This policy aims to protect personal data of the various stakeholders connected to our organization. This policy is aimed at providing individuals notice of the basic principles by which the company processes the personal data of individuals (“Personal Data”) who visits, uses, deals with and/or transacts through the website and includes a guest user and browser (hereinafter ‘you’, ‘user’).
3. Purpose and Scope
The purpose of this policy is to describe how upGrad collects, uses, and shares information about you through our online interfaces (e.g., websites and mobile applications) owned and controlled by us, including but not limited to https://www.upgrad.com/ (hereinafter the "website"). This policy is also designed to provide information on how upGrad ensures data security, conducts data transfers and process requests from data subjects.
This policy control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees and other third parties who have access to Personal Data available within upGrad.
The company is also committed to ensure that its employees conduct themselves in line with this, and other related, policies. Where third parties process data on behalf of upGrad, the Company endeavours to obtain assurances from such third parties that your Personal Data will be safeguarded consistently.
4. Types of Personal Data collected
The Personal Data that we collect about you depends on the context of your interactions with us, the products, services and features that you use, your location, and the applicable laws.
Personal Data is stored in personnel files or within the electronic records (on servers in India or other countries) of upGrad. The following types of Personal Data may be held by the Company, as appropriate, on relevant individuals:
A. Personal Identification Data
B. Identification Data
C. Financial Data
D. Personal Characteristics
E. Contact Data
F. Education and Recruitment Data
G. Electronic Identification Data
I. User Generated Data
J. Marketing Data
K. Behavioural Data
We do not collect any payments information processed by third-party payment gateway providers.
5. Special Categories of Personal Data
Special Category of Personal Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade unions memberships, information about your health and genetic and biometric data.
We do not collect or process any special or sensitive Personal Data.
Should we specifically require “special” or “sensitive” Personal Data in connection with one or more of the uses described below, we will request your explicit consent to use the data in accordance with this policy and/or in the ways described at the point where you were asked to disclose the data.
Other legal basis for our processing of special category data may include, as permitted by applicable law, for scientific research, for employment, social security or social protection law, for reasons of substantial public interest, or as necessary for the establishment, exercise or defence of legal claims. If you voluntarily share with us or post/upload any “special” or “sensitive” Personal Data to this website for any other reason, you consent that we may use such data in accordance with applicable law and this policy. You can contact our DPO for more information about our processing of your Personal Data.
6. Sources of data collection
The data collected by the company is derived directly from the data provided by the user or by use of our sites.
Data Collected when You:
Data Collected from third parties
We receive Personal Data such as access or login details, profile picture or any other text / image in relation to your Personal Data which may be available with such third parties.
We also receive information about your visits to this platform and to other websites using pixel tags.
Third parties from whom we receive your Personal Data include, our service providers, other networks connected to our service, our advertising partners, our marketing and advertising affiliates, our educational partners, scholarship providers, analytics providers, recruiters and such other third-party sources.
Cookies are text files placed on your computer to collect standard Internet log information and visitor behaviour information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.
Furthermore, we may allow third-party advertising companies (such as Facebook, Google, Twitter, Quora and Bing) to place cookies on our website. These cookies enable such companies to track your activity across various sites where they display Ads and record your activities, so they can show Ads that they consider relevant to you as you browse the Internet. These cookies store information about the content you are browsing, together with an identifier linked to your device or IP address.
What types of cookies do we use?
There are a few different types of cookies, however, our website uses:
How to manage cookies?
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. Disabling some cookies form the website, may have a negative impact and may result in some non-availability of some features.
If you want to remove previously stored Cookies, you can manually delete the Cookies at any time. However, this will not prevent the Sites from placing further Cookies on your device unless and until you adjust your Internet browser setting as described above.
You can however obtain up-to-date information about blocking and deleting cookies via these links:
These opt-out mechanisms rely on cookies to remember your choices. If you delete your cookies, use another computer or device, or change browsers, you will need to repeat this process. In addition, opting out of interest-based ads will not opt you out of all ads, but rather only those ads that are personalized to your interests.
8. Data Analytics
We use Analytics tools and search information providers to measure how visitors interact with content on our website. We also use Facebook Custom Audiences to ask Facebook to show you ads that are customized based on your interaction with our websites or our Facebook applications and to measure how you interact with those ads. Additional information on how these services use such technologies can be found on Google’s website, Adobe’s website and Facebook’s website.
If you do not wish to have data relating to your visits to our websites collected through Google Analytics, you may opt-out by installing the Google Analytics opt-out browser add-on. You may opt-out of Facebook Custom Audiences by visiting Facebook’s opt-out page.
9. Aggregated Data
“Aggregated Data” means records that have been stripped of Personal Data and has been manipulated or combined to provide generalised, anonymous information. Your identity and personal information are not available in Aggregated Data. We combine your Personal Data on an anonymous basis with other information to generate Aggregated Data for internal and commercial use and for sharing with affiliates, subsidiaries and business partners for planning and marketing purposes.
10. Data protection principles
Where third parties process data on behalf of upGrad, we endeavour to obtain assurances from such third parties that your Personal Data will be safeguarded consistently. We understand that it will be accountable for the processing, management and regulation, and storage and retention of all Personal Data held in the form of manual records and on computers.
All Personal Data obtained and held by the Company will:
11. Legal basis for processing your Personal Data
Certain jurisdictions require that we have a lawful basis to justify our processing of your Personal Data.
Where applicable, the lawful basis that upGrad relies upon to justify a particular processing activity may differ from the lawful basis used to justify a different processing activity.
upGrad relies on the following lawful basis to process Personal Data, as permitted under applicable law:
We may obtain your consent to collect and use certain types of Personal Data when we are required to do so by law.
Once consent is obtained from the individual to use his or her information for those purposes, upGrad has the individual's implied consent to collect or receive any supplementary information that is necessary to fulfil the same purposes. Express consent will also be obtained if, or when, a new use is identified.
Consent may also be implied where a user is given notice and a reasonable opportunity to opt-out of his or her personal information being used for mail-outs, the marketing of new services or products, and the client, customer, member does not opt-out.
Subject to certain exceptions (e.g., the personal information is necessary to provide the service or product, or the withdrawal of consent would frustrate the performance of a legal obligation), individuals can withhold or withdraw their consent for upGrad to use their personal information in certain ways.
If you refuse or withdraw your consent, or if you choose not to provide us with any required Personal Data, we may not be able to provide you the services that can be offered on our Platform.
13. Purpose of collecting Personal Data
We collect your Personal Data for the following purposes
14. Advertising and Marketing
We strive to provide you with choices regarding certain Personal Data uses, particularly around marketing and advertising. You will receive marketing communications from us if you have requested information from us or if you provided us with your details and expressly consented to receiving that marketing.
We may use your Personal Identification, Identity, Contact, Electronic and User generated Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services and offers may be relevant for you.
We also enter into agreements with third parties to serve Ads on our behalf across the internet, social networking sites and blogs. These third parties may collect Personal Data about your visits to our platform and your interactions with our products and use this information to target advertisements for goods and services.
Where electronic direct marketing communications are being sent, you have the option to opt-out in each communication sent, and this choice will be recognised and adhered to by us.
15. Disclosure of Personal Data
upGrad is a global company and may share the personal information collected or provide such access to other companies within the upGrad group.
We require all third parties to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.
In addition to the examples cited above, upGrad also shares your Personal Data with:
|Recipients||Category(ies) of Personal Data we share||Why we share it||Location(s)|
|Employers; Sponsors and Scholarship Providers|
|If you are taking a Program that is sponsored or paid for by your employer or a sponsor, or if you have availed a scholarship from a third-party scholarship provider, we may share your Personal Data and grades, evaluations or progress in the Program with your employer/sponsor/scholarship provider. This information may be shared at any time during the Program or afterwards.||Global|
|We provide access to or share your information with operations and maintenance contractors and other third parties who perform services on our behalf strictly on confidential terms. They provide a variety of services to us, including billing, sales, marketing, test proctoring, couriers, mentoring, recruitment consulting, product content and features, advertising, analytics, research, customer service, data storage, security, fraud prevention, credit facilities, payment processing and legal services||Global|
Recruitment Service providers
|If you opt for any of our recruitment services or if you participate in any of our recruitment activities, we will be sharing your information with recruiters and potential employers.||Global|
|Associate and Business Transfers|
We share your Personal Data with our associates for business purposes.
upGrad may disclose and/or transfer your Personal Data to an acquirer, assignee or other successor entity in connection with a sale, merger, or reorganisation of all or substantially all of the equity, business or assets of upGrad to which your Personal Data relates
16. Data subject rights
Some jurisdictions have provided individuals with certain rights in relation to the processing of their Personal Data. This is the case where you or the any of our subsidiaries or affiliates with which you interact is located in the European Union, though these rights may be available in other jurisdictions as well. These rights are not available to everyone, and they do not necessarily apply in all contexts. Depending on applicable law, you may have the right to:
To exercise a right that you believe you may be entitled to under applicable law, please write to us at firstname.lastname@example.org.
We may need to verify your identity before we fulfil your request.
Please note that certain conditions in relation to processing of your rights, will vary as many countries have varying data privacy rights. Our response and further processing of request to exercise these rights will depend upon the law applicable in relation to the rights exercised by you. We may refuse requests that are unreasonably repetitive, require disproportionate technical effort, risk the privacy of others, may compromise and ongoing investigation, or are impractical. It is our policy to never discriminate against you for exercising any of these rights.
You may have the right to complain to a data protection authority about our processing of your Personal Data. For more information, please contact your local data protection authority.
17. Our Policy on Children’s Data
Children’s data privacy is important to us. Our Sites are not intended for children Age to constitute a user as children is different for different jurisdictions. The age (for valid consent) of children varies across jurisdictions. For example, under GDPR child is a person aged 16 years or below, and in United Kingdom, children is someone who is aged 13 , in case of Singapore and Qatar the valid age for providing consent is 18 years.
As a general policy, our company does not engage in the collection, processing, storage, use, dissemination, and transfer of Personal Data of children.
In case such a collection becomes necessary for the performance of our contractual obligations, or when required under the concerned law, we shall notify you in a time-bound and appropriate manner, informing the purposes and reasons for such collection and seek your explicit consent, and where applicable, parental authorization, prior to the processing of such data.
We will take appropriate steps to delete any Personal Data of children’s that has been collected on our website without verified parental consent upon learning of the existence of such Personal Data, subject to conditions stipulated in the laws of applicable jurisdiction.
18. Data Security
upGrad will ensure that appropriate technical and organizational measures are in place, supported by privacy impact and risk assessments, to ensure a high level of security for Personal Data, and secure environment for information held both manually and electronically.
upGrad implements appropriate security measures designed to prevent unlawful or unauthorized processing of personal information and accidental loss of or damage to personal information. upGrad maintains written security management policies and procedures designed to prevent, detect, contain, and correct violations of measures taken to protect the confidentiality, integrity, availability, or security of your Personal Information. These policies and procedures assign specific data security responsibilities and accountabilities to specific individuals, include a risk management program that includes periodic risk assessment and provide an adequate framework of controls that safeguard your personal information.
In addition, as part of its organizational security measures, employees at upGrad must:
Personal Data should not be kept or transported on laptops, USB sticks, or similar devices, unless authorised by [insert details]. Where Personal Data is recorded on any such device it should be protected by:
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.
We also take steps to ensure that our service providers, contractors and other third parties maintain similar level of data protection measures when processing your Personal Data. While we strive to secure your Personal Data, please note that 100% security of Personal Data cannot be guaranteed and that upGrad shall not be liable for any misuse or loss of Personal Data carried out by third party cloud service provider.
19. International data transfers
Our website is primarily operated and managed on servers located and operated within India. However, owing to the global nature of upGrad, your Personal Data may also be stored in third party data servers located in other countries where upGrad provides its products and services.
upGrad engages sub-contractors, service providers and other third parties for facilitating our products, service offerings and to offer support services to you, and your Personal Data may be transferred to servers of such sub-contractors, service providers and other third parties. Depending upon the location of our service providers, your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction.
Further, your Personal Data may be transferred may be shared, disclosed, and transferred between various upGrad group companies where such transfers are required for legitimate business reasons.
Where required under applicable law we will seek your express consent for such transfers. In all other cases, by consenting to this policy, you also provide consent to upGrad to transfer your Personal Data to upGrad affiliated companies, service providers or any third-party entity in locations around the world. We take steps to ensure that a degree of data protection which is similar to this policy is afforded to such Personal Data transferred.
Where upGrad transfers your personal information internationally, we will comply with applicable legal requirements and where required we will enter into a data transfer agreement with the recipient of the personal information, which in the case of European Personal Data may include the Standard Contractual Clauses. In other cases, and where applicable, we shall enter into separate Data Processing Agreements with the third parties / service providers / contractors and such other recipients of Personal Data. Further as the Company takes steps to ensure that transfers of Personal Data to any public authority cannot be massive, disproportionate, and indiscriminate in a manner that would go beyond what is necessary in a democratic society. In the event of conflicts between these and public authority requirements, the company will find a practical solution that fulfils the purpose of this Policy.
We are committed to take all steps reasonably necessary to ensure that your data is treated securely and in accordance with our data privacy and security standards.
20. Records management
Records management refers to a set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions. It is impossible to be compliant with information law without robust records management policies and practises. Good records management practices ensure not only record quality, but that Personal Data is only kept for as long as necessary for its original purpose and help support data minimization.
21. Organization and Responsibilities
upGrad will maintain records of data processing as required by the laws.
The ‘Data Protection Officer’ (DPO) has the specific responsibility of overseeing data protection and ensuring that we comply with the data protection principles and relevant legislation. The DPO will ensure that the Data Processing Register is kept up to date and demonstrates how the data protection principles are adhered to by our activities. Individual members of staff have a duty to contribute to ensure that the measures outlined in the Register are accurately reflected in our practice.
Our compliance with relevant policies and regulatory requirements in respect of data protection as part of our Data Management Strategy will be periodically monitored internally by a designated governance group. All employees, volunteers, consultants, partners, or other parties who will be handling Personal Data on behalf of upGrad will be appropriately trained and supervised where necessary.
The collection, storage, use and sharing of Personal Data will be regularly reviewed by the Data Protection Officer, the Governance Group, and any relevant business area. We will adhere to relevant codes of conduct where they have been identified and discussed as appropriate.
Where there is likely to be a high risk to individuals rights and freedoms due to a processing activity, we will first undertake a Data Protection Impact Assessment (DPIA) and consult with the relevant supervisory authority prior to processing, if necessary.
22. Conflicts of Law
This Policy is intended to comply with the laws and regulations in the place of establishment and of the countries in which company operates. In the event of any conflict between this Policy and applicable laws and regulations, the latter shall prevail.
23. Retention of Personal Data
We retain your Personal Data, not longer than necessary for the purposes for which it was collected. The length of time to retain Personal Data depends on the purposes for which we collect and use it and/or as may be required to comply with applicable laws, to establish, exercise, or defend our legal rights.
The users can exercise their rights enumerated herein. Also, if in case required to extend the period of retention of such data, we shall obtain your consent for the same. Further, we may also dispose the data prior to completion of the period of retention, if the purpose for which it was collected is exhausted.
The Company has taken the following steps to protect the Personal Data of relevant stakeholders, which it holds or to which it has access:
- the comprehensive reviewing and auditing of its data protection systems and procedures
- overviewing the effectiveness and integrity of all the data that must be protected.
- There are clear lines of responsibility and accountability for these different roles.
25. Breach notification
Where a data breach is likely to result in a risk to the rights and freedoms of individuals, it will be reported to the relevant supervisory authority within 72 hours of the Company becoming aware of it and may be reported in more than one instalment. Individuals will be informed directly in the event that the breach is likely to result in a high risk to the rights and freedoms of that individual. If the breach is sufficient to warrant notification to the public, the Company will do so without undue delay.
26. External Links on our website
27. Information for California Residents
In particular, depending upon your relationship with upGrad we may have collected the following categories of Personal Data within the last twelve (12) months:
|Identifiers.||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.|
|Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.|
|Protected classification characteristics under California or federal law.||Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).|
|Commercial information.||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|Biometric information.||Genetic, physiological, behavioural, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.|
|Internet or other similar network activity.||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.|
|Geolocation data.||Physical location or movements.|
|Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar information|
|Professional or employment-related information.||Current or past job history or performance evaluations.|
|Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.|
|Inferences drawn from other Personal Information.||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes.|
|Sensitive personal Information||Consumers Social Security, driver's license, identification card, passport number, a consumer’s account log‐in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, genetic data, contents of consumer's mail, email or text messages, consumers racial or ethnic origin, religious or philosophical beliefs, or union membership and their genetic data|
For more information on types of Personal Data we collect, including the sources we receive information from, review section Types of Personal Data collected. We collect and use these categories of personal information for the business purposes described in section Purpose of Collecting data, including to provide and manage our platforms.
upGrad does not engage in selling of Personal Data (as defined under CCPA). In case of advertising technology activities used, such as those disclosed in the Advertising and Marketing & Data Analytics section, we will comply with applicable law as to such activity. If you are a California consumer and wish to opt-out of the sale of your Personal Data, See the “Do Not Sell My Personal Information” page on our Site homepage to exercise your right and know more on how to opt-out of the sale of Personal Information.
You may also submit a request to us at email@example.com.
We use and partner with different types of entities to assist with our daily operations and manage our platforms. Please review the section Disclosure of your Personal Data for more detail about the parties we have shared your Personal Data with.
We will not discriminate against you for exercising any of your CCPA rights. We may choose in the future to offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your Personal Data’s value and contain written terms that describe the Program’s material aspects.
28. Use of this website and our Terms of Service
29. Updates to this policy
30. Data Controller/ Company Details
The "Data Controller" (i.e., upGrad) means the entity that will make the decisions about how your data is used and that is responsible for deciding how it holds personal information about you.
Since upGrad is made up of different legal entities, the entity who will be the controller for your data is dependent on the situation where your Personal Data is collected.
31. Data Protection Officer
The company, in accordance with the applicable laws, and all applicable rules made thereunder, has appointed a Data Protection Officer; who can be reached at the details below:
Name: Mr. Binoy Cherian
Email Address: firstname.lastname@example.org