Privacy Policy
This Privacy Policy explains how BigBeeSec, a unit of Geethanjali Technologies ("BigBeeSec", "we", "us", "our"), collects, uses, shares, and protects personal data when you use www.bigbeesec.com and related services (the "Platform"). It is written to comply with the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Information Technology Act, 2000 and its rules, and to address the rights of users in other jurisdictions, including the EU and UK General Data Protection Regulation (see the GDPR Addendum) and the California Consumer Privacy Act (see the CCPA and CPRA Addendum).
1. Who we are
BigBeeSec is a cybersecurity education platform offered to college students and enthusiasts through verified institutional partnerships. The data fiduciary responsible for your personal data is Geethanjali Technologies, with registered office at Hyderabad, India (full registered address available on request), CIN available on request, GSTIN available on request. For privacy questions, contact our Grievance Officer using the details in section 13 and in the Grievance Officer Notice.
2. Scope
This policy applies to visitors, registered students, instructors, institution contacts, and other users of the Platform. Where an educational institution enrolls its students, that institution may act as a separate data fiduciary for the student records it manages. In those cases the institution's own privacy notice also applies, and the Data Processing Agreement governs the relationship between the institution and BigBeeSec.
3. The personal data we collect
We collect only what we need to operate the Platform.
3.1 Data you provide.
- Account and identity: name, institutional email address, optional phone number, department, batch year, and profile photo.
- Verification: institutional email and, where an institution requires it, identity proof documents you upload.
- Communications: the contents of contact forms, support tickets, testimonials, blog comments, and resume content you create.
- Consent records: the legal documents you accept, with the timestamp and the IP address at the time of acceptance.
3.2 Data we collect automatically.
- Technical data: IP address, browser and device type, operating system, and pages visited, used for security, abuse prevention, and aggregate analytics.
- Cookies and similar technologies: see the Cookie Policy. We use strictly necessary cookies for authentication and security, and limited functional cookies for theme and session preferences.
3.3 Data we do not seek. We do not intentionally collect special category or sensitive personal data beyond identity proof documents required for verification. Please do not submit health, biometric, financial account, or other sensitive data in free-text fields.
4. Children and students
The Platform is intended for users who are college students or older and are accessed through an institution. If you are below the age of 18, you may use the Platform only with verifiable consent from a parent or lawful guardian, as required by the DPDP Act. We do not knowingly profile children or serve them targeted advertising. If we learn that we have collected a child's data without the required consent, we will delete it.
5. How we use your data and the legal basis
| Purpose | Personal data used | Legal basis under the DPDP Act |
|---|---|---|
| Create and manage your account | Identity, verification | Performance of the service you requested |
| Verify institutional eligibility | Institutional email, identity proof | Legitimate use for the requested service |
| Send transactional email and OTP | Email, phone | Performance of the service |
| Provide support | Ticket and contact contents | Performance of the service |
| Protect the Platform from abuse and fraud | Technical data, consent records | Legal obligation and legitimate use |
| Improve the Platform with aggregate analytics | Technical data | Consent, where required |
| Comply with law and respond to lawful requests | As relevant | Legal obligation |
We rely on your consent where the law requires it, and you may withdraw consent at any time as described in section 9. Withdrawing consent does not affect processing already carried out, and it may limit your ability to use parts of the Platform.
6. How we share data
We do not sell personal data. We share it only as follows.
- With your institution, for the student records it administers.
- With data processors who act on our written instructions, such as email delivery, SMS OTP delivery, and hosting providers. A current list appears in the Data Processing Agreement and Sub-processors document.
- With professional advisers, auditors, and authorities where required by law or to protect our rights.
- In a merger, acquisition, or asset sale, subject to this policy and applicable law.
All processors are bound by contract to protect personal data and to process it only for the purposes we specify.
7. International transfers
We operate from India. Where personal data is processed outside India by a sub-processor, we transfer it only to jurisdictions not restricted by the Central Government under the DPDP Act, and under contractual protections appropriate to the data. For EU, UK, and California users, see the respective addenda for additional transfer safeguards.
8. Security
We apply technical and organisational measures appropriate to a security-focused service, including encryption in transit, hashed passwords (bcrypt), field-level encryption for uploaded identity documents, access on a least-privilege basis, rate limiting, activity logging, and authenticated, time-limited access to sensitive documents. No method of transmission or storage is perfectly secure. If a personal data breach occurs that is likely to affect you, we will notify you and the Data Protection Board of India as required by the DPDP Act.
9. Your rights
Subject to the DPDP Act, you have the right to:
- access a summary of the personal data we process about you and the processing activities;
- request correction, completion, or updating of inaccurate or incomplete data;
- request erasure of personal data that is no longer necessary for the purpose it was collected;
- nominate another person to exercise your rights in the event of death or incapacity;
- withdraw consent where processing is based on consent; and
- grievance redressal through our Grievance Officer, and escalation to the Data Protection Board of India.
To exercise any right, contact the Grievance Officer in section 13. We will respond within the timelines set by law. We may need to verify your identity before acting. Users in other jurisdictions may have additional rights described in the relevant addenda.
10. Data retention
We keep personal data only as long as necessary for the purposes in this policy or as required by law. Specific periods are set out in the Data Retention Policy. When data is no longer needed, we delete or irreversibly anonymise it.
11. Automated decision-making
We do not make decisions producing legal or similarly significant effects about you solely by automated means without human involvement.
12. Changes to this policy
We may update this policy. We will post the updated version with a new "Last updated" date and, for material changes, provide a prominent notice or email. Continued use after the effective date constitutes acknowledgement of the change to the extent permitted by law.
13. Contact and grievance redressal
Grievance Officer: Grievance Officer, BigBeeSec Email: grievance@bigbeesec.com Postal address: Hyderabad, India (full registered address available on request) For general privacy questions: privacy@bigbeesec.com
We will acknowledge grievances within the period required by the IT Rules and resolve them within the statutory timeline. See the Grievance Officer Notice for details.