LSBF India Privacy Policy

Introduction

LSBF Institute of Education Private Limited (“LSBF India”, “we”, “us”, or “our”) is a company incorporated under the Companies Act, 2013 and registered in India. We are committed to protecting the personal data of all individuals (“Data Principals”) who interact with us — including prospective students, enrolled students, alumni, parents or guardians, faculty, staff, and visitors to our website and facilities. 

This Privacy Notice (“Notice”) is issued in compliance with the Digital Personal Data Protection Act, 2023 (“DPDPA” or “the Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”) notified by the Ministry of Electronics and Information Technology (MeitY). It explains what personal data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and what rights you have as a Data Principal. 

Please read this Notice carefully. By providing your personal data to us — whether through our website, application forms, or in person — you acknowledge that you have read and understood this Notice. 

Who We Are – Data Fiduciary

Under the DPDPA, LSBF Institute of Education Private Limited is the “Data Fiduciary” — the entity that determines the purpose and means of processing your personal data. We are solely responsible for all processing activities described in this Notice. 

We operate educational programmes in India, offering professional qualifications, diplomas, and certification courses in the areas of business, finance, accounting, logistics, information technology, hospitality, and healthcare. Our operations are entirely domestic, and this Notice is governed exclusively by Indian law. 

Personal Data We Collect

We collect only such personal data as is necessary and proportionate to the purposes for which it is processed. The categories of personal data we collect include: 

Purposes of Processing and Legal Grounds

Under Section 4 of the DPDPA, personal data may only be processed where there is a lawful ground — either the free, specific, informed, unconditional, and unambiguous consent of the Data Principal, or a legitimate use specified under the Act. The table below sets out the purposes for which we process your data and the applicable legal ground:

Purpose of Processing	Data Categories Used	Legal Ground (DPDPA)
Processing admission applications and enrolment	Identity, Academic, Contact	Consent (Section 6)
Delivering educational programmes and services	Identity, Academic, Contact	Consent / Legitimate Use
Issuing certificates, transcripts, and academic records	Identity, Academic	Legitimate Use (legal obligation)
Fee collection, invoicing, and financial administration	Identity, Financial, Contact	Consent / Legitimate Use
Compliance with statutory and regulatory obligations (e.g., UGC, AICTE, income tax)	Identity, Financial, Contact	Legitimate Use (legal obligation)
Communicating with you regarding your programme, services, or account	Identity, Contact	Consent
Marketing our programmes and events (with your consent)	Identity, Contact	Consent (Section 6) — opt-in only
Operating and improving our website and digital platforms	Technical, Usage	Consent
Conducting surveys and improving service quality	Contact, Feedback	Consent
Preventing fraud, ensuring campus security, and protecting legal rights	Identity, Contact, Technical	Legitimate Use
Providing academic support and reasonable adjustments for disability	Identity, Special Category	Explicit Consent

Note on Marketing: We will only send you promotional or marketing communications where you have affirmatively opted in. You may withdraw your consent at any time by contacting our DPO or using the unsubscribe link in any marketing email.

Consent — How We Obtain and Manage It

Where we rely on consent as the legal ground for processing, we ensure that such consent is:

• Free — not bundled with any terms that make it a condition of service (except where strictly necessary); 
• Specific — separately sought for each distinct processing purpose; 
• Informed — accompanied by a clear notice describing the personal data being collected and the purpose; 
• Unconditional — not contingent on your agreeing to unrelated processing; and 
• Unambiguous — indicated by a clear affirmative action, such as ticking a checkbox.

Consent may be provided electronically through our website, online admission portal, or via signed written forms. Where personal data was collected prior to the commencement of these provisions, we will seek fresh consent in accordance with the transition obligations under the DPDPA.

Withdrawal of Consent

You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal. Where consent is withdrawn, we will cease processing for the relevant purpose, except where continued processing is required under a legitimate use or statutory obligation. To withdraw consent, please contact our DPO using the details in Section 14.

Sharing of Personal Data

We do not sell your personal data. We share your personal data only to the extent necessary and only with the following categories of recipients:

Cross-Border Transfers of Personal Data

Our primary processing activities are conducted within India. Where personal data is transferred to any recipient located outside India — for example, to our affiliated institutions or international examination bodies — we ensure that such transfers are made only in accordance with the requirements prescribed by the Central Government under Section 16 of the DPDPA. 

We will not transfer personal data to any country or territory that has been restricted or blocked by the Central Government of India for cross-border data transfers. We maintain records of all cross-border data flows and ensure contractual or other safeguards are in place before any such transfer is effected.

Data Retention

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by applicable law, whichever is longer. Our general retention principles are:

Student Academic Records	Retained for a minimum of 10 years after graduation or last enrolment, in line with institutional and regulatory requirements.
Financial Records	Retained for 8 years from the end of the relevant financial year, as required under Indian tax and accounting laws.
Admission Applications (unsuccessful)	Retained for 2 years from the date of the final decision.
Marketing Consent Records	Retained for the duration of the consent and for 2 years thereafter.
Website Usage Data (logs)	Retained for up to 12 months.
Employee and HR Data	Retained for the duration of employment and for a minimum of 6 years thereafter.

Upon expiry of the applicable retention period, personal data is securely deleted or anonymised. Where deletion is imminent, we will notify you at least 48 hours in advance as required under the DPDP Rules. Data required for the investigation or resolution of a breach or dispute may be retained for a longer period as required under the DPDPA Rules or other applicable law.

Your Rights as a Data Principal

The DPDPA grants you, as a Data Principal, the following rights in relation to your personal data that we process. You may exercise any of these rights by submitting a request to our DPO using the contact details set out in Section 14.

Right to Access (Section 11)	You have the right to obtain a summary of the personal data we hold about you, the purposes for which it is being processed, and the identities of any third parties with whom it has been shared in the preceding 12 months.
Right to Correction and Erasure (Section 12)	You have the right to request that we correct inaccurate or incomplete personal data, and to erase personal data that is no longer necessary for the purpose for which it was collected, subject to our lawful retention obligations.
Right to Grievance Redressal (Section 13)	You have the right to have your grievances addressed by us within 30 days of lodging a complaint. If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India.
Right to Nominate (Section 14)	You have the right to nominate another individual who may exercise your rights in the event of your death or incapacity.
Right to Withdraw Consent	As described in Section 5.1, you may withdraw consent for any processing activity that is based on consent at any time, with effect from the date of withdrawal.

We will respond to all valid requests within 7 (seven) working days of receipt, in accordance with Rule 14 of the DPDP Rules, 2025. We may request proof of identity before processing your request to prevent unauthorised access. 

Note: These rights do not apply where the processing is carried out in connection with the prevention or detection of an offence, enforcement of a legal right or claim, or where a specific exemption under the DPDPA or its Rules applies. 

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These include: 

• Encryption of personal data in transit and at rest 
• Role-based access controls limiting data access to authorised personnel only 
• Regular vulnerability assessments and security audits 
• Staff training on data protection and information security 
• Incident response and breach notification procedures

In the event of a personal data breach, we will notify the Data Protection Board of India and all affected Data Principals promptly — and in any event within the timeframe prescribed under the DPDPA and DPDP Rules — with details of the breach, its likely consequences, and the remedial measures we have taken or propose to take. 

Processing of Children’s Personal Data

We are mindful of our obligations in relation to children’s data under the DPDPA and DPDP Rules. For the purposes of this Notice, a “child” is any individual under 18 years of age. 

Where we collect personal data from or about a child, we will obtain verifiable parental or guardian consent in accordance with Rule 10 of the DPDP Rules, 2025. The parent or guardian must be verified as an adult (18 years or above) using reliable identity documentation before processing of the child’s data commences. 

We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children. We do not process children’s personal data in any manner that may cause detrimental effects to the child’s well-being. 

If we become aware that we have inadvertently collected personal data from a child without appropriate parental consent, we will take immediate steps to delete such data and notify the parent or guardian.

Cookies and Digital Tracking

Our website uses cookies and similar tracking technologies to improve your browsing experience, analyse usage, and support our digital communications. We categorise cookies as follows:

• Strictly Necessary Cookies: Required for the website to function and cannot be disabled. 
• Analytical / Performance Cookies: Help us understand how visitors interact with our website. These are activated only with your consent. 
• Marketing Cookies: Used to display relevant advertisements. These are activated only with your explicit, affirmative opt-in consent.

You may manage your cookie preferences at any time through our cookie consent banner or by adjusting your browser settings. Withdrawing cookie consent will not affect your ability to access our core website or services.

Grievance Redressal Mechanism

If you have any concerns, questions, or complaints regarding this Notice or the manner in which we handle your personal data, you may contact our Grievance Officer:

Name	Jatin Rawal
Designation	Chief Legal Officer
Email Address	greviance@lsbfindia.org
Postal Address	A 21/13, Naraina Industrial Area, Phase 2, New Delhi-110028
Response Timeline	Within 30 days of receipt of complaint

If you are not satisfied with the resolution provided by our Grievance Officer, you may file a complaint with the Data Protection Board of India once the Board is fully constituted and operational. Details of the Board’s complaint mechanism will be published on the MeitY website and the Board’s official portal.

Contact Our Data Protection Officer

Our Data Protection Officer (DPO) is responsible for overseeing compliance with the DPDPA and for handling enquiries and requests from Data Principals:

Name	Ramyalakshmi Annamalai
Email Address	rannamalai@lsbf.edu.sg
Telephone	+91 92173 32521
Postal Address	A 21/13, Naraina Industrial Area, Phase 2, New Delhi-110028
Working Hours*	Monday to Friday, 9:00 AM – 5:30 PM IST

*Excluding Holidays

Changes to This Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our data processing practices, applicable law, or regulatory guidance. When we make material changes, we will:

• Publish the updated Notice on our website with a revised “Effective Date” 
• Notify you by email or through our student portal where the changes materially affect how we process your personal data; and 
• Where required under the DPDPA, obtain fresh consent for any new processing purposes.

We encourage you to review this Notice periodically to stay informed of how we protect your personal data. Continued engagement with our services following notification of any changes constitutes acknowledgement of the updated Notice, but not a waiver of any rights you hold under the DPDPA.

Governing Law and Jurisdiction

This Privacy Notice is governed by and construed in accordance with the laws of India, including the Digital Personal Data Protection Act, 2023, the Digital Personal Data Protection Rules, 2025, and any other applicable Indian legislation. 

Any dispute arising out of or in connection with this Notice shall be subject to the exclusive jurisdiction of the courts in New Delhi, India, and, where applicable, to the adjudicatory authority of the Data Protection Board of India.