Legal Document
Privacy Policy
iThinkers Olympiad â Fivesep Pvt. Ltd.
1
Introduction
Fivesep Pvt. Ltd. ("Fivesep", "we", "us", "our") operates the iThinkers Olympiad, India's most insightful school Olympiad experience, through two digital platforms: www.iThinkersOlympiad.com (the "Main Website") and practice.iThinkersOlympiad.com (the "Practice Portal"), collectively referred to as the "Platforms".
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, with whom we share it, and what rights you have in relation to it. We are committed to protecting your privacy and handling all personal data â especially data relating to students who are minors â with the highest standards of care, transparency, and legal compliance.
â ī¸ This Policy is especially important if you are a Parent or Guardian. All students participating in the iThinkers Olympiad are minors. We process student data only through schools acting as authorised intermediaries, and strictly in compliance with the Digital Personal Data Protection Act, 2023. Please read Section 10 (Children's Privacy) carefully.
By accessing or using the Platforms, you acknowledge that you have read and understood this Privacy Policy. If you are a school administrator registering students, you confirm that you have obtained all necessary parental/guardian consents for the processing described in this Policy.
2
Who We Are
đī¸ Data Fiduciary â Fivesep Pvt. Ltd.
CompanyFivesep Pvt. Ltd. (incorporated under the Companies Act, 2013)
Address12A01, Tower 3, Paras Seasons, Sector 168, Noida, Uttar Pradesh â 201301, India
GSTIN09AAFCF3112J1ZS
Websitewww.iThinkersOlympiad.com
Phone+91 9266766901â904
For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), Fivesep Pvt. Ltd. is the Data Fiduciary â the entity that determines the purpose and means of processing personal data on the Platforms. Schools that register students act as intermediaries and are responsible for obtaining and maintaining verifiable parental consent on our behalf.
3
Scope & Applicability
3.1
This Privacy Policy applies to all personal data processed in connection with the Platforms, including data collected from: (a) school administrators and coordinators; (b) students (through their schools); (c) parents and guardians; and (d) any other visitor to or user of the Platforms.
3.2
This Policy covers both the Main Website (ithinkersolympiad.com) and the Practice Portal (practice.ithinkersolympiad.com). Where practices differ between the two platforms, this Policy expressly states so.
3.3
This Policy does not apply to third-party websites or services linked from the Platforms. We encourage you to review the privacy policies of any third-party sites you visit.
3.4
This Privacy Policy should be read alongside our Terms & Conditions, which govern your use of the Platforms and are incorporated herein by reference.
4
Information We Collect
4A â School & Administrator Data
When a School submits a Registration Form, we collect the following from school personnel:
| Data Element | Source | Purpose |
|---|---|---|
| School name & address | Registration Form | Dispatch of materials, invoicing |
| Principal's name, mobile, email | Registration Form | Primary communication & recognition |
| Coordinator's name, mobile, email | Registration Form | Exam coordination & support |
| Board affiliation | Registration Form | Curriculum alignment |
| GSTIN | Registration Form | Tax compliance & invoicing |
| Total student count | Registration Form | Resource planning |
| Payment reference data | Payment submission | Fee reconciliation |
4B â Student Data (Collected via Schools)
Minimal Data by Design: We collect the absolute minimum personal data necessary from students. We do not collect date of birth, home address, religion, caste, biometric information, or any sensitive personal data from students.
| Data Element | Source | Purpose |
|---|---|---|
| Full name | School / Registration Form | Certificates, results, reports |
| Class & section | School / Registration Form | Subject eligibility, ranking |
| School name | School / Registration Form | School-level aggregation |
| SAC ID (Student Access Code) | Generated by Fivesep | Portal access, results, continuity |
| OMR responses | Physical OMR sheets | Evaluation, scoring, reports |
| Practice attempt data | Practice Portal (via SAC ID) | Performance analytics, reports |
| Audio-visual data (Qualifiers only) | Proctored session | Examination integrity only â deleted within 90 days |
4C â Automatically Collected Technical Data
When any visitor accesses the Platforms, our servers and third-party analytics tools automatically collect:
| Data Element | Collected By | Platform |
|---|---|---|
| IP address | Hostinger server logs | Both |
| Browser type & version | Server logs | Both |
| Device type & operating system | Server logs / Google Analytics | Both |
| Pages visited, time on page, referral URL | Google Analytics | Both |
| User interactions (clicks, scroll depth) | Google Analytics | Both |
| Approximate geographic location (city/country level) | Google Analytics | Both |
| Event data (page views, conversions) | Meta Pixel (Facebook/Instagram) | Main Website only |
| Practice session data (time per question, attempts) | Practice Portal systems | Practice Portal only |
| Cookies and similar identifiers | See Section 8 | Both |
4D â Payment Data
4.1
When schools remit fees, payment-related data (payer name, contact number, transaction reference, amount) is processed by our payment partners. We do not store full payment card details on our servers. See Section 9 for details of our payment processors.
5
How We Collect Data
5.1
Directly from Schools: Through the physical or online Registration Form submitted by school administrators to order@ithinkersolympiad.com or via the Main Website's registration portal.
5.2
From Students (indirectly, via Schools): Schools provide student name and class details during registration. Students interact with the Practice Portal using their SAC ID, and their usage data is collected automatically during those sessions.
5.3
Through Physical OMR Sheets: Completed answer sheets submitted by schools are scanned and digitised for evaluation. The data extracted (SAC ID, answer selections) is used to generate results and reports.
5.4
Automatically via Cookies and Tracking Technologies: When visitors browse the Platforms, cookies and similar technologies collect technical and behavioural data. See Section 8 for full details.
5.5
Via Communications: When schools, parents, or visitors contact us by email, phone, or WhatsApp, we retain those communications for the purpose of responding and record-keeping.
5.6
From Schools Voluntarily: Photographs and event images shared by schools with Fivesep for marketing purposes (see Section 7.5).
6
Why We Process Your Data (Legal Basis)
Under the DPDP Act 2023 and applicable Indian law, we rely on the following lawful bases to process personal data:
| Processing Activity | Legal Basis |
|---|---|
| School registration & exam administration | Performance of contract (Registration Form) |
| Student SAC ID creation, results, certificates | Consent (obtained by school on parents' behalf) |
| Practice portal access & performance analytics | Consent (obtained by school on parents' behalf) |
| Fee processing via Razorpay / IDFC Bank | Performance of contract; legal obligation |
| Google Analytics & Meta Pixel tracking | Legitimate interest (website improvement); consent via cookie banner |
| Grievance handling & legal compliance | Legal obligation |
| Marketing communications to school contacts | Legitimate interest / consent |
| Proctoring data (Qualifiers Round) | Consent (explicit, provided at time of Qualifiers registration) |
âšī¸ Children's Data (DPDP Act, Section 9): All student data is processed on the basis of verifiable parental consent, obtained and maintained by the School as our authorised intermediary. Fivesep does not directly interact with minors for the purpose of obtaining consent.
7
How We Use Your Data
7A â Core Examination Services
7.1
Processing student registrations, generating SAC IDs, dispatching question papers, evaluating OMR responses, producing results and academic reports, and distributing medals and certificates.
7.2
Enabling and maintaining student access to the Practice Portal, including subject-wise practice, mock tests, performance tracking, and parent-facing progress dashboards.
7.3
Communicating examination updates, logistics, deadlines, and support to school administrators and coordinators.
7B â Financial & Legal
7.4
Processing and reconciling fee payments, generating invoices and receipts, and complying with GST, TDS, and other applicable tax obligations.
7C â Marketing & Recognition
7.5
School Photographs: Photographs voluntarily shared by schools (award ceremonies, events) may be used on the Platforms, social media, and marketing materials. Schools are responsible for having obtained parental consent before sharing photographs containing students.
7.6
School Performance References: We may reference a school's general participation statistics (e.g., "School X participated with 500 students") in promotional content without separate consent. Individual student names, photographs, or scores are not used for marketing without explicit parental consent.
7.7
Marketing Emails / WhatsApp: We may send newsletters, exam updates, and promotional communications to school coordinators and principals. Recipients may opt out of non-transactional communications at any time by emailing support@iThinkersOlympiad.com with the subject line "Unsubscribe".
7D â Platform Improvement
7.8
Aggregated, anonymised analytics from Google Analytics and practice portal usage data are used to improve question quality, platform performance, and user experience. This data does not identify individual students.
7.9
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects on any individual.
8
Cookies & Tracking Technologies
8A â What Are Cookies
Cookies are small text files placed on your device by websites you visit. They are widely used to make websites function efficiently and to provide analytical information to website owners. The Platforms use cookies and similar technologies as described below.
8B â Cookies We Use
| Cookie Type | Provider | Purpose | Duration |
|---|---|---|---|
| Strictly Necessary | Fivesep (Hostinger) | Login sessions, security, platform functionality | Session |
| Analytics | Google Analytics (GA4) | Page views, user behaviour, platform improvement | Up to 2 years |
| Marketing / Tracking | Meta Pixel (Facebook/Instagram) | Ad conversion tracking, audience measurement on Main Website | Up to 90 days |
| Persistent Login | Fivesep | Remember logged-in state on Practice Portal | 30 days |
â ī¸ Important â Meta Pixel & Children: The Meta Pixel is deployed on the main website only (ithinkersolympiad.com) and is used for measuring the effectiveness of school outreach and advertising. It is not deployed on the Practice Portal where students log in. We have configured Google Analytics and Meta Pixel to anonymise IP addresses and to avoid sending data that could identify individual students. We do not use these tools to create behavioural profiles of minors.
8C â Google Analytics Disclosure
8.1
We use Google Analytics 4 (GA4), a service provided by Google LLC, USA. GA4 collects data about your visits (pages viewed, time on site, device type) and sends it to Google's servers, which may be located outside India. We have enabled IP anonymisation. Google's privacy policy is available at policies.google.com/privacy. You may opt out using the Google Analytics Opt-out Browser Add-on.
8D â Meta Pixel Disclosure
8.2
We use the Meta Pixel, a tracking tool provided by Meta Platforms, Inc., USA. The Meta Pixel records actions taken on the Main Website (such as page visits and form submissions) and may match this data with your Facebook or Instagram account if you are logged in. This data helps us measure the effectiveness of our school outreach campaigns. Meta's privacy policy is available at facebook.com/privacy/policy. You may manage your preferences via Facebook Ad Preferences.
8E â Managing Cookies
8.3
You may control and delete cookies through your browser settings. Please note that disabling strictly necessary cookies may affect the functionality of the Platforms. Most browsers allow you to: (a) view cookies stored; (b) delete individual or all cookies; (c) block third-party cookies; and (d) set preferences for future cookies.
8.4
A cookie consent banner will be displayed on your first visit to the Platforms. Strictly necessary cookies are set without consent; analytics and marketing cookies are set only upon your acceptance. You may withdraw consent at any time by clearing your cookies and re-visiting the Platform.
9
Data Sharing & Disclosure
We do not sell, rent, or trade personal data. We share data only in the limited circumstances described below:
9A â Payment Processors
| Processor | Data Shared | Purpose | Location |
|---|---|---|---|
| Razorpay Software Pvt. Ltd. | Payer name, contact, amount, transaction reference | Online fee collection & reconciliation | India (PCI DSS compliant) |
| IDFC FIRST Bank Ltd. | Account holder details, NEFT/RTGS/DD reference | Direct bank transfer for school fees | India |
Both payment processors are India-based and PCI DSS compliant. We do not store full card numbers or CVV on our servers. Payment data is processed directly by the respective processor's secure payment infrastructure.
9B â Hosting & Infrastructure
9.1
The Platforms are hosted on Hostinger International Ltd., a web hosting provider headquartered in Kaunas, Lithuania, EU. Data stored on our servers â including school and student data â resides on Hostinger's infrastructure. See Section 11 (Cross-Border Data Transfers) for how we address this.
9C â Analytics Providers
9.2
Google LLC (USA): Anonymised visit and behaviour data from Google Analytics. Data is processed under Google's standard contractual clauses.
9.3
Meta Platforms, Inc. (USA): Aggregated event data from Meta Pixel on the Main Website. No student personal data is shared with Meta.
9D â Courier & Logistics Partners
9.4
For dispatching question papers, medals, certificates, and results packages, we share the school name and registered address with courier and logistics partners. No student-level personal data is shared with courier partners.
9E â Legal & Regulatory Disclosure
9.5
We may disclose personal data to law enforcement agencies, courts, or regulatory authorities where required by applicable law, including in response to valid legal processes such as court orders, government directives, or CERT-In requirements.
9F â Business Transfers
9.6
In the event of a merger, acquisition, restructuring, or sale of assets involving Fivesep, personal data may be transferred to the successor entity, provided that the successor agrees to process such data in accordance with this Privacy Policy or a policy offering equivalent or greater protection.
10
Children's Privacy (DPDP Act 2023)
All students participating in the iThinkers Olympiad are minors (under 18 years of age). This section sets out our specific obligations and protections under Section 9 of the Digital Personal Data Protection Act, 2023.
10A â Parental Consent
10.1
We do not directly solicit personal data from students. All student data is provided to us by the School acting as the authorised representative of the student's parent or guardian. By registering students, the School represents and warrants that it has obtained verifiable parental or guardian consent for each student, permitting Fivesep to process that student's data as described in this Privacy Policy.
10.2
Schools must maintain records of parental consent and must provide evidence of consent to Fivesep upon request. If a parent/guardian withdraws consent, the School must notify Fivesep promptly at support@iThinkersOlympiad.com.
10B â Minimal Collection & No Profiling
10.3
We collect only the minimum data necessary from students (name, class, school, SAC ID). We do not create behavioural profiles of students, serve targeted advertisements to students, or use student data for any purpose other than delivering the Olympiad services.
10.4
The Meta Pixel and Google Analytics are not deployed on the Practice Portal where logged-in students interact. These tracking tools operate only on the Main Website, which is principally accessed by school administrators and parents, not students.
10C â No Tracking or Advertising to Minors
10.5
Fivesep does not knowingly engage in behavioural tracking, targeted advertising, or data monetisation involving students. If we learn that student data has been used in a manner inconsistent with this commitment, we will take immediate corrective action.
10D â Parental Rights
10.6
Parents and guardians may exercise the following rights in respect of their child's data by contacting the Grievance Officer (Section 19): (a) access the data held about their child; (b) request correction of inaccurate data; (c) request erasure of data (subject to exam integrity and legal retention obligations); and (d) withdraw consent for future processing.
10.7
Where consent is withdrawn, we will cease processing the student's data for non-essential purposes. However, we may retain data to the extent required to fulfil pending examination obligations, generate results already in progress, or comply with legal requirements.
11
Cross-Border Data Transfers
â ī¸ International Data Transfer Notice: Some of our service providers are located outside India. When data is transferred internationally, we ensure appropriate safeguards are in place as required by the DPDP Act 2023 and any applicable rules.
| Recipient | Country | Data Transferred | Safeguard |
|---|---|---|---|
| Hostinger International Ltd. | Lithuania / EU GDPR Zone | All data stored on Platforms | EU Standard Contractual Clauses; GDPR adequacy framework |
| Google LLC (Analytics) | USA Data Processing Agreement | Anonymised visit/behaviour data | Google's DPA; Standard Contractual Clauses; IP anonymisation enabled |
| Meta Platforms, Inc. (Pixel) | USA Data Processing Agreement | Aggregated event data (Main Website only) | Meta's DPA; no student data transferred |
| Razorpay Software Pvt. Ltd. | India Domestic | Payment transaction data | PCI DSS; RBI guidelines |
| IDFC FIRST Bank Ltd. | India Domestic | Bank transfer details | RBI regulated; banking secrecy laws |
11.1
By using the Platforms, you acknowledge that your data may be transferred to and processed in countries other than India. We take reasonable steps to ensure that such transfers comply with applicable data protection laws and that your data receives an adequate level of protection.
11.2
We do not transfer student personal data (name, class, SAC ID, academic results) to any entity outside India, except to the extent that such data is incidentally processed by our hosting provider (Hostinger) in connection with providing the server infrastructure.
12
Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Student academic records (name, SAC ID, results, reports) | 5 years from examination date | Enable historical access; continuity across years |
| School registration & coordinator data | 7 years from last transaction | GST compliance; legal obligations under Companies Act |
| Payment transaction records | 8 years | Tax law; financial audit requirements |
| OMR sheet scans | 2 years after results dispatch | Dispute resolution; appeals window |
| Practice portal session data | 5 years (linked to SAC ID) | Academic continuity; historical performance |
| Proctoring audio-visual data (Qualifiers) | 90 days after examination | Examination integrity only |
| Marketing communications records | 3 years from last interaction | Consent records; opt-out management |
| Server logs (IP, access records) | 12 months | Security; CERT-In compliance |
| Cookie / analytics data | As per Google Analytics / Meta Pixel settings | Website analytics (anonymised after 14 months) |
12.1
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be attributed to any identifiable individual.
12.2
Where a parent/guardian or school requests deletion of student data before the 5-year retention period, we will consider such requests on a case-by-case basis. We will honour deletion requests where they do not conflict with: (a) pending examination obligations; (b) results already in process; (c) legal retention obligations; or (d) SAC ID continuity required for future participation.
13
Your Rights Under the DPDP Act 2023
Under the Digital Personal Data Protection Act, 2023, Data Principals (individuals whose data is processed) have the following rights. For students, these rights are exercised by their parents or guardians through the School or directly with our Grievance Officer.
| Right | Description | How to Exercise |
|---|---|---|
| Right to Access | Obtain a summary of personal data held by us and the processing activities carried out. | Email Grievance Officer |
| Right to Correction | Request correction of inaccurate or incomplete personal data. | Email Grievance Officer with correct details |
| Right to Erasure | Request deletion of personal data where no longer necessary for the stated purpose, subject to legal retention obligations. | Written request to Grievance Officer |
| Right to Grievance Redressal | Lodge a complaint if you believe your data has been processed in violation of the DPDP Act. | Grievance Officer (Section 19) |
| Right to Nominate | Nominate an individual to exercise your rights in the event of your death or incapacity. | Written request to Grievance Officer |
| Right to Withdraw Consent | Withdraw previously given consent for non-essential processing. Withdrawal does not affect lawfulness of prior processing. | Email Grievance Officer |
13.1
We will respond to all rights requests within 30 days of receipt. Where we are unable to fulfil a request, we will explain the reason in writing.
13.2
If you are dissatisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDP Act 2023.
14
Data Security
14.1
We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, accidental loss, destruction, disclosure, or alteration. These measures include:
- Encryption in transit: All data transferred between your browser and our servers is encrypted using TLS (HTTPS).
- Access controls: Student data is accessible only to authorised Fivesep personnel on a need-to-know basis, and to school coordinators only in respect of their own school's data.
- Secure payment processing: Payment card data is processed directly by PCI DSS-compliant payment processors. We do not store card numbers or CVV on our systems.
- SAC ID authentication: Practice portal access is protected by individual SAC ID credentials.
- Physical security: Physical OMR sheets are handled and stored securely during processing and destroyed after the applicable retention period.
- Vendor due diligence: We review the security practices of key service providers (Hostinger, Razorpay) before engagement.
Important: While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of data. We encourage schools to use strong passwords, keep login credentials confidential, and promptly notify us of any suspected unauthorised access.
15
Data Breach Response
15.1
In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, we will:
- Contain the breach and assess its scope and severity without undue delay.
- Notify affected schools and/or individuals within 72 hours of becoming aware of the breach, where feasible, or as soon as reasonably practicable thereafter.
- Report the breach to the Computer Emergency Response Team India (CERT-In) and the Data Protection Board of India (once constituted) in accordance with applicable legal requirements.
- Provide affected parties with information about the nature of the breach, data categories affected, likely consequences, and remedial measures taken.
- Maintain an internal register of all breaches, regardless of whether notification to authorities is required.
15.2
Schools and users are requested to immediately report any suspected data breach, unauthorised access, or suspicious activity to support@iThinkersOlympiad.com or call +91 9266766901.
16
Marketing Communications
16.1
We may send the following communications to school principals, coordinators, and other registered school contacts:
- Transactional: Registration confirmations, payment receipts, question paper dispatch notices, results announcements. These are essential to the service and cannot be opted out of.
- Operational: Exam reminders, OMR submission deadlines, logistics updates. These are sent only during active registration cycles.
- Promotional: Newsletters, new subject launches, early registration offers, Olympiad updates. You may opt out of these at any time.
16.2
We may communicate via email and/or WhatsApp. We do not send marketing communications directly to students or parents without the school's explicit facilitation.
16.3
Opting Out: To unsubscribe from promotional communications, email support@iThinkersOlympiad.com with the subject "Unsubscribe" or reply "STOP" to any WhatsApp message. We will process your opt-out within 5 business days.
16.4
We do not send marketing communications to students. Practice portal notifications (progress updates, practice reminders) are operational communications linked to the service and are not marketing communications.
17
Third-Party Links & Embedded Content
17.1
The Platforms may contain links to third-party websites (such as social media platforms, educational resources, or payment portals). Once you leave our Platforms, this Privacy Policy no longer applies. We encourage you to read the privacy policy of any third-party site you visit.
17.2
The Main Website may embed content from third-party platforms, including YouTube video embeds and social media links. These third parties may set their own cookies and collect data when you interact with their embedded content. We are not responsible for their data practices.
17.3
Third-party advertisers whose content appears on the Platforms operate independently. We are not responsible for the privacy practices of advertisers. Please refer to their individual privacy policies.
18
Updates to This Privacy Policy
18.1
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Platform features. The updated Policy will be published on this page with a revised "Effective Date".
18.2
For material changes that significantly affect how we use personal data, we will notify registered school contacts by email at least 15 days before the change takes effect. We encourage you to review this Policy periodically.
18.3
Continued use of the Platforms after the effective date of any amendment constitutes your acceptance of the revised Privacy Policy.
19
Grievance Officer & Contact
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act 2023, we have designated a Grievance Officer to address privacy-related concerns, data rights requests, and complaints.
đ Grievance Officer â Fivesep Pvt. Ltd. / iThinkers Olympiad
CompanyFivesep Pvt. Ltd.
Address12A01, Tower 3, Paras Seasons, Sector 168, Noida â 201301, Uttar Pradesh, India
WhatsApp+91 9625905959
ResponseAcknowledged within 48 hours ¡ Resolved within 30 days
19.1
All privacy requests, data access requests, correction requests, erasure requests, and complaints should be submitted in writing to the Grievance Officer at the email address above. Please include: (a) your name and contact details; (b) the nature of your request or complaint; (c) relevant details such as SAC ID or school name; and (d) any supporting documentation.
19.2
If you are dissatisfied with the resolution provided by our Grievance Officer, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDP Act 2023, or approach a court of competent jurisdiction in India.
Your privacy matters to us. We are committed to being transparent about our data practices and protecting every student's personal information.
Fivesep Pvt. Ltd. | iThinkers Olympiad
Š 2026 Fivesep Pvt. Ltd. All rights reserved. | GSTIN: 09AAFCF3112J1ZS