Overview
This Privacy Policy describes how Campus Mitra (“Campus Mitra,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you use our websites, mobile applications, dashboards, and connected services (collectively, the “Services”).
We are headquartered in Bengaluru, India, and our Services are primarily designed for students and campus communities across India. By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy.
The short version: We collect what we need to run the platform, never sell your personal data, encrypt information in transit and at rest, and give you direct controls to view, export, or delete your account at any time.
Information we collect
We collect information in three broad categories: information you give us, information we collect automatically, and information we receive from third parties.
a. Information you provide
- Account information. Your name, email address, college or institution, password (stored as a salted hash), and an optional profile photo or avatar.
- Profile and academic details. Department, year of study, areas of interest, and skills you choose to share on your public profile.
- Marketplace and transaction data. Listings you create, purchase or sale history, delivery preferences, and messages exchanged with other users.
- Content and communications. Posts, comments, reviews, support tickets, and feedback submitted through the Services.
- Payment information. When applicable, payment details are collected and processed by our payment processors. We do not store full card numbers on our servers.
b. Information collected automatically
- Device and log data. IP address, browser type, operating system, device identifiers, referrer URLs, and timestamps of requests.
- Usage data. Pages viewed, features used, interactions with listings, and the approximate location derived from your IP address for fraud prevention.
- Cookies and similar technologies. See our Cookie Policy for the full breakdown.
c. Information from third parties
- Sign in with Google. If you choose to sign in with Google, we receive your name, email address, Google account ID, and profile picture as authorized by you. We never receive your Google password.
- Campus partners and verified institutions. When your institution invites you, we may receive your enrollment status to verify eligibility for student-only features.
How we use your information
We use information to:
- Operate, maintain, and improve the Services, including authenticating users and powering core features such as marketplace listings, food discovery, and campus forums.
- Personalize your experience, including surfacing relevant deals, listings, and recommendations.
- Communicate with you about your account, security alerts, product updates, and support requests.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Measure aggregate trends and conduct analytics to improve our product and design decisions.
- Comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
We do not use the contents of your private direct messages to train machine learning models. Aggregated, de-identified data may be used to improve relevance and ranking.
Legal bases for processing
Where applicable law (including the Digital Personal Data Protection Act, 2023 in India, and the GDPR for users in the European Economic Area) requires a legal basis for processing, we rely on:
- Performance of a contract to provide the Services you signed up for.
- Legitimate interests in operating, securing, and improving the Services, balanced against your rights.
- Consent for optional features such as marketing communications, location services, and certain cookies.
- Legal obligation to comply with tax, accounting, and law enforcement requirements.
Data retention
We retain personal data for as long as your account is active and for a limited period afterward to comply with our legal obligations, resolve disputes, and enforce agreements.
- Account data: retained until you delete your account, then purged within 30 days, except where retention is legally required.
- Transaction records: retained for up to 8 years to satisfy financial and tax obligations.
- Server logs: retained for up to 90 days for security monitoring.
- Backups: may persist for up to 35 days after deletion before being overwritten on rotation.
Security
We implement administrative, technical, and physical safeguards designed to protect your data, including:
- TLS 1.2+ encryption for data in transit.
- At-rest encryption for databases, backups, and sensitive fields.
- Argon2 / bcrypt password hashing with per-user salts. We never store passwords in plain text.
- Short-lived JWT access tokens with rotating refresh tokens and optional device-bound sessions.
- Role-based access controls and least-privilege principles for our team.
- Continuous logging, intrusion detection, and a documented incident response process.
No method of transmission or storage is perfectly secure. If we detect a security incident that affects your personal data, we will notify you and the relevant authorities as required by applicable law.
Your rights and choices
Depending on where you live, you may have the right to access, correct, delete, or export your personal data, restrict or object to certain processing, withdraw consent, and lodge a complaint with your data protection authority.
You can exercise most of these rights directly:
- Access & edit: from your account settings.
- Export: request a downloadable archive of your data from the Privacy section in settings.
- Delete: permanently delete your account from settings or by emailing privacy@campusmitra.com.
- Marketing preferences: unsubscribe from any marketing email using the link at the bottom of the message.
We will respond to verified requests within 30 days, or sooner where required by law.
Minors and student users
Campus Mitra is intended for users who are at least 16 years old. If you are between 16 and 18 (or the age of majority in your jurisdiction), you may use the Services only with the involvement and consent of a parent or legal guardian.
We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact us and we will take steps to delete it.
International transfers
Your information may be processed and stored in India and in other countries where our service providers operate. When data is transferred across borders, we use appropriate safeguards such as standard contractual clauses and vendor security assessments.
Third-party services
The Services may contain links to or integrations with third-party websites and services (for example, Google Sign-In, payment providers, and map providers). Their privacy practices are governed by their own policies. We encourage you to read those policies before using those services.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice in the Services before the change takes effect. The “Last updated” date at the top of this page always reflects the most recent revision.
Contact us
If you have questions, requests, or concerns about this Privacy Policy or our data practices, please reach out:
- Email: privacy@campusmitra.com
- Grievance Officer (India): grievance@campusmitra.com
- Postal address: Campus Mitra, Bengaluru, Karnataka, India
