Privacy Policy

This Privacy Policy applies to ATC Quest (the "Platform"), operated by Aarna Tech Consultants Private Limited, a company incorporated under the Companies Act, 2013, with its registered office at 72 G Road, Kadma, Jamshedpur, Jharkhand 831005, India (CIN: U72900JH2021PTC017144). References to "we", "us", or "our" in this Policy refer to Aarna Tech Consultants Private Limited and its authorized affiliates.

Quest is primarily an enterprise (B2B) learning platform. Organizations ("Client Organizations") purchase licenses to enrol and train their employees, contractors, and associated learners on the Platform. In that arrangement, the Client Organization acts as the Data Fiduciary for its learners, and we act as Data Processor, processing learner data on the Client Organization's instructions in accordance with our service agreement. Where Quest is accessed directly by an individual without an enrolling organization, we act as the Data Fiduciary for that individual.

For any data protection inquiry, you may contact our Grievance Officer at [email protected] or +91 8986860088.

This Privacy Policy applies to all users of Quest, including:

• Learners — individuals enrolled in courses through their employer's license or directly on the Platform.
• Client Administrators and Single Points of Contact (SPOCs) — authorized representatives of Client Organizations who manage learners, groups, licenses, reports, and reminders.
• System Administrators — internal Quest operators with elevated privileges over the Admin Panel.
• Committee members, reviewers, and instructors associated with specific courses, feedback forms, or certification workflows.
• Visitors to our public pages, login screens, support pages, and help resources.

This Policy does not cover third-party websites or services that may be linked from the Platform. Please review those third parties' own privacy policies before sharing personal data with them.

We collect data that you provide directly, data generated as you interact with the Services, and data received from third parties such as identity providers and Client Organizations.

We collect personal data through the following channels:

• Direct input — when you register, log in, complete your profile, take a course, submit a quiz, file a support ticket, or request a report.
• Client Organization upload — when your employer uploads learner data in bulk (CSV/Excel) to assign courses, groups, or licenses.
• Single Sign-On (SSO) — when you sign in via Microsoft Azure AD, we receive name, email, tenant ID, and object ID from the identity provider.
• Automatic collection — our servers log device, usage, system, and session data through server logs, cookies, and local/session storage.
• Third-party integrations — where enabled, we may receive data from Zoho CRM, Google APIs, and our email/storage providers.
• Offline interactions — correspondence, onboarding forms, MSAs, and license purchase orders submitted to our teams.

5.1 Service delivery

• Authenticate you and maintain your session using JWT tokens, Azure AD, and optional MFA.
• Deliver course content including adaptive-bitrate HLS video streams, quizzes, assessments, and downloadable resources.
• Track progress, evaluate quiz responses, issue certificates and badges, and power the learner dashboard.
• Enforce role-based access control across Admin, Client Admin, SPOC, and Learner roles.

5.2 Client Organization reporting

• Generate progress, completion, engagement, and compliance reports for Client Administrators and SPOCs.
• Provide dashboards, master reports, and entity-wise reports in the Admin Panel.

5.3 Communication

• Send transactional emails (account creation, password reset, OTP, enrolment confirmations, certificate issuance, reminders). You cannot opt out of these.
• Send optional notifications and learning nudges configured by your organization; manage DND preferences in account settings.
• Respond to support tickets and facilitate conversations between learners, SPOCs, committees, and support.

5.4 Platform security and integrity

• Detect and prevent fraud, account takeover, brute-force attempts using rate limiting, encrypted payloads, and audit logging.
• Automatically log out idle sessions to protect accounts on shared devices.
• Investigate suspicious activity, policy violations, and incidents.

5.5 Service improvement

• Analyse aggregated and de-identified usage patterns to improve course delivery and UX.
• Debug issues, monitor uptime and latency, and roll out new features.

5.6 Legal and compliance

• Comply with applicable laws including the DPDP Act 2023, IT Act 2000, tax and accounting laws, and respond to lawful requests.
• Enforce our Terms of Service, Refund & Cancellation Policy, and Enterprise Agreements.

5.7 What we do not do

Depending on the context, we process personal data on one or more of the following legal bases under the DPDP Act:

• Performance of contract — to provide the Services you or your Client Organization have signed up for.
• Consent — where you have explicitly agreed to a specific processing activity. You may withdraw consent at any time.
• Legitimate interests — for platform security, fraud prevention, aggregated analytics, and service improvement.
• Legal obligation — for tax, audit, record-keeping, and regulatory requirements.
• Public interest or vital interest — in exceptional circumstances, such as legally binding requests or protecting safety.

We use cookies, local storage, session storage, and server-side session identifiers strictly for functionality, security, and performance — not for advertising.

You can control cookies through your browser settings. Blocking strictly-necessary cookies will prevent you from signing in.

We share limited personal data with the following recipients, on a need-to-know basis with contractual safeguards:

• Client Organizations and their authorized Administrators/SPOCs — for learner progress and compliance reports.
• Cloud infrastructure providers — including AWS S3 for file/media storage, hosting, and database providers.
• Identity and SSO providers — Microsoft Azure AD, Google identity services, and configured SSO tenants.
• Operational service providers — email delivery, SMS/OTP, Zoho CRM, analytics/monitoring, and job queue infrastructure.
• Payment and invoicing partners — card numbers, UPI PINs, and credentials are handled directly by these partners.
• Professional advisors — legal, accounting, and audit firms, bound by confidentiality.
• Government or regulatory authorities — where disclosure is required by law.
• A successor entity — in the event of a merger, acquisition, or reorganization, with notice as required by law.

We implement technical and organizational measures to protect personal data:

Despite our best efforts, no method of electronic transmission or storage is completely secure. You are responsible for keeping your credentials confidential and promptly notifying us at [email protected] if you suspect unauthorized access.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

• Learner account and activity data — retained for the duration of the license/enrolment, and thereafter as required by agreement or law.
• Issued certificates and badges — retained for ongoing verification, even after the license term ends, unless revoked.
• Audit logs and security records — retained per regulatory, forensic, and incident-response requirements.
• Support ticket content — retained while necessary for support and a reasonable period thereafter.
• Financial records — invoices, GST credit notes, license purchases retained per Indian tax and accounting laws.

Upon termination of a license or at your lawful erasure request, we delete or anonymize personal data per our deletion workflows, subject to mandatory retention obligations.

Quest is primarily operated and hosted in India. Certain infrastructure providers, SSO providers (Microsoft, Google), and support tools may process data outside India. Where such transfers occur, we rely on contractual safeguards, service-provider privacy commitments, and applicable cross-border transfer rules under the DPDP Act.

Under the DPDP Act, 2023, you have the following rights:

• Right to access — request a summary of personal data we process about you.
• Right to correction and erasure — request correction of inaccurate data, and erasure where no longer necessary.
• Right to withdraw consent — withdraw at any time without affecting prior lawful processing.
• Right to grievance redressal — raise a complaint with our Grievance Officer (Section 16).
• Right to nominate — nominate another individual to exercise your rights in the event of death or incapacity.

If enrolled through a Client Organization, requests may need to go through your Client Administrator/SPOC. To exercise your rights, contact [email protected].

Quest is intended for individuals aged 18 years or older, or minors under the supervision and consent of a parent, lawful guardian, or authorized Client Organization. We do not knowingly collect personal data from children in violation of applicable law. Where we become aware of such collection without verifiable consent, we will promptly delete it.

Quest integrates with select third-party services, each operating under its own privacy policy:

• Microsoft Azure Active Directory and Microsoft Graph APIs — for SSO and identity federation.
• Google APIs — where enabled by your organization for sign-in, calendar, or drive integrations.
• Amazon Web Services — for object storage (S3), file uploads, and certificate asset hosting.
• Zoho CRM — for managing license sales, onboarding, and customer records.
• Email delivery and OTP providers — configured through our back-end mailer and messaging services.

We do not control and are not responsible for the privacy practices of these third parties.

In the event of a personal data breach likely to result in risk to your rights and interests, we will notify the Data Protection Board of India, the affected Client Organization, and affected individuals as required by the DPDP Act. Notifications will contain the nature of the breach, categories of data involved, likely consequences, and measures taken to address and mitigate the breach.

We process personal data in accordance with the Digital Personal Data Protection Act, 2023. If you have a grievance, contact our Grievance Officer:

We will acknowledge your grievance within a reasonable period and seek to resolve it in accordance with applicable law. If unsatisfied, you may approach the Data Protection Board of India.

We may revise this Privacy Policy from time to time. When we make material changes, we will post the updated Policy with a revised "Last updated" date and, where appropriate, notify you by email or in-Platform notice. Your continued use of the Services after the effective date constitutes acceptance of the revised Policy.

If you have questions or concerns about this Privacy Policy or our data practices, please contact: