Privacy Policy

AimCourses is committed to protecting the privacy, dignity, and trust of every learner, educator, parent, institute administrator, and visitor who uses our websites, applications, APIs, and related services. This Privacy Policy explains how we collect, use, store, share, transfer, and protect personal information in connection with our education platform. It applies to all users who access public pages, create an account, enroll in a course or test series, communicate with support, attend live classes, participate in assessments, or use any product feature made available by AimCourses and its authorized affiliates.

This Policy applies in addition to our Terms and Conditions, payment terms, educator agreements, and any product specific terms shown at the point of use. If a conflict exists between this Policy and a mandatory legal requirement in a specific country or state, the mandatory legal requirement controls to the extent of that conflict. We design this Policy to be readable, transparent, and practical. We want users to understand not only what data we collect, but why we collect it, how long we keep it, and what choices users can make to control that data.

This Policy covers information collected directly from users, information collected automatically through devices and software, and information received from approved third parties such as payment processors or fraud prevention providers. It also explains rights available to users under applicable data protection laws including rights to access, correction, deletion, restriction, portability, objection, withdrawal of consent, and grievance escalation. We encourage users to read this Policy fully and contact us with any privacy question before using paid services or sharing sensitive information.

In this Policy, Personal Information means any information that can identify an individual directly or indirectly, including name, phone number, email address, account identifier, device identifiers, IP address, profile photo, and data linked to educational activity. Sensitive Personal Information means categories of data that require higher protection under law, such as password credentials, payment instrument details handled by payment gateways, official identity data when required for verification, and limited security telemetry used to prevent cheating or account takeover.

Processing means any operation performed on data, including collection, recording, storage, organization, use, analysis, transmission, disclosure, combination, and deletion. Controller means the entity that decides why and how data is processed. Processor means a service provider that processes data on the controller behalf under contractual instructions. User means any person who accesses our platform, including guests, students, educators, institute staff members, parents, and enterprise contacts. Child means a person below the legal age at which they can independently consent under applicable law in their jurisdiction.

When we use words such as may, can, or typically in this Policy, we do so because data practices can vary by product surface, country, device, and legal requirement. When we use words such as will or must, that indicates a baseline commitment we intend to follow across all products unless a legal exception applies. These definitions are provided to make the remaining sections easier to understand and do not reduce or limit legal rights granted by applicable law.

Some AimCourses services are intended for users who can form a legally binding contract. If a user is below the age required in their jurisdiction, a parent or legal guardian must create and supervise the account, provide required consents, and monitor activity. We do not knowingly market paid products to children in violation of applicable law. Where child access is allowed by law, we apply age appropriate safeguards including reduced profile visibility, stricter communication controls, and limited data use for advertising related profiling.

Parents and guardians are responsible for ensuring the accuracy of information submitted on behalf of minors and for reviewing educational communications and class interactions. If we discover that a child account was created without valid guardian authorization where authorization is required, we may suspend access, request additional verification, or delete the account. We also provide support channels for parents to request review, correction, or deletion of a child profile where legally permitted and technically feasible.

If you are a parent or guardian and believe that a child has submitted information without appropriate authorization, contact us through the privacy contact details listed in this Policy. We will investigate promptly and, where applicable, remove or de-identify the information. We may retain minimal audit records necessary to demonstrate compliance, prevent fraud, and respond to legal obligations. We aim to balance child safety, educational continuity, and legal compliance in every such decision.

When users create an account, we collect registration information such as name, email, phone number, account role, password credential, and optional profile details. For institute onboarding, we may collect institute name, owner details, billing contact details, and role assignments for team members. For students, we may collect exam preferences, target timeline, learning interests, and progress markers. For support interactions, we collect contact details, issue descriptions, attachments, and response history so we can resolve user requests and improve quality.

When users purchase a course, test series, or subscription, we collect transaction metadata such as order identifier, item selected, amount, currency, discount usage, payment status, and invoice related fields. We do not store full card numbers or payment authentication secrets on our own systems when payment is processed by certified payment partners. We may receive masked payment references, bank metadata, and fraud risk scores from payment providers to confirm settlement, prevent abuse, and support refunds, chargebacks, or legal reporting obligations.

When users participate in classes, assessments, or discussion features, we collect educational activity data such as attendance, watch progress, assignment submissions, assessment attempts, answer records, proctoring events, and instructor feedback. We also collect communications voluntarily shared with us, including chat messages to support, ticket conversations, and survey responses. We recommend that users avoid sharing unnecessary sensitive personal data in free text fields because these channels are intended for operational and educational communication rather than high risk data submission.

We automatically collect technical and usage data when users access our services. This may include device type, browser type, operating system version, language preference, app version, approximate location based on IP, timestamps, referral pages, and interaction events such as clicks, scroll depth, feature usage, and session duration. We use this data to maintain platform reliability, diagnose performance issues, improve accessibility, and protect accounts from suspicious activity such as credential stuffing, bot traffic, or repeated abusive requests.

Security and integrity controls may log additional telemetry such as login attempt metadata, session identifiers, token rotation events, unusual device changes, and high risk behavior patterns. During assessments, we may log anti cheating and integrity events designed to preserve exam fairness, such as tab switches, timing anomalies, disallowed actions, and device consistency checks. We do not use integrity telemetry to make unrelated marketing decisions. We use it to secure assessments, investigate incidents, resolve disputes, and improve exam reliability for all learners.

We also use cookies, local storage, and similar technologies to remember preferences, keep users signed in, support secure sessions, and measure aggregate product performance. Some cookies are essential for authentication and cannot be disabled without affecting core functionality. Other cookies are optional and can be managed through browser controls or consent tools where legally required. Users can clear cookies at any time, but doing so may sign them out, reset preferences, or limit personalized recommendations and continuity across sessions.

We may receive data from third party service providers that support account creation, payments, communication, analytics, anti fraud, and customer support. For example, payment gateways may send transaction outcomes, risk indicators, and masked payment references. Messaging providers may return delivery status for emails or SMS. Analytics providers may return aggregate engagement metrics. Security providers may provide abuse risk signals or reputation indicators. We review these integrations and require contractual safeguards before enabling personal data processing through them.

If users sign in through a social login provider where available, we may receive basic profile attributes such as verified email, display name, and provider identifier, depending on permissions granted by the user. We do not request more permissions than required to provide the service. Users can revoke social login permissions through the provider settings at any time. Revocation may affect future sign in until a password based method is configured. We encourage users to keep recovery contact details current to prevent lockouts.

Institutes or enterprise customers may provide roster data for managed onboarding, including names, emails, and assigned learning groups. We process such data based on customer instructions and applicable law. If there is a dispute about ownership or correction of managed account data, we may require the organization and the individual to coordinate resolution. We may temporarily limit profile changes while verifying authority to prevent unauthorized modifications or account misuse. Our objective is to protect both user rights and contractual responsibilities.

Depending on jurisdiction, we process personal information under one or more legal bases. Contractual necessity applies when processing is needed to provide requested services, such as account authentication, enrollment access, billing, and support. Legitimate interests apply when processing is necessary for product improvement, fraud prevention, abuse detection, platform security, and business continuity, provided those interests are not overridden by user rights. Legal obligation applies when we must retain or disclose data to comply with tax, accounting, court, or regulatory requirements.

Consent is used where required, such as optional promotional communication preferences, non essential cookies in consent regions, or specific high sensitivity activities where law requires explicit consent. Users can withdraw consent where consent is the legal basis. Withdrawal does not affect processing completed before withdrawal and may limit service features that depend on consent. We will explain practical consequences when users make a withdrawal request so they can make an informed decision before final confirmation.

In rare cases, we may process data to protect vital interests, such as preventing serious harm or responding to urgent safety incidents. We may also process data for public interest obligations where expressly required by law. We do not rely on opaque automated decision systems that produce legal effects without meaningful safeguards. Where automated processing assists operational decisions, we maintain human oversight for material outcomes such as account suspension, exam integrity actions, and high risk security controls.

We use information to deliver educational services, personalize learning experiences, and operate account functionality. This includes creating and maintaining profiles, enrolling users in purchased content, tracking progress, issuing certifications where applicable, enabling educator dashboards, and supporting collaborative institute workflows. We also use data to provide reminders, schedule notifications, exam alerts, and product updates relevant to user goals. Personalization may include recommendation ranking based on user preferences, completion history, and aggregated performance trends.

We use data to maintain service quality and trust. This includes monitoring uptime, diagnosing errors, improving app speed, identifying abusive behavior, reducing fraudulent transactions, and securing user sessions. We may analyze aggregated usage to identify product gaps, improve feature design, and prioritize roadmap decisions. We may use de-identified and aggregated analytics to understand learning outcomes across cohorts without identifying specific users. Where feasible, we separate direct identifiers from analytical datasets to reduce unnecessary exposure.

We use data for customer support and communication, including responding to tickets, clarifying billing issues, handling refund requests, and sending service notices. Promotional messages are sent according to consent or lawful communication rules and can be managed through unsubscribe controls and account preferences. We may conduct surveys and research to improve pedagogy and product usability. Participation in optional research or feedback activities is voluntary and not required to continue core service usage unless clearly stated for program specific initiatives.

We do not sell personal information for money. We share information only where necessary to provide services, comply with law, protect rights, or operate legitimate business processes. Categories of recipients may include infrastructure providers, payment processors, communication vendors, analytics processors, support platforms, and professional advisors such as auditors or legal counsel. Each recipient is expected to process data according to contract terms, security obligations, and purpose limitations. We conduct due diligence and remove vendors that cannot meet required standards.

For institute managed experiences, authorized institute administrators may access learner data relevant to enrolled users in their institute scope, such as course progress, attendance, assessment outcomes, and billing records associated with institute sponsored purchases. Such access is role based and audit logged where technically feasible. Institute administrators are responsible for their own lawful use of data in accordance with contracts and local law. We may restrict or terminate institute access if misuse is detected or reported.

We may disclose data to law enforcement, regulators, courts, or government authorities when required by legal process, or when disclosure is necessary to investigate fraud, abuse, security incidents, or violations of terms. We may also disclose data during mergers, acquisitions, financing, or asset transfers, subject to confidentiality obligations and continuity of privacy commitments. If ownership changes materially affect data processing, we will provide notice and options where required by law.

Our services may use cloud and support infrastructure located in multiple jurisdictions. As a result, personal information may be transferred to and processed in countries other than the country where users reside. Data protection laws in transfer destinations may differ from those in the user jurisdiction. We take steps to ensure that transfers are protected by lawful transfer mechanisms and contractual safeguards, including standard contractual commitments, vendor security requirements, and access controls designed to limit processing to authorized purposes.

Where legally required, we implement supplementary controls such as encryption in transit and at rest, pseudonymization for analytical processing, strict key management, logging, and least privilege access controls. Transfer pathways are reviewed periodically to ensure continued compliance with evolving legal requirements and regulatory guidance. Users may contact us for information about transfer safeguards relevant to their jurisdiction. In some cases, we may provide additional country specific notices that describe local rights, complaint channels, and regulator contacts.

By using our services, users acknowledge that data transfers may be necessary for global infrastructure operation, support delivery, and security monitoring. We seek to minimize transfer volume by localizing services where feasible and by restricting cross border movement of high sensitivity data where practical. Our objective is to combine reliable global service delivery with lawful, transparent, and proportionate data protection practices regardless of where processing occurs.

We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, meet legal obligations, enforce agreements, resolve disputes, and prevent abuse. Retention periods vary by data type and context. Account profile data is generally retained while an account remains active and for a limited period thereafter to allow reactivation, audit integrity, and legal compliance. Transaction records are retained for legally required accounting and tax periods. Security logs may be retained for incident investigation and fraud monitoring windows.

Educational records such as enrollments, progress, attempts, and certification related data may be retained to preserve learner history, support performance analytics, and allow users to retrieve earned credentials. Users may request deletion in accordance with applicable law, but certain records may be retained where legal obligations, public interest in exam integrity, or contractual obligations require limited retention. In such cases, we limit processing to required purposes and restrict access to authorized personnel only.

When retention periods expire, we delete or de-identify data using processes appropriate to storage systems and backups. De-identification aims to remove or transform identifiers so that individuals are not reasonably identifiable. Some residual copies may remain in encrypted backups for defined recovery windows, after which they are overwritten or deleted according to backup lifecycle policies. We continuously improve retention governance to reduce excess data accumulation and ensure defensible disposal practices.

Depending on location and applicable law, users may have the right to request access to personal information, correction of inaccurate data, deletion of eligible data, restriction of processing, portability in structured formats, and objection to certain processing activities such as direct marketing or legitimate interest based profiling. Users may also have the right to withdraw consent where consent is used as the legal basis. We provide account level controls where possible and support request channels for cases not available in self service tools.

To protect users and prevent unauthorized access, we may verify identity before fulfilling rights requests. Verification may involve matching account details, confirmation through registered contact methods, or additional information proportional to request sensitivity. If we cannot verify identity with reasonable confidence, we may decline or narrow the request and explain why. Users may appoint authorized agents where allowed by law, and we may request proof of authority before processing agent submitted requests.

We aim to respond within legally required timelines. Complex requests may require additional time where permitted by law, and we will communicate delays and reasons. In some cases, legal exemptions allow us to decline deletion or access to specific records, for example where disclosure would reveal another person rights, compromise security controls, or violate legal obligations. We provide reasoned responses and appeal options where required by applicable regulation.

We use cookies and similar technologies for core platform operation, security, preference memory, analytics, and measured product improvement. Essential cookies enable account authentication, navigation continuity, and transaction integrity. Performance cookies help us understand page latency, feature reliability, and usage trends. Functional cookies remember language, display preferences, and saved settings. Where permitted, advertising related technologies may be used to understand campaign effectiveness, frequency control, and broad audience insights without exposing sensitive educational details.

Users can manage cookie settings through browser controls and, where available, through consent banners or privacy settings interfaces. Disabling non essential cookies may reduce personalized experiences but should not prevent access to essential educational functions. Disabling essential cookies may break login persistence, checkout steps, or session security. We do not rely on third party advertising identifiers to infer sensitive categories such as health conditions, political views, or protected characteristics from learning activity.

Analytics data is processed to understand product quality and aggregate behavior rather than to monitor individuals for unrelated purposes. We apply technical and contractual controls to analytics providers and limit retention where feasible. We may combine analytics with support feedback and experiment data to improve feature design. Experimentation follows governance processes to reduce risk and avoid harmful educational outcomes. Users may opt out of optional analytics where legally required and technically available.

We implement layered security controls designed to protect confidentiality, integrity, and availability of personal information. Controls may include encrypted transport channels, encrypted storage where appropriate, secret management, role based access control, audit logging, infrastructure monitoring, vulnerability management, incident response workflows, and backup recovery strategies. Access to production systems is limited to authorized personnel with business need and subject to periodic review. We also provide internal privacy and security training to employees and contractors handling sensitive systems.

No system can guarantee absolute security, and users share responsibility for account protection. We encourage strong unique passwords, device security updates, careful handling of one time codes, and prompt reporting of suspicious account activity. Users should avoid sharing credentials and should sign out on shared devices. We may enforce additional authentication checks when unusual behavior is detected, such as location anomalies, device risk signals, or repeated failed login attempts. These controls are intended to protect users even when credentials are exposed elsewhere.

If a security incident involving personal information occurs, we follow incident response procedures to contain, assess, remediate, and notify as required by law. Notifications may include the nature of impacted data, potential user impact, mitigation steps, and recommended user actions. We coordinate with relevant regulators and affected partners where legally required. Post incident, we conduct root cause analysis and control hardening to reduce recurrence risk. Security resilience is an ongoing process, not a one time event.

We may send operational messages required to run services, including account verification, payment confirmations, renewal reminders, security alerts, policy updates, and support follow ups. These messages are generally mandatory for active service usage because they convey essential information about account status and security. We may also send educational insights, product updates, and promotional messages where allowed by law and user preferences. Users can manage promotional communication settings through account controls and unsubscribe links.

Opting out of promotional communication does not stop essential service or legal notices. If users receive communication from institute administrators or educators through class features, those communications may be governed by course participation context rather than platform marketing preferences. We monitor abuse and may limit messaging capabilities if spam, harassment, or policy violations are detected. Users can report unwanted or inappropriate communications through in product reporting tools or support channels.

Where required by law, we maintain consent records for marketing related communication and honor suppression lists to prevent unwanted outreach. We do not use sensitive personal information for broad ad targeting without legal basis and appropriate controls. We may use aggregated engagement data to improve campaign relevance, reduce message frequency fatigue, and measure product discovery outcomes. Marketing teams are expected to follow privacy by design principles for any campaign involving personal data.

To preserve fairness in tests and certifications, we may collect and analyze integrity related event data such as attempt timestamps, answer save patterns, tab visibility changes, unusual time distributions, network anomalies, and restricted interaction signals. These controls are designed to protect honest learners and institute trust. Integrity monitoring is limited to educational quality and anti abuse objectives. It is not used for unrelated advertising profiling. We strive to apply proportionate safeguards and avoid intrusive collection beyond what is necessary for reliable assessments.

Integrity signals may be reviewed by automated systems and trained reviewers. Where a potentially unfair attempt is detected, we may apply temporary hold, request additional verification, or flag the attempt for human review. Users can contact support to contest decisions, and we review disputes based on available evidence, policy standards, and institute rules. We document outcomes and use them to improve detection quality and reduce false positives. Transparency, consistency, and learner trust are key principles in our integrity governance.

Institutes using proctoring or advanced integrity tools are responsible for informing enrolled learners about exam specific monitoring rules. We provide baseline platform disclosures in this Policy and product interfaces, but institutions may impose additional exam policies consistent with law and our terms. We encourage institutes to adopt fair and clear conduct codes. Where institute policies conflict with legal privacy protections, legal requirements control, and we may restrict features that cannot be operated lawfully.

Our platform may contain links to third party websites, tools, or content, including educator resources, partner offerings, and external payment or communication pages. This Privacy Policy applies to AimCourses controlled services and does not govern independent third party privacy practices. Users should review privacy notices of external services before sharing personal information. We are not responsible for third party terms, security controls, or data handling once users leave our platform or interact with embedded content controlled by another provider.

When we integrate third party tools, we aim to limit data sharing to what is necessary for requested functionality. For example, a communication integration may receive limited identifiers required to deliver notifications, or a payment partner may receive billing details required for transaction authorization. We assess integration necessity, establish contracts, and monitor provider reliability. If a provider materially changes practices or fails security obligations, we may suspend or terminate the integration to protect users and service integrity.

Users can reduce risk by avoiding unnecessary sharing of personal data in publicly visible spaces and by using official support channels for account specific concerns. If users encounter suspicious third party behavior linked from our services, we encourage reporting through support so we can investigate and take corrective action where appropriate. Our goal is to provide a trusted learning ecosystem while maintaining clear boundaries regarding third party responsibility.

Users in different regions may have additional rights under local laws. For users in jurisdictions with comprehensive privacy laws, such as India, the European Union, the United Kingdom, California, and other U.S. states with privacy statutes, we process rights requests according to the rights available in those laws. Rights may include notice at collection, access to categories and specific pieces of data, deletion of eligible data, correction, portability, opt out rights for certain sharing, and non discrimination for exercising legal privacy rights.

Where law requires data protection impact assessments, dedicated representative contacts, or regulator reporting, we implement these obligations as applicable. We may ask users to provide residence information to route requests under the correct legal framework. If users believe our response does not satisfy legal requirements, they may seek review through available escalation channels described in this Policy, including regulatory complaint channels where applicable. We encourage direct resolution first so we can address concerns efficiently and transparently.

For California residents, we provide rights consistent with applicable state law, including rights to know, delete, correct, and limit use of certain sensitive personal information where relevant. For users in the EU and UK, we process requests under GDPR and related frameworks, including rights to object and lodge complaints with supervisory authorities. For Indian users, we align operations with evolving digital personal data requirements and platform specific grievance redress mechanisms. We continuously update compliance controls as laws evolve.

Users who have questions, concerns, or complaints about privacy can contact us through our support channels. For faster handling, include account email, issue summary, relevant dates, and the specific request type such as access, correction, deletion, or objection. We may request additional verification details to confirm identity before acting on account specific requests. We aim to acknowledge requests promptly and provide a reasoned response within applicable legal timelines. Complex requests may require additional review time, and we will communicate status updates where possible.

If a user is not satisfied with an initial privacy response, they may request escalation through our grievance process. Escalation requests are reviewed by senior compliance or legal personnel where appropriate. We maintain records of grievance handling to improve process quality and demonstrate compliance accountability. We do not discriminate against users for raising privacy concerns, submitting rights requests, or contacting regulatory authorities. Constructive feedback helps us strengthen platform trust and user protection outcomes.

Privacy Contact: privacy@aimcourses.com. Support Contact: support@aimcourses.com. General Office Contact for legal correspondence: AimCourses Privacy Office, Bengaluru, India. If local law requires additional designated representatives or data protection contacts for your jurisdiction, details will be provided through country specific notices, account communications, or direct response channels. We are committed to respectful, transparent, and lawful handling of every privacy inquiry.

We may update this Privacy Policy from time to time to reflect legal, technical, product, or operational changes. When changes are material, we will provide clear notice through website banners, account notifications, or email where required. The updated Policy effective date will be shown at the top or bottom of this page. Continued use of services after the effective date may indicate acceptance to the extent permitted by law. Where explicit consent is required for new processing purposes, we will seek consent before applying those changes.

Archived versions may be retained for compliance and audit purposes. If users disagree with updated terms, they may stop using affected services and request account deletion as permitted by law and contractual obligations. Some retained records may continue to be stored where legal obligations, security needs, or dispute resolution requirements apply. We recommend reviewing this page periodically, especially before making purchases, sharing sensitive information, or enabling new platform features that involve additional data processing.

Our aim is to keep this Policy practical, understandable, and complete. If any section appears unclear, users should contact us so we can improve language and provide clarification. Privacy is an ongoing responsibility that evolves with technology and regulation. We commit to reviewing our controls, updating user communication, and aligning data practices with responsible educational outcomes. Last Updated: May 15, 2026.

AimCourses follows a data minimization principle, which means we try to collect only the information reasonably necessary to provide requested services, secure the platform, meet legal obligations, and improve educational outcomes. Product teams are encouraged to define clear collection purposes before a new field, event, or integration is introduced into production. Where feasible, optional fields are marked clearly, default visibility is limited, and retention windows are pre-defined. We also periodically review forms and telemetry pipelines to identify fields that no longer serve valid operational, legal, or educational objectives and should be reduced, transformed, or removed.

Data quality and accuracy are equally important because inaccurate records can harm learners, educators, and institutes. We provide mechanisms for users to update profile information and we encourage institutes to maintain correct roster data. When accuracy issues are reported, we investigate source systems, synchronization logic, and role permissions to identify root causes. We may place temporary safeguards on contested records while reviews are in progress so that sensitive updates are not overwritten by conflicting data feeds. In some contexts, we preserve previous values in audit trails to support accountability, dispute resolution, and secure recovery from accidental changes.

Governance controls include documented ownership for major data domains, periodic policy reviews, vendor oversight, and escalation pathways for privacy and security concerns. Internal teams are expected to follow privacy by design principles and complete required training before handling production data. Access reviews, environment separation, and role based controls are used to reduce unnecessary exposure. We also evaluate major product changes for privacy impact and proportionality, especially when they involve children, assessment integrity, or automated decision support. Responsible governance is not only a compliance requirement; it is essential for long term learner trust and platform reliability.

Privacy and security are shared responsibilities. Users are expected to provide truthful information, maintain account credential confidentiality, and use official channels for support and account recovery. Educators and institute administrators should configure roles carefully, grant access only to authorized personnel, and review member permissions regularly to prevent unnecessary exposure. Users should avoid uploading sensitive documents unless required by a clearly identified workflow and should not post personal data of others without lawful authority. Where collaboration tools are available, participants are expected to follow respectful conduct standards and avoid misuse of communication features.

To support safer use, we provide account controls such as password updates, session management, and communication preferences. We also provide report channels for suspected abuse, impersonation, policy violations, and security concerns. Reports are reviewed using risk based processes designed to prioritize urgent threats while maintaining fair investigation standards. In high risk situations, we may temporarily restrict features, require additional verification, or suspend affected accounts while investigation is ongoing. These measures are designed to protect users, preserve evidence, and reduce the spread of abuse while due process reviews are completed.

Our transparency commitment includes plain language policy updates, meaningful notice for material changes, and practical explanations of user choices where possible. We recognize that privacy documents can become complex as products expand and legal obligations evolve. For that reason, we aim to keep terminology consistent, provide clear contact channels, and respond to genuine questions in a timely and respectful manner. We also seek to publish guidance in product interfaces when a decision has privacy implications, such as enabling public profile elements or granting institute wide access. Trust grows when expectations are clear, controls are understandable, and accountability is visible.