Privacy Policy
Last updated: 2026-05-05 · Version v1.0
This privacy policy explains how Star Aviation Academy ("we", "us") collects and processes your personal data when you visit https://staraviationindia.org/, our admissions microsite, or any of our funnel landing pages. We comply with the Digital Personal Data Protection Act 2023 ("DPDPA") of India.
1. Data we collect
- Identity: name, email, mobile number, ICP type (student / parent)
- Programme interest: 12th marks (F1 only), stream preference, state, 12th status
- Session telemetry (only with Analytics consent): page views, scroll depth, time on form, session duration, device type
- Attribution (only with Advertising consent): UTM parameters, Google Ads gclid, Meta fbclid, _fbp / _fbc / _ga cookies
- Server-enriched (always): hashed IP (SHA-256), country/region, user agent, server timestamp
2. Why we collect it (purpose)
- To process your admission inquiry and provide counselling (DPDPA Sec 7 — performance of contract)
- To send programme information, fee details, and SAAT 2026 updates via WhatsApp / email / phone
- To improve our website and content (with Analytics consent)
- To show you relevant programmes on Google and Meta platforms (with Advertising consent)
- To prevent fraud and abuse (legitimate interest under DPDPA Sec 7(b))
3. Who we share it with
We share the minimum necessary data with the following processors. Each is contracted and bound by a data-processing agreement:
- Supabase — database (hosted in AWS Mumbai, ap-south-1)
- Cloudflare — website + Worker hosting + DNS
- Resend / SES — transactional email
- Meta Platforms (Facebook / Instagram) — Conversions API + Pixel (only with Advertising consent)
- Google LLC — Google Ads + Analytics 4 (only with Advertising / Analytics consent)
- Microsoft Clarity — session recording (only with Analytics consent)
- WhatsApp Business API — for messaging you about your inquiry
4. How long we keep it (retention)
- Active leads: until enrollment decision, then archived for 3 years (statutory tax + admissions audit)
- Soft-deleted leads: PII redacted within 30 days, hard-purged after 90 days
- Session telemetry: 12 months
- Consent audit log: 5 years (DPDPA grievance trail)
5. Your rights
Under DPDPA, you have the right to:
- Access: request a copy of all data we hold about you
- Correction: ask us to correct inaccurate data
- Erasure: ask us to delete your data (we soft-delete within 30 days)
- Withdraw consent: for analytics / advertising at any time via Manage Cookies
- Grievance: raise a concern with our grievance officer (contact below)
6. Cookies and tracking
We use three categories of cookies, controlled by your consent banner choice:
- Essential (always on): form submission, fraud prevention, CSRF protection. No personal identifiers.
- Analytics (opt-in): _ga (Google Analytics), Microsoft Clarity session ID. Helps us improve the site.
- Advertising (opt-in): _fbp / _fbc (Meta), conversion tracking. Used to show you relevant ads.
7. Data security
- All data encrypted in transit (HTTPS / TLS 1.3) and at rest (Supabase AES-256)
- IP addresses never stored raw — only SHA-256 hashed with a private salt
- Row-level security policies prevent unauthorized access
- API keys stored as encrypted environment variables in Cloudflare Workers
- Quarterly access audits
8. Children's data
Our programmes are aimed at students aged 17 and above. If you are under 18, please ensure your parent or guardian provides consent before submitting your details. We will request additional verifiable parental consent for applicants identified as minors.
9. Cross-border data
Our primary database is hosted in India (AWS Mumbai). Some processors (Meta, Google, Resend) operate globally. We rely on standard contractual clauses for international transfers, in compliance with DPDPA Section 16.
10. Grievance Officer
Grievance Officer (Data Protection)
Star Aviation Academy
P-76, New Palam Vihar, Sector-110, Gurugram (Gurgaon) — 122017, Haryana, India
📧 info@staraviationacademy.com
Response SLA: within 7 working days
11. Updates to this policy
We may update this policy. Significant changes will trigger a new consent banner prompt. The effective version is shown at the top of this page.