DATA PRIVACY POLICY
- Definitions
- “BDM / BRM” means Business Development Manager / Business Relationship Manager. This is the person responsible for managing and developing the business relationship between Invictus and the Client.
- “Client(s)” means the companies who are customers of Invictus and who have purchased licenses for eLearning modules from Invictus.
- “Data Subjects” means Users.
- “Data Breach” means a breach of security leading to the accidental or Unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- “Invictus” means Invictus Spot Events Private Limited, a company incorporated in India under the Companies Act 1956, having its address at TF-431, 3rd Floor, Ansal API Palam Corporate Plaza, Carterpuri Road, Sector 3, Gurgaon, Haryana – 122017.
- “LMS” means the website(s) on which the Learning Management System containing the online courses is hosted.
- “Personal Data / Personal Information” means any information relating to an identified or identifiable natural person (“User” or “Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Services” includes all services discharged by Invictus in implementing and hosting eLearning Modules and making content available to its Users.
- “User(s)” means any person whose Personal Data is being collected, held or processed for delivering Services.
- Purpose
- Invictus is committed to safeguarding its Users’ privacy. This Privacy Policy explains how Invictus treats its Users’ Personal Information when it processes it
- Scope
- The scope of this Privacy Policy includes the implementation and hosting of eLearning Modules by Invictus for its Clients.
- This Privacy Policy is for the data of Users / Clients which may be collected, stored and processed by Invictus for the efficient discharge of its Services.
- Data Collection
- Only required data, necessary for the efficient delivery of the Services, is to be collected from the Users.
- The following Personal Data will be collected from the Users who undertake Invictus’ online courses.
- Full Name
- Email ID
-
- In cases where SSO is not implemented or when Users do not register themselves on the LMS and Invictus is asked to create user ids and provide login credentials, this data will be provided to Invictus by the respective Clients. In case additional data such as office location, department of users is provided by the Client for the purpose of reporting, Invictus shall collect such data and use it only for the purposes as stated by the Client.
- In cases where Single Sign On or Automatic Registration has been implemented, only the aforementioned Personal Data would be collected.
- Internet Protocol (“IP”) address of Users are also collected. The IP address is used to diagnose problems with Invictus’ servers and/or software, to administer its Services.
- We may collect certain information that does not by itself identify a specific individual. Such information tells us about the User’s equipment, browsing actions, and the resources accessed and used through the online modules, such as User’s operating system and browser type.
- When a User individually or through its employer contacts Invictus for customer support, Invictus may collect additional information to resolve the issue
- Data such as login date and time, responses provided by User, progress achieved in courses by the users, quiz scores is also collected for reporting purposes and to enable the user to resume course from where they left off.
- It shall be ensured that the data to be collected and the reason or necessity for collecting such data shall be documented in writing in the contract / SoW / Agreement executed with the respective Companies.
- Data Storage and Retention
- All data is stored for a reasonable period to achieve the purpose for which they were collected, unless continued retention is required by the Client and / or the Law.
- In cases where Single Sign On / Auto Registration has been implemented, the data collected shall be stored on the LMS. The LMS and all its components along with the data collected and including the online modules maybe hosted on Invictus servers and / or on the cloud or a combination of both.
- In cases where SSO is not implemented or where users do not self-register on the website and if Invictus is asked to create users ids and provide login credentials by the Client, then in these cases the data required for creation of users ids shall be shared with Invictus through an email. Such email shall be marked to either the BRM / BDM for the Client or to support@invicus.in. The BDM / BRM may forward the aforementioned information to the support team via email. Such emails may be deleted 6 months after the expiry of the license period or as mutually decided between Invictus and the Client. The data shared over these emails shall only be downloaded on the system of the support team member assigned the job of creating the said user ids. The data downloaded on the system of the support team member shall be deleted immediately after the creation of user ids.
- Invictus may send transactional, support, certification and reminder emails to the users as mutually agreed with the Client. Invictus may use third party email delivery services like Postmarkapp, Sendgrid or any other such service providers for sending such emails. The messages sent through these email delivery services shall be removed from the service providers’ records periodically or as mutually agreed between Invictus and the Client.
- No physical copy of the data shall be made. In case, for any reason, it is imperative to make physical copy of the data, a written approval from the Client shall be taken. In such cases, when the destruction is necessary, the physical asset shall be disposed securely – either burnt, pulverized or shredded. Such disposal shall be confirmed to the Client.
- Once a user completes an online course, a completion certificate may be sent to the user. The user can also download the certificate from the course page. For the purpose of maintaining user certification records, Invictus may, periodically and / or at the end of the license period, generate a report detailing which user (user’s name, email id and organization detail) completed the course and when (date and time of completion). This report shall be shared with the Client. Invictus reserves the right to retain information regarding user certification even after the expiry of the license period. User certification records shall be stored on Google Cloud Platform and / or GSuite. This data shall be encrypted at rest.
- Any other report generated for administrative purposes or for sharing with the Client shall be stored on Google Cloud Platform and / or GSuite, if required. These records shall be deleted periodically or as mutually decided between Invictus and the Client. Any data downloaded on the system of an Invictus employee for preparing such a report and the report itself shall be deleted from the system once the report has been shared with the Client and / or stored on Google Cloud Platform and / or GSuite.
- Data Usage
- User information shall be used for the purposes set out in this Privacy Policy and as per the SoW / Agreement executed with the Client. The legal basis for using Personal Information is that either Invictus has a legitimate interest in doing so or it has the Client’s express consent. The data is used in these ways:
- Legitimate interest:
- To administer the LMS and Services;
- To present content and help users access the courses, restore progress, and personalize their experiences;
- To respond to technical support requests, enquiries and complaints by user and / or Client;
- To provide requested information to the user;
- To ensure the continuity of its services e.g. to back up the LMS and all its components;
- To send such emails as specifically requested by the Client;
- To understand how users are using the online courses, to help Invictus improve and develop its services;
- To monitor compliance with the Terms and Conditions of Invictus;
- To keep its systems secure and prevent fraud;
- To send users necessary information, if required
- To record and maintain User certification information
- To comply with its contractual obligations.
- In any other way Invictus may describe when users provide the information or when Invictus prompts the users regarding a new use of information.
Invictus does not:
- Share the data with third parties for their own purposes;
- Send unsolicited communications unless specifically requested by the Client.
- Disclosure of Information
- Invictus will share Personal Data with third parties only in the ways that are described in this Privacy Policy. Invictus does not sell, trade, rent or disclose the information to others, except as provided herein:
- Invictus provides and supports some of its Services through contractual arrangements with service providers and other third parties. These include but are not limited to, its hosting service provider; its third party subcontractors and service providers involved in the development, maintenance, backup, storage, financial administration and other integrated services as required; content delivery networks. Invictus and its service providers use Personal Data to operate Invictus’s LMS and to deliver Services.
- Invictus will also disclose Personal Data in the following circumstances: (i) if it is required by law enforcement or judicial authorities, or to cooperate with a law enforcement investigation; (ii) if Invictus has a good faith belief that it is required or permitted to do so by law or legal process; (iii) to protect its rights, reputation, property or the safety of Invictus or others; (iv) to defend or enforce its rights or Clients obligations; (v) if the disclosure is required by mandatory professional standards; (vi) to a third party with Client’s prior consent to do so.
- In the event that Invictus decides to sell all or part of its stock or assets or enter into a merger, Invictus reserves the right to include Client’s data, including Personal Data, among the assets transferred to the acquiring or surviving company.
- Data Security
- Invictus works hard to protect data and its users from unauthorised access to or unauthorised alteration, disclosure or destruction of information it holds. In particular:
- Invictus encrypts its eLearning services using SSL;
- Data stored on the LMS is encrypted at rest.
- All devices that handle Personal Data employ disk based encryption.
- Invictus does not use Personal Data in test environments.
- Invictus does not store copies of User data on any form of removable media or in any of its office locations, unless expressly required by the Client;
- Invictus regularly reviews the information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems;
- Only members of the Invictus support team shall be authorised to have privileged access to the LMS and the User information for the purpose of enabling smooth access and delivery of intended services.
- Only the Information Security Officer and the Corporate Relations Head shall be authorised to have access to the User certification records retained after the expiry of the license period.
- Invictus restricts access to Personal Information to its employees, contractors and agents on a need-to-know basis and ensure they are subject to contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
- Cookies and Other Technologies
- Invictus uses cookies when Users access its Services. Cookies are small files which transfer to Users’ hard disk. They can inform of the pages Users visit, and their preferences, which enables provision of a better online experience.
- Users can set their browser to refuse cookies, or to warn them before accepting them.
- Some parts of the LMS can be accessed even if Users’ cookies are turned off, but Users may find there are parts of the LMS which they cannot access if the cookies are turned off.
- User Rights
- The Users have several rights as summarised below:
- Access: The User will have the right to obtain confirmation as to whether their Personal Information is being processed by Invictus and, if it is, to access their information and details of how Invictus processes it, as long as this does not adversely affect the rights and freedoms of others.
- Rectification: Invictus will rectify any errors in the Personal Information it holds on request, either from the User or from the Client.
- Deletion: The User and / or the Client may ask Invictus to delete Personal Information / User Ids from its systems in the following situations:
- The information is no longer necessary in relation to the purpose for which it was collected;
- The User / Client withdraws their consent on which the processing is based and where there is no other legal ground for the processing;
- The User / Client object to the processing and there are no overriding legitimate grounds for the processing;
- The information has been unlawfully processed;
- The information has to be erased for compliance with a legal obligation to which we are subject.
It may be noted that even though user ids may be deleted on the request of the Users / Client, the process for which would be documented in the SoW / Agreement with the Company, Invictus reserves the right to retain information regarding User certification even after the expiry of the license period.
- Notification: Where User has asked to rectify, erase information, Invictus shall communicate the same to each recipient to whom User information has been disclosed, unless this proves impossible or involves disproportionate effort, in which case Invictus shall let the Company know.
Invictus shall receive requests for amendment / deletion of User information in one of the following ways.
- Email from the Client which has purchased the license
- Email from the User
When responding directly to Users, Invictus shall validate the identity of the User either by sending a verification email on their email id or through the Client. In case of any issue or dispute, Invictus shall report the matter to the Client.
- How to exercise rights
- The User / Client may get in touch with Invictus by sending an email to support@invictus.in.
- Invictus shall respond to User requests without undue delay.
- Occurrence of Data Breach
- In the unlikely event where Invictus believes that the security of the Personal Data in its control may have been compromised, Invictus will try to notify the Client without undue delay and may suspend access to its servers, emails and online systems and take other urgent steps to prevent further unauthorised access to information.
- Amendments to the Privacy Policy
- This Privacy Policy may change from time to time. Invictus shall inform its Clients through email notification of such Privacy Policy changes.