Privacy Policy

Last Updated: [February 2026 ]

Namaste! From Team GetMyUni!

We value your privacy and are committed to safeguarding your personal data while enabling you to explore educational institutions, careers, and counselling services.

The term “We”/ “Us” / “Our” used in this document refers to Girnarsoft Education Services Private Limited (GetMy Uni), and "You" / "Your" /"Yourself" refers to the users who visit or access, or use (collectively “usage”) the Platform.

PLEASE READ THIS PRIVACY POLICY CAREFULLY.

This Privacy Policy explains in detail how we collect, use, store, share, retain, and protect your digital personal data when you use our website, mobile applications, communication systems, or interact with us in any manner. By accessing or using our Platform and by submitting your personal data, you acknowledge that you have read and understood this Privacy Policy and provide your free, specific, informed, unconditional, and unambiguous consent for the processing of your personal data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”). You further confirm that you have the lawful authority to provide the personal data that you submit, including for any child where you are the parent or lawful guardian, including where the Data Principal is below eighteen (18) years of age, in which case such submission shall be deemed to be made by the parent or lawful guardian with full legal authority, responsibility, and accountability under applicable law and that such submission does not violate the rights of any other individual. If you do not agree with this Policy or any part of it, you are requested to immediately cease accessing or using our platform and not avail any of our services.

This document constitutes an electronic record under the Information Technology Act, 2000, and does not require physical or digital signatures.

Topics Covered:

This policy is designed to make you understand:

• The type of information which You share with Us or which we collect during your usage of our Platform or availing any Product or Services from Our Platform.
• The purpose of the collection, storage, processing, and transferring of Your Information by Us.
• Security measures implemented by Us to protect Your Information as mandated by law.
• Disclosure, sharing, and transfer of your personal information by Us, and the purpose of such disclosure, sharing, or transfer.

A. SCOPE, COVERAGE, AND APPLICABILITY

This Privacy Policy applies to all personal data processed by or on behalf of Us through any means, whether automated or manual, digital or physical, including but not limited to:

• The GetMy Uni website, mobile applications, landing pages, and microsites;
• Call centres, counselling calls (including recorded calls), chat interfaces, emails, SMS, WhatsApp, and other messaging platforms;
• Offline interactions such as education fairs, seminars, campus events, workshops, surveys, and feedback mechanisms;
• Integrations with third-party platforms, customer relationship management systems, analytics tools, and institutional portals;
• Data received from educational institutions, partners, referral sources, or public sources, where lawfully obtained;
• Any other platform, service, or interface owned, operated, or controlled by Us (collectively, the "Platform").

This Privacy Policy applies to all categories of Data Principals, including students, prospective students, parents, lawful guardians, institutional representatives, and any other individuals whose personal data is processed by Us in connection with our services.

B. DATA FIDUCIARY AND CONTACT INFORMATION

We are the Data Fiduciary responsible for determining the purpose and means of processing personal data. For operational efficiency and service facilitation, personal data may be shared with its Group Companies strictly on a need-to-know basis.

Corporate Identity:
GetMy Uni Education Services Private Limited

Office: 6th and 7th Floor, Capital The Cityscape, Badshahpur, Sector 66, Gurugram, Haryana 122101

C. DEFINITIONS AND INTERPRETATION

Unless the context otherwise requires, terms used in this Privacy Policy shall have the meanings assigned to them under the DPDP Act. For clarity and completeness:

• Personal Data means any data about an individual who is identifiable by or in relation to such data, including but not limited to the individual’s first and last name, contact details (such as mobile number and email address), age, gender, location, photograph, academic information, identifiers, or any other information provided by the user at the time of registration, during use of the Platform, or at any time thereafter, which directly or indirectly identifies such individual.
• Sensitive Personal Data means such categories of personal data that require a higher standard of protection under applicable law, including but not limited to:
  • Account passwords and authentication credentials;
  • Financial information (excluding truncated card details);
  • Health-related data, where applicable;
  • Officially issued identifiers such as Aadhaar number, PAN, passport, driving licence, or other government-issued identification documents;
  • Biometric data, where legally required; and
  • Any other data classified as sensitive personal data or special category data under applicable laws, including the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other equivalent or successor legislations.
• Processing means any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, restriction, erasure, or destruction.
• Data Principal means the individual to whom the personal data relates.
• Consent means a freely given, specific, informed, unconditional, and unambiguous indication of the Data Principal’s agreement to the processing of personal data for a specified purpose.
• Child means an individual who has not completed 18 (eighteen) years of age.
• Parent or Lawful Guardian means a natural or legal guardian authorised under applicable law to provide consent on behalf of a Child.

D. PRINCIPLES GOVERNING PROCESSING

We process personal data in accordance with the following foundational principles:

• Lawfulness, fairness, and transparency – personal data is processed only in accordance with applicable law and in a transparent manner;
• Purpose limitation – personal data is collected only for specified, explicit, and lawful purposes;
• Data minimisation – only such personal data as is necessary for the stated purposes is collected;
• Accuracy – reasonable steps are taken to ensure that personal data is accurate and up to date;
• Storage limitation – personal data is retained only for as long as necessary.
• Integrity and confidentiality – personal data is protected against unauthorised or unlawful processing.

E. CATEGORIES AND SOURCES OF PERSONAL DATA

Depending on the nature of engagement, we may collect personal data directly from Data Principals, indirectly through parents or guardians, or from authorised third parties.

1. Personal Information

   Personal Information means any information that identifies or relates to You as an individual. We may collect such information when you voluntarily provide it, including when you:

   • Create or modify an account on Our Platform
   • Fill out forms, surveys, requests, or service subscriptions
   • Participate in counselling sessions, customer support interactions, webinars, or career guidance activities
   • Engage in verification or transaction-related activities
   This category includes, but is not limited to:
   • Full name, date of birth, age, and gender (where voluntarily provided)
   • Residential address, city, state, and communication details (email ID, phone number)
   • Financial or payment-related data for transaction facilitation (if applicable)
   • Identity or academic documents voluntarily uploaded for verification and admission- related processing
   • Any additional personal data that you willingly submit while using our services
   Purpose of Processing Personal Information
   We process this information for:
   • Account creation, authentication, and secure access
   • Personalised service delivery, including course recommendations and counselling
   • Communication & service notifications (transactional, advisory, reminders)
   • Processing payments and verifying financial transactions, where applicable
   • Resolving user queries, grievances, and providing customer assistance
   • Compliance with legal, regulatory, investigative, or security requirements

   Where any personal data requires enhanced protection based on context, we shall process it only with explicit, informed consent and implement appropriate safeguards.

2. Non-Personal Information

   This includes information that may not directly identify you on its own but may help us understand Platform usage and improve functionality. We may collect such information automatically when you access or interact with Our Platform.

   1. Usage Information

      This includes analytics related to:

      • Browsing behaviour, navigation patterns, and clicks
      • Search queries, viewed content, and interactions
      • Frequency, time duration, and manner of usage of services and features
      • Engagement metrics related to our content, tools, and partners
      Purpose of Processing Usage Data:
      • To analyse and improve Platform performance and user experience
      • To understand user preferences for better service design
      • To generate anonymised statistical insights and reporting
   2. Device and Technical Information

      Information about electronic devices used to access Our Platform, such as:

      • IP address, Device ID, browser type, operating system, network, and telecom details
      • System diagnostic logs, app version, crash reports, and functional analytics
      • Approximate or real-time geolocation (only if you grant permission)
      • Metadata and related technical identifiers
      Purpose:
      • Platform security, fraud detection, prevention of misuse, or service disruption
      • Enabling core functionalities and maintaining service quality
      • Personalised localisation features such as region-specific content
      Geolocation access can be enabled or disabled by you at any time through device settings.
   3. Preferences

      Data relating to your personalized selections, such as:

      • Language preference, display settings, time zone
      • Academic/study area interests or goal selections (where voluntarily chosen)
      Purpose:
      • Providing a custom and relevant user experience tailored to your interests
   4. Social Media & Third-Party Integrated Data

      Where you choose to sign in or connect through third-party platforms (e.g., Google, Facebook):

      • We receive only that information which you authorize for sharing via the respective
      interface
      • This may include your public profile details, display picture, and registered contact information
      Additionally, we may lawfully obtain information from:
      • Referral partners, marketing collaborators, educational institutions or service affiliates
      Purpose:
      • Enabling secure login and seamless user onboarding
      • Service personalisation and lawful marketing assistance
      • Academic verification and eligibility assessment, where necessary
      We encourage you to configure your privacy controls and review third-party policies to manage what is shared.
   5. Cookies & Similar Tracking Technologies

      We may use:

      • Cookies (session, persistent)
      • Pixel tags, SDKs, clear GIFs, flash cookies, and mobile device identifiers
      • Web beacons or other analytical technologies
      These technologies may collect data regarding:
      • User journey, behaviour analytics and session management
      • Advertisement relevance and engagement measurement (only with consent)
      Purpose:
      • To enhance accessibility, stability, navigation, and functionality of the Platform
      • To remember user preferences and improve service delivery
      • To conduct analytics and, with your explicit consent, deliver personalised advertising
      You may disable cookies from device/browser settings; however, essential cookies are required for core functionalities to work effectively.
      • All data is processed solely for legitimate, declared, and necessary purposes
      • We adopt reasonable security practices and procedures
      • We do not collect or retain more data than required for service fulfilment or legal compliance
      • Any secondary or new purpose will require fresh user consent

   Additional details regarding storage, retention, rights, deletion, grievance redressal and cross- border transfers are provided in separate sections of this Privacy Policy.

   We do not knowingly collect biometric data or financial information unless expressly disclosed and required for a lawful, specific, and transparent purpose.

   Users are requested to provide only such Personal Data as is specifically required or requested for the purposes of availing services on Our Platform. Where a user voluntarily provides any Personal Data that has not been specifically requested by Us, such data shall be processed only to the extent necessary, in accordance with applicable law, and subject to appropriate security safeguards. We shall not be responsible for the accuracy or relevance of such voluntarily disclosed information beyond its lawful obligations under applicable data protection laws.

F. PURPOSES OF PROCESSING

Personal data is processed strictly for purposes that are necessary, proportionate, and directly related to our services, including:

1. Providing personalised education counselling, guidance, and admissions facilitation;
2. Enabling discovery and comparison of educational institutions, courses, examinations, and career pathways;
3. Facilitating communication and information exchange between Data Principals and educational institutions;
4. Managing registrations, inquiries, applications, and follow-ups;
5. Responding to queries, service requests, complaints, and grievances;
6. Improving platform functionality, service quality, and user experience through aggregated and anonymised analysis;
7. Conducting internal research, reporting, and analytics using anonymised or de- identified data;
8. Sending transactional communications, service notifications, and consent-based informational or promotional communications;
9. Ensuring information security, preventing fraud or misuse, and maintaining platform integrity;
10. Complying with applicable laws, legal processes, regulatory requirements, and governmental directions.

G. LAWFUL BASIS FOR PROCESSING

We process personal data only where permitted under applicable law, including:

1. On the basis of Consent obtained from the Data Principal for one or more specified purposes; and
2. For legitimate uses expressly recognised under Section 7 of the DPDP Act, including where personal data is voluntarily provided for availing requested services or for responding to emergencies or legal obligations.

Processing activities such as responding to user-initiated enquiries, providing counselling or information expressly requested by the Data Principal, ensuring platform security, preventing fraud, maintaining records required by law, and complying with legal or regulatory obligations may be carried out under ‘legitimate uses’ as defined under Section 7 of the DPDP Act.

All other processing activities, including marketing communications, optional personalisation, profiling, or sharing of personal data with third parties for non-essential purposes, are undertaken only pursuant to explicit and informed consent

H. PROCESSING OF CHILDREN’S PERSONAL DATA

Where personal data relates to a Child, or where We have reason to believe that a Data Principal is a Child, the following safeguards apply:

1. Processing is undertaken only after obtaining verifiable parental or lawful guardian consent. Verifiable parental or lawful guardian consent may be obtained through one or more mechanisms including, but not limited to, OTP-based verification, recorded confirmation calls, consent-linked email verification, digitally signed declarations, or any other method prescribed under applicable law or rules issued under the DPDP Act.
2. Children’s personal data is processed strictly for educational guidance, counselling, admission facilitation, platform safety, and legal compliance;
3. We do not engage in behavioural monitoring or targeted advertising in a manner prohibited under applicable law, including any form of targeted advertising, profiling, or behavioural tracking of Children beyond what is strictly necessary for platform safety, security, and essential service delivery.”
4. Additional access controls and security safeguards are applied to children’s personal data;
5. Parents or lawful guardians may exercise all applicable rights on behalf of the Child, including withdrawal of consent.
6. Where a User initially represents themselves as being eighteen (18) years of age or above, but is later identified or reasonably believed to be a Child, We reserve the right to pause, restrict, or discontinue processing of such personal data until verifiable parental or lawful guardian consent is obtained.
7. Any interim processing prior to such verification shall be limited strictly to platform safety, fraud prevention, and legal compliance purposes.

I. SHARING AND DISCLOSURE OF PERSONAL DATA

Personal data may be shared, strictly on a need-to-know and purpose-limited basis, with:

1. Educational institutions, universities, and academic partners for counselling, application, or admission-related purposes;
2. Third-party service providers acting as Data Processors, bound by written agreements imposing confidentiality, security, and purpose limitation obligations; auditors, advisors, or consultants under duties of confidentiality;
3. Personal data may be shared with Group Companies solely for purposes such as user support, counselling assistance, program recommendations, analytics, technology infrastructure, communication, and regulatory compliance. Such sharing shall always be governed by contractual safeguards and data protection obligations consistent with applicable law.
4. Government authorities, regulators, courts, or law enforcement agencies where disclosure is required under applicable law.

We do not sell personal data or commercially exploit personal data shared with its Group Companies and do not permit third parties to use personal data for independent commercial purposes. All entities are bound by confidentiality and information security obligations.

J. CROSS-BORDER TRANSFER OF PERSONAL DATA

Where necessary, personal data may be processed or stored outside India, strictly in accordance with the DPDP Act and any notifications or restrictions issued by the Government of India, and subject to appropriate contractual and technical safeguards.

K. DATA RETENTION AND STORAGE LIMITATION

Personal data is retained only for so long as is reasonably necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or contractual obligations. Upon expiry of the retention period or cessation of purpose, personal data is securely deleted, anonymised, or de-identified subject to legal, regulatory, audit, dispute resolution, and security requirements or unless retention is mandated by law.

L. DATA SECURITY MEASURES

We implement administrative, technical, and physical safeguards consistent with industry standards to protect personal data against unauthorised access, disclosure, alteration, loss, or destruction. Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based controls, monitoring, and encrypted storage and transmission wherever feasible.

While we take reasonable steps to maintain robust security measures, no system can be entirely immune to all risks.We cannot guarantee absolute protection against all potential threats or breaches, but implements reasonable precautions in accordance with applicable law and industry best practices.

M. RIGHTS OF DATA PRINCIPALS

Subject to the provisions of the Digital Personal Data Protection Act, 2023, and applicable rules made thereunder, Data Principals shall have the right to:

• Obtain confirmation as to whether their personal data is being processed by Us;
• Access information regarding the personal data being processed, including the nature and purpose of such processing;
• Request correction, completion, updating, or erasure of their personal data, where such data is inaccurate, incomplete, or no longer necessary for the stated purpose;
• Withdraw consent for the processing of personal data at any time, in accordance with this Privacy Policy;
• Nominate another individual to exercise their rights in the event of death or incapacity; and lodge a grievance with Us and, where such grievance is not resolved within the prescribed timelines, with the Data Protection Board of India.
• All rights in relation to a Child’s personal data shall be exercisable exclusively by the parent or lawful guardian, and any request received directly from a Child shall be actioned only after verification of guardian authority.

N. HOW YOU CAN MANAGE YOUR PERSONAL INFORMATION

We provide Data Principals with simple and effective mechanisms to exercise their rights under the Digital Personal Data Protection Act, 2023, and applicable rules made thereunder. The manner in which you may manage your personal information is described below:

Correction and Updating:

You may request correction, completion, or updating of your personal data where it is inaccurate or incomplete. Certain information may be updated directly through your account, where such functionality is available, or by contacting the Grievance Officer using the contact details provided below.

Access to Personal Data:

You may request access to information relating to the personal data processed by Us, including the nature and purpose of such processing, in accordance with applicable law.

Erasure of Personal Data:

You may request erasure of your personal data where such data is no longer necessary for the purpose for which it was collected, subject to retention requirements under applicable law, regulatory obligations, or lawful directions of competent authorities.

Withdrawal of Consent:

Where the processing of personal data is based on consent, you may withdraw such consent at any time by using the consent management features available on the Platform or by writing to us at compliance@girnarsoft.com. Upon withdrawal of consent, we shall cease processing personal data for the relevant purpose, except where continued processing is permitted or required under applicable law.

Nomination:

You may nominate another individual to exercise your rights under the Digital Personal Data Protection Act, 2023, on your behalf in the event of your death or incapacity. Such nomination may be made in the manner prescribed or by contacting Us using the contact details provided below.

Account Closure:

If you choose to close your account, we shall delete or anonymise your personal data, unless retention is necessary to comply with applicable laws, regulatory requirements, dispute resolution, fraud prevention, cybersecurity obligations, or enforcement of legal rights.

O. GRIEVANCE REDRESSAL MECHANISM

We have appointed a Grievance Officer to address concerns relating to personal data processing.

Grievance Officer Contact:

Email: compliance@girnarsoft.com

Grievances shall be acknowledged within seven (7) days of receipt and resolved within the timelines prescribed under the Digital Personal Data Protection Act, 2023, and applicable rules.

P. THIRD-PARTY WEBSITES AND SERVICES

It is clarified that while using the Platform, you may encounter links to third-party websites, advertisements, or electronic communication services that are operated and controlled by independent third parties. We do not control, endorse, or make any representations or warranties in relation to the content, services, products, or privacy practices of such third-party websites or services.

Any access to or use of third-party websites or services is at your discretion and subject to the terms and privacy policies of such third parties, who act as independent data fiduciaries in respect of any personal data collected by them. We shall not be responsible for any loss or damage arising from your interaction with such third-party websites or services. Users are advised to review the privacy policies and terms of use of such third-party websites prior to accessing or using them.

Q. COOKIES, TRACKING TECHNOLOGIES, AND ANALYTICS

We use cookies and similar technologies (including pixels, SDKs, and log files) to ensure the proper functioning, security, and performance of the Platform.

1. Types of Cookies Used

   1. Strictly Necessary Cookies: Required for core platform functionality, security, and session management. These cannot be disabled.
   2. Functional Cookies: Enable personalisation features such as language preferences and saved settings.
   3. Analytics Cookies: Used to understand aggregated user behaviour, platform usage trends, and performance metrics. Analytics data is processed in an aggregated and anonymised manner and is not used for profiling or targeted advertising.

2. Children and Cookies

   For users identified as Children, we do not deploy non-essential cookies or tracking technologies and restrict processing to strictly necessary cookies only. Where age status is unclear, the Platform shall default to child-safe cookie settings until age or guardian consent is verified

Data Principals may manage cookie preferences through browser settings or platform controls, where available.

R. DATA BREACH AND INCIDENT RESPONSE

We maintain internal policies and procedures to detect, investigate, respond to, and mitigate personal data breaches or security incidents.

In the event of a personal data breach that is likely to cause harm to Data Principals:

1. Appropriate remedial measures shall be taken without undue delay.
2. Affected Data Principals and the Data Protection Board of India shall be notified where required under applicable law;
3. The nature of the breach, likely consequences, and mitigation steps shall be communicated in a transparent manner.

S. WITHDRAWAL OF CONSENT AND CONSEQUENCES

Data Principals may withdraw consent previously provided for the processing of personal data, using the mechanisms made available by Us.

Upon withdrawal of consent:

1. We shall cease processing personal data for the relevant purpose, unless continued processing is permitted or required under applicable law;
2. Certain services, features, or communications that rely on such personal data may no longer be available;
3. Withdrawal shall not affect the lawfulness of processing carried out prior to such withdrawal.

Where consent is withdrawn in relation to Children’s personal data, processing shall cease subject to legal retention requirements.

T. OPERATIONAL ALIGNMENT AND DATA PROCESSING PRACTICES

1. Call Scripts and Tele-Counselling Workflows

   Counselling, support, and follow-up calls follow pre-approved scripts to the extent reasonably practicable, which:

   • Clearly identify GetMy Uni as the Data Fiduciary;
   • Inform Data Principals (or parents/lawful guardians, where applicable) about call recording practices;
   • Specify the purpose for which personal data is collected and used;
   • Capture consent where required under applicable law; and
   • Provide information on consent withdrawal and grievance mechanisms.
   Where calls involve or may involve a Child, counsellors pause substantive data collection until verifiable parental or lawful guardian consent is obtained, in accordance with applicable law.
2. CRM and Lead Management Systems

   Personal data stored in customer relationship management (CRM) systems is accessed on a role- based and purpose-limited basis, with monitoring and logging applied to the extent reasonably practicable. Data sharing with educational institutions or partners is limited to consented or lawful purposes and proportionate to the services requested. Retention of personal data follows documented schedules and legal obligations.

3. Consent Management and Logging

   We maintain electronic records of consent, parental authorisation, and other lawful bases for processing. These records are reflected across integrated CRM and operational systems to ensure that consent status is respected, to the extent reasonably practicable.

4. Training, Awareness, and Accountability

   Employees, agents, and contractors handling personal data receive periodic training on data protection obligations, including safeguards for children’s data and incident reporting. Compliance with documented procedures and this Privacy Policy is monitored through internal reviews and supervisory oversight, consistent with reasonable operational standards.

5. Continuous Review and Improvement

   We periodically review operational processes, technical safeguards, and internal controls to ensure alignment with this Privacy Policy and applicable laws. Internal reviews aim to identify opportunities to enhance data protection measures while recognizing inherent limitations of operational and technical systems.

U. AUTHORIZATION AND COMMUNICATION PREFERENCES

You acknowledge that the personal data provided on the Platform is shared voluntarily and in compliance with applicable laws. We may verify and process such information only for lawful purposes in accordance with this Privacy Policy.

Where any information is found to be inaccurate, misleading, or provided in violation of applicable laws or this Privacy Policy, we may take proportionate corrective action, including restricting access to certain services, in accordance with applicable law and internal policies. You consent to receive communications from Us and our authorised partners through telephone calls, SMS, email, or other electronic modes solely for transactional, service-related, or consented purposes, including counselling, application support, account updates, and service notifications.

Promotional or marketing communications will be sent only where specific and explicit consent has been provided, and in accordance with your communication preferences and registrations under the National Customer Preference Register (NCPR/NDNC).

You may withdraw or modify your communication preferences at any time through Platform controls or by contacting us at compliance@girnarsoft.com. Withdrawal of consent will be effective within a reasonable period and will not affect the lawfulness of prior processing. Where consent is withdrawn in relation to Children’s personal data, processing shall cease subject to legal retention requirements.

V. CHANGE IN TERMS OF PRIVACY POLICY:

We reserve the right to amend or modify this Privacy Policy at any time, as and when the need arises. We request that you regularly check this Privacy Policy from time to time to keep you apprised of changes made. We may update this Privacy Policy from time to time. Where any material change affects the purpose or manner of processing of personal data or requires fresh consent under applicable law, such consent shall be obtained from the Data Principal. Continued use of the Platform shall constitute acceptance only where such changes do not materially alter previously consented processing purposes.

W. GOVERNING LAW AND JURISDICTION

This Privacy Policy shall be governed by and construed in accordance with the laws of India. Courts at NCT of Delhi shall have exclusive jurisdiction.