Data Protection Policy
BUDDY MENTOR
www.buddymentor.ai
GDPR POLICY
General Data Protection Regulation (EU) 2016/679
Vishesham Private Limited
Effective Date: 07 May 2026 | Last Updated: 07 May 2026
1. Applicability of GDPR
This GDPR Policy applies to individuals who are located in member states of the European Union (EU) and the European Economic Area (EEA) and who access or use the Buddy Mentor platform operated by Vishesham Private Limited (“Vishesham,” “we,” “us,” or “our”). It supplements and should be read alongside the Privacy & Cookie Policy, which applies to all Users of the Platform globally.
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to Vishesham’s processing of personal data of EU/EEA residents by virtue of the Platform’s global reach and the offering of services to Data Subjects located within the EU/EEA, regardless of where Vishesham itself is established. Accordingly, to the extent that Vishesham processes the personal data of EU/EEA residents, it shall do so in compliance with the GDPR.
Given that Buddy Mentor explicitly caters to a global audience, including users based in EU member states, this GDPR Policy is mandatory and not merely precautionary.
2. Data Controller
For the purposes of the GDPR, Vishesham Private Limited acts as the Data Controller in respect of personal data collected from EU/EEA residents through the Platform. The contact details of the Data Controller are:
Vishesham Private Limited
Registered Office: A43, Block 55, Jeevan Bhima Nagar, Anna Nagar West Extension, Chennai – 600101, India
Operational Office: 126, SIDCO Plug & Play, 3rd Main Road, Ambattur Industrial Estate, Chennai – 600058, India
Email: contact@buddymentor.ai
As Vishesham is established outside the EU/EEA, EU/EEA residents may also contact our appointed representative or Data Protection Officer (DPO), where designated, at the email address above.
3. Personal Data We Process
In the course of providing the Buddy Mentor platform to EU/EEA residents, we process the following categories of personal data:
Identity Data: Full name, age, gender;
Contact Data: Email address, mobile number, postal address;
Profile Data: Profile photograph (where voluntarily uploaded), username, account preferences;
Financial Data: Payment transaction records processed through third-party payment gateways (we do not directly store card data or banking credentials);
Technical Data: IP address, device identifiers, browser type and version, operating system, session data, and log information;
Usage Data: Information about how you use the Platform, including pages visited, content accessed, duration of sessions, and interaction patterns;
User-Generated Content: Reviews, Tech Diary entries, Drill submissions, and Q&A responses;
Marketing and Communication Data: Preferences in receiving marketing communications and your communication history with us; and
Social Login Data: Where you register using a Social Media Account (such as Google or LinkedIn), we receive data in accordance with the permissions you grant on that platform.
4. Purposes and Legal Bases for Processing
Vishesham processes the personal data of EU/EEA residents on the following lawful bases as defined under Article 6 of the GDPR:
4.1 Performance of a Contract (Article 6(1)(b))
We process personal data where such processing is necessary for the performance of our contract with you, or to take steps at your request before entering into a contract. This includes:
Creating and managing your account;
Providing access to Courses, mentorship, assessments, and other Platform features;
Processing payments and managing subscriptions; and
Communicating with you regarding your account and purchased services.
4.2 Compliance with Legal Obligations (Article 6(1)(c))
We process personal data where necessary to comply with our legal obligations under applicable law, including record-keeping, tax, and regulatory reporting requirements.
4.3 Legitimate Interests (Article 6(1)(f))
We process personal data where it is necessary for the purposes of our legitimate interests, provided such interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interests include:
Improving and developing the Platform and its features;
Monitoring and ensuring the security and integrity of the Platform;
Preventing fraud, abuse, and unlawful activity;
Conducting analytics and business intelligence; and
Enforcing our Terms of Service and other policies.
4.4 Consent (Article 6(1)(a))
Where we process personal data on the basis of your consent, such as for marketing communications or for the placement of non-essential cookies, we shall obtain your explicit, freely given, informed, and unambiguous consent before doing so. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to such withdrawal.
5. Special Categories of Personal Data
Vishesham does not intentionally collect or process special categories of personal data (within the meaning of Article 9 of the GDPR), including data relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation, biometric data, or genetic data. If you choose to voluntarily disclose any such information in User-Generated Content, you do so at your own risk and at your own discretion.
6. International Transfers of Personal Data
Vishesham is incorporated and operates in India. By using the Platform, EU/EEA residents acknowledge that their personal data will be transferred to and processed in India, which is a country outside the EU/EEA.
Such international transfers are made on the basis of appropriate safeguards in accordance with Chapter V of the GDPR. Where India has not been granted an adequacy decision by the European Commission, we implement appropriate transfer mechanisms, which may include Standard Contractual Clauses (SCCs) as approved by the European Commission, or other lawful transfer mechanisms as may be applicable.
We also transfer personal data to third-party service providers (including payment gateways, cloud hosting providers, and analytics services) who may process data in jurisdictions outside the EU/EEA. All such transfers are subject to appropriate contractual safeguards as required by the GDPR.
7. Data Retention
We retain personal data of EU/EEA residents for no longer than is necessary for the purposes for which it was collected, and in any event for a maximum period of three (3) years from the date of last activity on your account, unless a longer retention period is required by applicable law or is necessary for the establishment, exercise, or defence of legal claims.
At the expiry of the retention period, personal data shall be securely deleted or anonymised in a manner that prevents re-identification.
8. Rights of EU/EEA Data Subjects
As an EU/EEA resident, you have the following rights under the GDPR in respect of your personal data processed by Vishesham:
8.1 Right of Access (Article 15)
You have the right to obtain confirmation as to whether we process personal data concerning you and, if so, to receive a copy of that data along with information about the purposes of processing, categories of data, recipients, and retention periods.
8.2 Right to Rectification (Article 16)
You have the right to request that we correct any inaccurate personal data concerning you, or complete any incomplete data, without undue delay.
8.3 Right to Erasure / ‘Right to be Forgotten’ (Article 17)
You have the right to request the deletion of your personal data where: the data is no longer necessary for the purposes for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. Certain exceptions apply, including where the data is necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
8.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data where: you contest the accuracy of the data; the processing is unlawful but you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected to processing pending verification of our legitimate grounds.
8.5 Right to Data Portability (Article 20)
Where processing is based on consent or on the performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller where technically feasible.
8.6 Right to Object (Article 21)
You have the right to object at any time to the processing of your personal data where such processing is based on our legitimate interests (Article 6(1)(f)), including profiling based on those interests. We shall cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless the processing is necessary for the establishment, exercise, or defence of legal claims.
You also have the right to object at any time to the processing of your personal data for direct marketing purposes, including profiling to the extent that it relates to direct marketing.
8.7 Rights Related to Automated Decision-Making and Profiling (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or which similarly significantly affects you, except where such processing is necessary for a contract, authorised by law, or based on your explicit consent.
8.8 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you have the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing carried out prior to the withdrawal.
8.9 Right to Lodge a Complaint (Article 77)
If you consider that the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the supervisory authority of the EU member state in which you habitually reside, work, or where the alleged infringement occurred. A list of EU supervisory authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en
9. How to Exercise Your Rights
To exercise any of the rights set out in Section 8 above, please submit a written request to us at:
Email: contact@buddymentor.ai
Subject Line: GDPR Data Subject Request
We shall respond to your request within one (1) month of receipt. In cases of complexity or a high volume of requests, we may extend this period by a further two (2) months, in which case we shall notify you of the extension and the reasons therefor within one month of receipt of your request.
We may request proof of your identity before processing your request in order to ensure the security of your personal data and prevent unauthorised access.
There is no charge for exercising your GDPR rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to act on the request.
10. Data Breach Notification
In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of EU/EEA Data Subjects, Vishesham shall notify the affected Data Subjects without undue delay, providing information about the nature of the breach, likely consequences, and measures taken or proposed to address the breach, in accordance with Article 34 of the GDPR.
Where required, Vishesham shall also notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR.
11. Data Protection by Design and Default
Vishesham is committed to implementing the principles of data protection by design and by default as required under Article 25 of the GDPR. This means that, in the design and operation of the Platform, we consider data protection from the outset and implement technical and organisational measures to ensure that, by default, only personal data that is necessary for each specific purpose of processing is processed.
12. Third-Party Data Processors
We engage certain third-party service providers to process personal data on our behalf as data processors. All such processors are engaged pursuant to written data processing agreements that comply with the requirements of Article 28 of the GDPR, ensuring that they process personal data only on our documented instructions and implement appropriate security measures. Our data processors include providers of cloud hosting, payment processing, email delivery, analytics, and content delivery services.
13. Cookies and Tracking Technologies
In respect of EU/EEA residents, we obtain explicit consent prior to placing any non-essential cookies or similar tracking technologies on your device, in accordance with the requirements of the ePrivacy Directive (Directive 2002/58/EC) and applicable national implementing legislation. For detailed information regarding the types of cookies we use and how to manage them, please refer to the Cookie Policy section of our Privacy & Cookie Policy.
14. Contact and Complaints
If you have any questions, concerns, or complaints regarding our processing of your personal data under the GDPR, or if you wish to exercise any of your rights as a Data Subject, please contact us at:
Vishesham Private Limited
Data Protection Contact
Email: contact@buddymentor.ai
Address: A43, Block 55, Jeevan Bhima Nagar, Anna Nagar West Extension, Chennai – 600101, India
We take all data protection queries seriously and are committed to resolving them promptly and in compliance with the GDPR. If you are not satisfied with our response, you retain the right to lodge a complaint with your local data protection supervisory authority.