How we handle your family's data

Effective: [29 April 2026] · Last updated: [30 April 2026] · Version: 1.0

ShikshaPal is built for school students in India. Because most of our users are minors, we have written this Privacy Policy in plain language for parents, guardians, and older students to read together. This Policy is written to comply with the Digital Personal Data Protection Act, 2023 ("DPDP Act") and other applicable Indian laws.

In one paragraph

ShikshaPal runs entirely on your phone after you install it. The AI tutor never sends questions, conversations, or learning data to our servers. We require an email address and password only to give each student a personal account on their phone. We never sell data, never show ads, and never use student conversations to train AI models.

Contents

Who we are
What this Policy covers
Children & parental consent
Data we collect
Why we collect it
Our legal basis
Who we share data with
How long we keep data
How we protect data
International transfers
Your rights under DPDP Act
Cookies & analytics
Donations
Changes to this Policy
Contact & grievances

1. Who we are

ShikshaPal is operated by [Legal Entity Name] ("ShikshaPal", "we", "us", or "our"), a [proprietorship / private limited company / LLP — to be confirmed] organised under the laws of India and based in Bengaluru, Karnataka. For all matters relating to your personal data, we act as a Data Fiduciary as defined under the DPDP Act.

You can write to us at contact@shikshapal.com.

2. What this Policy covers

This Policy applies to:

The ShikshaPal mobile application for Android and iOS phones;
Our website at shikshapal.com and any related domains;
Any communication you have with us by email.

It does not apply to third-party services we link to or rely on, such as Hugging Face (where our AI models are hosted) or any donation processor we may use in future. Each of those services has its own privacy policy.

3. Children and parental consent

Most students who use ShikshaPal are under the age of 18. Under the DPDP Act, anyone under 18 is treated as a Child, and we must obtain verifiable consent from a parent or lawful guardian before processing a child's personal data.

For parents

When a student under 18 creates an account, we ask them to provide a parent or guardian email address. We send a consent request to that address, and the account is activated only after the parent confirms. By giving consent, you agree to this Policy on behalf of your child.

You can withdraw consent and ask us to delete the child's account at any time by writing to contact@shikshapal.com.

We do not knowingly process the data of any child without parental consent. We do not track children's behaviour for advertising or profiling, and we do not use children's data for any purpose that is likely to cause them harm.

4. Data we collect

We have deliberately designed ShikshaPal to collect as little as possible. This is what we collect, and nothing more:

Email address: The email used to register, and (if the user is a minor) the parent's email used for consent.
Password: Stored only as a one-way cryptographic hash. We never see, store, or log your actual password.
Student profile: Class (e.g., Class 8), preferred language of instruction, and an optional display name. No real name is required.
Account events: Account creation date, last login date, and password reset requests. Used for security only.
Email correspondence: If you write to us, we keep the email so we can respond and follow up.

What we do not collect

The questions students ask the tutor;
The tutor's answers;
Chat history of any kind;
Time spent in the app, sessions, or screen-by-screen activity;
Microphone, camera, or location data;
Contacts, photos, or any other files on the device;
Aadhaar, PAN, phone numbers, or any other identity documents.

All tutoring conversations stay on the student's device. They are never transmitted to our servers and are never sent anywhere else.

5. Why we collect this data

We use the limited data above only for these purposes:

To create and authenticate your account so each student can sign in to their personal copy of ShikshaPal;
To verify parental consent when the user is a minor;
To let you reset your password if you forget it;
To respond to your emails and support requests;
To detect abuse such as repeated failed logins or attempts to misuse the service;
To comply with law where we are legally required to.

We do not use your data for advertising, profiling, scoring, or model training.

6. Our legal basis under the DPDP Act

We process personal data on the basis of:

Your consent, which you give when you (or your parent, if you are a minor) create an account and accept this Policy;
Legitimate use for security, fraud prevention, and to comply with applicable Indian law.

We do not sell, rent, or trade personal data. We share data only with the following categories of recipients, and only to the extent necessary:

Email delivery providers — to send account verification, parental consent, and password reset emails;
Cloud infrastructure providers — to host our authentication server (data stays in India where possible);
Donation processors — only if and when you choose to donate. We will name the processor at the time of donation;
Law enforcement and regulators — only when we receive a valid, written legal order from an Indian authority and have no lawful way to refuse.

About Hugging Face

The AI models that power ShikshaPal are hosted on Hugging Face, a public platform for open-source models. When the app downloads a model file to your phone, the request goes directly from your phone to Hugging Face. We do not see this request, and we do not pass any account information to Hugging Face. Their privacy practices are governed by their own policy.

8. How long we keep data

Active accounts: as long as the account exists.
Inactive accounts: if an account is unused for 24 months, we will email a warning and then delete it.
Deletion requests: we delete the account within 30 days of receiving a valid request, except where law requires us to retain certain records.
Email correspondence: kept for up to 36 months unless you ask us to delete it sooner.

9. How we protect data

We follow standard security practices, including:

Encryption of data in transit (HTTPS/TLS) for all communication with our server;
One-way hashing of passwords using a strong, salted algorithm;
Access controls so that only authorised personnel can reach the database;
Regular backups and basic intrusion monitoring.

No system on the internet is perfectly secure. If we ever discover a personal data breach that is likely to result in significant harm, we will notify the Data Protection Board of India and affected users as required under the DPDP Act.

10. International transfers

We aim to keep all personal data within India. If we ever transfer data outside India (for example, to use a particular email provider), we will only do so to jurisdictions that the Government of India has not restricted, and we will protect the data with appropriate contractual safeguards.

11. Your rights under the DPDP Act

As a Data Principal (or, in the case of a minor, the parent acting on their behalf), you have the right to:

Access a copy of the personal data we hold about you;
Correct data that is inaccurate or out of date;
Erase data you no longer want us to hold;
Withdraw consent at any time, which will result in account deletion;
Nominate another individual to exercise your rights in case of your death or incapacity;
Lodge a grievance with us, and if unresolved, escalate to the Data Protection Board of India.

To exercise any of these rights, write to contact@shikshapal.com from the email address registered to the account. We will respond within 30 days.

12. Cookies and analytics

The ShikshaPal mobile application does not use cookies. Our website uses only essential cookies needed to keep you signed in to your account dashboard. We do not use Google Analytics, Facebook Pixel, or any third-party advertising or behavioural tracking on the app or the site.

13. Donations

ShikshaPal is free to use. If you choose to make a voluntary donation to support the project, the payment is processed by an external donation processor (to be confirmed at launch). That processor will collect the information needed to process your payment, and their handling of that information is governed by their own privacy policy. We do not store full card or bank details on our servers.

14. Changes to this Policy

We may update this Policy from time to time. If we make a material change, we will email registered users at least 14 days before the change takes effect. The "Last updated" date at the top of this page always shows the most recent version.

15. Contact and grievances

For any privacy question, request, or complaint, please write to:

Grievance Officer / Data Protection Officer
[Legal Entity Name]
Bengaluru, Karnataka, India
Email: contact@shikshapal.com

If you are not satisfied with our response, you may approach the Data Protection Board of India in accordance with the DPDP Act.