Privacy Policy

Mesa Careers CRM · Effective: 20 April 2026 · Last updated: 20 April 2026

Internal-use platform. The Mesa Careers CRM is operated by Mesa School of Business ("Mesa") for the sole purpose of running its academic and career-placement programmes. It is restricted to authorised internal users — current Mesa students, mentors, professors, POCs, and staff. The Platform is not a public consumer service.

1. Who we are

"Mesa", "we", "our", and "us" refer to Mesa School of Business, the data controller responsible for the Careers CRM Platform available at careers-crm.mesaschool.co.in and careers-crm-backend.mesaschool.co.in. For any privacy-related enquiry contact gaurav@mesaschool.co.

2. Scope of this policy

This policy explains what personal data Mesa collects when you use the Platform, how we use it, who we share it with, how long we keep it, and the rights you have. It applies only to the Platform — not to Mesa's public website or unrelated services.

3. Who uses the Platform

The Platform processes data belonging to, and generated by, the following categories of users, all of whom have an existing relationship with Mesa:

Students — enrolled in Mesa's UG, PG, or other cohorts.
Mentors — engaged for 1:1 sessions, demo-day judging, mock interviews, or consulting.
Professors & guest faculty — delivering lectures or assessments.
Mesa staff / POCs / administrators — operating the programme.

Accounts are provisioned by Mesa administrators; there is no public self-registration.

4. Personal data we collect

The categories of data we collect depend on your role.

4.1 Account data (all users)

Username, email address, mobile number, hashed password, role flags (student / mentor / professor / admin / POC), profile picture.

4.2 Student profile data

Full name, email, phone, LinkedIn URL, profile picture.
Education details (UG degree, college), work experience and internship history.
Pre-Mesa career data: previous companies, job function, sector, last compensation (fixed / variable / ESOP), target salary.
Skills and tool proficiency, projects portfolio, achievements, video CVs.
Documents: resumes, demo-day resume, portfolio files, salary slips.
Placement-related data: target companies, role preferences, demo-day rankings, interview feedback, offer letters, placement status.
Academic records: course enrolment, attendance, grades, GPA/CGPA, report cards.

4.3 Mentor & professor profile data

Name, email, contact number, date of birth, gender, LinkedIn, profile picture.
Professional details: current company, designation, years of experience, expertise areas, qualifications, publications, certifications.
Availability and session preferences.
Financial / payout details (for paid engagements): mailing address, account holder name, bank account number, IFSC code, PAN number.
Uploaded documents.

4.4 Calendar and session data

Event title, date/time, attendee list (student + mentor), meeting link, event type, feedback.
When you authorise Google Calendar access: event IDs and minimum metadata required to create, update, and remove calendar invites on your behalf.

4.5 Content generated through use

Resume versions created via the AI-assisted resume editor.
Mentor feedback, intervention-call notes, demo-day evaluations.
Server logs: IP address, request path, user-agent, timestamps — retained for security and debugging.

5. How we use your data

To authenticate you and provision role-based access.
To run Mesa's academic programme: attendance, lectures, grading, report cards, transcripts.
To coordinate placements: sharing student profiles with mentors, evaluators, and recruiting partners strictly for placement purposes.
To schedule, remind about, and record mentorship sessions and demo-day events (via Google Calendar).
To improve resumes via Google Gemini (see §7).
To disburse mentor / vendor payments (using bank details from §4.3).
To send transactional email and WhatsApp messages (OTPs, booking confirmations, notifications).
To generate aggregate, de-identified analytics about programme performance.
To comply with legal obligations and to defend Mesa's legitimate interests.

6. Legal bases

We rely on the following legal bases:

Contract — you are engaged with Mesa as a student, mentor, professor, or staff member.
Consent — where you explicitly grant access (e.g., connecting a Google account, uploading a portfolio for sharing).
Legitimate interests — running and securing the Platform, fraud prevention, and programme administration.
Legal obligation — taxation, record-keeping, and statutory reporting.

7. Third-party services (sub-processors)

We share personal data only with the sub-processors listed below, and only to the extent needed for them to perform their function.

Service	Purpose	Data shared
Google OAuth 2.0	Sign-in / account linking	Email, name, Google user ID
Google Calendar API	Create / update / delete calendar events and Meet links	Event title, attendee emails, start/end times, description
Google Sheets API	Read from / write to programme tracking sheets	Student and cohort roll-up data
Google Cloud Storage	Storing uploaded files (resumes, profile pics, report-card PDFs, project media)	The file contents plus metadata
Google Gemini (Generative AI)	AI-assisted resume editing	Resume text you submit and the job description you target
MongoDB Atlas	Primary database hosting	All stored Platform data
Redis Cloud	Session / task-state cache	Transient auth and background-task state
Gmail SMTP	Transactional email (OTP, notifications, invites)	Your email and the message body
Interakt (WhatsApp)	WhatsApp notifications	Mobile number and template parameters

We do not sell your personal data, and we do not share it with advertisers.

Google API Services User Data Policy — Limited Use disclosure

Mesa's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

We use Google user data (Calendar, Sheets, Cloud Storage) only to provide the user-facing features described in this policy.
We do not transfer Google user data to third parties except as necessary to provide those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice.
We do not use Google user data for serving ads.
We do not allow humans to read Google user data, except (a) with your explicit consent, (b) for security purposes (e.g., investigating abuse), (c) to comply with applicable law, or (d) where the data is aggregated and used for internal operations in accordance with Google's policies.

8. Data retention

Active users — data is retained for the duration of your engagement with Mesa plus a reasonable period afterwards for placement, alumni, and audit purposes (typically up to 7 years for academic and financial records, in line with Indian statutory requirements).
Sensitive financial data (bank and PAN details) — retained only as long as required for tax and payout reconciliation, then archived with restricted access.
Server logs — retained for up to 12 months for security and debugging.
Backups — may retain older snapshots for up to 90 days after the primary record is deleted.

9. Security

Passwords are stored hashed using Werkzeug's password-hash primitive.
Authentication tokens are JWT, scoped to the user.
Transport is over HTTPS/TLS.
Role-based access controls restrict what each user can view or modify.
Production secrets (API keys, OAuth client secrets, database credentials) are kept out of source control.
File uploads are size- and type-restricted; large uploads are capped at 100 MB.

No system is completely secure. If you believe your account or data has been compromised, email gaurav@mesaschool.co immediately.

10. Your rights

Subject to applicable law (including India's DPDP Act, 2023), you may:

Request access to, or a copy of, the personal data Mesa holds about you.
Request correction of inaccurate or outdated data.
Request deletion of your account and associated data, subject to Mesa's legitimate record-keeping and statutory obligations.
Withdraw any consent you have given (for example, revoke Google Calendar access from your Google Account permissions page).
Raise a grievance with Mesa's Grievance Officer.

To exercise any of these rights, email gaurav@mesaschool.co. We will respond within a reasonable timeframe and in line with applicable law.

11. How to revoke Google access

You can revoke Mesa's access to your Google account at any time by visiting myaccount.google.com/permissions, locating "Mesa Careers CRM", and clicking Remove access. This will stop new Google Calendar syncs; existing events previously created on your calendar will remain until you delete them.

12. International transfers

Mesa is based in India. Some of our sub-processors (Google, MongoDB Atlas, Redis Cloud) operate globally and may process data in data centres outside India. Where this happens, Mesa relies on the sub-processor's own safeguards and on contractual commitments they publish (including standard contractual clauses, where applicable).

13. Children

The Platform is intended for users who are 18 or older (or who are enrolled in a Mesa programme of study that ordinarily requires age 17+). Mesa does not knowingly collect data from children under 18 outside of that programme context.

14. Changes to this policy

Mesa may update this Privacy Policy from time to time. Material changes will be notified via the Platform or email. The "Last updated" date at the top of this page reflects the latest revision.

15. Contact & grievance

Data-protection queries, access / deletion requests, and grievances should be addressed to:

Mesa School of Business — Careers CRM
Email: gaurav@mesaschool.co
Secondary: admissions@mesaschool.co