Privacy Policy

This notice explains what personal data Griya Academy processes, why we process it, and how users can exercise their privacy rights.

Last updated: March 2, 2026

Who this notice covers

This notice applies to visitors, learners, instructors, venue operators, company partners, organizers, and administrators who use Griya Academy through our website, applications, or APIs.

Personal data we collect

We process account and profile data such as name, email address, role, login identifiers, avatar, verification status, and contact details you provide.

Depending on the workflow you use, we may also process course enrollments, learning progress, identity verification submissions, payout details, support messages, venue or company data, and consent records.

  • Authentication and security data such as session, CSRF, refresh-token, and device metadata.
  • Operational telemetry such as page views, search events, and product usage events when optional analytics consent is granted.
  • Administrative records such as audit entries, notifications, payment-review artifacts, and abuse-prevention logs.

Why we use personal data

We use personal data to create accounts, deliver courses, manage purchases and venue workflows, protect the platform, respond to support requests, and comply with legal obligations.

Where applicable, we also use data to personalize learning experiences, measure product performance, and improve conversion flows when optional analytics consent has been granted.

Legal bases

We generally rely on contract performance to provide the service you request, legitimate interests to secure and improve the platform, legal obligations to retain records or respond to lawful requests, and consent where optional analytics or marketing technologies are involved.

Jurisdiction-specific rights

For GDPR and similar frameworks, users may request access, correction, deletion, restriction, objection, export, and withdrawal of consent where applicable.

For Indonesia's Personal Data Protection Law (UU PDP), users may request information about processing, complete or update data, end processing in some cases, and request deletion or destruction where legally appropriate.

For California privacy laws such as CCPA and CPRA, California residents may request to know, access, delete, and correct personal information, limit certain sensitive-data uses where applicable, and opt out of sale or sharing if those activities ever become relevant.

Sharing and processors

We share data only with service providers and partners that help us host the platform, store files, deliver communications, review payments, or measure product usage on our behalf.

Examples of processor categories include infrastructure and storage providers, analytics providers, authentication providers, communication tools, and payment or banking operations where relevant.

Sale, sharing, and targeted advertising

Griya Academy does not sell personal information for money. Optional analytics and marketing tools may involve disclosures or sharing that some jurisdictions treat as targeted advertising or cross-context behavioral advertising, but those tools stay disabled until the user grants consent.

If the platform enables any broader advertising or data-sharing practice in the future, the relevant opt-out controls and notices should be updated before launch.

International transfers

Some processors may process data outside your country. Where international transfers apply, Griya Academy should rely on an appropriate transfer mechanism and vendor contractual safeguards before enabling the relevant service in production.

Retention

We keep data only for as long as needed for the purpose it was collected, to satisfy contractual obligations, to resolve disputes, and to meet legal, accounting, or security requirements.

Operational retention windows for learning events, notifications, tokens, and consent records should be enforced through backend jobs and documented in the data-retention runbook.

Your rights

Depending on your location, you may have rights to access, export, correct, delete, restrict, or object to certain processing, and to withdraw consent for optional analytics or marketing at any time.

Signed-in users can manage optional tracking through the privacy settings panel and can use self-service tools in account settings to download their data or request account deletion.

If you believe your data has been handled unlawfully, you may also raise a complaint with the data protection authority or regulator that supervises your jurisdiction.

Children and guardian flows

Griya Academy is not directed to children under 13. If a learner is under the minimum age required by local law, guardian consent and verification steps may be required before certain data-processing or course features are enabled.

If the platform is ever expanded into a child-directed service or knowingly collects data from children under 13, additional COPPA-specific notices, parental consent flows, and review controls must be deployed before launch.

Security

We apply layered controls such as authentication cookies, CSRF protection, rate limiting, audit logging, redaction, consent-aware analytics ingestion, and operational monitoring to reduce misuse and unnecessary exposure of personal data.

Payments and PCI scope

The current product flow uses manual bank-transfer review and administrative approval. Griya Academy should not collect, store, or transmit payment card numbers, CVV values, or magnetic-stripe data through this workflow.

If card processing is added in the future, production should move that workflow behind a PCI-capable payment provider and update the privacy notice, payment notice, and internal scoping documentation before accepting live card data.