Privacy Policy
How NCC.training collects, uses, retains, and protects your personal data.
1. Who we are
NCC.training is a private online training brand operated by VSVSV (VIDHI SANGAT VIDYUT SAKSYA VINAYA) TECH (OPC) PRIVATE LIMITED. We offer self-paced courses and study material to help learners prepare for the NCC A, B, and C certificate syllabus.
We are not the National Cadet Corps, the Directorate General NCC, the Ministry of Defence, the Government of India, or any government organisation. We are not affiliated with, authorised by, or endorsed by any of them. Completing a course on NCC.training is not official NCC enrollment and does not by itself grant an official NCC certificate, government recruitment preference, or any government benefit. Those are handled only through official NCC channels.
Under India's Digital Personal Data Protection Act, 2023 (DPDPA), VSVSV (VIDHI SANGAT VIDYUT SAKSYA VINAYA) TECH (OPC) PRIVATE LIMITED, operating the NCC.training brand, is the Data Fiduciary for the personal data described in this policy. Our payment provider, our email provider, and our hosting provider are Data Processors acting on our instructions.
2. What we collect, and when
We collect the minimum data we need for what you are trying to do. Each row below is asked only at the stage where it is necessary.
At account creation (required)
| Field | Why |
|---|---|
| Display name | So we know what to call you in the product UI. |
| Email address | Your login identifier and the channel for grievance, security, and policy notices. |
| Password | Stored only as a salted bcrypt hash; we never see your plain-text password. |
| Age confirmation | "I am 18 or older, or I am a parent/guardian acting for a minor." See §7 below. |
| Consent to this policy and our Terms | Recorded with timestamp and the version hash of the policy at that time. |
Newsletter / product-update emails are a separate, unticked, optional consent — never bundled with account creation.
At profile completion (optional)
Once you are signed in you may, at your option, add a full legal name (used when you generate a certificate), mobile number (only if you opt into SMS-based account recovery or 2FA), city / state, date of birth, institution name (for your own reference), a profile photo, and a preferred language. Each field has a clear "why we ask" note and may be left blank or deleted later.
At checkout
For paid courses we collect billing name, billing email, and an optional GST number (only if you want a GST invoice). Card, UPI, and netbanking details are handled by our approved payment gateway provider — we never store, transmit, or process your full payment instrument. We receive only a payment reference, amount, currency, status, and timestamp.
At certificate generation
If you want a course-completion certificate, we ask for your full legal name (printed on the certificate body) and, optionally, your city / state.
Automatic / operational
To run the service we record server access logs (IP address, browser user-agent, requested path, response code), course-progress events (lesson started, completed, time spent), payment audit entries, and email-delivery events from our email provider. We do not enable click or open tracking in our email provider unless you separately consent to it.
3. Why we collect it
Each category above is processed for a specified, lawful purpose under DPDPA §6:
- Operating the service you signed up for — account creation, course enrollment, lesson delivery, progress tracking, assessment scoring, certificate generation, payment processing, support correspondence.
- Complying with the law — payment audit and tax-related records under the Income-tax Act and CGST Act; consent records under DPDPA; lawful requests from competent authorities.
- Security and fraud prevention — server logs and rate-limiting data, used only to keep the service safe.
- Communications you have consented to — product updates and newsletters, only if you opted in.
We do not use your personal data to make automated decisions that significantly affect you, to build behavioural profiles, or to deliver targeted advertising.
4. Who we share it with
We share the minimum data necessary with a short list of processors who act for us under a contract:
| Processor | What they receive | Why |
|---|---|---|
| Approved payment gateway provider | Order amount, currency, billing contact details, and payment reference | To collect payment for paid courses |
| Email service provider | Your email address, the email body | To deliver transactional and consented-newsletter emails |
| Hostinger (VPS host) | Database storage location for the items above | To host the application and database |
We do not sell, rent, or trade your data. We do not share it with advertising or data-broker networks. If we ever add a new processor we will update this section, notify you, and where required obtain fresh consent.
5. How long we keep it
| Category | Retained for |
|---|---|
| Account record (email, hashed password, name, consent log) | While the account is active, plus 30 days after deletion (reversible-cancel grace), then irreversibly deleted |
| Course-progress events | While the account is active; 90 days after deletion for your own export window; then deleted |
| Certificates issued (PDF + record) | 7 years after issue (in case of reissue); after account deletion, retained without your email or IP — only name, course, and date |
| Payment audit (gateway reference, amount, status) | 7 years (Income-tax Act statute) |
| GST invoice copies | 8 years (CGST Act §36 minimum) |
| Server access logs (IP, UA, path, response) | 90 days raw, then aggregated and deleted |
| Email-delivery events from the provider | 30 days for tracing, then aggregated and deleted |
| Support tickets / emails | 18 months after the ticket is resolved |
| Encrypted backup snapshots | 30-day rolling window, then overwritten |
6. Your rights (DPDPA §11–14)
Through your dashboard you can, self-serve and with one click:
- Access — download a JSON export of all the data we hold about your account.
- Correction — edit any profile field directly.
- Erasure / account deletion — irreversible after the 30-day grace; we keep only what the law forces us to keep.
- Withdraw consent — granular toggles for newsletter and any future optional purposes; withdrawing with the same ease as giving (DPDPA §6(4)).
- Grievance / complaint — a form that emails the Grievance Officer (see §12); auto-acknowledged within 24 hours; substantive response within 30 days (faster for child-related complaints).
- Nomination — name someone who may exercise these rights if you become unable to (DPDPA §13).
7. Children (under 18)
School-level NCC programmes start at around age 13, so a meaningful share of our learners are minors. DPDPA §9 prohibits behavioural monitoring of children, prohibits targeted advertising to them, and requires verifiable consent of a parent or lawful guardian before processing a child's personal data.
How parental consent works
- On the sign-up form, an age-confirmation checkbox: "I am 18 or older, or I am a parent/guardian acting for a minor." If unchecked, you are routed to the parent / guardian sign-up flow.
- The parent registers their own name, email, and password, then provides a separate explicit consent to process the child's data for the purpose of private online NCC-syllabus training.
- The parent is verified by email confirmation at the moment of sign-up; phone-OTP verification is added if/when a higher-touch feature (live class, mentoring) is used.
- The child's account is created linked to the parent account. The parent retains the consent / deletion authority.
- When the child turns 18, both parent and child are prompted to re-confirm consent under the child's own login.
What we never do on child accounts
- No third-party analytics or advertising scripts on any page reachable from a child account.
- No newsletter opt-in on the child's own account (only the parent can opt in to product updates, separately).
- No public leaderboards or share-link incentives that expose the child's name to other learners by default.
8. Cookies & local storage
We use only strictly-necessary cookies and local-storage items. No third-party analytics, advertising, or tracking pixels.
| Item | Purpose | Type |
|---|---|---|
| Session token (cookie / localStorage) | Keeps you signed in | Strictly necessary |
| CSRF token (cookie) | Protects forms against cross-site forgery | Strictly necessary |
| Consent record (localStorage) | Remembers which version of this policy you have agreed to | Strictly necessary |
| Theme / language preference (localStorage) | UI preference | Functional |
If we ever add an analytics or marketing cookie, we will ask for a separate, granular, opt-in consent through a banner and update this section accordingly.
9. Security (DPDPA §8(5))
We protect personal data with reasonable safeguards: HTTPS in transit, bcrypt-hashed passwords, signed cookies, CSRF tokens, input validation and output sanitisation, rate limiting, admin-route role checks, encrypted backups, and an internal log of admin access to user PII. We test these regularly and document each pass in our internal audit register.
10. Personal-data breach
If a personal-data breach happens, our internal runbook calls for: containment within one hour of confirmed detection; notification to the Data Protection Board of India without delay and a fuller written report within 72 hours; direct notification to affected users in plain language, telling you what happened, what data was involved, what we have done, and what you should do; faster cycles where children's data is involved.
11. Where your data is stored
NCC.training's primary database and application server are hosted in India. Our payment gateway provider processes payment data under its own regulated payment infrastructure. Our email provider may route messages through servers outside India for delivery; this is standard for SMTP and is treated as a transit, not a primary store.
DPDPA §16 lets the Central Government issue a list of countries to which personal-data transfers are restricted. If such a list is issued and any of our processors is on it, we will migrate or substitute that processor and notify you of the change.
12. Grievance Officer
Grievance Officer (NCC.training)
Email: nt@vsvsv.tech
Acknowledgement: within 24 hours of receipt.
Substantive response: within 30 days (faster for complaints involving children, payments, or security).
You may also complain to the Data Protection Board of India under DPDPA §13. We will cooperate fully with any inquiry.
13. Things we never collect
- Aadhaar, PAN, voter ID, passport, or any other government identifier — ever.
- Caste, religion, political opinions, biometrics — ever, unless a specific, lawful, legally reviewed use case is documented and you separately consent.
- Behavioural / cross-site tracking, third-party advertising trackers, fingerprinting libraries.
- Real-time location, contacts, microphone, camera — unless a future course-player feature explicitly requires it and only with separate contextual consent.
14. Changes to this policy
We will tell you about material changes by email and a dashboard banner, with at least 14 days' notice before the change takes effect. Each version increments the version number above. If you have a pending consent on the previous version, you will be asked to consent to the new version at next login.
Contact the Grievance Officer with any privacy question or request.