
Privacy Policy

Blue Nelumbo

Last updated: 4/16/2026

Pravesio Consulting Private Limited ("we") operates Blue Nelumbo™ (https://www.bluenelumbo.com), an online platform for CFA® Program Level 1 examination preparation. This Privacy Policy explains what personal data we collect, why, how we use and protect it, and your rights. This policy complies with the Information Technology Act, 2000; the IT (Reasonable Security Practices) Rules, 2011; the Digital Personal Data Protection Act, 2023 (DPDP Act) and DPDP Rules, 2025; and the Consumer Protection Act, 2019. By using the platform, you consent to these practices. If you disagree, don't use the platform. For purposes of the DPDP Act, Pravesio Consulting Private Limited is the Data Fiduciary. Our CIN is U70200HR2025PTC134374.

1. About This Policy

1.1 Privacy by design

We follow privacy-by-design and data-minimisation principles. We collect only what's necessary, retain it only as long as needed, and protect it with industry-standard safeguards. We regularly review our data practices against these principles.

2. What We Collect

2.1 Information you give us

• Account details: Name, email, phone number, password (stored hashed with bcrypt or equivalent), date of birth.
• Profile: Educational background, CFA® exam registration status, target exam date, study preferences, photo (optional).
• Payment: Billing name, address, GSTIN (if applicable), transaction ID, payment method type. We never store your card numbers, CVV, or banking PINs—those go directly to our PCI-DSS compliant payment gateway.
• Communications: Support tickets, emails, chat messages, feedback, and survey responses.
• Identity verification: Government ID, if submitted for account verification or dispute resolution.

2.2 Information we collect automatically

• Usage data: Pages visited, features used, time on each page, quiz/mock scores, accuracy rates, study session duration, click patterns, scroll depth, and learning behaviour patterns.
• Device and technical data: IP address, browser type/version, OS, device type, device identifiers (including advertising identifiers), screen resolution, timezone, language, hardware configuration.
• Device fingerprinting data: We collect browser fingerprints and hardware configuration hashes for anti-piracy and fraud detection. This may include canvas fingerprint, WebGL renderer, installed fonts, and audio context data. This data is used solely for security purposes.
• Logs: Server access logs, error logs, timestamps, referring/exit URLs, API call records.
• Cookies and tracking: Cookies, web beacons, pixel tags, local storage, and similar technologies (see Section 10).
• Email engagement data: We use tracking pixels in emails to measure open rates, click-through rates, and engagement. This helps us send relevant, useful communications. You can disable this by blocking images in your email client.

2.3 Information from third parties

• Social login providers: Name, email, and profile picture if you register via Google Sign-In or similar.
• Payment gateways: Transaction status and partial card details (e.g., last 4 digits).
• Analytics providers: Aggregated, de-identified usage data.

2.4 Information we do NOT collect

We do not knowingly collect biometric data (fingerprints, facial geometry, retinal scans), caste or religious affiliation, political opinions, genetic data, health data, sexual orientation, or trade union membership. If we inadvertently receive such data, we will delete it promptly.

3. Why We Use Your Data

We use your data for the following purposes and on the following legal bases under the DPDP Act:

• Providing, maintaining, and improving the platform — Contract; Consent
• Personalising learning experience and recommendations — Consent; Legitimate interest
• Processing payments and subscriptions — Contract
• Account management and customer support — Contract; Legal obligation
• Transactional emails (receipts, service updates) — Contract; Legitimate interest
• Marketing and promotions (opt-in only) — Consent
• Fraud detection, security, anti-piracy enforcement — Legitimate interest; Legal obligation
• Device fingerprinting for credential-sharing detection — Legitimate interest; Contract
• Enforcing terms and protecting IP — Legitimate interest; Legal obligation
• Internal research and content improvement — Legitimate interest; Consent
• Email engagement tracking — Legitimate interest
• Complying with laws and government requests — Legal obligation
• Data Protection Impact Assessments — Legal obligation

Where we rely on legitimate interest, we've conducted a balancing assessment. Contact admin@bluenelumbo.com for details.

4. Who We Share Data With

We don't sell, rent, or trade your personal data. Period. We only share it as described below.

• Service providers (sub-processors): Hosting, payment gateways, email delivery, analytics, CDN, and support tools—all bound by data processing agreements. See Section 4.1 for details.
• Professional advisors: Lawyers, auditors, accountants, under professional secrecy.
• Legal authorities: When required by law, court order, or to protect rights, property, or safety.
• Corporate transactions: In a merger, acquisition, or asset sale. You'll be notified.
• Anti-piracy enforcement: When necessary for copyright enforcement, including sharing data with law enforcement or courts.

We may share aggregated, anonymised data (which can't identify you) for research and analytics.

4.1 Sub-processors and third-party tools

We use the following categories of third-party services that may process your data:

• Cloud hosting: For platform infrastructure and data storage.
• Payment gateway: For processing transactions (PCI-DSS compliant).
• Email service provider: For transactional and marketing emails.
• Analytics: For platform usage analysis and improvement.
• CDN (Content Delivery Network): For fast, secure content delivery.
• Customer support: For help desk and ticket management.
• Push notification service: For sending mobile and browser notifications (if you opt in).

A current list of specific sub-processors with their names and purposes is available at https://www.bluenelumbo.com/sub-processors and is updated whenever we add or change a sub-processor. All sub-processors are bound by data processing agreements requiring confidentiality, security, and data deletion on termination.

4.2 Third-party SDKs and analytics

Our platform and mobile applications (if any) may include third-party software development kits (SDKs) for analytics, crash reporting, and performance monitoring. These SDKs may collect device data and usage statistics. We configure them to minimise data collection and disable advertising identifiers where possible. Details of specific SDKs used are available at https://www.bluenelumbo.com/third-party-sdks.

5. How Long We Keep Data

• Account data — Account life + 3 years (Limitation period for disputes)
• Transaction records — 8 years (Income Tax Act; GST Act)
• Usage data (identified) — 3 years (Service improvement)
• Usage data (anonymised) — Indefinite (Research; analytics)
• Communications — 3 years (Dispute resolution; QA)
• Security / audit logs — 5 years (IT Act; security compliance)
• Device fingerprint data — Account life + 1 year (Anti-piracy; fraud detection)
• Anti-piracy investigation data — Legal proceedings + 3 years (Copyright enforcement)
• Email engagement data — 1 year (Communication optimisation)
• Marketing consent records — Account life + 3 years (Proof of consent)

After the retention period, data is securely deleted or anonymised within 30 days, subject to legal obligations.

6. How We Protect Your Data

We implement industry-standard security measures, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256);
• Role-based access controls with least-privilege principle;
• Multi-factor authentication for admin access;
• Regular vulnerability assessments and penetration testing;
• Intrusion detection and prevention systems;
• Automated log monitoring and alerting;
• Encrypted backups with geographically distributed storage;
• Secure software development lifecycle (SSDLC);
• Employee/contractor confidentiality agreements and background checks;
• Mandatory data protection training for all personnel;
• Documented incident response and disaster recovery procedures; and
• Periodic internal and third-party security audits.

No system is 100% secure. We can't guarantee absolute security, but we take commercially reasonable steps.

7. Data Breach Notification

In the event of a data breach:

• We'll notify the Data Protection Board of India as required under the DPDP Act;
• We'll notify affected users by email or platform notification with details of the breach, data affected, likely consequences, and mitigation measures;
• We'll report to CERT-In within 6 hours of becoming aware of qualifying incidents, per current CERT-In directives; and
• We'll maintain a breach register documenting all incidents, their impact, and remediation actions.

8. Your Rights

Under the DPDP Act, 2023, you have the right to:

1. Access: Get a summary of your data and how it's being processed.
2. Correction: Fix inaccurate or incomplete data.
3. Erasure: Request deletion (subject to legal retention requirements).
4. Withdraw consent: Withdraw at any time. Won't affect past processing, but may limit services.
5. Data portability: Request your data in a structured, commonly used, machine-readable format (JSON or CSV) where technically feasible.
6. Restrict processing: In certain circumstances, request that we limit how we use your data while a dispute is being resolved.
7. Object to processing: Object to processing based on legitimate interest. We'll stop unless we have compelling legitimate grounds.
8. Nominate: Nominate someone to exercise your rights in case of death or incapacity.
9. Grievance: Lodge a complaint with our Grievance Officer, or escalate to the Data Protection Board.

Email admin@bluenelumbo.com to exercise any right. We'll respond within 7 working days after verifying your identity (per DPDP Rules, 2025). Complex requests may take up to 30 days with notification.

8.1 Marketing opt-out

You can opt out of marketing communications at any time by:

• Clicking the "unsubscribe" link in any marketing email;
• Updating your communication preferences in account settings;
• Emailing admin@bluenelumbo.com with the subject "Unsubscribe"; or
• Disabling push notifications in your device settings.

We'll process opt-out requests within 48 hours. Note: transactional and service communications are not marketing and cannot be opted out of while your account is active.

9. International Users

9.1 Cross-border transfers

Your data is primarily stored in India. If transferred to other countries (e.g., through cloud providers), we ensure compliance with the DPDP Act, appropriate contractual safeguards, and that the receiving jurisdiction is on the government's approved list. We won't transfer data to restricted jurisdictions.

9.2 EU/EEA users (GDPR)

If you access the platform from the European Economic Area, the following additional rights apply under the General Data Protection Regulation (GDPR):

• Right to lodge a complaint with your local supervisory authority;
• Right to data portability in a machine-readable format;
• Right to object to processing based on legitimate interest or direct marketing;
• Right not to be subject to automated decisions with legal or significant effects; and
• Right to erasure (right to be forgotten) under Article 17 GDPR.

Our legal bases for processing under GDPR include: consent (Article 6(1)(a)), performance of contract (Article 6(1)(b)), legitimate interest (Article 6(1)(f)), and legal obligation (Article 6(1)(c)). For cross-border transfers from the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

9.3 US users (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know what personal information we collect, use, and share;
• Right to delete personal information;
• Right to opt-out of the "sale" or "sharing" of personal information (note: we do not sell personal information);
• Right to non-discrimination for exercising your rights; and
• Right to correct inaccurate personal information.

To exercise these rights, email admin@bluenelumbo.com with "CCPA Request" in the subject line. We'll respond within 45 days.

10. Cookies and Tracking

We use the following types of cookies:

• Essential: Login, sessions, security, load balancing. Can't be disabled.
• Analytics: Usage patterns, performance monitoring. Anonymised.
• Preferences: Your settings (language, display mode, study preferences).
• Marketing: Only with explicit consent. Relevant ads and campaign measurement.

Manage cookies via our consent banner or browser settings. Full cookie details at https://www.bluenelumbo.com/cookies.

10.1 Do Not Track

We don't currently respond to "Do Not Track" browser signals. If a uniform standard is established, we'll update this policy.

10.2 Push notifications

If you enable push notifications, we collect a device token to send you notifications. This token is stored securely and deleted when you disable notifications or uninstall the app. Push notification data is not shared with third parties except our notification delivery service.

11. Children's Privacy

The platform is not for children under 16. We don't knowingly collect data from children under 16. If we discover we have, we'll delete it within 72 hours. Contact admin@bluenelumbo.com if you believe a child has provided us data.

12. Automated Decision-Making

We use algorithms for personalised content recommendations, adaptive learning paths, and fraud/piracy detection. These do not produce legal or similarly significant effects on you. If we ever implement automated decisions that significantly affect you, we'll inform you and offer human review on request within 7 working days.

13. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to your rights and freedoms. This includes assessments for:

• Large-scale processing of usage and behavioural data;
• Device fingerprinting and anti-piracy monitoring;
• Introduction of new technologies or significant platform changes; and
• Cross-border data transfers to new jurisdictions.

DPIA records are maintained internally and available for regulatory inspection.

14. Grievance Officer

As required by the IT Act, SPDI Rules, and DPDP Act:

Name: Niyati Arora
Designation: Grievance Officer
Phone: +91 98101 18573
Email: grievance@bluenelumbo.com
Address: Flat No. B-3/103, Sahara Grace, M.G. Road, Gurgaon – 122002, Haryana

We'll acknowledge your complaint within 48 hours with a tracking ID and resolve it within 7 working days. If unsatisfied, you can use our internal appeal mechanism. If still unresolved, escalate to the Data Protection Board of India.

15. Changes to This Policy

We may update this policy. For material changes, we'll give at least 15 days' notice by email or platform notification. Continued use after the effective date means you accept the changes. Previous versions of this policy are archived at https://www.bluenelumbo.com/privacy/archive.

16. Contact

Pravesio Consulting Private Limited
Registered Office: Flat No. B-3/103, Sahara Grace, M.G. Road, Gurgaon – 122002, Haryana
CIN: U70200HR2025PTC134374
Email: admin@bluenelumbo.com
Grievance: grievance@bluenelumbo.com
Web: https://www.bluenelumbo.com