Tech Skilll — Legal

Privacy Policy

What we collect, why, who we share it with, and how to ask us to delete it.

Last updated: 29 April 2026

1. The short version

  • We collect your email when you sign in, your profile (username, photo, social links — only if you fill them in), and the events you register for or host.
  • We use this only to run the platform — to log you in, show events, send transactional email, generate passes / certificates, and let organisers manage their participants.
  • We don't sell your data. We don't run third-party ad networks on the platform.
  • You can ask us to export or delete your data at any time.

2. Who runs Tech Skilll

Tech Skilll is operated by The Youth Talks Tech (the "data controller" for the purposes of GDPR / DPDP Act, 2023). Reach the privacy team at privacy@techskilll.com.

3. What we collect

You give us directly

  • Your email address (sign-in).
  • Optional profile info — username, profile picture, LinkedIn / Twitter / website.
  • Events you create, register for, or are added to, plus any answers to organisers' custom registration / submission fields.
  • Submissions, files, comments, scores, and similar event activity.
  • For organisers — payment / payout details if you opt into paid events (handled by our payment partner).

We collect automatically

  • Standard server logs — IP address, user agent, request paths, response codes, timestamps. Used for security, abuse prevention, and rate limiting.
  • An anonymous request ID per request for traceable logs.

We do not collect

  • Browsing on other websites.
  • Location beyond what your IP reveals.
  • Data from social networks unless you explicitly link them.

4. Cookies & similar tech

We use a small number of strictly necessary cookies:

  • refreshToken (HttpOnly) — keeps you signed in.
  • superAdminToken (HttpOnly) — for staff accessing the admin panel only.

We don't use third-party tracking cookies or run analytics that sets cookies on the public site. Site analytics (if and when added) will be privacy-respecting and aggregated only.

5. How we use your data

  • To operate the service — sign-in, registration, submissions, scoring, broadcasts, pass + certificate generation.
  • To communicate with you — magic links, status updates, mentor / judge assignments, organiser broadcasts for events you registered for.
  • To keep the platform safe — rate limiting, abuse detection, fraud prevention.
  • To comply with the law — when we have a valid legal request.

We don't use your event activity to profile you for ads, sell to data brokers, or train third-party AI models without your explicit consent.

6. Lawful basis (GDPR / DPDP)

  • Performance of contract — running the service you signed up for.
  • Legitimate interests — keeping the platform secure and free of abuse.
  • Consent — for any optional marketing email.
  • Legal obligation — when a regulator or court compels us.

7. Who we share it with

We share data only with these categories of recipients:

  • Event organisers — they see registrations, custom-field answers, submissions, and contact emails for their event. That's the whole point of the platform.
  • Mentors / judges / evaluators of an event — only see the teams or submissions assigned to them.
  • Service providers we depend on, under data-processing agreements:
    • MongoDB Atlas — primary database.
    • AWS SES — transactional email.
    • DigitalOcean Spaces — image and document storage.
    • Redis (DigitalOcean Managed Redis or self-hosted on the droplet) — rate-limit + token store.
    • DigitalOcean App Platform / droplet — frontend, super-admin, and API hosting.
  • Authorities — only when legally required.

We do not sell or rent your personal information to anyone.

8. Where we store data

Primary storage is MongoDB Atlas in the AWS region we have configured (typically ap-south-1 Mumbai). Email is sent via AWS SES in the same region. Static assets are served from a CDN.

9. Retention

  • Account data — kept while your account is active. Deleted within 30 days of account deletion (longer if needed for legal or tax purposes).
  • Submissions — kept for the lifetime of the event plus 365 days, then deleted.
  • Server logs — kept for up to 90 days.
  • Magic-link tokens — held in Redis for 15 minutes max, then auto-expire and burn.

10. Your rights

You have the right to:

  • Access your personal data.
  • Correct inaccurate data.
  • Delete your data (subject to lawful exceptions).
  • Export your data in a machine-readable format.
  • Object to specific processing.
  • Withdraw consent for marketing email at any time.
  • Lodge a complaint with the data-protection authority in your country.

Email privacy@techskilll.com to exercise any of these. We respond within 30 days.

11. Children

Tech Skilll is not directed at children under 13. Users between 13 and 18 should have a parent or guardian agree on their behalf where the law requires it.

12. Security

We take security seriously. Highlights — passwordless magic-link sign-in, bcrypt-hashed admin passwords, short-lived JWT access tokens with rotating refresh, HttpOnly cookies, strict CSP, HSTS, per-IP rate limits, request-level audit logging, server-side input validation. See the repository's Security & Hardening section for the technical detail.

No system is impenetrable — if you spot a vulnerability, please email security@techskilll.com.

13. Changes

Material changes to this Policy will be announced by email and reflected here with a fresh "Last updated" date.

14. Contact

Questions, concerns, or want to delete your data? privacy@techskilll.com or the Contact page.