1. Introduction & Scope

University Insights (“we”, “our”, “us”) is committed to safeguarding the personal data of every student, parent, guardian, and visitor who interacts with our services. This Privacy Policy explains what information we collect, why we collect it, how we use it, and the options available to you.

This Policy applies to all processing carried out by Unisights Global Private Limited through: (a) our public websites located at universityinsights.in and unisightsglobal.com, together with any sub‑domains; (b) our mobile‑optimised site and any future mobile applications; and (c) our offline activities such as walk‑in counselling, education fairs, telephone consultations, and document‑collection services.

We process personal data in accordance with all applicable data‑protection laws, including, where relevant, the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Digital Personal Data Protection Act, 2023 (India), and any other country‑specific regulations that apply to the users we serve. Where laws differ, we apply the strictest requirement that protects your rights.

By accessing or using our services, you acknowledge that you have read and understood this Policy. If you do not agree with any part of it, please discontinue use of our services.

2. Data Controller & Contact Information

The Data Controller responsible for your personal data under this Privacy Policy is:

Unisights Global Private Limited
(Brand name “University Insights”)
CIN: U85500UP2025PTC215382
PAN: AADCU7365G
GSTIN: 09AADCU7365G1ZZ

Registered Office
2401, 24th Floor, E‑Square, Supertech, Plot C‑2, Sector 96,
Noida, Gautam Buddha Nagar, Uttar Pradesh 201303, India.

Grievance Officer / Data Protection Officer
Mr Kashif Khan (Director)
Email: [email protected]
Phone: +91 98703 49912
Office hours: Monday – Friday, 10:00 – 18:00 IST

You may contact the Grievance Officer at the details above regarding any questions, requests, or complaints about this Privacy Policy or our data‑handling practices.

3. Definitions

For clarity in this Privacy Policy, the following terms have the meanings set out below:

Term	Meaning
“Personal Data”	Any information that relates to an identified or identifiable natural person, such as name, e‑mail, phone number, passport details, or online identifiers.
“Sensitive Personal Data”	Personal Data revealing racial or ethnic origin, religious beliefs, health information, or any other data classified as “special category” under GDPR or “sensitive personal data” under India’s DPDP Act.
“Processing”	Any operation performed on Personal Data, whether automated or not, including collection, recording, storage, alteration, retrieval, use, disclosure, or deletion.
“Controller” / “Data Controller”	The natural or legal person that determines the purposes and means of Processing Personal Data. In this Policy, Unisights Global Private Limited is the Controller.
“Processor”	A natural or legal person that Processes Personal Data on behalf of the Controller (e.g., cloud‑hosting provider).
“Cookies”	Small text files placed on a user’s device by a website to store preferences and enable certain functionalities.
“Consent”	Any freely given, specific, informed, and unambiguous indication of a user’s wishes by which they signify agreement to the Processing of their Personal Data.
“GDPR”	Regulation (EU) 2016/679, the General Data Protection Regulation of the European Union.
“DPDP Act”	India’s Digital Personal Data Protection Act, 2023.
“Child”	An individual under 13 years of age for the purposes of this Policy.

4. Personal Data We Collect

We collect only the data required to deliver our counselling and application‑processing services efficiently and in line with legal requirements. The information falls into the categories below. Unless otherwise specified, we store each category for no longer than 90 days from the last point of interaction, after which it is securely deleted or anonymised (see Section 11 for details).

Category	Typical examples	When collected
Identity Data	Full name, date of birth, gender, nationality	When you fill out enquiry or application forms, verify identity, or attend offline counselling.
Contact Data	E‑mail address, mobile/landline number, postal address, WhatsApp ID (optional)	Web forms, live chat, phone calls, education fairs.
Academic & Career Data	Class 10/12 marksheets, NEET scorecard, résumé/CV, language‑proficiency scores	During profile evaluation and university short‑listing.
Government‑ID & Travel Data	Passport copy, PAN/Aadhaar (for Indian residents), visa scan	When preparing admission and visa documents.
Financial Data	Limited card/bank information (only the last four digits and transaction ID), payment receipts, invoice details	When you pay counselling fees or transfer university application fees via our payment gateway.
Marketing Preferences	Opt‑in status for newsletters, SMS, WhatsApp broadcasts	Via consent check‑boxes or double‑opt‑in e‑mails/SMS.
Technical & Usage Data	IP address, device type, browser version, referring URL, anonymised clickstream	Collected automatically through cookies, Google Analytics 4, and similar tools when you browse our sites.

We do not intentionally collect or solicit Sensitive Personal Data such as health information or religious beliefs, except where a university requires such details (e.g., vaccination records) and only with your explicit consent.

If you choose to decline providing certain Personal Data, we may be unable to deliver part or all of our services—such as university application submission—because that information is mandatory.

5. How We Collect Personal Data

We obtain Personal Data from a variety of sources to provide our counselling, admissions, and support services. We always aim to collect information directly from you whenever possible and to keep data collection to the minimum necessary.

Collection channel	What happens	Typical data captured
Direct interactions	You complete enquiry or application forms on our website, visit our office, speak with us by phone/WhatsApp, or meet us at education fairs.	Identity, Contact, Academic, Government‑ID, Financial, Marketing‑Preference data.
Automated technologies	When you browse our sites, cookies, pixels, and similar tools record limited technical information so we can secure the site, measure engagement, and show remarketing ads.	Technical & Usage Data; pseudonymised cookie IDs.
Partner universities & service providers	With your written consent, we request status updates or verification details from universities, language‑test bodies, insurance companies, and payment gateways.	Confirmation of application status, fee‑payment confirmation, visa approval letters.
Public or third‑party sources	Less commonly, we may validate information using publicly available registers (e.g., NEET score portals) or social‑login APIs (Google / Facebook) when you choose that option.	Verified identity tokens, scores, or publicly available profile details.

We do not buy marketing lists, scrape social media, or use covert data‑collection methods. All automated tracking is disclosed in Section 8 (Cookies & Tracking Technologies) and can be controlled through our cookie banner.

If you contact us via social platforms (Facebook, Instagram, LinkedIn), we may receive your public profile name and contact details according to that platform’s privacy settings. Such data is processed under this Policy once imported into our CRM.

6. Legal Bases for Processing

Under the GDPR, the DPDP Act, and comparable regulations, we must identify a specific legal basis for each use of Personal Data. We rely on one or more of the following grounds:

Purpose of processing	Legal basis & explanation
Counselling & admissions	Contractual necessity – Processing is required to take steps at your request prior to entering into a services agreement and to fulfil that agreement (e.g., submitting an application to a university).
Marketing e‑mails, SMS & WhatsApp updates	Consent – We send these communications only if you have expressly opted‑in and may withdraw consent at any time (see Section 14).
Website analytics & optimisation	Legitimate interest – We have a business interest in understanding site performance and improving user experience, balanced against minimal privacy impact through aggregated or pseudonymised data.
Regulatory compliance & record‑keeping	Legal obligation – We may need to retain invoices, visa documents, or statutory registers to comply with tax laws, anti‑money‑laundering rules, and other legal requirements.

If we intend to use Personal Data for a purpose that is incompatible with those listed above, we will notify you and, where required, collect fresh consent.

7. How We Use Personal Data

We use the Personal Data described in Sections 4–6 strictly for the purposes outlined below and only when we have a valid legal basis to do so. We do not sell or rent your information.

Purpose	Typical activities	Legal basis (see Section 6)
Counselling & admissions	Assess your academic profile, suggest suitable universities, prepare and submit application forms, schedule interviews, coordinate visa documentation.	Contractual necessity
Account & relationship management	Create or update your CRM record, respond to questions, schedule counselling sessions, send service notifications.	Contractual necessity; Legitimate interest
Payment processing	Issue invoices, process online card payments, generate receipts, track outstanding balances.	Contractual necessity; Legal obligation
Service updates & transactional messages	Send e‑mails/SMS/WhatsApp messages about application status, document requirements, exam reminders, travel briefings.	Contractual necessity
Marketing communications	Send newsletters, scholarship alerts, and promotional offers. You can opt‑out at any time.	Consent
Analytics & site optimisation	Analyse aggregated traffic patterns, A/B‑test new web pages, measure campaign effectiveness.	Legitimate interest
Personalisation & remarketing	Show tailored content or ads on Google and social platforms based on your on‑site behaviour. Profiling is limited to cookie IDs and may be disabled via our cookie banner.	Consent (EU) / Legitimate interest (India & others)
Security & fraud prevention	Monitor logs for suspicious activity, enforce access controls, perform identity verification to prevent impersonation.	Legitimate interest; Legal obligation
Legal & regulatory compliance	Maintain statutory records, respond to lawful requests from authorities, and enforce our terms and conditions.	Legal obligation

We do not engage in automated decision‑making that produces legal or similarly significant effects without human involvement. Profiling used for remarketing is limited to non‑intrusive, pseudonymised cookie and device identifiers; it does not extend to academic or financial evaluations.

If we need to use your data for a new purpose that is incompatible with the above, we will update this Policy and, where legally required, obtain your explicit consent before proceeding.

8. Cookies & Tracking Technologies

We use cookies, pixels, and similar tracking technologies (“cookies”) to ensure our sites work securely, to understand how visitors engage with our content, and—where you have consented—to tailor ads for services that may interest you.

8.1 What are cookies?

Cookies are small text files placed on your device when you visit a website. They allow the site to recognise your device and store certain information about your preferences or past actions.

8.2 Types of cookies we use

Type	Purpose	Examples	Lifespan*
Strictly‑necessary	Enable core functionality such as page navigation, form submission, and security. The website cannot function properly without these cookies.	__cf_bm(Cloudflare), csrf_token	Session only
Analytics / performance	Help us understand how visitors interact with our pages so we can improve content and site speed. Data is aggregated and pseudonymised.	_ga, _ga_*, _gid(Google Analytics 4)	1 day – 90 days
Advertising / remarketing	Record your on‑site activity so we can show relevant ads for our counselling services on Google, Facebook, and partner sites.	_gcl_au(Google Ads), _fbp(Meta Pixel)	30 days – 90 days
Preference	Remember choices such as language, cookie‑banner settings, or chat‑widget state.	cookie_consent, tawk_uuid_*	30 days

*Lifespan denotes the maximum period before a cookie is automatically removed by your browser; we have configured all cookies to expire within 90 days or less.

8.3 Managing or withdrawing consent

On your first visit, a banner allows you to accept all cookies, reject non‑essential cookies, or customise settings. You can change your preference at any time by clicking the “Cookie Settings” link in the site footer.

Alternatively, you may:

• Use your browser settings to block or delete cookies (see Help menu for instructions).

• Opt‑out of Google Analytics with the GA Opt‑out Add‑on.

• Opt‑out of Google Ads personalisation via Ads Settings.

• Opt‑out of Meta remarketing via Facebook Ad Preferences.

Blocking some cookies may limit functionality—for example, the counsellor chat widget or enquiry forms may not work correctly.

8.4 Third‑party cookies

Some cookies are set by third‑party services we embed, such as YouTube video players or live‑chat widgets. Those providers are responsible for their own cookies and privacy practices. We encourage you to read their policies.

9. Sharing & Disclosure of Personal Data

We share Personal Data only when necessary to deliver our services, fulfil legal obligations, or protect our legitimate interests. Whenever we share information, we ensure appropriate contractual and technical safeguards are in place, and we never sell your data to third parties.

Recipient category	Typical recipients	Purpose of disclosure	Safeguards applied
Partner universities & colleges	Accredited medical universities in Uzbekistan, Russia, Egypt, Iran, Nepal, etc.	Submit applications, confirm seat availability, issue Letters of Acceptance (LOA), coordinate tuition‑fee invoicing.	Data‑sharing agreements referencing Standard Contractual Clauses (see Section 10); transfer limited to required documents.
Service providers (Processors)	Hosting: AWS Asia‑Pacific (Mumbai).
Payment gateway:Razorpay (India) / Stripe (US, if applicable).
Email delivery: SendGrid.
CRM & marketing: Zoho CRM, Google Workspace, Google Ads, Google Analytics, Meta Business Suite.	Cloud hosting, payment processing, e‑mail/SMS delivery, CRM management, analytics, remarketing.	Data‑Processing Agreements (DPAs) requiring confidentiality, security controls, and data‑return/deletion clauses.
Professional advisers	Auditors, accountants, legal counsel	Financial audit, tax filing, dispute resolution, contract drafting.	Confidentiality clauses in engagement letters.
Government & regulatory authorities	Indian DPBI (once constituted), police, courts, embassies/visa centres	Respond to lawful requests, comply with subpoenas/court orders, facilitate visa processing.	Disclosure only on valid legal basis; records maintained for audit trail.
Security & fraud‑prevention partners	Payment‑risk monitoring tools, fraud‑detection APIs	Detect and prevent fraudulent payments or identity theft.	Limited data (transaction ID, device fingerprint) shared under strict purpose limitation.
Corporate transactions	Potential acquirers, investors, or merger partners	Due‑diligence review in the event of restructuring, merger, or asset sale.	Data shared under Non‑Disclosure Agreements and, where feasible, anonymised or aggregated.

We may also publish aggregated, anonymised statistics (e.g., number of students placed per country) that do not identify any individual.

If a recipient is located outside your jurisdiction, we put in place additional transfer safeguards as described in Section 10 (International Data Transfers).

10. International Data Transfers

We primarily store and process Personal Data on servers located in India (AWS Asia‑Pacific – Mumbai region). However, certain trusted third‑party service providers operate from or store data in other jurisdictions, including the European Economic Area (EEA) and the United States. Whenever your information is transferred across borders, we ensure that an equivalent level of protection travels with it.

10.1 Transfer mechanisms we rely on

Scenario	Legal mechanism	Additional safeguards
Transfers to the EEA/UK	Not applicable, as India is regarded as a third country under GDPR; if an EEA‑based provider receives data, we sign the EU Commission’s Standard Contractual Clauses (SCCs 2021/914).	Data minimisation; encryption in transit; pseudonymisation where feasible.
Transfers to the United States or other non‑adequate countries	SCCs supplemented by a Transfer Impact Assessment (TIA) per EDPB guidelines.	Encryption at rest and in transit; limited access on a need‑to‑know basis; regular vendor audits.
Intra‑group transfers(between universityinsights.in and future subsidiaries)	Intra‑group Data‑Sharing Agreement based on SCCs.	Same technical and organisational measures as above.

10.2 Hosting & caching

Primary hosting: AWS Mumbai (India).
Static asset CDN: Cloudflare, which may cache encrypted assets on edge servers worldwide. Cloudflare is certified under ISO/IEC 27001 and incorporates SCCs for EU data.

10.3 Your rights & copies of safeguards

You may request a copy of the Standard Contractual Clauses or other transfer safeguards by contacting our Grievance Officer (see Section 2). For security reasons, some text may be redacted.

11. Data Retention

We retain Personal Data only for as long as necessary to fulfil the purposes set out in this Policy or to comply with legal, accounting, or reporting requirements. In line with your instruction, we apply a universal retention period of 90 days from the date of your last interaction with us, unless a shorter or longer period is required by law.

Data category	Typical examples	Standard retention period
Identity & Contact Data	Name, e‑mail, phone, address	90 days after last interaction
Academic & Career Data	Marksheets, NEET scorecard, CV	90 days after last interaction
Government‑ID & Travel Data	Passport, PAN/Aadhaar, visa scans	90 days after last interaction
Financial Data	Card/bank identifiers, invoices, receipts	90 days after last interaction (Note: Invoices may be kept longer if required by Indian tax law; if that occurs, they are stored offline and encrypted.)
Marketing Preferences	Opt‑in/opt‑out records	90 days after opt‑out or last interaction
Technical & Usage Data	IP address, device info, cookie IDs	90 days from collection

Criteria used to set retention periods

• Service necessity: We keep information while actively counselling you and up to 90 days afterwards to accommodate follow‑up queries or re‑engagement.

• Legal compliance: If specific data (e.g., invoices) must be retained beyond 90 days to satisfy statutory obligations, we do so securely and delete it once the obligation expires.

• Dispute resolution: Data needed to establish or defend legal claims may be preserved until the claim is resolved.

When the retention period expires, we either permanently delete the data or irreversibly anonymise it so that it can no longer be linked to an individual.

12. Data Security Measures

We apply a layered security programme combining technical, physical, and organisational controls designed to protect Personal Data against unauthorised access, alteration, disclosure, or destruction.

12.1 Technical controls

• TLS 1.3 encryption – All data in transit between your browser and our servers is secured with 256‑bit SSL/TLS certificates issued by Let’s Encrypt or DigiCert.

• Encryption at rest – Databases and file‑store volumes are encrypted using AWS KMS AES‑256. Back‑ups inherit the same encryption.

• Access control & least privilege – Production systems reside in VPCs with strict security‑group rules. IAM roles enforce the principle of least privilege and all administrator actions require MFA.

• Logging & monitoring – AWS CloudTrail, GuardDuty, and CloudWatch capture security‑related events. Suspicious activity triggers real‑time alerts to our security dashboard (Grafana/Loki).

• Regular vulnerability scans – We run quarterly AWS Inspector scans and external OWASP Top‑10 penetration tests; critical findings are patched within 72 hours.

12.2 Organisational controls

• Staff training – All employees undergo annual security and privacy awareness training, including phishing simulations and GDPR/DPDP compliance modules.

• Background checks – Before onboarding, we verify education counsellors and developers through ID and reference checks.

• Access reviews – User‑access rights are reviewed every 90 days or upon role change; dormant accounts are disabled after 30 days of inactivity.

• Confidentiality agreements – Every staff member and contractor signs an NDA covering Personal‑Data handling and continues to be bound post‑employment.

12.3 Physical & network security

• ISO 27001‑certified data centres – Our AWS Mumbai region data centres implement 24 × 7 on‑site security, CCTV, biometric access, and redundant power.

• Firewalls & WAF – AWS Shield Standard and Cloudflare Enterprise WAF mitigate DDoS attacks and block malicious traffic patterns.

• Secure development lifecycle (SDLC) – Code changes are peer‑reviewed, scanned for vulnerabilities (Snyk), and deployed via CI/CD pipelines with automated tests.

12.4 Incident response & breach notification

• We maintain a documented Incident Response Plan with defined roles, a severity‑matrix, and a 24‑hour on‑call team.

• If a data breach is likely to result in risk to individuals’ rights and freedoms, we will notify the affected users and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR and DPDP rules.

12.5 Data deletion & disposal

• Personal‑Data files scheduled for deletion (see Section 11) are securely wiped using NIST SP 800‑88 standards or cryptographic erase.

• Paper documents are shredded on‑site using cross‑cut shredders and disposed of via certified recycling vendors.