Privacy Policy

Privacy Policy

Last updated: June 2026 | Effective: June 2026

Elevana (“we,” “our,” “us”) operates elevana.guru and its sub-products including Karka (LMS), Lekha (Document Generator), Disha (Career Guidance), and Marga (CRM). This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

This policy is designed to comply with applicable privacy laws globally, including: GDPR (EU/EEA), UK GDPR (United Kingdom), CCPA/CPRA (US/California), LGPD (Brazil), DPDPA 2023 (India), PIPEDA (Canada), POPIA (South Africa), PDPL (UAE/Saudi Arabia), and Privacy Act 1988 (Australia).

1. Information We Collect

1.1 Information You Provide

• Account Information: Name, email address, phone number when registering on Karka LMS
• Lead Information: Name, email, phone, programme interest submitted via chatbot or forms
• Payment Information: Processed by Razorpay; we do not store card details
• Document Data (Lekha): All document generation happens in your browser. We do NOT collect, store, or transmit any data you enter in Lekha forms.

1.2 Information Collected Automatically

• Cookies: Session cookies, analytics cookies (Google Analytics), preference cookies
• Device Information: Browser type, operating system, screen resolution
• Usage Data: Pages visited, time spent, referral source
• IP Address: For security, rate limiting, and approximate geolocation

2. How We Use Your Information

• To provide and maintain our services (Karka LMS, dictionary, chatbot)
• To communicate with you about programmes, updates, and support
• To process enrolments and payments
• To improve our website and services
• To comply with legal obligations
• To prevent fraud and ensure security

3. Legal Basis for Processing

For EU/EEA residents (GDPR) and UK residents (UK GDPR), we process your personal data under the following legal bases:

Purpose	Legal Basis
Account creation & LMS access	Contract performance (Art. 6(1)(b))
Marketing communications	Consent (Art. 6(1)(a))
Analytics & improvement	Legitimate interest (Art. 6(1)(f))
Legal compliance	Legal obligation (Art. 6(1)(c))
Lead capture (chatbot)	Consent (Art. 6(1)(a))

For Brazilian residents (LGPD), we rely on equivalent bases including consent, contract performance, legitimate interest, and legal obligation as defined in LGPD Art. 7. For Indian residents (DPDPA 2023), we process personal data based on consent or other legitimate uses defined by the Act.

4. Data Sharing

We do NOT sell your personal data. We may share data with:

• Service Providers: Razorpay (payments), WordPress.com/Automattic (hosting), Google (analytics), FluentCRM (email marketing)
• Legal Requirements: When required by law, court order, or government authority in any applicable jurisdiction

All service providers are required to maintain appropriate data protection standards. Data Processing Agreements (DPAs) are in place with our primary data processors.

5. Your Privacy Rights

To exercise any of the rights below, email support@elevana.guru. We respond within 30 days (or sooner as required by applicable law).

All Users

• Access your personal data
• Correct inaccurate data
• Delete your account and data
• Object to processing
• Data portability (receive your data in a structured, machine-readable format)

EU/EEA Residents (GDPR)

• Right to restriction of processing
• Right to withdraw consent at any time (without affecting prior lawful processing)
• Right not to be subject to solely automated decision-making with legal effects (we do not use such systems)
• Right to lodge a complaint with your local EU supervisory authority — find your authority here

UK Residents (UK GDPR & Data Protection Act 2018)

• All equivalent rights to EU GDPR, enforced under UK law
• Right to withdraw consent at any time
• Right to lodge a complaint with the UK Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint

California Residents (CCPA/CPRA)

• Right to know what personal information is collected, used, shared, or sold
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt-out of sale or sharing of personal information (we do not sell data)
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising CCPA rights

Brazilian Residents (LGPD)

• Right to confirmation of the existence of data processing
• Right to access your personal data
• Right to correction of incomplete, inaccurate, or outdated data
• Right to anonymisation, blocking, or deletion of unnecessary or excessive data
• Right to data portability
• Right to deletion of data processed with consent
• Right to information about third parties with whom data is shared
• Right to revoke consent at any time
• Right to review automated decisions that affect you
• Right to lodge a complaint with Brazil’s National Data Protection Authority (ANPD): gov.br/anpd

Canadian Residents (PIPEDA)

• Right to access your personal information held by us
• Right to challenge the accuracy and completeness of your data and have it corrected
• Right to withdraw consent at any time (subject to legal or contractual restrictions and reasonable notice)
• Right to lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca

South African Residents (POPIA)

• Right to be notified that your personal information is being collected
• Right to access your personal information
• Right to request correction or deletion of personal information
• Right to object to processing of personal information
• Right to withdraw consent at any time
• Right to submit a complaint to the Information Regulator of South Africa: justice.gov.za/inforeg

Indian Residents (DPDPA 2023)

• Right to access, correction, and erasure of personal data
• Right to nominate another person to exercise rights on your behalf
• Right to grievance redressal (we acknowledge within 48 hours and resolve within 30 days)
• Right to withdraw consent at any time

UAE & Saudi Arabia Residents (PDPL)

• Right to know what personal data is collected and how it is used
• Right to access your personal data
• Right to request correction of inaccurate or incomplete data
• Right to request deletion of personal data where no longer necessary
• Right to withdraw consent at any time
• Right to object to processing for direct marketing purposes
• Right to data portability in a readable format
• UAE residents may contact the Telecommunications and Digital Government Regulatory Authority (TDRA); Saudi residents may contact the National Data Management Office (NDMO)

Australian Residents (Privacy Act 1988)

• Right to access and correct your personal information
• Right to anonymity or pseudonymity where practicable
• Right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC): oaic.gov.au

6. Data Retention

• Account data: Retained while your account is active + 30 days after deletion request
• Lead data: 2 years from collection, then deleted
• Analytics data: Aggregated after 26 months (Google Analytics retention setting)
• Payment records: 7 years (as required by Indian tax law)

7. Data Security & Breach Notification

We implement industry-standard security measures including:

• SSL/TLS encryption for all data in transit
• Hashed passwords (bcrypt) for Karka accounts
• Cookie-based sessions with HttpOnly and Secure flags
• Rate limiting on forms and APIs
• Regular security audits

Breach Notification: In the event of a personal data breach likely to result in risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (as required by GDPR and UK GDPR). Where the breach is likely to result in high risk to individuals, we will also notify affected individuals without undue delay. For Indian residents, we comply with applicable CERT-In and DPDPA guidelines.

8. International Data Transfers

Your data may be processed on servers in the United States (WordPress.com/Automattic) and India (Razorpay, Elevana infrastructure). We ensure appropriate safeguards are in place for all cross-border transfers:

• EU/EEA data transfers: Standard Contractual Clauses (SCCs, 2021 edition) under GDPR Article 46
• UK data transfers: International Data Transfer Agreements (IDTAs) or SCCs with the UK Addendum, as approved by the ICO
• Brazilian data transfers: Standard contractual clauses or equivalent safeguards as recognised under LGPD
• Other jurisdictions: Equivalent transfer mechanisms as required by applicable local law

9. Children’s Privacy

Our services are not directed to children under 18 (or the applicable minimum age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@elevana.guru and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. For significant changes, we will also notify registered users by email.