Privacy Policy
How TrainerConnect collects, uses, stores and protects your personal data.
Last updated: June 13, 2026. Effective from the same date for new users; existing users were notified by email.
Summary — the short version
- We collect the data you give us when you register, build a profile, and use the marketplace — plus minimal technical data needed for security.
- We never sell your data. The only parties who see it are the other side of a conversation you start, our hosting and email vendors, and authorities when legally required.
- You can download a JSON export or permanently delete your account at any time from Settings > Privacy.
- For any data request that's not self-serve, email hello@trainerconnect.space. We respond within 30 days as required by India's DPDPA 2023.
1. Who is the Data Fiduciary
For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDPA") and equivalent international laws (GDPR, CCPA), TrainerConnect is the Data Fiduciary / Controller for personal data collected through this platform. Any reference to "we", "us", or "our" in this policy means TrainerConnect.
2. What Data We Collect
We collect the minimum data needed to run the marketplace. We tag every field below with its legal basis and how long we keep it.
| Category | Examples | Legal basis | Retention |
|---|---|---|---|
| Account | Name, email, phone, role (trainer/vendor), bcrypt-hashed password | Performance of contract (account creation) | Lifetime of account + 30 days post-delete |
| Profile | Headline, bio, experience, skills, company details, resume, avatar, rates, location, languages | Performance of contract; user-initiated | Lifetime of account + 30 days post-delete |
| Activity | Requirements posted, applications submitted, messages exchanged, content viewed, search queries, saved items | Legitimate interest (operating the platform) | Lifetime of account + 30 days; aggregated forever |
| Technical | IP, browser, device, referrer, session identifier, login timestamps, security log entries | Legitimate interest (security, fraud prevention) | 180 days (rolling) |
| Verification (KYC) | Government ID type + masked number; verification status | Legal compliance + legitimate interest | While account exists + 6 years (RBI/tax norms) |
| Communication | Email/WhatsApp threads with our support team, dispute messages | Performance of contract; consent | 3 years after last contact |
3. How We Use Your Data
- Run the marketplace — match trainers with vendors, surface relevant requirements/trainers, deliver messages.
- Authenticate and secure — password authentication, OTP delivery, rate limits, abuse and fraud detection.
- Transactional communications — account verification emails, application/message/notification emails (you can opt out of the non-critical ones in Settings > Notifications).
- Improve the platform — aggregated analytics on views, searches, and conversion (we never link aggregated stats back to individual identifiers when published).
- Comply with law — respond to lawful requests from authorities, retain records that statute requires.
We do not use your data for behavioural advertising, do not sell your data to third parties, and do not use it to train large language models. We block known AI-training crawlers in robots.txt.
4. When We Share Your Data
There are exactly three situations in which your data leaves our systems:
- The other side of a conversation you start. When you apply to a requirement, the vendor sees your trainer profile (name, headline, experience, public portfolio fields, application content, and any contact you choose to share). When a vendor posts, trainers see the requirement and the company's public profile. Phone numbers, private emails, and KYC fields are never exposed without your explicit action.
- Our service providers (data processors under contract):
  - Hostinger (web hosting, India servers)
  - SMTP provider for transactional email delivery
  - Bunny CDN / Cloudflare equivalents for static asset delivery (if enabled)
  - Database backups stored encrypted within the same hosting environment
- Legal authorities when we receive a valid order, subpoena, or written request that we are required to comply with under Indian law. We push back on overbroad requests where we can.
5. International Transfers
Our primary servers are located in India. Some service providers (e.g. CDN edge nodes, email reputation services) may transfer data outside India. We rely on Standard Contractual Clauses or equivalent safeguards where applicable. Per DPDPA 2023, we do not transfer personal data to any country prohibited by the Central Government.
6. Public Profile Visibility
Trainers control whether their profile is publicly indexable through the Profile Visibility toggle in Trainer Profile. When public, your profile may be indexed by search engines and shown on the public listing pages. When private, your profile is only visible to logged-in vendors and to vendors whose requirements you have applied to.
Vendor company details are visible to trainers reviewing requirements; sensitive vendor contact data is revealed to a trainer only after the trainer applies and the vendor accepts (or initiates the call).
7. Cookies & Local Storage
We use a small number of first-party cookies. We do not use third-party advertising cookies, behavioural retargeting, or cross-site trackers.
- PHPSESSID — session identifier (essential)
- tc_remember — "Keep me signed in" token (functional, opt-in)
- tc-theme (localStorage) — light/dark theme preference (functional)
- tc_csrf — CSRF token to protect form submissions (essential)
All cookies are SameSite=Lax, Secure, and HttpOnly where appropriate.
8. Security
- Passwords are hashed with bcrypt (cost factor 12) — never stored in plaintext.
- All connections use HTTPS with HSTS (max-age=31536000; includeSubDomains).
- We send a strict Content-Security-Policy, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin.
- Sensitive endpoints (login, OTP, registration, exports) are rate-limited per IP and per account.
- CSRF tokens guard every state-changing request; sessions rotate on authentication state changes.
- Admin actions and login attempts are logged for forensic review.
No system is perfectly secure. Report vulnerabilities responsibly to hello@trainerconnect.space; we acknowledge within 48 hours.
9. Data Retention & Deletion
When you delete your account using the in-product button, we immediately:
- Replace your name, email, and phone with anonymised stubs (e.g. deleted-xxxxxx@deleted.local).
- Delete your trainer or vendor profile, saved items, notifications, remember-me token, and 2FA secret.
- Wipe your password hash and disable login.
Messages you sent are retained without your identifying information attached — this is required so the other party still has their copy of the conversation. Activity logs we are legally required to keep (e.g. login records, fraud-prevention data) are retained for the period named in the table above.
10. Your Rights (DPDPA / GDPR / CCPA)
You have the right to:
- Access — download a JSON copy of all data we hold about you from Settings > Privacy.
- Correct — edit your account and profile fields directly from settings; for anything you can't change in the UI, email hello@trainerconnect.space.
- Erasure — permanently delete your account from the same Privacy tab.
- Data portability — the JSON export is structured machine-readable data suitable for porting to another service.
- Object — opt out of non-essential email notifications in Settings > Notifications.
- Withdraw consent — for anything you consented to (e.g. marketing emails). Withdrawal does not affect lawful processing already done.
- Grievance redressal — if you believe we have not handled a request correctly, you can complain to the Data Protection Board of India (once constituted) or your local supervisory authority.
11. Grievance Officer
In compliance with the Information Technology (Reasonable Security Practices) Rules and the DPDPA:
- Grievance Officer: The TrainerConnect Privacy Team
- Email: hello@trainerconnect.space
- Response time: Within 30 days of receipt of complaint, as required by DPDPA 2023.
12. Children
The Platform is not directed to children under 18 (the threshold under DPDPA 2023), and we do not knowingly collect data from them. If you believe a minor has registered, contact hello@trainerconnect.space so we can remove the account.
13. Changes to This Policy
We may update this policy. We will note the "Last updated" date at the top and, for material changes that affect your rights, notify registered users by email and a banner in the app at least 14 days before the change takes effect.
14. Contact
For privacy questions, data subject requests, or grievances, email hello@trainerconnect.space. For security issues only, email hello@trainerconnect.space.