1. Who we are
This Privacy Policy applies to Harshh & Co., a brand division of Acquisition Monk Private Limited ("the Company", "we", "us", "our"). For the purposes of the Digital Personal Data Protection Act, 2023, the Company is the "Data Fiduciary" responsible for your personal data.
Registered office: Bandra West, Mumbai, Maharashtra, India.
Contact for privacy queries: operations@harshh.co.
2. What data we collect
We collect personal data only when you provide it to us, or when it is automatically generated through your use of our website and programmes.
2.1 Data you provide
- Identity data: Full name, email address, phone number, business name, GSTIN where applicable
- Programme data: Information you submit in applications, intake forms, homework, and community posts
- Payment data: Billing address and tax information; full card details are processed by Razorpay and never stored by us
- Communication data: Emails, messages, and support tickets you send us
2.2 Data automatically collected
- Usage data: Pages visited, time spent, click paths on our website
- Device data: IP address, browser type, device type, operating system
- Cookie data: Functional and analytics cookies (see Section 7)
3. Why we collect it
| Purpose | Lawful basis |
|---|---|
| Deliver programmes you have purchased | Performance of contract |
| Process payments and issue invoices | Performance of contract |
| Send programme updates, schedules, and reminders | Performance of contract |
| Send marketing newsletters and product updates | Your consent (opt-in) |
| Improve our website, programmes, and services | Legitimate interest |
| Comply with tax, accounting, and legal obligations | Legal obligation |
| Detect and prevent fraud or abuse | Legitimate interest |
4. Who we share data with
We do not sell your personal data. Ever. Period.
We share data only with the following categories of recipients, and only to the extent necessary:
- Payment processors: Razorpay (for payment processing and invoicing)
- Email service providers: ConvertKit, Postmark (for transactional and marketing emails)
- Communication platforms: Slack (for the community), Zoom (for live calls)
- Analytics: Plausible (a privacy-focused analytics provider that does not use cookies or track personal data)
- Cloud infrastructure: Amazon Web Services, Google Cloud (for hosting)
- Tax and accounting professionals: Where required by Indian law
- Legal authorities: Where required by a valid legal order
All third parties we share data with are bound by confidentiality and data protection obligations.
5. International transfers
Some of our service providers operate servers outside India. Where personal data is transferred outside India, we ensure equivalent levels of protection through standard contractual clauses or by selecting providers with adequate data protection frameworks.
6. How long we keep your data
- Active member data: For the duration of your active enrolment plus 7 years (for tax record-keeping under Indian law)
- Marketing list data: Until you unsubscribe, after which it is deleted within 30 days
- Application data (declined): 12 months, then deleted
- Website analytics: 90 days in identifiable form, then aggregated and anonymised
- Support tickets: 24 months for product improvement, then deleted
7. Cookies
We use a minimal set of cookies. We do not use third-party advertising cookies or tracking pixels.
- Strictly necessary cookies: Session management, security tokens. Cannot be disabled.
- Functional cookies: Remember your preferences (e.g., dark/light mode).
- Analytics: We use Plausible Analytics, which is cookieless and does not track personal data. There is no opt-in required.
You can control cookies via your browser settings. Disabling strictly necessary cookies may affect site functionality.
8. Your rights under DPDP Act 2023
You have the following rights regarding your personal data:
- Right to access: Request a copy of the personal data we hold about you
- Right to correction: Ask us to correct inaccurate or incomplete data
- Right to erasure: Ask us to delete your data, subject to our legal retention obligations
- Right to grievance redressal: Raise a complaint about how your data is being handled
- Right to nominate: Nominate another individual to exercise these rights on your behalf in case of incapacity or death
- Right to withdraw consent: Withdraw consent for any processing based on consent, at any time
To exercise any of these rights, write to operations@harshh.co. We will respond within 30 days.
9. Data security
We implement reasonable technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) for all data exchanged with our servers
- Encryption at rest for sensitive data stored in our databases
- Access controls limiting personal data access to authorised personnel only
- Regular security reviews and updates of our infrastructure
- Incident response procedures and breach notification protocols
While we take security seriously, no method of transmission or storage is 100 percent secure. In the event of a data breach affecting your personal data, we will notify you and the Data Protection Board within 72 hours of becoming aware of the breach.
10. Children's data
Our programmes are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us personal data, contact us immediately at operations@harshh.co and we will delete it.
11. Marketing communications
We send marketing emails only if you have actively opted in (e.g., by subscribing to our newsletter). You can unsubscribe at any time via the link in every marketing email or by writing to us. Transactional emails (programme updates, receipts, schedules) are part of the contract and cannot be opted out of without leaving the programme.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to active members at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent change.
13. Grievance Officer
In compliance with Section 5(7) of the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer:
Name: Privacy & Data Protection Lead
Email: operations@harshh.co
Postal: Acquisition Monk Pvt Ltd, Bandra West, Mumbai, Maharashtra, India
Response time: Within 30 days of receipt
If you have any questions about this Privacy Policy, write to operations@harshh.co. We answer every email personally and within 30 days.