PRIVACY POLICY

Effective date: August 26, 2025

Version: 1.0

Provider: Keshtay L.C.

Business ID: 7775148

Address: 8206 Louisiana Blvd NE, Ste A #4253, Albuquerque, New Mexico 87113, USA

Website: https://student-service.keshtay.com

Keshtay L.C. (“Keshtay”, “we”, “us”, or “our”) operates https://student-service.keshtay.com and provides student-placement and related services for students applying to Malaysian institutions. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, how long we keep it, your rights, and how to exercise them. It applies to all users of our website and services worldwide. Where local laws give you additional rights, those laws will apply to you in addition to this Policy. Key legal frameworks we design this Policy to meet include the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and Malaysia’s Personal Data Protection Act (PDPA). For EU users, we explain the legal basis for processing and the data subject rights required by GDPR. For California residents, we explain CCPA/CPRA rights including the right to opt out of “sale” or “sharing.” For Malaysian users, we respect PDPA notice and consent principles. (GDPR, California DOJ,PDP)

What personal data we collect (categories)

We collect the following categories of personal data depending on the Service you use:

1. Identity & contact information:

   • name, date of birth, email address, phone number, mailing address, nationality, passport number, ID number.

2. Education & application data:

   • academic history, transcripts, test scores, CV/resume, personal statements, program of interest, application forms.

3. Financial & payment data:

   • billing name, billing address, payment card details (via third-party processors), invoices and receipts.

4. Travel and logistics data:

   • flight details, accommodation preferences, local contact details, emergency contact.

5. Immigration & legal data:

   • visa application details, immigration case numbers, supporting documentation (may include sensitive items like health / vaccination information where required for travel).

6. Technical & usage data:

   • IP address, device identifiers, browser type, cookies and analytics data, pages visited, referral URLs, and other site-use metrics.

7. Marketing & communications data:

   • preferences, consent status, engagement with emails and campaigns.

8. Communications & support:

   • messages, chat transcripts, call recordings if you consent to recording.

If you provide information about someone else (for example, a parent providing a child’s data), you confirm you are authorized to share that person’s data and consent on their behalf where required by law.

How we collect personal data

1. Directly from you:

   • when you register, complete application forms, email us, call us, or otherwise interact with our Services.

2. From partner institutions or third-party providers:

   • (e.g., universities, payment processors, travel suppliers) when they share information needed to provide Services.

3. Automatically:

   • via cookies, logs, and analytics when you visit the Site.

4. From public sources:

   • where permitted (e.g., verification services, publicly available academic records).

Purposes of processing & (for EU) legal basis

1. To provide and manage Services:

   • process applications, communicate with Partner Institutions, arrange travel/accommodation and post-arrival assistance.

2. To process payments and invoices:

   • accepting payment for Paid Services, refunds, and bookkeeping.

3. To comply with legal obligations:

   • respond to governmental or legal requests (e.g., visa authorities), prevent fraud, and comply with tax and reporting requirements.

4. For marketing and communications:

   • send newsletters, service updates, offers (with consent where required). You can opt out at any time.

5. For analytics, improvement & security:

   • analyze site usage, detect and prevent abuse, improve our services.

6. To provide promotional benefits:

   • verify eligibility and deliver promotional benefits (e.g., domestic flight and hotel stay) where conditions apply.

7. Where you give explicit consent:

   • for processing sensitive data (health/vaccination) or any special categories we only process with your explicit consent unless another lawful basis applies.

Payment & Fees

1. Fee Disclosure:

   • Any Paid Services, fees for non-partner placements, or optional premium services will be disclosed and require your prior written or electronic agreement.

2. Payment Processing:

   • Payments will be processed via the payment methods displayed on the Site or as otherwise agreed in writing. Keshtay may use third-party payment processors; those providers’ terms apply.

3. Taxes:

   • You are responsible for any taxes, duties, or similar charges (if any) arising from your purchase or use of Paid Services.

Note: If you are in the EU/EEA, you have rights to access, rectify, erase, restrict, portability, and object (see Section 9 below). For California residents, see Section 10 (CCPA/CPRA).

Who we share personal data with

1. Partner Institutions (universities / colleges):

   • for application and placement processing.

2. Third-party service providers:

   • payment processors, travel and accommodation providers, SMS/telecom providers for phone numbers, cloud hosting and analytics providers, background-check providers.

3. Governmental or immigration authorities:

   • when required for visa or legal processing and where required by law.

4. Professional advisors and auditors:

   • when necessary for compliance, legal or accounting obligations.

5. Successors / assignors:

   • in the event of a business transfer, merger or sale, personal data may be transferred as part of business assets (we will notify you where required by law).

We require service providers to handle data in accordance with this Policy and applicable data protection law. When transferring EU/EEA personal data to countries outside the EEA (for example, Malaysia or the USA), we rely on appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required under the GDPR. (European Commission)

International transfers

1. Our Services operate internationally. Personal data may be transferred to and stored in countries other than the country where you live (for example, Malaysia, the United States, or other partner locations). Where such transfers occur, we will implement safeguards required by law (for EU/EEA data subjects that typically includes Standard Contractual Clauses or an adequacy decision). We will inform you of any significant transfer risks when required by applicable law. See Section 13 for how to contact us about transfers.

Cookies, trackers and similar technologies

1. Strictly necessary cookies

2. Performance and analytics cookies

3. Functionality cookies

4. Advertising/targeting cookies

Where required (e.g., under EU/ePrivacy rules), we will obtain your consent before setting non-essential cookies and document/record your consent. You can change cookie preferences through the cookie banner or via your browser settings (note: disabling cookies may affect Site functionality). (ICO, European Union)

Your rights & how to exercise them

If you are an EU/EEA resident (or otherwise where the law grants similar rights), you have the following rights subject to legal limitations:

1. Right of access:

   • obtain a copy of personal data we hold about you.

2. Right to rectification:

   • correct inaccurate or incomplete data.

3. Right to erasure (“right to be forgotten”):

   • request deletion where legal grounds permit.

4. Right to restriction of processing:

   • ask us to limit processing in certain situations.

5. Right to data portability:

   • receive a machine-readable copy of data you provided to us.

6. Right to object:

   • object to processing based on legitimate interests or for direct marketing.

7. Right to withdraw consent at any time where processing is based on consent.

8. Right to lodge a complaint with a supervisory authority (for EU users, the supervisory authority in your Member State).

To exercise any of the above rights, contact legal@keshtay.com with the request and necessary verification information. We will respond within the timeframes required by applicable law (typically within 30 days; we may extend where permitted and will notify you if we need more time).

California residents (CCPA / CPRA) notice & rights

If you are a resident of California, this section supplements the above and explains additional rights under the CCPA/CPRA (as applicable):

1. Right of know / access:

   • the categories of personal information collected, sold, or shared and the categories of third parties with whom we disclose it.

2. Right to deletion:

   • request deletion of personal information collected from you, subject to limited exceptions.

3. Right to correct:

   • request correction of inaccurate personal information.

4. Right to opt-out of sale or sharing:

   • you have the right to opt out of the “sale” or “sharing” of your personal information. Although Keshtay does not currently sell personal information, we may share data with certain advertising partners in ways that could be treated as “sharing” under CPRA; you may use our designated opt-out mechanisms (e.g., the “Do Not Sell or Share My Personal Information” link on our homepage: student-service.keshtay.com/legal/donotsell) to exercise this right. We honor Global Privacy Control signals and other recognized mechanisms where technically feasible. (California DOJ, Yes on Prop 24)

5. to exercise California rights, submit a verifiable request to legal@keshtay.com or use any web form we provide. You may designate an authorized agent to submit a request on your behalf; we may need to verify both you and your agent’s authorization.

We will not discriminate against you for exercising your privacy rights (for example by denying services, charging different prices, or providing a different quality of service), except as permitted by law.

Children & parental consent

1. Our Services are not intended for children under 16 (or higher age required by your local law). We do not knowingly collect personal information from minors without parental consent. If you are a parent or guardian who believes we have collected a child’s data without consent, contact legal@keshtay.com and we will take steps to delete the data where required.

Retention (how long we keep your data)

We retain personal data only for as long as necessary to provide Services, comply with legal obligations, resolve disputes, and enforce agreements. Typical retention periods:

1. Application & placement records:

   • retained for the active lifecycle of the application plus up to 7 years for record-keeping and compliance unless local law requires a different period.

2. Financial & billing records:

   • retained for at least 7 years for tax and accounting purposes where applicable.

3. Marketing data:

   • retained until you opt out or withdraw consent.

When we no longer need your data, we securely delete, anonymize, or aggregate it.

Security measures

We implement reasonable administrative, technical and physical safeguards to protect personal data from unauthorized access, disclosure, alteration, and destruction (for example: access controls, encryption in transit and at rest where feasible, secure servers and regular security assessments). No system is 100% secure; if a breach occurs we will follow applicable breach-notification laws and notify affected individuals and regulators as required.

Third-party links, services & processors

Our Site may contain links to third-party websites and may use third-party services (payment gateways, analytics, email delivery, CRM, mapping, and telephony). Those parties have their own privacy practices and are not governed by this Policy. We recommend reviewing third-party privacy policies before providing personal data to them. We contractually require processors to meet appropriate security and privacy standards.

Automated decision-making & profiling

We may use basic automated processing to match applicants to suitable Partner Institutions (for example: automated filtering by qualifications). Such matching is used to assist our human staff and does not produce legal effects on its own. Where any automated decision would have a significant legal or similarly significant effect on you, we will comply with applicable law, provide meaningful information about the logic involved, and offer the right to human review as required.

Changes to this Privacy Policy

We may update this Policy from time to time (for example to reflect new services, legal changes or operational changes). Material changes will be posted with a new effective date and, where required by law, we will notify you (for example by email if you are a registered user). Continued use after the effective date constitutes acceptance of the updated Policy.

How to contact us; supervisory authority complaints

For privacy requests or questions contact:

1. Keshtay L.C.- Privacy Team

   • Email: legal@keshtay.com
   • Address: 8206 Louisiana Blvd NE, Ste A #4253, Albuquerque, New Mexico 87113 USA

If you are an EU/EEA resident and you believe we have violated your rights, you have the right to lodge a complaint with your local data protection supervisory authority. Malaysian residents may contact the Personal Data Protection Commissioner (PDP Commissioner) where appropriate. For California residents, you may contact the California Privacy Protection Agency.

Additional communications & marketing

If you agree to receive marketing (email/SMS), we will send you marketing communications until you opt out. You can opt out at any time by using the unsubscribe link in our emails, replying “STOP” to SMS where supported, or contact legal@keshtay.com.

Confirmation - we may change practice in future (and will notify)

You currently stated Keshtay does not sell personal data, but may change that practice in the future. If we ever intend to sell or share personal information in a way that qualifies as a “sale” or “share” under applicable law, we will provide clear notice and opt-out mechanisms before doing so and comply with legal obligations (including CCPA/CPRA requirements). For California residents, we will provide a clear “Do Not Sell or Share My Personal Information” link on our homepage. (California DOJ)

Legal disclaimers

This Policy sets out our current practices. It is not legal advice. Compliance obligations vary by jurisdiction and may change; if you need tailored legal advice about privacy compliance (for example GDPR adequacy or complex transfers), consult a qualified privacy lawyer.

Additional Resources & Related Policies

1. Terms Of Service:

   • https://student-service.keshtay.com/legal/terms-of-service (describes how we collect, use and protect personal data)

2. Refund Policy:

   • https://student-service.keshtay.com/legal/refund-policy (describes what you agree on when using our services)

Acknowledgment

• By using https://student-service.keshtay.com or providing personal information to Keshtay, you acknowledge that you have read and understood this Privacy Policy.