Comprehensive GDPR & DPDP Act Compliance Framework
Effective Date: September 24, 2025
Last Updated: September 24, 2025
Version: 3.0 (Dual Jurisdiction Compliance)
Dual Data Protection Framework
TWIITR India Intelligence, operated by Upskills Learning Council (UL Council), is committed to protecting your personal data under both the European Union General Data Protection Regulation (EU GDPR 2016/679) and India’s Digital Personal Data Protection Act, 2023 (DPDP Act) along with the Digital Personal Data Protection Rules, 2025 (DPDP Rules).
As your Data Controller (under GDPR) and Data Fiduciary (under DPDP Act), we recognize your rights as a Data Subject (GDPR) and Data Principal (DPDP Act). This comprehensive privacy policy ensures transparent, lawful processing of your personal data regardless of your geographical location, providing appropriate protections based on applicable jurisdiction.
This policy applies to all users of our business intelligence platform at Twiitr.in, with specific provisions activated based on your residency, location, or the legal framework governing your data processing. We process personal data to deliver premium market research, analytics services, educational content, and strategic consulting while maintaining the highest international data protection standards.
Data Controller & Fiduciary Information
Legal Entity Details
Company Name: Upskills Learning Council (UL Council)
Platform: TWIITR India Intelligence
Division: Teraworld Intelligence Institute for Technology & Research
Registered Address: [Company Registered Address]
Website: https://twiitr.in
GDPR Compliance Contacts
EU Data Controller: Upskills Learning Council
EU Representative: M K Sharma
EU Representative Email: eu-representative@twiitr.in
EU Representative Phone: +917823036365
DPDP Act Compliance Contacts
Data Fiduciary: Upskills Learning Council (UL Council)
Data Protection Officer: V C Sharma
DPO Email: dpo@twiitr.in
Grievance Redressal Officer: grievances@twiitr.in
Universal Contact Information
Privacy Inquiries: privacy@twiitr.in
Data Requests: datarequests@twiitr.in
Customer Support: support@twiitr.in
Legal Compliance: legal@twiitr.in
Business Registrations: Companies Act 2013, GDPR Registration, DPDP Act Registration, EU-India Cross-Border Processing Authorization
Personal Data Collection Methods
Direct Collection with Consent
We collect personal data directly through account registration, subscription forms, consultation requests, newsletter signups, webinar registrations, and customer support interactions. Collection methods comply with both GDPR Article 7 consent requirements (free, specific, informed, unambiguous) and DPDP Act Section 7 consent standards (free, specific, informed, unconditional, unambiguous with clear affirmative action).
Personal Identification Data
Data Categories: Full name, email address, mobile/phone number, professional designation, company name, industry sector, business address, government ID verification (for premium services)
GDPR Basis: Consent (Article 6(1)(a)), Contract performance (Article 6(1)(b))
DPDP Basis: Explicit consent (Section 7), Voluntary disclosure (Section 7(2))
Professional & Business Intelligence Data
Data Categories: Industry experience, business interests, research preferences, market focus areas, educational qualifications, consulting requirements, professional networking information
GDPR Basis: Legitimate interests (Article 6(1)(f)), Consent (Article 6(1)(a))
DPDP Basis: Consent for personalized services, Legitimate use for service delivery
Technical & Usage Data
Data Categories: IP addresses, browser information, device identifiers, session tokens, website navigation patterns, content engagement metrics, search queries, download history, feature usage statistics
GDPR Basis: Legitimate interests (Article 6(1)(f)) for security and optimization
DPDP Basis: Legitimate use under Section 8 for security and fraud prevention
Communication Data
Data Categories: Email correspondence, chat transcripts, support tickets, phone call recordings (with consent), feedback submissions, consultation notes
GDPR Basis: Contract performance (Article 6(1)(b)), Consent for recordings (Article 6(1)(a))
DPDP Basis: Consent for communication processing, Service delivery necessity
Financial & Payment Data
Data Categories: Billing information, payment method details, transaction history, billing addresses, tax information (GST, VAT), financial compliance data
GDPR Basis: Contract performance (Article 6(1)(b)), Legal obligation (Article 6(1)(c))
DPDP Basis: Legitimate use for payment processing and tax compliance
Legal Basis for Processing
GDPR Legal Bases (Article 6)
Consent (Article 6(1)(a))
For marketing communications, optional cookies, newsletter subscriptions, and non-essential data processing. Consent is freely given, specific, informed, and unambiguous. You can withdraw consent at any time without affecting service provision.
Contract Performance (Article 6(1)(b))
Processing necessary for subscription services, consulting agreements, payment processing, account management, and service delivery obligations under our terms of service.
Legitimate Interests (Article 6(1)(f))
For platform security, fraud prevention, business intelligence service optimization, customer support improvement, and internal business analytics. We conduct balancing tests ensuring our interests don’t override your rights and freedoms.
Legal Obligation (Article 6(1)(c))
Compliance with EU laws, court orders, tax reporting, financial regulations, and regulatory requirements under applicable EU member state legislation.
Public Task (Article 6(1)(e))
Research and educational content development serving public interest, contribution to industry knowledge, and educational resource creation benefiting the professional community.
Vital Interests (Article 6(1)(d))
Emergency situations, security threat response, and circumstances requiring immediate action to protect life, health, or safety of individuals.
DPDP Act Legal Bases
Explicit Consent (Section 7)
Primary basis for digital personal data processing with free, specific, informed, unconditional, and unambiguous consent with clear affirmative action. Consent requests include detailed information about processing purposes and Data Principal rights.
Voluntary Disclosure (Section 7(2))
Where you voluntarily provide personal data without indicating non-consent (contact forms, business inquiries) for evident purposes, ensuring no objection was expressed to such processing.
Legitimate Uses (Section 8)
- Compliance with Indian laws and court orders
- Performance of governmental functions and regulatory compliance
- Prevention and detection of fraud and security threats
- Employment-related processing for our organization
- Medical emergencies and public health requirements
- Credit scoring and financial risk assessment where applicable
Data Processing Purposes
Business Intelligence Service Delivery
Purpose: Personalized market research, industry analysis, competitive intelligence, strategic recommendations, content customization
GDPR Basis: Contract performance, Legitimate interests
DPDP Basis: Consent for personalization, Service delivery necessity
Platform Security & Fraud Prevention
Purpose: Security monitoring, unauthorized access prevention, fraud detection, spam filtering, threat analysis, incident response
GDPR Basis: Legitimate interests (security)
DPDP Basis: Legitimate use (Section 8 – fraud prevention)
Customer Support & Communication
Purpose: Account assistance, technical support, inquiry resolution, service notifications, relationship management
GDPR Basis: Contract performance, Legitimate interests
DPDP Basis: Service delivery, Communication consent
Marketing & Business Development
Purpose: Targeted communications, event invitations, newsletter delivery, promotional content, business networking
GDPR Basis: Consent (marketing), Legitimate interests (existing customer communications)
DPDP Basis: Explicit marketing consent, Preference management
Research & Analytics
Purpose: Service improvement, market research, educational content development, industry trend analysis
GDPR Basis: Legitimate interests, Public task (research)
DPDP Basis: Anonymized data processing, Research consent where applicable
Third-Party Data Sharing
GDPR Data Processor Arrangements (Article 28)
We engage Data Processors under written contracts specifying processing instructions, security measures, breach notification procedures, and deletion obligations:
- Cloud Infrastructure: AWS Europe, Google Cloud EU, Microsoft Azure EU
- Payment Processing: Stripe Europe, PayPal Europe (PCI DSS compliant)
- Email Services: SendGrid, Mailchimp (EU data residency)
- Customer Support: Zendesk, Freshdesk (EU servers)
- Analytics: Google Analytics (with data retention controls and EU user consent)
DPDP Act Data Processor Compliance (Section 9)
Indian Data Processors operate under strict contractual obligations ensuring DPDP Act compliance:
- Cloud Infrastructure: AWS India, Google Cloud India, Azure India
- Payment Processing: Razorpay, PayU, Paytm (Indian banking compliance)
- Communication Tools: Indian email services with data localization
- Support Systems: Indian customer support platforms with data residency
International Business Partners
GDPR Compliance: Adequacy decision countries, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs)
DPDP Compliance: Government-approved country list, authorized international transfer mechanisms
Government & Regulatory Disclosures
EU Disclosures: EU member state authorities, court orders, regulatory requests under applicable EU law
Indian Disclosures: Data Protection Board of India, government authorities, law enforcement as mandated by Indian law
Cross-Border Data Transfers
GDPR Transfer Mechanisms (Chapter V)
Adequacy Decisions (Article 45)
We transfer personal data to countries with EU Commission adequacy decisions including UK, Switzerland, Japan, South Korea, and other approved jurisdictions ensuring essentially equivalent protection levels.
Standard Contractual Clauses (Article 46)
For transfers to countries without adequacy decisions, we implement EU Commission-approved Standard Contractual Clauses (SCCs) with additional safeguards including encryption, access controls, and breach notification procedures.
Binding Corporate Rules (Article 47)
Where applicable, we utilize Binding Corporate Rules for intra-group transfers ensuring consistent data protection standards across our international operations.
Derogations (Article 49)
Limited transfers based on specific derogations including explicit consent, contract performance, public interest, vital interests, or legitimate interests with appropriate safeguards and impact assessments.
DPDP Act Transfer Framework (Section 16)
Approved Country Transfers
Cross-border transfers are permitted only to countries and territories notified by the Indian Central Government as providing adequate protection. We maintain updated approved country lists and restrict transfers to non-approved jurisdictions.
Restricted Country Compliance
We prohibit transfers to countries included in the negative list notified by the Indian government, ensuring Indian users’ data remains within approved jurisdictions or India.
Data Localization
Critical personal data categories (as notified by government) remain processed and stored within Indian boundaries, with regular audits ensuring localization compliance.
Individual Rights Framework
GDPR Data Subject Rights (Chapter III)
Right to Information (Article 13-14)
Transparent information about processing purposes, legal basis, recipients, retention periods, and your rights provided at data collection or within one month of indirect collection.
Right of Access (Article 15)
Obtain confirmation of processing, access to personal data, and supplementary information including processing purposes, categories, recipients, retention periods, and rights exercise options.
Right to Rectification (Article 16)
Request correction of inaccurate personal data and completion of incomplete data. We respond within one month and notify relevant recipients where technically feasible.
Right to Erasure (Article 17)
Request deletion when data is no longer necessary, consent is withdrawn, processing is unlawful, or erasure is required for legal compliance. Balanced against freedom of expression and legitimate interests.
Right to Restrict Processing (Article 18)
Request processing restriction when accuracy is contested, processing is unlawful but deletion is opposed, data is no longer needed but required for legal claims, or objection is pending.
Right to Data Portability (Article 20)
Receive personal data in structured, machine-readable format and transmit to another controller for data processed based on consent or contract with automated means.
Right to Object (Article 21)
Object to processing based on legitimate interests or public task, including profiling. We cease processing unless compelling legitimate grounds override your interests, rights, and freedoms.
Rights Related to Automated Decision-Making (Article 22)
Not subject to solely automated decision-making with legal/significant effects. Right to human intervention, express views, and contest automated decisions where applicable.
DPDP Act Data Principal Rights (Chapter III)
Right to Information (Section 11)
Obtain information about personal data processing including categories, purposes, Data Processors, retention periods, cross-border transfers, and grievance redressal procedures.
Right to Correction and Completion (Section 12)
Request correction of inaccurate personal data and completion of incomplete data with reasonable response times as specified in DPDP Rules.
Right to Data Portability (Section 13)
Receive personal data in structured, commonly used, machine-readable format and transmit to another Data Fiduciary, subject to technical feasibility.
Right to Erasure (Section 14)
Request deletion when consent is withdrawn, processing purpose is fulfilled, or data is no longer necessary, with 48 hours advance notice before deletion.
Grievance Redressal Right (Section 15)
File grievances regarding data processing with our internal mechanism and escalate to Data Protection Board of India if unsatisfied.
Data Retention Periods
GDPR Retention Principles (Article 5(1)(e))
Personal data is retained only as long as necessary for processing purposes, with regular review and deletion procedures:
- Account Data: Duration of relationship plus 3 years for legitimate business purposes
- Marketing Data: Until consent withdrawal plus statutory limitation periods
- Financial Records: 7 years for tax and accounting obligations
- Communication Records: 5 years for customer relationship management
DPDP Act Retention Limits
Maximum retention of 3 years from last interaction with Data Principal unless specific legal obligations require longer periods:
- Active Subscriptions: Service delivery duration plus maximum 3 years
- Financial Compliance: Extended retention for tax and regulatory requirements
- Security Logs: 1 year as specified in DPDP Rules
- Grievance Records: Resolution plus applicable limitation periods
Deletion Procedures
GDPR: Secure deletion using industry standards with processor notification
DPDP: 48 hours advance notice with cryptographic deletion and audit trails
Security Safeguards
GDPR Security Measures (Article 32)
Technical and organizational measures ensuring appropriate security levels:
- Encryption: End-to-end encryption, data at rest protection, cryptographic controls
- Access Controls: Role-based permissions, multi-factor authentication, access logging
- Incident Response: Breach detection, containment procedures, impact assessments
- Staff Training: Regular privacy training, confidentiality agreements, security awareness
DPDP Act Security Framework (Section 10)
Comprehensive safeguards including:
- Data Protection: Encryption, obfuscation, data masking, virtual tokenization
- Access Management: Access controls, logging, monitoring, unauthorized access detection
- Audit Capabilities: Investigation tools, forensic analysis, compliance verification
- Breach Response: Detection systems, notification procedures, remediation protocols
International Security Standards
- ISO 27001: Information security management certification
- SOC 2: Service organization control compliance
- Privacy Shield: Where applicable for US transfers
- Cyber Security Framework: NIST compliance for technical controls
Breach Notification Procedures
GDPR Breach Response (Articles 33-34)
Supervisory Authority Notification: Within 72 hours of awareness to relevant EU supervisory authority with breach details, affected individuals, consequences, and remedial measures.
Individual Notification: Risk-based notification to affected individuals when breach likely results in high risk to rights and freedoms, with clear communication about nature, consequences, and protective measures.
DPDP Act Breach Framework
Data Protection Board Notification: Within 72 hours regardless of breach severity to Data Protection Board of India with comprehensive incident details.
Data Principal Notification: All affected Data Principals notified regardless of risk level with incident details, potential consequences, and remedial actions taken.
Children’s Data Protection
GDPR Age Provisions (Article 8)
Age Threshold: 16 years for information society services, with member state variations allowing 13-16 years
Parental Consent: Verifiable parental consent for children below applicable age threshold
Verification Methods: Reasonable efforts considering available technology and processing costs
DPDP Act Children Framework (Section 9)
Age Threshold: 18 years for all digital services in India
Parental Consent: Verifiable parental consent through digital locker, existing information, or authorized verification entities
Prohibited Processing: No tracking, behavioral monitoring, or targeted advertising without Central Government permission
Supervisory Authorities & Complaints
GDPR Supervisory Authority Contacts
Lead Supervisory Authority: [Irish Data Protection Commission – if applicable]
Website: https://gdpr.eu/supervisory-authorities/
EU Complaint Portal: https://edpb.europa.eu/about-edpb/board/members_en
Country-Specific Authorities
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
- France: Commission Nationale de l’Informatique et des Libertés (CNIL)
- UK: Information Commissioner’s Office (ICO)
- Netherlands: Autoriteit Persoonsgegevens (AP)
DPDP Act Complaint Mechanism
Data Protection Board of India: [To be operational]
Online Portal: [DPB complaint portal when available]
Grievance Process: Internal resolution followed by Board escalation with case tracking
Cookie Management Framework
GDPR Cookie Compliance
Consent Requirements: Clear, affirmative action for non-essential cookies with withdrawal options
Cookie Categories: Essential (no consent), Functional (consent), Analytics (consent), Marketing (explicit consent)
Granular Control: Separate consent for different cookie purposes with easy withdrawal
DPDP Act Cookie Framework
Digital Personal Data: Cookies containing personal data subject to consent requirements
Essential Processing: Technical cookies for platform functionality without consent
Marketing Cookies: Explicit consent with clear purpose explanation and withdrawal mechanisms
Cookie Management Interface
Comprehensive cookie preference center allowing granular control over:
- Essential cookies (always active)
- Functional cookies (user preference)
- Analytics cookies (performance improvement)
- Marketing cookies (personalized advertising)
- Third-party integrations (social media, payment processors)
Language Accessibility
GDPR Language Requirements
Privacy information provided in clear, plain language in official EU languages where we offer services, ensuring accessibility and understanding for all EU residents.
DPDP Act Language Framework
Privacy notices available in English and any of the 22 languages listed in the 8th Schedule of the Indian Constitution, ensuring linguistic accessibility for Indian users.
Translation Services
Request privacy policy translations through privacy@twiitr.in with professional translation services ensuring legal accuracy and cultural appropriateness.
Contact Information & Resolution
GDPR Contact Framework
EU Data Controller: Upskills Learning Council
EU Representative: M K Sharma
EU Representative Email: eu-representative@twiitr.in
Privacy Officer: privacy@twiitr.in
Data Requests: datarequests@twiitr.in
DPDP Act Contact Framework
Data Fiduciary: Upskills Learning Council (UL Council)
Grievance Redressal Officer: M K Sharma
Grievance Email: grievances@twiitr.in
DPO Contact: dpo@twiitr.in
Response Time: 72 hours acknowledgment, 30 days resolution
Universal Support Channels
General Privacy: privacy@twiitr.in
Account Support: support@twiitr.in
Legal Compliance: legal@twiitr.in
Business Hours: Monday-Friday, 9:00 AM – 6:00 PM (IST/CET)
Policy Updates & Compliance Monitoring
Update Notification Framework
Material Changes: 30 days advance notice via email and platform announcements
Legal Updates: Immediate implementation for regulatory compliance with user notification
Review Schedule: Quarterly policy review with annual compliance audit
Compliance Documentation
GDPR Compliance: Records of processing activities (Article 30), DPIA documentation, transfer impact assessments
DPDP Compliance: Processing records, consent management logs, breach notification documentation
Audit Trail: Regular compliance monitoring with external audit capabilities
Document Control
Version: 3.0 (Dual Jurisdiction Compliance)
Next Review: December 2025
Compliance Standards: GDPR, DPDP Act 2023, ISO 27001, SOC 2
Legal Validation: Reviewed by EU and Indian privacy law specialists
This comprehensive Privacy Policy ensures full compliance with both GDPR and DPDP Act requirements, providing appropriate protection regardless of your jurisdiction. For specific questions about your rights or our data processing activities, contact the appropriate regional representative listed above.

