INTUCATE

1. Introduction

Welcome to Intucate, the online learning platform operated by Dharia Enterprises Private Limited (hereinafter referred to as 'Company', 'we', 'us', or 'our'), a company incorporated under the Companies Act, 2013, having its registered office at 901, Narayan Apartments, Main Avenue Road, Santacruz (West), Mumbai, Maharashtra - 400054, India.

Intucate is a dedicated EdTech platform offering structured online courses, mock tests, live classes, community engagement features, and digital resources designed specifically for students pursuing the Chartered Accountancy (CA) programme as regulated by the Institute of Chartered Accountants of India (ICAI).

This Privacy Policy ('Policy') describes how we collect, process, store, use, share, and protect your personal data when you access or use our websites (www.intucate.com and associated subdomains), mobile applications, and any related products or services (collectively, the 'Platform'). It also explains your rights as a Data Principal under applicable law.

By creating an account, accessing our Platform, enrolling in any course, or otherwise interacting with our services, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy. If you do not agree with any part of this Policy, please refrain from using the Platform.

This Policy is intended to comply with:

• The Digital Personal Data Protection Act, 2023 ('DPDPA') and any rules or regulations framed thereunder;
• The Information Technology Act, 2000 ('IT Act') and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('SPDI Rules');
• The General Data Protection Regulation (EU) 2016/679 ('GDPR'), to the extent applicable to Data Principals located in the European Union or European Economic Area;
• Any other applicable laws, regulations, and guidelines issued by competent authorities in India or other applicable jurisdictions.

2. Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings assigned to them below:

3. Information We Collect

We collect different categories of information to provide, maintain, and improve our Platform. The categories of data we collect are described below:

3.1 Personal Information

• Full name as provided during registration;
• Email address;
• Mobile phone number;
• Date of birth (to verify age eligibility);
• Gender (optional, for personalisation purposes);
• Profile photograph (optional);
• Postal address (for invoicing and correspondence);
• Government-issued identification number (e.g., PAN, Aadhaar number) where required for payment compliance or KYC, stored in encrypted form.

3.2 Academic and Course Information

• CA examination level and attempt history (Foundation, Intermediate, Final);
• Course enrolment history and progress data;
• Quiz, test, and assessment scores;
• Study time logs, session duration, and learning milestones;
• Notes, annotations, and bookmarks saved within the Platform;
• Certificates and credentials issued through the Platform.

3.3 Device and Technical Data

• IP address;
• Device type, operating system, and version;
• Browser type and version;
• Unique device identifiers (UDID/IMEI for mobile);
• Time zone and language settings;
• Crash reports and diagnostic information.

3.4 Usage Data

• Pages and content viewed on the Platform;
• Features accessed and navigation patterns;
• Search queries entered within the Platform;
• Click-stream data and session recordings (where applicable and disclosed);
• Interactions with community features (posts, comments, replies).

3.5 Financial and Payment Data

• Transaction identifiers and order history;
• Payment method type (e.g., UPI, card, net banking) - note: full card or account details are not stored on our servers and are processed exclusively by our payment processors;
• Billing name, address, and GST number (for B2B users).

3.6 Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies on the Platform. Please refer to Section 9 for a detailed description of the types of tracking technologies used and how you may manage your preferences.

4. How We Collect Data

4.1 Account Registration

When you create a user account on the Platform, you voluntarily provide personal information including your name, email address, and mobile number. We use this information to create and maintain your account, authenticate your identity, and communicate with you.

4.2 Course Purchases and Enrolment

When you purchase a course or subscribe to a plan, we collect payment and billing information through our integrated payment gateway partners. Transaction details are stored for record-keeping, invoicing, and compliance with Indian tax laws including the Goods and Services Tax Act, 2017.

4.3 Platform Usage and Learning Activity

We automatically collect usage data when you interact with the Platform, including your learning progress, assessment results, time spent, and engagement with course materials. This data is collected through server logs, cookies, and analytics integrations and is used to personalise your experience and improve our services.

4.4 Communications with Us

When you contact our support team, raise a grievance, participate in surveys, or correspond with us via email or in-app chat, we collect the content of those communications and your contact information for the purpose of resolving your query and improving our support processes.

4.5 Community and User-Generated Content

When you post questions, answers, comments, or study materials in our community forums, the content you submit is collected and may be visible to other users of the Platform. Please exercise caution about the personal information you disclose in public areas of the Platform.

4.6 Third-Party Integrations and Social Login

If you choose to register or log in using a third-party service (such as Google), we receive certain profile information from that service in accordance with your authorisation and their terms. We may also receive data from analytics providers, advertising networks, and other service partners as described in Section 14.

5. Purpose of Data Processing

We process your personal data only for specific, lawful, and legitimate purposes. The following sets out the primary purposes for which your data is used:

5.1 Provision of Platform Services

• Creating and maintaining your user account;
• Enabling access to purchased courses, study materials, and live classes;
• Delivering, tracking, and certifying your learning progress;
• Processing payments and issuing invoices and receipts.

5.2 Personalised Learning Experience

• Analysing your learning patterns, performance, and engagement data to provide personalised course recommendations;
• Adapting content difficulty and sequencing to individual learner needs;
• Using algorithmic and AI-based tools to suggest study schedules, revision plans, and practice tests relevant to your CA examination stage.

5.3 Customer Support and Grievance Redressal

• Responding to your queries, complaints, and requests;
• Resolving technical issues reported by you;
• Communicating updates, policy changes, and service notifications.

5.4 Platform Security and Fraud Prevention

• Monitoring for suspicious activity, unauthorised access, or violations of our Terms and Conditions;
• Implementing and maintaining security measures to protect user data and platform integrity;
• Investigating and responding to data breaches or security incidents.

5.5 Legal and Regulatory Compliance

• Maintaining records as required under applicable tax, accounting, and corporate laws;
• Responding to lawful requests, court orders, or directions from government authorities;
• Exercising or defending legal rights and claims.

5.6 Marketing and Promotional Communications

• Sending you information about new courses, offers, CA exam updates, and Company announcements, where you have provided consent or where permitted by applicable law;
• Conducting surveys, feedback collection, and market research.

You may opt out of marketing communications at any time by clicking the unsubscribe link in our emails or updating your notification preferences in your account settings.

6. Legal Basis for Processing

We process your personal data on the following lawful bases:

6.1 Consent (Section 6, DPDPA 2023)

Where we rely on your consent to process personal data - such as for marketing communications, use of non-essential cookies, or the collection of certain optional profile data - we will request your explicit, informed, and freely given consent. You may withdraw consent at any time, and withdrawal shall not affect the lawfulness of processing prior to withdrawal.

6.2 Contractual Necessity

Processing of your personal data is necessary for the performance of a contract to which you are a party - specifically, the provision of learning services following your enrolment or purchase of a course or subscription plan on the Platform.

6.3 Legitimate Interests

We process certain personal data on the basis of our legitimate business interests, provided that such interests are not overridden by your rights and interests. Such processing includes platform security monitoring, fraud prevention, product improvement, and aggregated analytics. We conduct a Legitimate Interests Assessment ('LIA') before relying on this basis.

6.4 Legal Obligations

We process personal data where necessary to comply with a legal obligation to which we are subject, including obligations under Indian tax law, corporate law, anti-money laundering regulations, and court or regulatory orders.

7. Sharing of Information

We do not sell your personal data to third parties. We may share your information with the following categories of recipients in the circumstances described below:

7.1 Payment Processors

We use Razorpay Payments Private Limited ('Razorpay') and/or such other payment service providers as engaged from time to time, to process payment transactions. These processors receive limited payment and transaction data necessary to facilitate the transaction and are contractually bound by their own privacy policies and applicable financial regulations. We do not store complete card or bank account details on our servers.

7.2 Cloud Hosting and Infrastructure Providers

Our Platform is hosted on Amazon Web Services, Inc. ('AWS') servers and cloud infrastructure. AWS processes data on our behalf under a Data Processing Agreement and in accordance with its security certifications (including ISO 27001 and SOC 2 Type II). Data may be stored on servers located in India or in other jurisdictions operated by AWS, subject to safeguards described in Section 8.

7.3 Analytics and Marketing Service Providers

• Google Analytics (Google LLC) - for aggregate usage analytics and platform performance monitoring;
• Meta Pixel / Facebook Ads (Meta Platforms, Inc.) - for advertising attribution and audience measurement, subject to your cookie consent preferences;
• Such other analytics providers as may be engaged and disclosed through our Cookie Policy.

7.4 Communication Service Providers

We may share your email address or mobile number with communication service providers (such as email delivery platforms and SMS gateway providers) solely for the purpose of delivering transactional and marketing communications on our behalf.

7.5 Government and Regulatory Authorities

We may disclose your personal data to law enforcement agencies, regulatory bodies, courts, or governmental authorities where required by applicable law, pursuant to a court order or regulatory direction, or in connection with legal proceedings in which the Company is involved.

7.6 Corporate Transactions

In the event of a merger, acquisition, restructuring, or sale of assets involving the Company, your personal data may be transferred to the successor entity, provided that the successor entity undertakes to process your data in accordance with a privacy policy no less protective than this one.

7.7 With Your Consent

We may share your data with third parties not listed above where you have provided explicit consent for such sharing. All third-party recipients who process personal data on our behalf are required to enter into appropriate data processing agreements and to implement adequate technical and organisational security measures.

8. International Data Transfers

Intucate is operated primarily from India, and your personal data is primarily stored and processed within India. However, some of our third-party service providers (including Google, Meta, and AWS) may transfer or process data outside India in connection with their global operations.

Where personal data is transferred outside India, the Company shall ensure that such transfer complies with the requirements of the DPDPA 2023, including any restrictions on cross-border data transfer notified by the Central Government, and that adequate safeguards are in place to protect the rights of Data Principals.

For Data Principals located in the European Union or European Economic Area, transfers of personal data to countries not recognised as providing adequate protection shall be made pursuant to Standard Contractual Clauses ('SCCs') approved by the European Commission or other lawful transfer mechanisms under Chapter V of the GDPR.

9. Cookies and Tracking Technologies

9.1 Types of Cookies Used

We use the following categories of cookies and tracking technologies:

• Strictly Necessary Cookies: These cookies are essential for the operation of the Platform, enabling core functionality such as user authentication, session management, and security. These cannot be disabled without affecting the usability of the Platform.
• Performance and Analytics Cookies: These cookies collect aggregated, anonymised data about how users interact with the Platform, helping us identify areas for improvement. We use Google Analytics for this purpose. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on.
• Functional Cookies: These cookies remember your preferences (such as language, video quality settings, and study reminders) to provide a more personalised experience.
• Marketing and Advertising Cookies: With your consent, we place marketing cookies, including the Meta Pixel, to measure the effectiveness of our advertising campaigns and to serve relevant promotional content to users who have previously visited the Platform. These cookies are only activated upon your explicit consent.

9.2 Cookie Consent and Management

Upon your first visit to the Platform, you will be presented with a Cookie Consent Notice allowing you to accept, reject, or customise your cookie preferences for non-essential categories. You may update your preferences at any time through the Cookie Settings option available in the Platform footer.

You may also manage cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. For detailed guidance on managing cookies in popular browsers, please refer to the respective browser's help documentation.

10. Data Retention Policy

We retain personal data for no longer than is necessary for the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:

Upon expiry of the applicable retention period, personal data shall be securely deleted or anonymised in accordance with our data disposal procedures. Where deletion is not immediately feasible due to technical constraints, data will be isolated and protected from further processing until deletion is completed.

11. Data Security Measures

The Company implements appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, alteration, disclosure, or unlawful processing. Our security measures include, but are not limited to:

11.1 Encryption

• All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher) protocols;
• Sensitive personal data, including passwords and financial information, is stored using industry-standard encryption algorithms (AES-256) at rest;
• Payment card data is handled exclusively by PCI-DSS compliant payment processors.

11.2 Secure Infrastructure

• Our Platform is hosted on AWS cloud infrastructure, which maintains ISO 27001, SOC 2 Type II, and other internationally recognised security certifications;
• Regular security patches and updates are applied to our systems and software dependencies;
• Network traffic is monitored and protected by firewalls, intrusion detection, and prevention systems.

11.3 Access Controls

• Access to personal data is restricted on a strict need-to-know basis among our employees and contractors;
• All personnel with access to personal data are bound by confidentiality obligations;
• Multi-factor authentication is enforced for administrative access to production systems;
• Access logs are maintained and periodically reviewed.

11.4 Vulnerability Management

• The Company conducts periodic security assessments and vulnerability scanning of its Platform;
• Any identified vulnerabilities are remediated in accordance with our internal risk management framework.

11.5 Breach Response

In the event of a personal data breach, the Company shall follow its Data Breach Response Procedure as detailed in Section 19 of this Policy.

You are responsible for maintaining the confidentiality of your account credentials, and we recommend that you use a strong, unique password and enable two-factor authentication where available.

12. Your Rights as a Data Principal

Under the Digital Personal Data Protection Act, 2023, and other applicable laws, you have the following rights with respect to your personal data:

12.1 Right to Access

You have the right to obtain a summary of the personal data we hold about you, the processing activities carried out in respect of such data, and the identities of Data Processors and other persons to whom such data has been disclosed. You may exercise this right by submitting a request through the methods described in Section 22.

12.2 Right to Correction and Updation

You have the right to request the correction of inaccurate or incomplete personal data held about you. You may update basic profile information directly through your account settings. For corrections to other data categories, please contact us as specified in Section 22.

12.3 Right to Erasure

You have the right to request the deletion of your personal data, subject to applicable legal obligations and legitimate interests that may require continued retention. Upon verified receipt of a valid erasure request, we will delete your personal data within a reasonable period, except where retention is required by law. Please note that deletion of your account will result in permanent loss of access to your purchased courses, progress data, and certificates.

12.4 Right to Withdraw Consent

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time without detriment. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to withdrawal. You may withdraw consent through your account settings or by contacting us.

12.5 Right to Grievance Redressal

Under Section 13 of the DPDPA 2023, you have the right to have your grievances addressed by the Company's designated Grievance Officer within the prescribed timeline. The details of our Grievance Officer are provided in Section 22 of this Policy. If you are not satisfied with the resolution of your grievance, you may approach the Data Protection Board of India upon its establishment and operationalisation.

12.6 Nomination Right

As provided under the DPDPA 2023, you have the right to nominate another individual who shall, in the event of your death or incapacity, exercise your data rights on your behalf.

12.7 Rights under GDPR (for EU/EEA Users)

If you are located in the EU or EEA, you have additional rights under the GDPR, including the right to data portability, the right to object to processing, the right to restriction of processing, and the right not to be subject to solely automated decision-making that produces legal or similarly significant effects. To exercise these rights, please contact us at the address provided in Section 22.

To exercise any of the above rights, please submit a written request to privacy@intucate.com with the subject line 'Data Rights Request'. We will verify your identity before processing your request and will respond within the timelines prescribed under applicable law.

13. Children's Privacy

The Platform is primarily designed for students enrolled in the Chartered Accountancy course, many of whom may be between the ages of 16 and 18 years. The Company is committed to protecting the privacy of users who may be minors.

In accordance with Section 9 of the DPDPA 2023, where a user is below the age of 18 years (or such other age as may be prescribed), the Company shall not process their personal data without verifiable parental or guardian consent. We implement age-gate mechanisms during the registration process to identify users who may be minors and to obtain appropriate parental consent.

The Company does not knowingly collect personal data from children under the age of 13 years. If we become aware that we have inadvertently collected personal data from a child under 13 years without verifiable parental consent, we will promptly delete such data from our records. If you are a parent or guardian and believe that your child has provided personal data to us without your consent, please contact us at privacy@intucate.com and we will take immediate steps to delete such data.

The Company shall not undertake targeted advertising directed at minor users or process their personal data in a manner that may cause detrimental effects on their well-being, as required under the DPDPA 2023.

14. Third-Party Services and Integrations

The Platform may contain links to third-party websites, embedded content (such as YouTube videos for course previews), or integrations with third-party services. This Privacy Policy does not apply to the data practices of any third-party website, application, or service. We encourage you to review the privacy policies of any third-party services you interact with.

Our current third-party service integrations include (without limitation):

• Razorpay - Payment processing (privacy policy available at razorpay.com/privacy);
• Google LLC - Analytics (Google Analytics), login services (Google OAuth), video hosting (YouTube), and cloud APIs;
• Meta Platforms, Inc. - Advertising pixels and audience insights;
• Amazon Web Services, Inc. - Cloud hosting, data storage, and computing infrastructure;
• WhatsApp Business API / Twilio - Transactional communications (OTPs, alerts);
• Zoom Video Communications, Inc. - Live classes and webinars (where applicable).

The Company is not responsible for the privacy practices, data handling, or content of third-party services. Our inclusion of these integrations does not constitute an endorsement of their privacy practices. Any data you provide directly to third-party services is governed by their respective privacy policies.

15. User Responsibilities

As a user of the Platform, you have the following responsibilities in relation to your personal data and the data of others:

• You are responsible for providing accurate, current, and complete information during registration and throughout your use of the Platform.
• You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.
• You must not share your account credentials with any other person or allow others to access the Platform using your account.
• You must promptly notify us of any unauthorised use of your account or any suspected breach of security at support@intucate.com.
• You must not engage in scraping, bulk data collection, or any activity designed to collect personal data of other users without authorisation.

16. Platform Community Content and Instructor Content

The Platform includes community features (including discussion forums, Q&A boards, and study groups) and provisions for instructor-uploaded content. The following applies:

16.1 Community-Generated Content

When you post, comment, or otherwise contribute to community areas of the Platform, please be aware that such content may be visible to other registered users. Do not share sensitive personal information (including financial details, personal contact numbers, or identification numbers) in public community spaces. The Company is not liable for any personal data you voluntarily disclose in community areas.

16.2 Instructor-Uploaded Content

Instructors and content creators who upload course materials to the Platform are responsible for ensuring that their content does not unlawfully include personal data of third parties without appropriate authorisation. The Company reserves the right to review and remove any content that, in its assessment, breaches applicable data protection or privacy laws. Instructors are bound by the Instructor Agreement, which includes data protection obligations consistent with this Policy.

17. Educational Data Protection Policy

Given the sensitive nature of academic data, the Company is committed to the responsible stewardship of educational records and student learning data. The following principles govern our handling of educational data:

• Student learning data - including assessment scores, progress records, study patterns, and certificates - shall be used exclusively for educational purposes and Platform improvement, unless you have provided explicit consent for other uses.
• We will not share individualised student academic records with third parties (including prospective employers or educational institutions) without your explicit, written consent, except where required by law.
• Aggregated and anonymised academic data may be used for research, product development, and quality improvement, provided that individual users are not identifiable from such data.
• Certificates and credentials issued by Intucate for course completion are subject to verification processes and are the intellectual property of the Company. You are granted a non-transferable right to display such certificates as evidence of your achievement.
• The Company shall implement reasonable safeguards to protect the integrity of academic records and prevent unauthorised alteration or deletion.

18. AI and Algorithmic Processing Transparency

Intucate employs artificial intelligence and machine learning technologies to enhance the learning experience. In the interest of transparency, we disclose the following:

18.1 AI-Powered Course Recommendations

Our Platform uses algorithmic models that analyse your learning history, assessment performance, time-on-task, and preferences to generate personalised course and content recommendations. These recommendations are designed to help you focus your preparation on areas most relevant to your CA examination stage.

18.2 Adaptive Learning Engine

Where enabled, our adaptive learning features analyse your quiz and test performance to adjust the difficulty level and sequencing of practice questions and study materials in real time.

18.3 No Solely Automated High-Stakes Decisions

The Company does not make any decisions that produce significant legal or similarly significant effects on you based solely on automated processing without human oversight. All material decisions relating to your account (such as suspension or termination) involve human review.

18.4 AI Model Training

We may use anonymised and aggregated platform usage data to train and improve our AI models. Individual user data is never used to train models that are shared or deployed externally. You may opt out of having your usage data included in AI model training by contacting privacy@intucate.com.

19. Data Breach Notification Policy

In the event that the Company becomes aware of a personal data breach that is reasonably likely to cause harm to the rights and interests of Data Principals, the Company shall:

• Contain and assess the breach as promptly as practicable upon discovery;
• Notify the Data Protection Board of India (upon its operationalisation) within the timelines prescribed under the DPDPA 2023 and the rules thereunder;
• Notify affected Data Principals in accordance with the requirements of the DPDPA 2023, providing information about the nature of the breach, the categories of personal data affected, the likely consequences, and the remedial measures being taken;
• Document the breach in our internal incident register, including facts relating to the breach, its effects, and the remedial action taken;
• Cooperate fully with the Data Protection Board and any other competent authority in connection with any investigation of the breach.

The Company maintains a dedicated incident response team and documented breach response procedures to ensure rapid and effective action in the event of a data security incident.

20. Updates to This Privacy Policy

The Company reserves the right to update, amend, or revise this Privacy Policy at any time to reflect changes in our data processing practices, applicable laws, or Platform features. The revised Policy will be effective from the date indicated at the top of the document.

We will notify registered users of material changes to this Policy by:

• Sending an email notification to your registered email address; and/or
• Displaying a prominent notice on the Platform.

Your continued use of the Platform after the effective date of any revised Policy shall constitute your acceptance of the updated terms. We encourage you to periodically review this Policy to stay informed about how we protect your data.

21. Governing Law and Dispute Resolution

This Privacy Policy and any disputes arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of India, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable rules and regulations thereunder.

Any disputes arising out of this Policy shall first be attempted to be resolved through our internal grievance redressal mechanism described in Section 22. If your grievance is not resolved to your satisfaction, you may escalate the matter to the Data Protection Board of India upon its establishment and operationalisation.

For disputes not involving data protection matters, the courts located at [City, State] shall have exclusive jurisdiction.

22. Contact Information and Grievance Redressal

22.1 Company Details

22.2 Grievance Officer

In accordance with Rule 5(9) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and Section 13 of the DPDPA 2023, the Company has appointed a Grievance Officer to address complaints and queries related to the processing of personal data:

To submit a grievance, please write to privacy@intucate.com with the subject line 'Privacy Grievance – [Brief Description]'. Please include your registered email address, a description of your concern, and any supporting documentation. The Grievance Officer will acknowledge your complaint within 48 hours and aim to resolve it within 30 days.

23. Effective Date

This Privacy Policy is effective as of April 2026 and supersedes all prior versions of the Privacy Policy of Dharia Enterprises Private Limited / Intucate.