Privacy Policy
Last updated: 2026-04-19. Effective date: 2026-04-19.
1. Who We Are (Data Fiduciary)
This privacy policy applies to howtocfa.com ("Website") operated by GreyHair Ventures Private Limited ("Company", "we", "us"), a company incorporated in India with its registered office at L.Shiva-19 Springboard, Plot 23, Sector-18, Gurgaon 122015, Haryana, India. For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Company is the Data Fiduciary in respect of your personal data.
2. Information We Collect
- Contact information you submit via our forms: name, email address, phone number, and the text of any question or query you send.
- Payment information when you enrol in the CFA Level 1 course: we do not receive or store your card / UPI / netbanking credentials. Payment processing is handled entirely by Razorpay (see §5). We receive only a payment reference ID, amount, and status.
- Website-usage data collected by our first-party analytics (pages viewed, scroll depth, engaged time, CTA clicks) via a cookie-free tracker. We also use Cloudflare Web Analytics for aggregate traffic data (visitor IP is seen by Cloudflare's edge for network delivery but is not shared with us as personal data).
- Communication history: WhatsApp / email correspondence you initiate with us, retained to serve your queries.
3. Purposes and Legal Basis
We process your personal data for the following specific purposes, based on the consent you provide when you submit a form or initiate a transaction, or, where applicable, on the basis of a contract (course enrolment) or a legitimate use as permitted under the DPDP Act:
- To respond to your CFA or finance career questions via WhatsApp or email.
- To fulfil your enrolment in the CFA Level 1 course, including sending access credentials and onboarding instructions.
- To send you educational content and updates you have explicitly opted into.
- To operate, maintain, secure, and improve the Website.
- To comply with applicable Indian law (tax, accounting, regulatory).
4. Consent & Withdrawal
When you submit a form or enrol in a course, you provide free, specific, informed, unconditional, and unambiguous consent to the processing described above. You may withdraw your consent at any time by:
- Clicking the unsubscribe link in any marketing email we send;
- Replying "STOP" to any WhatsApp message we send you; or
- Emailing the Grievance Officer (see §9).
Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal. After you withdraw consent, we will stop processing your personal data for the affected purpose and erase it in accordance with §7, unless we are required to retain it to comply with law.
5. Third-Party Processors
We share the minimum personal data necessary with the following third-party Data Processors, each of whom is contractually obligated to use your data only for the specified purpose:
- Razorpay Software Private Limited — payment processing. Receives your name, email, phone, and billing information at checkout. Governed by Razorpay's privacy policy.
- Google LLC (Google Workspace & Google Apps Script) — lead-form POST target and email delivery for Company correspondence. Receives the name, email, phone number, and query text you submit through the mentorship form. Governed by Google's privacy policy.
- Cloudflare, Inc. — CDN, DDoS protection, and aggregate web analytics. Handles all network traffic to the Website. Governed by Cloudflare's privacy policy.
- YouTube (Google LLC) — embedded demo videos on our course landing page. If you interact with an embedded video, YouTube may set its own cookies and collect usage data, governed by Google's privacy policy. We do not share personal data with YouTube; the data relationship is between you and YouTube on interaction.
- Fly.io, Inc. — hosting provider for our first-party analytics endpoint at crm.howtocfa.com. Stores aggregated pageview, scroll, and click events; no raw IP addresses are persisted.
6. International Data Transfers
Some of the Processors listed in §5 (Google, Cloudflare, Fly.io) process data on servers outside India. Such transfers are made only to jurisdictions permitted for cross-border transfer under the DPDP Act and applicable notifications of the Central Government. We take reasonable steps — including standard contractual terms with each Processor — to ensure that your personal data continues to receive an adequate level of protection.
7. Data Retention
- Lead / subscriber data (name, email, phone, query): retained until you unsubscribe or for 3 years from the date of your last interaction with us, whichever is earlier, after which it is erased.
- Paying-customer data (course enrolment records, payment references): retained for 8 years from the end of the relevant financial year, as required under the Income Tax Act, 1961 and the Companies Act, 2013.
- Website-usage data: retained in aggregated form; Cloudflare retains logs per its default policy. Our first-party tracker retains event data for up to 24 months.
When the retention period ends or you withdraw consent, we erase your personal data unless continued retention is required by law.
8. Your Rights under the DPDP Act
Subject to the DPDP Act, you have the following rights in respect of your personal data, exercisable by emailing our Grievance Officer:
- Right to access — a summary of the personal data we hold about you and the processing we carry out.
- Right to correction, completion, updating, and erasure — you may request we correct inaccurate or incomplete data, update stale data, or erase data that is no longer needed for the purpose for which it was collected (subject to §7 retention obligations).
- Right to nominate — you may nominate another person to exercise your rights on your behalf in the event of your death or incapacity.
- Right to grievance redressal — you may raise a grievance about our processing to the Grievance Officer.
- Right to withdraw consent — see §4.
We will acknowledge your request within 72 hours and resolve it within 30 days, or sooner where required by law. If you are not satisfied with our response, you may escalate the matter to the Data Protection Board of India.
9. Grievance Officer
Under §8(9) of the DPDP Act, our Grievance Officer is:
- Name: Harmeet Hora
- Designation: Director, GreyHair Ventures Private Limited
- Email: hello@howtocfa.com
- Postal address: L.Shiva-19 Springboard, Plot 23, Sector-18, Gurgaon 122015, Haryana, India
10. Children's Data
Our services are intended for adult learners (typically 18 years or older). We do not knowingly collect personal data of children (under 18) without verifiable parental consent, and we do not conduct targeted advertising or tracking of children. If you believe we have collected personal data of a child, please contact the Grievance Officer — we will erase it promptly.
11. Cookies and Tracking Technologies
Our first-party analytics tracker is cookie-free. Cloudflare may set technical cookies required to deliver and secure the Website. Embedded YouTube videos (on the course page) and the Razorpay checkout popup set their own cookies under those providers' policies; these cookies are only set if you interact with the respective feature. You can clear cookies at any time via your browser settings.
12. Security
We protect your personal data using:
- Encryption in transit — all traffic served over HTTPS/TLS.
- PCI-DSS-compliant payment handling — card, UPI, and netbanking data is handled only by Razorpay; we never see or store it.
- Access controls — administrative access to Company systems is restricted to authorised personnel.
- Encryption at rest — our customer relationship database is encrypted at rest.
In the event of a personal data breach likely to cause harm, we will notify the Data Protection Board of India and the affected Data Principals within 72 hours of becoming aware, in accordance with the DPDP Act and Rules.
13. No Sale of Personal Data
We do not sell your personal data to any third party.
14. Marketing Communications
When you subscribe through our forms, you may receive educational emails about CFA exam preparation. Every email includes an unsubscribe link, and you can opt out at any time without affecting any paid service you have enrolled in.
15. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" and "Effective date" at the top of this page will reflect any changes. Material changes will be notified to enrolled users via email.
16. Contact
For any privacy-related inquiry, please email the Grievance Officer at hello@howtocfa.com.
GreyHair Ventures Private Limited, L.Shiva-19 Springboard, Plot 23, Sector-18, Gurgaon 122015, Haryana, India.