove all personal identifiers and link them to a generic reference code
  • Account data is retained only as required by law (e.g., for tax audits)
  • Learning records are anonymised and retained for product improvement

6.2 Tamper-Proof Logs

 

Under the DPDP Act, we maintain one-year tamper-proof logs of all data access, processing, and sharing events for audit and compliance purposes. These logs are encrypted and accessible only to authorised personnel.

 

7. Data Security: How We Protect Your Information

 

We implement appropriate technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, and destruction.

 

7.1 Encryption

 

  • Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (industry standard)
  • Data at Rest: Sensitive data (passwords, payment info, learning records) is encrypted using AES-256 encryption
  • Database encryption: All databases are encrypted with encryption keys managed separately from the database itself

7.2 Access Controls

 

  • Role-Based Access Control (RBAC): Only authorised employees can access personal data, and only the data necessary for their role
  • Multi-factor authentication (MFA): Employees use MFA for system access
  • Principle of least privilege: No employee has access to all data; access is strictly limited
  • Admin accounts: Monitored separately with additional security protocols

7.3 Infrastructure Security

 

  • Firewalls & intrusion detection: Network-level monitoring to prevent unauthorised access
  • DDoS protection: Distributed denial-of-service attack mitigation
  • Regular penetration testing: Third-party security audits to identify vulnerabilities
  • Secure servers: Hosted on PCI-DSS compliant cloud infrastructure (AWS, Google Cloud)
  • Automatic backups: Encrypted backups stored in geographically separate locations for disaster recovery

7.4 Employee & Vendor Security

 

  • Data protection training: All employees complete privacy and security training
  • Confidentiality agreements: All staff sign NDAs
  • Vendor audit: Third-party vendors undergo security assessments before onboarding
  • Vendor contracts: All contracts include strict data security and confidentiality clauses

7.5 Secure Password Practices

 

  • Password storage: User passwords are hashed using bcrypt (one-way hashing; we cannot even see your password)
  • No password retrieval: We cannot recover your password; you can reset it via email
  • Session management: Login sessions expire after inactivity; you’re logged out for your protection

7.6 Limitations

 

While we implement robust security, no system is 100% secure. We cannot guarantee absolute protection against sophisticated cyberattacks. However, we are committed to responding rapidly to breaches (see Section 9).

 

8. Cookies & Tracking Technologies

 

8.1 What Are Cookies?

 

Cookies are small text files stored on your device when you visit our website. They help us remember your preferences, keep you logged in, and improve your experience.

 

8.2 Types of Cookies We Use

 
 
 
 
Cookie Type | Purpose | Duration | Your Control
Essential Cookies | Account login, session management, and CSRF protection | Session or 1 year | Cannot disable (required for platform function)
Performance Cookies | Analytics (page load times, error tracking) | 1-2 years | Can opt out via browser or our settings
Preference Cookies | Remembering your language, theme (dark/light mode), learning format preferences | 1 year | Can manage in account settings
Marketing Cookies | Tracking which pages you visit (if you consent to marketing) and | 1-2 years | Opt-out in account settings or cookie banner
Third-Party Cookies | Google Analytics, Facebook Pixel (if enabled) | Per service terms | Disable in-browser privacy settings

8.3 Your Cookie Choices

 

On Your First Visit: A cookie consent banner appears. You can:

 

  • Accept All: All cookies enabled (recommended for full feature access)
  • Essential Only: Only essential cookies; analytics and marketing disabled
  • Customise: Pick and choose which categories to enable

After Initial Consent: You can change your cookie preferences at any time in your account settings (Account → Privacy Settings → Cookie Preferences).

 

Browser-Level Controls:

 

  • Most browsers allow you to block or delete cookies
  • Disabling cookies may limit platform functionality (e.g., you may need to log in repeatedly)
  • See your browser’s help documentation for specific instructions

8.4 Do Not Track (DNT)

 

If your browser sends a “Do Not Track” signal, we respect it. However, third-party analytics services may not. You can control their data collection via their privacy settings.

 

8.5 Tracking Pixels & Web Beacons

 

We may use tracking pixels (invisible 1×1 images) in emails and on our website to:

 

  • Track email open rates (to improve email communication)
  • Measure conversion funnels (did you purchase after clicking an email link?)
  • Monitor webpage engagement

You can disable pixel tracking by:

 

  • Disabling images in your email client
  • Using email privacy plugins
  • Opting out of marketing communications

9. Data Breach Notification & Incident Response

 

9.1 Our Breach Response Protocol

 

A breach is any unauthorised access, disclosure, alteration, or destruction of personal data. We take breaches very seriously.

 

If a breach occurs, we will:

 

  • Immediate Response (within 24 hours):
      • Contain the breach (shut down compromised systems, revoke access)
      • Preserve evidence for investigation
      • Notify senior management and our Data Protection Officer
  • Investigation (within 72 hours):
      • Determine which data was compromised
      • Identify affected users
      • Assess the risk and impact to individuals
      • Document the incident comprehensively
  • Regulatory Notification (within 72 hours of discovery):
      • Notify the Data Protection Board of India (DPBI) as mandated by Section 8 of the DPDP Act
      • Provide incident details, data affected, and remedial measures taken
  • User Notification (within 7 days):
      • Send written notice to affected individuals via email (at minimum)
      • Clearly describe what happened, which data was compromised, and the risks
      • Provide mitigation steps (change password, monitor account, etc.)
      • Include our contact details for questions

9.2 Incident Report Contents

 

Breach notifications will include:

 

  • What happened: Clear description of the incident (hacking, data loss, employee negligence, etc.)
  • When it occurred: Date and time of discovery
  • Which data was affected: Specific types of data compromised (email, password, payment info, etc.)
  • How many people: Number of affected data principals
  • Risk assessment: What could happen if data is misused?
  • Remedial steps: What are we doing to prevent recurrence?
  • Your actions: Steps you should take to protect yourself
  • Contact information: How to reach us with questions or concerns

9.3 No Unnecessary Alarm

 

We distinguish between actual breaches and potential vulnerabilities:

 

  • A breach requires notification (unauthorised access actually occurred)
  • A vulnerability (e.g., a security researcher finds a potential flaw) is addressed, but may not trigger mandatory notification if no data was actually accessed

9.4 Insurance & Liability

 

Skillapido maintains cyber liability insurance to cover damages in case of a breach. If you suffer verifiable harm as a result of our negligence, we are committed to working toward a fair resolution.

 

10. Legal Bases for Processing (DPDP Act & GDPR)

 

We process your personal data under the following legal bases:

 

10.1 Consent

 

Where you explicitly opt-in:

 

  • Creating a user account
  • Subscribing to newsletters
  • Marketing emails and promotional offers
  • Optional analytics and personalisation features

You can withdraw your consent at any time (see Section 11).

 

10.2 Contractual Necessity

 

Where processing is necessary to fulfil a contract with you:

 

  • Processing your purchase and delivering RAMs
  • Sending order confirmations and invoices
  • Providing customer support
  • Managing your subscription

10.3 Legal Compliance

 

Where we’re required by law:

 

  • Tax and financial record-keeping (GST, Income Tax)
  • Responding to court orders or government requests
  • Anti-money laundering (AML) compliance
  • Fraud prevention and investigation

10.4 Legitimate Interest

 

Where we have a justified business interest that doesn’t override your rights:

 

  • Platform security and fraud prevention
  • Analytics and product improvement
  • Troubleshooting technical issues
  • Defending against legal claims

10.5 Special Provisions for Children’s Data (DPDP Act Section 9)

 

Our platform is intended for users aged 18 and above.

 

If you are under 18:

 

  • We require verifiable parental consent before processing your data
  • We will not use your data for marketing or behavioural profiling
  • Your parent/guardian has the right to request access, correction, or deletion
  • We conduct no harm assessment before collecting data from minors

How we verify age:

 

  • Self-declared age at registration
  • Government ID verification (for sensitive operations)
  • Virtual tokens or DigiLocker verification (if available)

If a minor’s data is collected without parental consent, we delete it immediately upon discovery.

 

11. Your Rights as a Data Principal (DPDP Act & GDPR)

 

The DPDP Act and GDPR grant you seven fundamental rights regarding your personal data:

 

11.1 Right to Access (Section 12 of DPDP Act)

 

You have the right to know what data we hold about you.

 

How to exercise:

 

  • Email us at privacy@skillapido.com with subject line “Data Access Request”
  • We will provide your data in a machine-readable format (JSON or CSV) within 30 days

What you’ll receive:

 

  • All personal data we hold about you
  • Categories of data and purposes for processing
  • Recipients of your data
  • Retention periods

11.2 Right to Correction (Section 13 of DPDP Act)

 

You have the right to correct inaccurate or incomplete data.

 

How to exercise:

 

  • Log into your account → Profile → Edit Details
  • Or email us at privacy@skillapido.com with the corrections you request
  • We will update your data and confirm within 7 days

Example: If your email address is misspelt, you can correct it.

 

11.3 Right to Erasure (“Right to Be Forgotten”)

 

You have the right to request deletion of your personal data.

 

How to exercise:

 

  • Email us at privacy@skillapido.com with subject line “Data Deletion Request”
  • We will confirm receipt and begin deletion within 7 days

Important exceptions (data we may retain despite deletion requests):

 

  • Tax/financial records: We retain for 7 years (legal requirement)
  • Legal proceedings: If you’re involved in a dispute, we retain as evidence
  • Fraud investigation: If you’re suspected of misusing the platform
  • Aggregated/anonymised data: Cannot identify you, so continues to be used

After deletion:

 

  • Your account is permanently closed
  • You lose access to purchased RAMs (though you may retain downloaded files)
  • We cannot reactivate your account

11.4 Right to Withdraw Consent

 

You can withdraw consent for any processing at any time.

 

How to exercise:

 

  • Email us at privacy@skillapido.com stating which consents to withdraw
  • Use the “Unsubscribe” link at the bottom of any marketing email

Effect of withdrawal:

 

  • Marketing emails stop immediately
  • Preference data collection stops
  • Some platform features may be unavailable (e.g., personalised recommendations)
  • Withdrawal does NOT affect past processing (already lawful)

11.5 Right to Data Portability

 

You have the right to receive your data in a portable, machine-readable format and transfer it to another service.

 

How to exercise:

 

  • Email privacy@skillapido.com with subject “Data Portability Request”
  • We’ll provide data in CSV, JSON, or other structured format within 30 days

Included data:

 

  • Account information
  • Learning progress and quiz scores
  • Purchase history
  • Preferences and settings

Data NOT portable: Third-party analytics data (anonymised, cannot be linked to you)

 

11.6 Right to Grievance Redressal (Section 14 of DPDP Act)

 

If you have a privacy concern or feel your rights have been violated, you have the right to lodge a grievance.

 

How to exercise:

 

  • Email us at grievance@skillapido.com with a detailed description
  • We will acknowledge receipt within 7 days and investigate within 30 days

Escalation: If you’re unsatisfied with our response, you can escalate to the Data Protection Board of India (DPBI) after we’ve had 60 days to respond.

 

11.7 Right to Nominate

 

Under the DPDP Act, you can nominate someone (e.g., a family member or lawyer) to exercise your rights after you pass away.

 

How to exercise:

 

  • Email us at privacy@skillapido.com with your nominee’s details and a legal document (will, power of attorney, etc.)
  • Your nominee can then request access, correction, or deletion after your passing

12. Consent Management

 

12.1 How We Obtain Consent

 

Consent is only valid if it is:

 

  • Specific: Clearly describing what data will be processed and why
  • Informed: You understand the purpose and consequences
  • Freely given: No pressure, conditions, or false choices
  • Granular: We don’t require consent for unrelated purposes (e.g., analytics consent doesn’t include marketing)
  • Affirmative: Requires your positive action (clicking “I agree”), not pre-checked boxes

12.2 Consent for Different Purposes

 

You can independently control:

 
 
 
Purpose | Default | How to Manage
Service Delivery | Mandatory (to use the platform) | N/A – required
Essential Analytics | On | Settings → Analytics
Personalisation | On (optional) | Settings → Personalisation
Marketing Emails | Off (opt-in only) | Email unsubscribe or Settings → Marketing
SMS Notifications | Off (opt-in only) | Settings → SMS Preferences
Cookies | Per your choice | Cookie banner

12.3 Pre-Checked Boxes & Dark Patterns

 

We strictly prohibit:

 

  • Pre-checked consent boxes (you must actively check to consent)
  • Conditional consent (e.g., “accept all cookies or we won’t let you use the site”)
  • Unclear default settings
  • Buried consent in long terms

What you’ll see: Clear, simple language with obvious “Accept” and “Reject” buttons of equal prominence.

 

12.4 Record of Consent

 

We maintain a digitally signed record of your consent, including:

 

  • Date and time you consented
  • Exact text you consented to
  • IP address and device type
  • Which consents you gave/refused

This protects both you (proof of what you agreed to) and us (evidence of compliance).

 

13. Cross-Border Data Transfers

 

Skillapido is based in India. However, we may transfer your data internationally in the following scenarios:

 

13.1 Where Data May Be Transferred

 

  • Cloud hosting: Your data is stored on India-based servers. However, when we expand internationally, your data may be stored on servers in the US, EU, or Singapore (AWS, Google Cloud)
  • Third-party processors: Email services, analytics tools, and payment processors may be located outside India
  • International users: If you’re accessing from outside India, data is processed globally

13.2 Legal Basis for Transfers

 

Under the DPDP Act, we may transfer data outside India if:

 

  • You explicitly consent to international transfer, OR
  • The receiving country has been notified by the government as having adequate data protection, OR
  • We implement “appropriate safeguards” (e.g., Standard Contractual Clauses under GDPR)

13.3 Receiving Countries’ Laws

 

Important: Data transferred outside India may be subject to different privacy laws. The US, for example, has weaker data protection than India’s Data Protection and Privacy Policy Act. However, we ensure:

 

  • Data is encrypted in transit and at rest
  • Data processors are contractually bound to the DPDP Act standards
  • You can request that data not be transferred (though this may limit services)

13.4 Your Right to Restrict Transfers

 

If you don’t want your data transferred outside India, email privacy@skillapido.com.

 

14. Contact Information & Grievance Redressal

 

14.1 Privacy Officer & Data Protection Officer

 

Data Protection Officer (DPO): Appointed under the DPDP Act to oversee compliance

 

Contact: privacy@skillapido.com

 

Privacy Officer: Responsible for day-to-day privacy matters

 

Contact: privacy@skillapido.com

 

14.2 How to Reach Us

 

Email Queries:

 

Postal Address:

 

Not Applicable. As of 27 March 2026, we operate as a fully online platform. This will be updated if we decide to adopt a Hybrid Model in the future.

 

Response Times:

 

  • Privacy inquiries: Within 5 business days
  • Grievances: Acknowledged within 7 days; investigated within 30 days
  • Data Subject Rights: Within 30 days (extendable to 60 days if complex)

14.3 Escalation to Regulatory Authorities

 

If we don’t satisfactorily resolve your concern, you can escalate to:

 

Data Protection Board of India (DPBI):

 

  • Established under the DPDP Act, 2023
  • Investigates complaints against Data Fiduciaries
  • Can impose penalties up to ₹250 crore for violations
  • Website: https://www.dpbi.gov.in (Note: DPBI establishment timeline may vary)

European Data Protection Authorities (if you’re in the EU):

 

  • You have the right to lodge a complaint with your national data protection authority
  • Example: Ireland’s Data Protection Commission (if accessing from the EU)

15. Data Protection Impact Assessment (DPIA)

 

Skillapido processes learning data at scale. We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing:

 

15.1 When We Conduct DPIAs

 

  • Introduction of new data collection (e.g., biometric authentication)
  • Changes to learning analytics (e.g., behavioural profiling)
  • New third-party integrations
  • Use of automated decision-making (algorithmic recommendations)

15.2 DPIA Contents

 

Our DPIAs examine:

 

  • Purpose and necessity of data collection
  • Risk to individuals’ rights and freedoms
  • Safeguards and risk mitigation measures
  • Stakeholder consultation (user feedback)

15.3 Your Right to Know

 

You can request a summary of our DPIA for any processing that may affect you. Email privacy@skillapido.com with “DPIA Request” in the subject line.

 

16. Algorithmic Decision-Making & Automated Processing

 

Skillapido uses automated processes in limited cases:

 

16.1 How We Use Automation

 

  • RAM Recommendations: Suggesting skills based on your purchase history and learning profile
  • Fraud Detection: Flagging suspicious purchases or login patterns
  • Quiz Scoring: Automated grading of knowledge checks

16.2 Your Rights

 

You have the right to:

 

  • Understand the logic: How the algorithm works (general explanation)
  • Contest the decision: If automated fraud flagging locks your account, you can appeal
  • Opt-out: Request manual review instead of automated processing (may incur delay)

16.3 No Purely Automated Decisions with Legal Effect

 

We do NOT use algorithms to make decisions that have legal or significant effects (e.g., permanently banning your account) without human review.

 

17. Compliance with Additional Laws

 

17.1 GDPR Compliance (For EU Users)

 

If you’re located in the EU/EEA:

 

  • Additional GDPR rights apply (e.g., Right to Restrict Processing)
  • We conduct impact assessments for international transfers
  • You can lodge complaints with your national data protection authority

17.2 CCPA Compliance (For California Users)

 

If you’re located in California:

 

  • You have rights to know, delete, and opt out of sale (though we don’t sell data)
  • We provide a “Do Not Sell My Personal Information” link

17.3 COPPA Compliance (For Minors Under 13)

 

  • We do NOT knowingly collect data from users under 13
  • If we discover such data, we immediately delete it and notify authorities/parents/guardians

18. Cookies: Additional Details (See Cookie Policy page for details)

 

18.1 Essential Cookies

 
 
 
Cookie Name | Purpose | Duration
session_id | Keeps you logged in | Session (or 30 days with “Remember Me”)
csrf_token | Prevents cross-site attacks | Session
preferences | Saves your language, theme | 1 year

18.2 Third-Party Services

 

Google Analytics:

 

Payment Processors (Razorpay, PayU):

 

  • Store tokenised payment data
  • We never see full card numbers
  • Policy: Check respective processor privacy policies

19. Changes to This Privacy Policy

 

Skillapido may update this Privacy Policy to reflect changes in law, technology, or our practices.

 

19.1 How We Notify You

 

  • Material changes: We’ll email you at least 30 days before changes take effect
  • Minor changes: Updates to links, formatting, or clarifications may be posted without notice
  • Continued use: Using the platform after notification means you accept the changes

19.2 What Constitutes “Material Changes”

 

Material changes include:

 

  • New data collection practices
  • Expanded sharing with third parties
  • Reduced retention periods
  • Weakening of security measures
  • New purposes for using your data

Non-material changes (can update without notice):

 

  • Contact information updates
  • Clarifications of existing practices
  • Legal name changes
  • Link corrections

19.3 Your Version Control

 

We maintain a change log showing all modifications since the policy’s inception. Email privacy@skillapido.com to request the full history.

 

20. Summary of Key Rights & Actions

 

Quick reference for your privacy rights:

 
 
 
Right | How to Exercise | Timeline
Access your data |  | 30 days
Correct errors | Account → Edit Profile, or email corrections | 7 days
Delete your account | Email privacy@skillapido.com | 7 days to start process
Withdraw consent | Email or click Unsubscribe | Immediate
Export data | Email privacy@skillapido.com | 30 days
Lodge a grievance |  | 30 days investigation
Opt-out of marketing | Click unsubscribe link or Settings → Marketing | Immediate
Change cookie settings | Account → Privacy Settings → Cookies | Immediate

21. Glossary of Terms

 
 
Term | Definition
Data Fiduciary | Organisation that determines the purpose and means of data processing (Skillapido)
Data Principal | You, the individual whose data is being processed
Personal Data | Information that identifies you or can be used to identify you
Processing | Any action taken with personal data (collection, storage, use, sharing, deletion)
Consent | Your explicit, informed, freely given permission for a specific purpose
Breach | Unauthorised access, disclosure, or loss of personal data
DPIA | Data Protection Impact Assessment: evaluates risks of high-risk processing
DPO | Data Protection Officer; oversees DPDP Act compliance
Anonymised Data | Data that cannot be linked back to you (no longer personal data)
Pseudonymised Data | Data linked to you via a code; it can be re-identified with additional info

22. Acknowledgement & Acceptance

 

By using the Skillapido platform, you acknowledge that:

 

  • You have read and understood this Privacy Policy
  • You consent to our collection and processing of your personal data as described
  • You understand your rights and how to exercise them
  • You agree to our data practices and security measures

If you DO NOT agree, please DO NOT use Skillapido. Contact us at hello@skillapido.com with the subject “I Do Not Agree” if you have concerns.

 

23. Final Note: Your Privacy Matters

 

At Skillapido, your privacy isn’t an afterthought—it’s foundational to who we are. We’re committed to:

 

  • Transparency: Clear, honest communication about our practices
  • User control: You decide what data we collect and how we use it
  • Security: Protecting your data with industry-leading safeguards
  • Compliance: Adhering to DPDP Act, GDPR, and all applicable laws
  • Accountability: Taking responsibility for privacy breaches and user harm

 

If you have questions, suggestions, or concerns about our privacy practices, we want to hear from you. Contact our Privacy Officer at privacy@skillapido.com.