Skip to main content
Zelium

Privacy Policy

Last updated: March 2026

1. Information We Collect

We collect information you provide when registering an institution or creating a user account, including name, email address, phone number, and institution details. We also collect application data, payment information, and documents uploaded by students through the platform. We collect this data with your explicit consent at the point of collection.

2. Purpose of Data Processing

Your personal data is processed for the following specific purposes: (a) providing and operating the Zelium platform services, (b) processing admissions applications and fee payments, (c) sending transactional notifications about application status, (d) generating analytics for institution administrators, and (e) fulfilling legal and regulatory obligations. We do not process your data for purposes beyond what is stated here without obtaining additional consent.

3. Data Isolation and Multi-Tenancy

Zelium is a multi-tenant platform with strict data isolation. Institution data is separated using PostgreSQL row-level security policies enforced at the database level. No institution can access another institution's data. Platform administrators have limited cross-tenant visibility for operational purposes only, with all access recorded in immutable forensic audit logs.

4. Data Storage, Security, and Retention

Data is stored in encrypted PostgreSQL databases hosted in India (asia-south1 region). Files and documents are stored in S3-compatible encrypted object storage (MinIO with AES-256-GCM). All sessions are encrypted and support multi-factor authentication. Immutable audit logs track all data access and modifications.

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. Upon account termination, all institution data is permanently deleted within 30 days, except where retention is required by law or regulation.

5. Your Rights Under DPDP Act 2023

Under the Digital Personal Data Protection Act, 2023 (India), you have the following rights:

  • Right to Access: You may request a summary of your personal data being processed and the processing activities undertaken.
  • Right to Correction: You may request correction of inaccurate or misleading personal data, and completion of incomplete data.
  • Right to Erasure: You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected.
  • Right to Withdraw Consent: You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing done before withdrawal.
  • Right to Grievance Redressal: You may raise a grievance with our Data Protection Officer. We will respond within 30 days.
  • Right to Nominate: You may nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days.

6. Data Export and Portability

Institution administrators can export their data at any time through the Data Export feature in Settings. Exported data is provided in standard machine-readable formats (CSV, JSON).

7. Third-Party Services

We integrate with payment gateways (Razorpay, Easebuzz) to process fee payments. These services process payment data under their own privacy policies. We do not share your personal data with any other third parties except: (a) with your consent, (b) to comply with legal obligations, or (c) to protect our legitimate interests as permitted by law.

8. Cross-Border Data Transfers

Your data is primarily stored and processed in India. If any data is transferred outside India, we ensure appropriate safeguards are in place in compliance with the DPDP Act, 2023 and any rules notified by the Central Government regarding permissible jurisdictions.

9. Children's Data

Where applicants are below 18 years of age, we process their data only with verifiable consent from a parent or lawful guardian, in accordance with the DPDP Act, 2023. We do not undertake tracking, behavioral monitoring, or targeted advertising directed at children.

10. Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India and affected Data Principals without undue delay, in accordance with the DPDP Act, 2023. Notification will include the nature of the breach, data affected, and remedial measures taken.

11. Grievance Redressal

If you have any concerns about how your data is processed, you may contact our Data Protection Officer at [email protected]. If your grievance is not resolved within 30 days, you may approach the Data Protection Board of India as established under the DPDP Act, 2023.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or platform notification before they take effect. Continued use of the platform after changes constitutes acceptance.

13. Contact

Data Protection Officer: [email protected]

Zelium — operated from India. Registered office details available upon request.