Privacy Policy

This Policy applies to personal data processed by CampX through:

• Website: campx.in and all sub-domains owned and operated by CampX, including blogs, landing pages, marketing micro-sites, and product pages.
• Platform:the cloud-hosted CampX software-as-a-service platform used by higher-education institutions for admissions, learning, examinations, fees, hostel, transport, HR & payroll, alumni engagement, and related campus operations.
• Mobile Applications: the CampX Student app, CampX Faculty app, and any other CampX-branded mobile applications distributed through the Google Play Store, Apple App Store, or institutional MDM channels.

This Policy does not apply to third-party websites, applications, or services that may be linked from our Services. Such third parties operate under their own privacy notices, and we encourage you to review them.

Under the DPDP Act, CampX may act as a Data Fiduciary or as a Data Processor depending on the context of processing:

• Where we act as a Data Fiduciary: when you visit our website, request a demo, subscribe to marketing communications, apply for employment, or otherwise interact with us directly, CampX determines the purpose and means of processing and is the Data Fiduciary.
• Where we act as a Data Processor:when an educational institution (the “Institution”) onboards onto the CampX Platform and uploads or causes the upload of personal data of its applicants, students, parents/guardians, faculty, staff, or other constituents, the Institution is the Data Fiduciary and CampX processes such personal data on its instructions and pursuant to a written contract. In such cases, the Institution’s privacy notice will primarily govern that processing, and any rights you wish to exercise should first be directed to the Institution.

Capitalised terms used in this Policy have the meanings ascribed to them in the DPDP Act unless otherwise defined here. For convenience:

• “Personal Data” means any data about an individual who is identifiable by, or in relation to, such data.
• “Sensitive Personal Data or Information” (SPDI) means data of the categories specified under Rule 3 of the SPDI Rules, including financial information, health information, and biometric information.
• “Data Principal” means the individual to whom the Personal Data relates; where the individual is a Child or a person with disability with a lawful guardian, it includes the parent or lawful guardian.
• “Child” means an individual who has not completed eighteen (18) years of age.
• “Processing” means a wholly or partly automated operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, sharing, alteration, and erasure.

The categories of Personal Data we collect depend on how you interact with us:

5.1 Information you provide to us

• Identity and contact data: name, designation, institution, work email, phone number, postal address, and country.
• Account credentials: user ID, password (stored in salted-hashed form), multi-factor authentication tokens, and security question responses.
• Demo / sales enquiry data: information you submit through demo requests, contact forms, downloadable resource gates, event registrations, or chat widgets.
• Recruitment data: CV/résumé, cover letter, prior work history, qualifications, and other information voluntarily submitted in response to a job posting.

5.2 Information processed on behalf of an Institution

When you use the Platform as a student, applicant, parent/guardian, faculty member, or staff member of a partner Institution, we process the following categories of Personal Data on the Institution’s instructions:

• Applicant and admissions data: name, date of birth, gender, photograph, contact details, parent/guardian details, prior academic records, entrance test scores, ID proofs, application forms, and supporting documents uploaded to the admissions module.
• Academic and learning data: enrolment number, programme, course, batch, attendance, internal assessment marks, examination results, GPA/CGPA, learning-management activity, assignment submissions, and academic correspondence.
• Examination data: hall-ticket data, seating arrangements, evaluator allocations, internal/practical/semester-exam marks, and re-evaluation requests.
• Financial data: fee schedules, fee receipts, transaction references, payment status, scholarship records, and refund details. Card numbers, CVVs, and net-banking credentials are never stored by CampX; payments are processed through PCI-DSS-compliant payment-gateway sub-processors.
• Hostel and transport data: room/bed allocation, hostel-attendance, mess preferences, route allocation, and pick-up/drop-off points.
• HR & payroll data (where the Institution uses these modules): employee records, salary structure, statutory identifiers (PAN, UAN, ESIC), leave balances, and payroll outputs.
• Communications data: notifications, in-app messages, email and SMS logs, and support tickets raised through the Platform.

5.3 Information collected automatically

• Device and technical data: IP address, device identifier, advertising ID (where exposed by the OS), operating system, browser type, app version, language preference, and crash logs.
• Usage data: pages viewed, features used, click-stream, session duration, and referring URL, captured through first-party and third-party analytics technologies.
• Cookies and similar technologies: see Section 9 below.
• Location data: approximate location derived from IP address; precise GPS location is processed only where you grant explicit permission within the mobile applications (for example, for hostel attendance, transport tracking, or proctored assessments).

We process Personal Data only for the lawful purposes described below, and only to the extent necessary for such purposes:

• Service delivery: to provide, operate, maintain, and improve the Services; to authenticate users; to enable the features ordered by an Institution; and to process transactions you initiate.
• Customer support: to respond to enquiries, troubleshoot issues, manage support tickets, and provide training and onboarding assistance.
• Sales and marketing (own data only): to respond to demo requests; to send service announcements; and, with your consent, to send promotional communications about CampX products and events. You may withdraw consent at any time as described in Section 12.
• Analytics and product improvement: to understand usage patterns, measure performance, conduct A/B tests, fix defects, and develop new features.
• Security and fraud prevention: to detect, prevent, and respond to security incidents, malicious activity, and abuse of the Services.
• Legal and regulatory compliance: to comply with applicable laws, including responding to lawful requests from public authorities, regulators, and courts, and to enforce our terms.
• Recruitment: to evaluate candidates and manage the hiring process.

We process Personal Data on the basis of your consent, or where another lawful ground is available under the DPDP Act (such as performance of a contract, compliance with law, or a legitimate use specified in the Act). For SPDI under the SPDI Rules, we obtain prior written/electronic consent before collection.

CampX recognises that some applicants and students using the Platform may be Children. In accordance with Section 9 of the DPDP Act, we do not knowingly process the Personal Data of any Child without obtaining verifiable consent of the parent or lawful guardian before such processing.

• We do not undertake tracking, behavioural monitoring, or targeted advertising directed at Children.
• Where the Platform is used by a Child as part of an Institution's admissions or academic workflow, the Institution is responsible for obtaining the requisite parental consent and for furnishing such consent records to CampX upon request.
• If we become aware that we have inadvertently collected Personal Data of a Child without verifiable parental consent, we will erase such data without undue delay.

Parents and lawful guardians may exercise rights on behalf of a Child by writing to our Grievance Officer at srikanth@campx.in.

We do not sell Personal Data. We disclose Personal Data only to the categories of recipients listed below, and only as necessary for the purposes set out in Section 6:

8.1 Sub-processors

• Cloud hosting and infrastructure: Amazon Web Services, Microsoft Azure, and/or Google Cloud Platform, located in India and other regions, for hosting, storage, content delivery, backups, and disaster recovery.
• Payment gateways: PCI-DSS-compliant payment processors such as Razorpay, Cashfree, and similar partners engaged by an Institution, for the secure collection of fees and other payments. Card numbers, CVVs, and bank credentials are processed and stored solely by these payment processors and are never persisted on CampX systems.
• Communications and notifications: transactional SMS, email, voice, and WhatsApp Business API providers (such as MSG91, Twilio, AWS SES, and equivalent providers) for OTPs, alerts, notifications, and Institution-led communications.

8.2 Other recipients

• Affiliates and group entities for shared back-office, security, and support operations under contractual confidentiality obligations.
• Professional advisors (legal, accounting, audit, insurance) bound by professional duties of confidentiality.
• Authorities and courts when disclosure is required by applicable law, lawful order, or to protect the rights, property, or safety of CampX, our users, or the public.
• Parties to a corporate transaction such as a merger, acquisition, financing, or sale of assets, in which case the recipient will be bound to honour this Policy.

All sub-processors are engaged under written contracts that impose confidentiality obligations and require them to implement reasonable security practices consistent with this Policy and the SPDI Rules. A current list of material sub-processor categories is set out in Annexure A to this Policy.

Our website and Platform use cookies and similar technologies to operate, secure, analyse, and improve the Services. We classify cookies as follows:

• Strictly necessary: required for authentication, session management, load-balancing, and security. These cannot be disabled without breaking core functionality.
• Functional: used to remember preferences such as language, region, and display settings.
• Analytics: used to understand aggregated usage patterns and improve performance.
• Marketing (website only, with consent): used to measure the effectiveness of marketing campaigns and serve relevant content.

Where required by law, we present a cookie banner that allows you to accept, reject, or manage non-essential cookies. You can also control cookies through your browser settings; disabling certain cookies may affect functionality.

Personal Data processed by CampX is primarily stored on data-centre regions located in India. To deliver the Services, we may transfer Personal Data to other countries where our sub-processors operate. Any such transfer is undertaken only in accordance with the DPDP Act, including any restrictions notified by the Central Government under Section 16, and is supported by contractual safeguards consistent with the SPDI Rules and applicable Indian law.

We retain Personal Data only for as long as it is necessary for the purposes for which it was collected, or for any longer period required or permitted under applicable law (including statutory record-keeping obligations under tax, labour, education-regulator, and corporate laws).

• Website enquiry data: retained for up to twenty-four (24) months from last interaction unless converted into a customer account.
• Customer-account and Platform data: retained for the duration of the agreement with the Institution and thereafter as set out in such agreement, plus a reasonable wind-down period for backups and archival.
• Financial and statutory records: retained for the period prescribed under applicable tax and corporate laws, typically eight (8) years.
• Children’s data: erased without undue delay once consent is withdrawn or the purpose is exhausted, subject to any over-riding legal obligation.

Upon termination or expiry of an Institution’s subscription, we will, on written instruction, return or securely erase all Personal Data within the timelines set out in the relevant data-processing addendum.

Subject to verification of identity and to applicable law, you may exercise the following rights in respect of your Personal Data:

• Right to access information about Personal Data being processed, the processing activities, and the identities of other Data Fiduciaries and Data Processors with whom such Personal Data has been shared (DPDP Act § 11).
• Right to correction and erasure of inaccurate, incomplete, or no-longer-necessary Personal Data (DPDP Act § 12).
• Right of grievance redressal by approaching our Grievance Officer (DPDP Act § 13).
• Right to nominate another individual to exercise rights in the event of death or incapacity (DPDP Act § 14).
• Right to withdraw consent at any time, with effect prospectively. Withdrawal will not affect the lawfulness of processing carried out before withdrawal (DPDP Act § 6(4)–6(6)).

Where CampX acts as a Data Processor for an Institution, please direct your request to the Institution’s designated grievance officer. We will support the Institution in fulfilling such requests in accordance with our contract.

CampX implements reasonable security practices and procedures within the meaning of the SPDI Rules, having regard to the nature of the Services and the sensitivity of the Personal Data processed. Our safeguards include:

• encryption of Personal Data in transit (TLS 1.2+) and at rest using industry-standard ciphers;
• role-based access controls, least-privilege principles, and multi-factor authentication for administrative access;
• network segmentation, web-application firewalls, intrusion detection, and continuous vulnerability scanning;
• secure software-development life-cycle practices, including code review, dependency scanning, and pre-production security testing;
• logging, monitoring, and incident-response processes aligned with recognised standards;
• background checks, confidentiality undertakings, and periodic privacy and security training for personnel.

In the event of a Personal Data breach that is likely to result in harm to Data Principals, CampX will notify the Data Protection Board of India, the affected Data Principals, and the relevant Institution, in the manner and within the timelines required under the DPDP Act and the Indian Computer Emergency Response Team (CERT-In) directions, as applicable.

Certain features of the Services may use artificial-intelligence or machine-learning models to assist Institutions in workflows such as application shortlisting, fee-defaulter prediction, examination evaluation support, or chat-based assistance. CampX does not use such models to make solely automated decisions that produce legal effects on Data Principals; final decisions in admissions, academic, and disciplinary matters are taken by the Institution. Where AI is used to process inputs you provide, we apply additional safeguards, including data-minimisation, output-review by authorised users, and the right to seek human review through the Institution.

We may update this Policy from time to time to reflect changes to the Services, our practices, or applicable law. The “Last Updated” date at the top of this Policy will indicate the date of the most recent revision. For material changes, we will provide reasonable advance notice through the Services or by email. Your continued use of the Services after the effective date of an update constitutes your acknowledgement of the revised Policy.

In accordance with Section 8(9) of the DPDP Act and Rule 5(9) of the SPDI Rules, the contact details of our designated Grievance Officer are set out below. The Grievance Officer will acknowledge any grievance within forty-eight (48) hours and endeavour to resolve it within fifteen (15) days from the date of receipt.

If your grievance is not resolved to your satisfaction by the Grievance Officer, you may approach the Data Protection Board of India in accordance with the procedures notified under the DPDP Act.

This Policy is governed by the laws of the Republic of India. Subject to any mandatory provisions of law, the courts at Hyderabad, Telangana shall have exclusive jurisdiction over any disputes arising out of or in connection with this Policy.