1. Our Commitment to the DPDP Act 2023
NeoNeev AI Private Limited is committed to full compliance with the Digital Personal Data Protection Act, 2023 (the "DPDP Act"), enacted by the Parliament of India to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data.
This page explains how we comply with the DPDP Act, what rights you have as a Data Principal, and how you can exercise those rights. This is not a replacement for our Privacy Policy but is a supplementary compliance document.
The DPDP Act, 2023 came into force in stages. NeoNeev AI has adopted a proactive compliance posture, implementing all required practices regardless of the specific notification schedule of individual provisions.
2. Our Role as Data Fiduciary
Under the DPDP Act, NeoNeev AI Private Limited acts as a Data Fiduciary — the entity that determines the purpose and means of processing personal data. This means we are responsible for:
Obtaining valid, informed consent before processing personal data
Processing personal data only for the notified purpose
Ensuring the accuracy and completeness of data
Implementing appropriate technical and organisational security safeguards
Responding to Data Principal rights requests within prescribed timelines
Establishing a grievance redressal mechanism
Deleting personal data upon withdrawal of consent or upon fulfilment of purpose
Notifying the Data Protection Board of India in case of a personal data breach
3. Categories of Personal Data Processed
The following table describes the categories of personal data we process, the purpose, and the legal basis under the DPDP Act:
| Data Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Student Identity | Name, email, phone, date of birth | Account creation and authentication | Consent |
| Academic Information | CGPA, degree, college, graduation year | AI placement score and matching | Consent |
| Skill Profile | Skills, certifications, work experience | AI talent matching and recommendations | Consent |
| Institutional Data | College name, NAAC grade, placement stats | College portal analytics and reporting | Legitimate Interest |
| Employer Data | Company name, GSTIN, hiring requirements | Employer portal and job matching | Contract Performance |
| Usage Data | Login times, features used, click paths | Platform improvement and AI training | Legitimate Interest |
| Payment Data | Billing address, transaction ID (no card numbers) | Subscription management | Contract Performance |
| Communication Records | Support tickets, emails, in-app messages | Customer support and grievance resolution | Legal Obligation |
4. Consent Framework
Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous — expressed through a clear affirmative action. Our consent framework is designed to meet these requirements:
How We Obtain Consent
During onboarding, we present a clear consent notice in plain language describing what data we collect, for what purpose, and with whom it may be shared. Consent is obtained through an explicit checkbox action — not pre-ticked boxes or bundled consents.
How We Record Consent
Every consent event is logged with a timestamp, the consent text version presented, and the user's action. These records are maintained securely for compliance audit purposes.
Granular Consent
We provide separate consent options for different processing activities — for example, separate consent for sharing your profile with employers, for marketing communications, and for AI model improvement using your data.
Withdrawal of Consent
You may withdraw your consent at any time through your account settings or by emailing privacy@neoneev.ai. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal. We will stop processing within 30 days of receiving a withdrawal request.
5. Data Principal Rights
As a Data Principal under the DPDP Act, 2023, you have the following rights which we are legally obligated to honour:
Right to Access Information
Section 11You have the right to obtain a summary of your personal data being processed by NeoNeev AI, a summary of the processing activities undertaken, the identities of all Data Fiduciaries and Data Processors with whom your data has been shared, and any other information as prescribed.
Right to Correction and Erasure
Section 12You have the right to request correction of inaccurate or misleading personal data. You also have the right to request erasure of personal data that is no longer necessary for the purpose it was collected, subject to applicable legal retention requirements.
Right to Grievance Redressal
Section 13You have the right to have your grievances addressed by our designated Grievance Officer within the timeframes prescribed by the DPDP Act. If unsatisfied, you may escalate to the Data Protection Board of India.
Right to Nominate
Section 14You have the right to nominate any other individual who shall, in the event of your death or incapacity, exercise your rights under the DPDP Act in respect of your personal data. Nomination can be made through your account settings.
6. How to Exercise Your Rights
To exercise any of your Data Principal rights under the DPDP Act, follow these steps:
- 1
Compose your request
Email privacy@neoneev.ai with the subject line: "DPDP Rights Request — [Your Name]"
- 2
Include required information
Provide your registered email address, the specific right you wish to exercise, and any relevant details or documentation to support your request.
- 3
Identity verification
We may request identity verification to ensure the security of your data and prevent unauthorised requests.
- 4
Acknowledgement
We will acknowledge your request within 72 hours.
- 5
Resolution
We will fulfill your request within 30 days as required under the DPDP Act. For complex requests, we may extend this by an additional 15 days with written notice to you.
7. Data Localisation
All Personal Data Stored in India
All personal data collected from Indian Data Principals is processed and stored on servers physically located within the territory of India, hosted on AWS India (Mumbai region). We do not transfer personal data to servers outside India.
Our commitment to data localisation ensures compliance with the DPDP Act's provisions on cross-border data transfers and protects our users' data under Indian jurisdiction.
8. Data Retention Policy
We retain personal data only as long as necessary for the purpose it was collected, or as required by applicable law. The following table provides specific retention periods by data category:
| Data Category | Retention Period |
|---|---|
| Student Profile Data | Duration of active account + 30 days post deletion |
| Academic and Skill Data | Duration of active account + 30 days post deletion |
| Employer and Institutional Data | Duration of contract + 1 year |
| Usage and Analytics Data | 2 years (anonymised) |
| Payment and Financial Records | 7 years (Companies Act compliance) |
| Support and Grievance Records | 3 years |
| AI Interaction Logs | 1 year (anonymised for model improvement) |
| Legal Hold Data | Until resolution of legal proceedings |
9. Security Safeguards
We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, disclosure, alteration, or destruction:
Encryption
AES-256 at rest, TLS 1.3 in transit for all personal data
Access Controls
Role-based access control (RBAC); principle of least privilege
Audit Logs
Comprehensive audit trails of all data access and modifications
Vulnerability Management
Regular penetration testing and security assessments
Employee Training
Mandatory data protection training for all employees handling personal data
Incident Response
Documented breach response plan; notification to Board and Data Principals as required
Vendor Assessment
Due diligence and DPAs with all sub-processors
ISO 27001 Alignment
Security management aligned to ISO/IEC 27001 framework
10. Significant Data Fiduciary Status
The DPDP Act provides that the Central Government may notify certain Data Fiduciaries as Significant Data Fiduciaries (SDFs) based on factors including volume and sensitivity of data processed, potential risk to Data Principals, and national security considerations.
Our Position: As a growing EdTech platform, our SDF status assessment is pending notification by the Government of India. As a precautionary measure, NeoNeev AI has voluntarily adopted SDF-level compliance obligations, including appointment of a Data Protection Officer and Data Audits, even before formal notification.
11. Cross-Border Data Transfers
Current Status: NeoNeev AI currently does not transfer personal data of Indian Data Principals to any servers or entities outside India. All data processing occurs within the Republic of India.
Future Policy: Should we initiate any cross-border transfers in the future, we will do so only in accordance with Section 16 of the DPDP Act and any rules notified thereunder. We will update this page and our Privacy Policy accordingly and obtain any additional consent required from Data Principals.
12. Contact Our Data Protection Officer
For matters related to data protection, DPDP Act compliance, or exercising your Data Principal rights:
Data Protection Office
Organisation: NeoNeev AI Private Limited
Email: privacy@neoneev.ai
Phone: +91 11 4050 6000
Address: Connaught Place, New Delhi 110001, India
Response Time: Within 30 days as required under DPDP Act 2023
13. Grievance Mechanism
As required under Section 13 of the DPDP Act and Rule 12 of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have designated a Grievance Officer to handle your grievances related to personal data.
For the complete details of our grievance mechanism, including our Grievance Officer's contact information, types of grievances handled, resolution timelines, and escalation to the Data Protection Board of India, please visit our dedicated:
Grievance Redressal Page14. Regulatory Updates
The DPDP Act, 2023 is a framework legislation, and the Central Government will notify various rules, standards, and guidelines over time. NeoNeev AI is committed to:
- →Monitoring all notifications, rules, and guidelines issued under the DPDP Act
- →Updating our compliance practices within 90 days of any new notification
- →Updating this page and our Privacy Policy to reflect regulatory changes
- →Communicating material changes to our users via email and in-platform notices
- →Engaging with the Data Protection Board of India as and when it is constituted
This page was last reviewed and updated in March 2026.