Privacy Policy
How Transitley collects, uses, stores and protects your personal data — and the rights you hold over it under UK GDPR and India’s DPDP Act, 2023.
1Introduction and Identity of Controller
Transitley (“we”) operates transitley.com, a platform that facilitates international education admissions by connecting prospective students with institutions. We are committed to protecting your personal data and privacy in accordance with:
- The UK General Data Protection Regulation (“UK GDPR”) as retained in UK law by the European Union (Withdrawal) Act 2018, supplemented by the Data Protection Act 2018 (“DPA 2018”).
- The Digital Personal Data Protection Act, 2023 (“DPDP Act”) of India, and any rules notified thereunder.
- Any other applicable data protection legislation in force at the relevant time.
We act as the Data Controller (UK GDPR) and Data Fiduciary (DPDP Act) in respect of personal data processed through transitley.com.
| Detail | Information |
|---|---|
| Company / Trading Name | Transitley |
| Website | transitley.com |
| Contact Email | privacy@transitley.com |
| UK ICO Registration | Pending / [ICO Reg. No.] |
| India Grievance Officer | grievance@transitley.com |
| Data Protection Officer | dpo@transitley.com |
2Scope of this Policy
This Privacy Policy applies to:
- All visitors to transitley.com.
- All prospective students, applicants, or users who create an account or submit personal data or documents through the platform.
- Any third parties who interact with Transitley on behalf of an applicant.
It does not apply to third-party websites or platforms linked from transitley.com. We encourage you to review the privacy notices of those third parties independently.
3Personal Data We Collect
3.1 Identity and Contact Data
- Full legal name, date of birth, gender, nationality, country of residence.
- Email address, phone number, postal address.
- Username and password (hashed / salted).
3.2 Admission Documents (Special Category — Document Repository)
For the purpose of processing your study-abroad or admission application, we collect and temporarily store the following documents:
- Passport / travel document copies.
- Academic transcripts, degree certificates, mark sheets.
- English-language proficiency test results (e.g. IELTS, TOEFL, PTE).
- Statement of purpose / personal statement.
- Letters of recommendation.
- Financial evidence documents (bank statements, sponsorship letters).
- Visa documentation (where applicable).
- Any additional documents required by destination institutions.
3.3 Technical and Usage Data
- IP address, browser type and version, operating system.
- Pages visited, time spent, clickstream data (collected via cookies — see Section 8).
- Device identifiers.
3.4 Communications Data
- Content of messages sent through in-platform messaging or to our support team.
- Records of consent and preferences.
4Legal Basis for Processing
4.1 Under UK GDPR (Article 6)
| Purpose | Legal Basis |
|---|---|
| Processing your admission application | Article 6(1)(b) — Performance of contract |
| Account creation and platform access | Article 6(1)(b) — Performance of contract |
| Compliance with regulatory obligations | Article 6(1)(c) — Legal obligation |
| Marketing communications (opt-in only) | Article 6(1)(a) — Consent |
| Security, fraud prevention, analytics | Article 6(1)(f) — Legitimate interests |
| Processing sensitive documents | Article 9(2)(a) — Explicit consent |
4.2 Under India DPDP Act, 2023 (Section 4 & 7)
| Purpose | Legal Basis |
|---|---|
| Admission processing and platform use | Section 7(a) — Consent of Data Principal |
| Legal/regulatory compliance | Section 7(b) — Legal obligation |
| Legitimate business purposes | Section 7(f) — Legitimate uses as notified |
| Processing children’s data (under 18) | Section 9 — Verifiable parental consent required |
5How We Use Your Personal Data
- Create and manage your Transitley account.
- Match you with suitable educational institutions and programmes.
- Forward your application documents to the institutions you select.
- Communicate with you regarding your application status.
- Verify identity and prevent fraudulent submissions.
- Comply with applicable legal and regulatory obligations.
- Improve platform functionality and user experience (using anonymised analytics).
- Send you marketing communications where you have given explicit consent (you may withdraw at any time).
- Respond to enquiries and resolve disputes.
6Sharing of Personal Data
6.1 Educational Institutions
We share your application documents and personal data only with the specific institution(s) you select when submitting an application. You control which institutions receive your data. By selecting an institution, you authorise this disclosure.
6.2 Sub-processors and Service Providers
We engage sub-processors who process data strictly on our behalf and under binding data processing agreements:
| Category | Purpose |
|---|---|
| Cloud hosting provider | Secure document and data storage (UK/India data residency options) |
| Email service provider | Transactional and marketing emails |
| Analytics provider | Anonymised platform usage analytics |
| Identity verification provider | KYC and fraud prevention |
| Customer support software | Support ticket management |
6.3 Legal and Regulatory Disclosure
We may disclose personal data to law enforcement, regulatory bodies (including the UK Information Commissioner’s Office and India’s Data Protection Board), or courts if required to do so by law, court order, or in connection with legal proceedings.
6.4 No Sale of Data
We do not sell, rent, trade, or otherwise commercially exploit your personal data to third parties for their own marketing purposes. This is an absolute commitment.
7International Data Transfers
7.1 Transfers from UK
Where we transfer personal data outside the UK, we ensure adequate safeguards are in place, including:
- Transfers to countries with UK Adequacy Regulations in force.
- Use of UK International Data Transfer Agreements (IDTAs) or addenda to EU Standard Contractual Clauses.
- Binding Corporate Rules where applicable.
7.2 Transfers under DPDP Act (Cross-Border)
Personal data of Indian residents may be transferred to countries as notified by the Central Government of India under Section 16 of the DPDP Act. We maintain transfer mechanisms as prescribed by applicable rules and do not transfer data to countries on any restricted list.
8Cookies and Tracking Technologies
We use cookies and similar technologies on transitley.com. You may manage cookie preferences at any time via our Cookie Preference Centre accessible in the website footer.
| Cookie Type | Purpose & Retention |
|---|---|
| Strictly Necessary | Platform functionality, session management — Session (deleted on close) |
| Performance / Analytics | Anonymised usage data to improve the platform — 12 months |
| Functional | Remember preferences and settings — 6 months |
| Marketing (Opt-in only) | Personalised content, with your consent — 12 months |
Under UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR), non-essential cookies require your prior consent. We obtain this via our cookie banner on first visit.
9Data Retention Policy
| Data Category | Retention Period |
|---|---|
| Admission documents (passports, transcripts, financials, etc.) | Maximum 5 months — then permanently deleted |
| Account profile data (name, email, contact) | Duration of active account + 12 months after closure |
| Application records (status, institution choices) | 36 months for audit / dispute resolution |
| Consent records | 5 years from date of consent (legal evidence) |
| Support communications | 24 months from resolution |
| Cookie / analytics data | 12 months (anonymised immediately after 5-month upload window) |
| Transaction / billing records | 7 years (UK legal requirement — Companies Act / HMRC) |
| Legal hold data | Until legal proceedings are resolved |
Where retention periods under UK GDPR (storage limitation — Article 5(1)(e)) or DPDP Act (Section 8(7)) require earlier deletion, we comply with the shorter period.
10Data Security
We implement technical and organisational measures appropriate to the risk, including:
- AES-256 encryption for documents at rest; TLS 1.3 for data in transit.
- Role-based access controls — only authorised personnel and your selected institution(s) can access your documents.
- Multi-factor authentication for administrative access.
- Regular penetration testing and vulnerability scanning.
- ISO 27001-aligned information security policies.
- Immediate, irreversible deletion using NIST SP 800-88 compliant data sanitisation upon retention expiry.
- Breach detection, monitoring, and response procedures.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, notify the ICO within 72 hours (UK GDPR Article 33) and the Data Protection Board of India under the DPDP Act.
11Your Rights
11.1 Rights under UK GDPR
| Right | What it means |
|---|---|
| Right of Access (Art. 15) | Obtain a copy of your personal data held by us. |
| Right to Rectification (Art. 16) | Correct inaccurate or incomplete data. |
| Right to Erasure (Art. 17) | Request deletion of your data (‘right to be forgotten’). |
| Right to Restriction (Art. 18) | Restrict processing in certain circumstances. |
| Right to Data Portability (Art. 20) | Receive your data in a structured, machine-readable format. |
| Right to Object (Art. 21) | Object to processing based on legitimate interests or direct marketing. |
| Right to Withdraw Consent (Art. 7(3)) | Withdraw consent at any time without affecting prior processing. |
| Rights re Automated Decisions (Art. 22) | Not be subject to solely automated decisions with legal effect. |
11.2 Rights under India DPDP Act, 2023
| Right | Provision |
|---|---|
| Right to access information (Summary of data processed) | Section 11 |
| Right to correction, completion, updating of data | Section 12 |
| Right to erasure of personal data | Section 12 |
| Right to grievance redressal | Section 13 |
| Right to nominate (in case of death / incapacity) | Section 14 |
11.3 How to Exercise Your Rights
12Children’s Privacy
Transitley does not knowingly collect personal data from children under 13 years of age.
- For users aged 13 to 17 (UK) or under 18 (India), we require verifiable parental or guardian consent before processing personal data, in compliance with UK GDPR Article 8 and DPDP Act Section 9.
- If we discover that a child’s data has been collected without appropriate consent, we will delete it within 48 hours of discovery.
- Parents / guardians may contact privacy@transitley.com to review or request deletion of a minor’s data.
13Complaints and Supervisory Authorities
13.1 UK — Information Commissioner’s Office (ICO)
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the ICO:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13.2 India — Data Protection Board of India
Once the Data Protection Board of India is established under the DPDP Act, you may file a complaint through the Digital India Corporation portal as notified by the Central Government. In the interim, you may contact our India Grievance Officer:
- Email: grievance@transitley.com
- Response timeline: within 30 days.
14Updates to this Privacy Policy
We may update this Privacy Policy periodically. Material changes will be notified by:
- Email notification to registered users at least 30 days before the change takes effect.
- A prominent banner on transitley.com.
Continued use of the platform after the effective date of any updated policy constitutes acceptance of the changes.
Document Reference: TRANS-LEGAL-5.1-v1.0 · Effective 11 May 2025 · Next Review 11 May 2026. © 2025 Transitley. All rights reserved.