Privacy Policy

1. Identity of the Data Fiduciary

Padhai is an adaptive STEM learning platform operated by RSustain (Resilient Sustainance Private Limited) (the "Data Fiduciary" under the Digital Personal Data Protection Act, 2023).

Registered Entity	Resilient Sustainance Private Limited
Platform	Padhai (padhai.rsustain.com)
Data Protection Officer	[DPO Name] — privacy@padhai.rsustain.com
Registered Address	[Registered Office Address]

2. Categories of Personal Data Collected

Category	Data Elements
Identity Data	Full name, email address, phone number (optional)
Education Profile	Class/grade level, education board (CBSE/ICSE/State), school name (if provided)
Account Data	Hashed password, user role (student/parent/teacher), account creation date
Learning Data	Question attempts, answers submitted, time taken per question, mastery scores, chapter progress, diagnostic test results
Adaptive Engine Data	Knowledge state per concept, IRT ability estimates, spaced repetition card states, streak counts
Subscription Data	Subscription tier, payment transaction IDs (via Razorpay), subscription dates
Parental Consent Data	Parent/guardian name, parent email/phone, consent method, consent timestamp, IP address at consent
Device & Usage Data	IP address, browser type, device type, pages visited, session duration
Leaderboard Data	XP earned, cohort rank, promotion/relegation status (anonymised display name used)

3. Purpose of Data Collection

Purpose	Data Used	Legal Basis
Account creation and authentication	Identity Data, Account Data	Consent / Contract
Delivering adaptive learning content	Education Profile, Learning Data, Adaptive Engine Data	Contract
Tracking academic progress	Learning Data, Adaptive Engine Data	Contract
Personalising question difficulty and spaced repetition	Adaptive Engine Data	Legitimate Interest
Processing payments and managing subscriptions	Subscription Data	Contract
Parental consent verification (DPDP Act compliance)	Parental Consent Data	Legal Obligation
Leaderboard and gamification	Leaderboard Data	Consent
Platform security, fraud prevention, and abuse detection	Device & Usage Data	Legitimate Interest
Improving platform quality and fixing bugs	Aggregated/anonymised usage analytics	Legitimate Interest

4. Children's Data — DPDP Act Section 9 Compliance

4.1 Verifiable Parental Consent

Before any personal data of a child is processed, we obtain verifiable consent from the child's parent or lawful guardian through one of the following methods:

• Email OTP verification sent to the parent's registered email address
• Phone OTP verification sent to the parent's registered mobile number
• Signed consent form uploaded and verified manually

Consent records include the parent's name, contact details, method of verification, timestamp, IP address, and the specific purposes consented to.

4.2 Prohibited Processing

We do NOT, and will never:

• Track, behaviourally monitor, or serve targeted advertising to children
• Process children's data in any manner that could cause detrimental effect to their well-being
• Share, sell, or rent children's personal data to any third party for marketing purposes

4.3 Consent Withdrawal

A parent or guardian may withdraw consent at any time by contacting us at privacy@padhai.rsustain.com. Upon withdrawal, we will cease processing the child's data (except as required by law) and delete the data within 30 days.

5. Data Retention

Data Category	Retention Period
Account & Identity Data	Duration of active account + 90 days after deletion request
Learning & Progress Data	Duration of active account (deleted with account)
Adaptive Engine Data	Duration of active account (deleted with account)
Payment/Subscription Data	7 years from transaction date (as required by Indian tax/accounting law)
Parental Consent Records	Duration of the child's account + 3 years (for regulatory compliance)
Server Logs & Usage Data	90 days (rolling)

6. Your Rights

Under the DPDP Act, 2023, you (or the parent/guardian of a child user) have the right to:

• Access: Request a summary of the personal data we hold about you and how it is being processed.
• Correction: Request correction of inaccurate or incomplete personal data.
• Erasure: Request deletion of your personal data, subject to legal retention requirements.
• Withdraw Consent: Withdraw previously given consent at any time. This will not affect the lawfulness of processing performed before withdrawal.
• Grievance Redressal: Lodge a complaint with our Data Protection Officer or escalate to the Data Protection Board of India.
• Nominate: Nominate another individual to exercise your rights in the event of your death or incapacity.

To exercise any of these rights, email us at privacy@padhai.rsustain.com. We will respond within 30 days of receiving a verifiable request.

7. Cross-Border Data Transfers

Your personal data is primarily stored on servers located in India. In the course of providing our services, data may be transferred to or accessed from servers in other jurisdictions (for example, cloud infrastructure providers).

Any cross-border transfer of personal data will comply with the provisions of the DPDP Act, 2023, and will only be made to jurisdictions not restricted by the Central Government of India. We ensure appropriate safeguards are in place for all such transfers.

8. Cookies and Tracking

Padhai uses the following types of cookies and local storage:

Type	Purpose	Duration
Authentication Token	Maintaining your logged-in session	Session / 24 hours
Local Storage	Caching your progress data for offline access and faster loading	Until cleared
Error Tracking (Sentry)	Detecting and diagnosing application errors to improve reliability	Session

We do not use third-party advertising cookies, social media tracking pixels, or any form of cross-site behavioural tracking.

9. Security Measures

We implement the following technical and organisational measures to protect your data:

• Passwords are hashed using bcrypt (never stored in plain text)
• All data in transit is encrypted using TLS 1.2+
• API endpoints are protected by token-based authentication (JWT with HS256)
• Rate limiting is applied to prevent brute-force attacks (60 requests/minute)
• Database access is restricted to the application layer only
• Structured logging and monitoring via Sentry for security incident detection
• Role-based access control (student, parent, teacher, admin)
• Regular security reviews and dependency updates

10. Third-Party Services

We use the following third-party services in the operation of Padhai:

Service	Purpose	Data Shared
Razorpay	Payment processing	Transaction amount, order ID, payment status. Razorpay processes card/UPI details directly; we never store payment instrument data.
Hosting Provider	Server infrastructure	All platform data is stored on the hosting provider's servers. Subject to their data processing agreement.
Sentry	Error monitoring	Error logs, stack traces, request metadata (IP addresses are anonymised)

Each third-party service acts as a Data Processor and is bound by contractual obligations to process data only for the specified purposes.

11. Grievance Redressal

If you have any concerns, complaints, or grievances regarding the processing of your personal data, you may contact our Data Protection Officer:

DPO Name	[DPO Name]
Email	privacy@padhai.rsustain.com
Response Timeline	Within 30 days of receiving the grievance

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India established under the DPDP Act, 2023.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the email address associated with your account) and by posting a prominent notice on the platform at least 15 days before the changes take effect. Your continued use of Padhai after the effective date constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related queries or requests:

• Email: privacy@padhai.rsustain.com
• Subject line: "Privacy Request — [Your Name]"