Privacy Policy
This is the privacy policy for withkompas.com. It complies with India's Digital Personal Data Protection Act, 2023 (DPDP) — in plain English, because the people who read it should not need a lawyer. If anything is unclear, write to our Grievance Officer (section 12).
Last updated: 29 April 2026.
1. Who we are
The Data Fiduciary for personal data collected through this website is Fragmatic Technologies Pvt Ltd (operating the Kompas AI School brand), Registered Office: M-66C, Adani Samsara, Sector-60, Gurgaon, Haryana, India — 122001, hello@withkompas.com.
In this policy, "we" / "Kompas" means Fragmatic Technologies Pvt Ltd (operating the Kompas AI School brand); "you" means the person whose data we process — what DPDP calls the Data Principal.
2. What we actually collect
We list it here in full. If a category is not on this list, we are not collecting it.
2.1 Contact-form submissions. When you submit the form at /contact, we receive: your name, role, institution, email, phone (optional), message, enquiry type, and the page you submitted from. No hidden fields, no third-party form widgets.
2.2 A short-lived rate-limit record. Our Cloudflare Worker stores your IP in a Cloudflare KV record for one hour to enforce a 5-submissions-per-IP-per-hour cap that prevents form spam. After one hour the record auto-expires.
2.3 Standard server logs. Cloudflare Pages keeps the access logs any web host keeps — IP, timestamp, URL, user agent — for security and operations. We run no application-level analytics on top of these.
2.4 What we do not collect. The website sets no cookies of our own, runs no analytics or tracking pixels, embeds no third-party scripts, and uses no marketing tags. Cloudflare's edge may set a security cookie (e.g. to detect DDoS) — that is Cloudflare's, not ours.
2.5 What we plan to add. We expect to add a privacy-respecting analytics tool later in 2026 — most likely Cloudflare Web Analytics or Plausible, both cookieless. When we ship analytics, we will update this page before the change goes live (see section 14).
3. Why we collect it (purposes)
We process the data above for these purposes, and no others:
- Responding to your enquiry — partnership, hiring-partner, careers, press, or research.
- Routing it to the right person on our team.
- Keeping a record so we can pick the conversation up later.
- Preventing form abuse (the rate-limit record).
- Operating the site securely (the standard server logs).
We do not use this data for marketing, advertising, profiling, or training AI models. We do not sell it. We do not share it with "marketing partners" — we have none.
4. Legal basis for processing
For the contact-form data, we rely on your explicit consent under DPDP, given at form submission ("By submitting, you agree to our privacy policy"). You are free not to submit; the rest of the site is fully readable without giving us data. For the rate-limit IP record and Cloudflare server logs, we rely on the legitimate uses ground for security and fraud prevention.
5. Who sees your data
A small number of named people on the Kompas team — partnerships, hiring, careers, press, or research, depending on the route you picked — see your submission in their email. Delivery is via Resend (our transactional-email provider), with a fallback alert to our internal Slack workspace if email delivery fails. We do not share your data with any other third party for any other purpose.
6. Cross-border data transfer
Two providers process data outside India: Cloudflare, Inc. (US) hosts the site, runs the Worker, stores the rate-limit KV, and provides DDoS protection; Resend, Inc. (US) sends our notification emails. These transfers are necessary to operate the site. We have signed each provider's standard data-processing terms (which include the relevant standard contractual clauses) and selected providers with mature security certifications. If the Government of India notifies country-level restrictions under DPDP Section 16 affecting either provider, we will move processing or stop using that provider before the deadline.
7. How long we keep it
- Contact-form submissions — until the conversation is resolved, plus 24 months for record-keeping (so we know we have spoken to your institution before). Then deleted. You can ask us to delete sooner (see section 8).
- Rate-limit IP records — 1 hour, then auto-deleted by Cloudflare KV.
- Server logs — per Cloudflare's standard retention (days to a few weeks for raw logs).
8. Your rights as a Data Principal
DPDP gives you these rights, and we honour all of them:
- Access — what data of yours do we hold, how do we process it.
- Correction — fix anything inaccurate or incomplete.
- Erasure — delete your data when we no longer need it or you withdraw consent.
- Nomination — nominate another person to exercise these rights on your behalf (e.g. in incapacity).
- Grievance redressal — complain to our Grievance Officer (section 12). We commit to a 7 working day response under DPDP Section 13(3).
To exercise any right, email grievance@withkompas.com from the address you originally used. No fee. If our response is unsatisfactory, you can escalate to the Data Protection Board of India once it is operational.
9. Children's data
This is a B2B site for university leaders, employers, journalists, and researchers. Under DPDP, processing personal data of anyone under 18 in India requires verifiable parental consent, and certain profiling and tracking of minors is prohibited outright. We do not knowingly collect data from anyone under 18. If we learn a minor has submitted data, we will delete it promptly on notice. If you are under 18, please ask a parent, guardian, or your university to write to us on your behalf.
10. Security
We rely on the security stack of our providers — Cloudflare (site, Worker, KV) and Resend (email) — which encrypt data in transit (TLS) and at rest as part of their standard operations and maintain SOC 2 / ISO 27001-class compliance programmes.
To be honest about a limit: the contact-form Worker applies no additional application-layer encryption on top of what Cloudflare and Resend already provide. We rely on those providers' at-rest encryption and access controls. If we change this, we will update this page. Internally, only employees who need to act on a submission have access to it.
11. Data breach notification
If we suffer a personal-data breach affecting you, we will notify you and the Data Protection Board of India as required by DPDP Section 8(6), within 72 hours of becoming aware of it. The notification will state what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
12. Grievance Officer
DPDP Section 8(9) requires us to publish a Grievance Officer for data-protection complaints. Until we have appointed a named officer, complaints may be sent to:
Grievance Officer, Fragmatic Technologies Pvt Ltd (operating the Kompas AI School brand)
Email: grievance@withkompas.com
Response: within 7 working days, per DPDP Section 13(3).
We will publish the named officer's details here once the appointment is finalised.
13. Data Protection Officer (DPO)
DPDP Section 10 requires entities classified as Significant Data Fiduciaries to appoint an India-based DPO. Kompas does not currently meet that threshold — the volume and sensitivity of data we process are small. We commit to appointing a DPO and disclosing it here as soon as we cross the threshold or are notified by the Government of India.
14. Updates to this policy
When our practice changes — adding analytics, changing a processor, modifying retention — the new policy goes live at this URL, the Last updated date changes, and if you have an open contact submission with us, we will email you a redline. We will not weaken your rights, broaden our use of your data, or shorten the rights window without your fresh consent.
15. Contact us about this policy
General privacy questions: hello@withkompas.com. Formal grievances: the address in section 12. Journalists or regulators wanting a faster route, please mark the subject line "DPDP — urgent".