SkillConnect
Trust & transparency

Privacy Policy

Effective date: 27 February 2026 · Tech Catalyst Private Limited · Pune, India · Governed by Indian law.

SkillConnect ("we", "our", "us") is operated by Tech Catalyst Private Limited. We process personal data lawfully, transparently, and only for the purposes set out below. This Privacy Policy is published in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology Act, 2000, and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

1. Who we are

SkillConnect — "Skills to Careers" — is a placement portal that connects students, working professionals, universities, institutes, and companies. The Data Fiduciary (under the DPDP Act) is Tech Catalyst Private Limited, having its registered office at Pune, Maharashtra, India (CIN: U72900PN2022PTC209876).

2. Categories of personal data we collect

We collect only what we need, in these categories:

  • Account data — name, email, role (student / working professional / company / university / institute), bcrypt-hashed password, login timestamps.
  • Profile data — college, graduation year, skills, projects, social links (LinkedIn, GitHub), photo, resume PDF.
  • Activity data — lessons completed, assessments attempted, certificates issued, applications submitted, interview slots, offers, messages.
  • Sensitive personal data (collected only with explicit, granular consent and used only for the stated purpose) — voluntary EEO data (gender / disability / category), payment instrument details (processed by our PCI-DSS-compliant payment partners; we never store the full card number), Aadhaar last-4 digits (only where mandated for institutional onboarding and never the full number).
  • Cookies & technical data — a single first-party JWT session cookie, IP address (for security & rate-limiting), device / browser type, pages viewed.
  • User-generated content — postings, comments, messages, reviews. By submitting, you grant us a non-exclusive licence to host, display, and distribute within the platform.

3. Lawful basis for processing (DPDP §6)

We process personal data based on:

  • Explicit, informed consent — for non-essential cookies, marketing emails, voluntary EEO data, and resume sharing with employers.
  • Performance of a contract — to provide the platform services you signed up for.
  • Compliance with a legal obligation — tax records, court orders, lawful requests from law-enforcement.
  • Legitimate uses (DPDP §7) — security incident response, fraud prevention, and aggregated, non-identifying analytics.

4. Purposes — why we use your data

  • Operate, maintain, and improve the platform.
  • Match students with relevant postings & employers; surface analytics & placement outcomes to institutes.
  • Send transactional notifications (interview slots, offer letters, password resets) — these cannot be opted out of without closing your account.
  • Send marketing communications (only with your prior opt-in; opt-out link in every email).
  • Detect fraud, abuse, plagiarism in assessments, and bot signups; preserve the integrity of certifications.
  • Comply with statutory, regulatory, and audit obligations.

5. With whom we share your data

We do not sell your personal data. We share strictly on a need-to-know basis:

  • Employers / recruiters — only the profile fields and resume you choose to make visible. Sourced candidates added by recruiters can request closure of their record at any time.
  • Universities / institutes — placement outcomes of their own enrolled students (you control which fields are visible).
  • Service providers under contract — MongoDB Atlas (database), Amazon Web Services (hosting), Resend (email), Stripe (payments). All are bound by data-processing agreements and process data only on our documented instructions.
  • Law-enforcement & regulators — only on receipt of a valid legal demand (written, signed by an authorised officer, citing the applicable statute).
  • Corporate transactions — successor-in-interest in a merger / acquisition, with prior notice to you and an option to delete your account.

6. Cross-border data transfers

Our primary servers are located in India (ap-south-1). If we ever transfer your data outside India for processing (e.g., backup replication), we will publish the destination country in our list of cross-border transfers at /legal/cross-border, follow the conditions of DPDP §16, and apply Standard Contractual Clauses.

7. Retention

  • Account data — for as long as your account is active, plus 24 months after closure (for audit & legal hold).
  • Resumes uploaded — until you delete the file or close the account; backups are purged within 90 days.
  • Audit logs — 5 years (statutory minimum under the IT Act).
  • Application + offer records — 3 years from outcome (for placement-outcome statistics).
  • Inactive accounts — we email you 30 days before automatic deletion after 24 months of zero activity.

8. Your rights as a Data Principal (DPDP §11–14)

You may at any time, free of charge:

  • Access — request a copy of all the personal data we hold about you. Self-serve at Profile → My Data → Export.
  • Correction — fix inaccurate or out-of-date data via Profile → Edit. For data you cannot self-edit, email privacy@skillconnect.com.
  • Erasure — close your account and trigger deletion at Profile → My Data → Close account. We honour the request within 30 days, subject to legal-hold exceptions.
  • Withdrawal of consent — revoke consent for any optional processing at Profile → My Data → Consents. Withdrawal does not affect lawfulness of processing before withdrawal.
  • Grievance redressal — escalate to our Grievance Officer (Section 13) if you are not satisfied with our response.
  • Nominate — appoint another individual to exercise your rights in case of death or incapacity (write to privacy@skillconnect.com).

9. Data security

  • Passwords hashed with bcrypt (cost factor ≥ 12).
  • Authentication via short-lived JWTs in httpOnly, Secure, SameSite=Lax cookies.
  • TLS 1.2+ end-to-end. HSTS enabled.
  • Daily encrypted backups with 7-day point-in-time recovery.
  • Quarterly third-party penetration tests; semgrep AST scans on every PR; XXE-hardened resume parser (defusedxml).
  • Principle of least privilege internally; PII access logged and reviewed.

10. Children

We do not knowingly collect personal data of children under 16. If you believe a child has signed up, write to privacy@skillconnect.com — we will delete the account within 7 days and notify the parent / guardian.

11. Cookies

We use a single first-party session cookie to keep you logged in. We do not use third-party advertising trackers. See our full Cookie Policy at /legal/cookies.

12. Updates to this policy

We will update this Policy when our practices change. Material changes will be notified via in-app banner and / or email at least 14 days in advance. The current effective date is listed at the top.

13. Data Protection Officer & Grievance Officer (IT Rules 2021 §3)

For any privacy concern, write to our Data Protection Officer:

privacy@skillconnect.com (response within 7 working days).

If unresolved, escalate to our Grievance Officer:

Grievance Officer, SkillConnect — grievance@skillconnect.com

Tech Catalyst Private Limited, Attn: Grievance Officer, Pune, Maharashtra — 411014, India

Acknowledgement within 24 hours, resolution within 15 days (acknowledged within 24 hours).

If you remain unsatisfied, you may approach the Data Protection Board of India (under the DPDP Act).

Questions? Write to support@skillconnect.com. Privacy concerns to privacy@skillconnect.com. Formal grievances to grievance@skillconnect.com.