1. Our Privacy Commitments and Scope
1.1 This Privacy Policy (hereinafter referred to as the “Policy”) sets forth in exhaustive detail the practices, procedures, and principles adopted by BuoyantWave Learning Technologies LLP, operating under the brand name Bodhaka BrightChalk (collectively referred to as “we,” “us,” “our,” or the “Company”), concerning the collection, use, storage, processing, disclosure, protection, and management of your personal information and data. This Policy applies whenever you interact with our Digital Platform, including but not limited to our website (https://bodhaka.org and https://learning.bodhaka.org/brightchalk), mobile applications, web applications, AI-powered learning modules, or any other digital interfaces (collectively, the “Platform”), register as a Parent or Student, upload images, engage with AI tutors, or avail yourself of any associated educational services.
1.2 Our commitment to safeguarding your privacy and personal data — particularly that of minors in Classes 6 to 12 — is paramount and unwavering, grounded in strict adherence to the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000 and its Rules 2021 (“IT Act”), the Protection of Children from Sexual Offences Act (“POCSO Act”), and all other pertinent Indian laws, regulations, and standards applicable to data protection and child safety. We recognize the heightened sensitivity of data involving children and implement verifiable parental consent, advanced AI safety filters, and rigorous due-diligence mechanisms to build and maintain trust with Parents, Students, and guardians.
1.3 By accessing, registering on, or using the Platform, submitting verifiable parental consent, uploading images, interacting with AI modules (Ask Bodhaka, Equation Solver, Guided Discovery, or Project Guide), or engaging with our services in any manner, you (including the Parent on behalf of the Student) provide your explicit, informed, voluntary, and unambiguous consent to the data practices described in this Policy. If you are a Parent registering a minor Student, you represent that you have full legal authority to provide this consent and accept responsibility for the Student’s use. If you do not agree with any aspect of this Policy, you must immediately discontinue all interactions with the Platform. Continued use constitutes your binding agreement to this Policy.
1.4 This Policy is fully incorporated into and forms an inseparable part of our Terms of Service, IP & Copyright Policy, and Educational Disclaimer. Any capitalized terms used herein shall have the same meanings as defined in those documents unless explicitly stated otherwise. In the event of any conflict between this Policy and the Terms of Service, this Policy shall prevail with respect to privacy and data protection matters.
1.5 We reserve the right to amend, revise, or update this Policy at any time to reflect changes in our practices, legal requirements (including updates to the DPDP Act or IT Rules), technological advancements in AI safety filtering, or operational needs. Such changes become effective immediately upon posting on the Platform and updating the “Last Updated” date. It is your responsibility to review this Policy periodically. Your continued use after any modifications signifies your acceptance of the revised terms.
2. Types of Information We Collect and Categories
2.1 Personal Information. We collect data that directly identifies or can be used to identify you, including but not limited to your full legal name, email address, mobile phone number, date of birth, gender, residential address, and, for Parents, government-issued identification details submitted through third-party KYC processes. This information is essential for account creation, verifiable parental consent, and secure access to educational services. For households with more than one Student, each Student account is created with its own distinct email address (typically a Gmail address used for “Sign in with Google”), which the Parent provides at the time of account creation and which the Student uses to sign in; this same Student-specific email address is also used, in a strictly limited manner described in Clauses 4.7 and 5.1, to bind that Student’s paid subscription, if any, to that Student’s account at our payment processor. We do not share any Student’s mobile phone number with our payment processor at the time of subscription creation; only the Student’s email address is passed for the purpose of mandate disambiguation between siblings.
2.2 Sensitive Personal Data or Information. We process sensitive data such as Aadhaar or equivalent KYC identifiers solely through certified third-party APIs for verifiable parental consent as mandated by the DPDP Act. We do not store full sensitive government ID data on our servers where technically feasible. We also process data related to User-Uploaded Images (after NSFW filtering) and audit logs of safety decisions. All such data receives enhanced protection and is used strictly for safety, compliance, and service delivery.
2.3 Usage and Technical Data. Automatically collected through your interactions, this includes IP addresses, device identifiers, browser types, operating system details, access timestamps, query logs (academic questions posed to AI tutors), navigation paths within learning modules, session durations, and performance metrics. This data helps optimize the AI-powered learning experience and ensure platform stability.
2.4 Learning and Interaction Data. Information generated during use of core modules, such as academic queries submitted to Ask Bodhaka, equations or problems solved via Equation Solver, responses in Guided Discovery, images cleared by the NSFW Filter, and interactions with Project Guide. This includes metadata about fetched Wikipedia images that passed the 2-Level AI Safety Filter.
2.5 Parental Consent and Verification Data. Records of verifiable parental consent obtained via third-party KYC APIs, including consent timestamps, reference identifiers (without full ID storage), and confirmation of successful verification before minor access is granted.
2.6 Aggregated and Anonymized Data. Non-personal, de-identified data compiled for statistical analysis, such as overall usage trends across Classes 6–12, effectiveness of AI tutoring, or anonymized learning outcome patterns. This data cannot be re-identified to any individual.
2.7 Safety and Compliance Logs. Permanent audit logs of every NSFW Filter decision on User-Uploaded Images, every 2-Level AI Safety Filter decision on fetched imagery, and any CSAM-related quarantine actions. These logs serve as evidence of our due diligence under the IT Act and POCSO Act.
2.8 All data collection is guided by the principles of data minimization, purpose limitation, storage limitation, and lawfulness under the DPDP Act. We collect only what is necessary for providing safe, effective educational services aligned with the syllabus.
3. Methods and Sources of Information Collection
3.1 Direct Collection from Users/Parents. We obtain information directly through registration forms, parental KYC verification flows, image upload interfaces in the three core modules, feedback mechanisms, and support inquiries.
3.2 Automated Collection Technologies. Utilizing server logs, AI processing pipelines, the NSFW AI Vision Filter (applied at the upload gateway), the 2-Level AI Safety Filter for Wikipedia imagery, and RAG system metadata to capture interaction data. Rejected images under the NSFW Filter are never stored.
3.3 Third-Party Sources. Data received from certified KYC API providers for parental consent verification and from Wikipedia (or similar open repositories) for Creative Commons/public-domain educational imagery only after passing safety filters. We do not receive data from unauthorized sources.
3.4 Device and Interaction-Based Collection. Through Platform permissions, we collect technical data necessary for delivering personalized study pathways and ensuring seamless AI tutor performance.
3.5 Passive Collection for Safety. Automated inference within safety pipelines, such as content classification in uploaded images or age-appropriate filtering, always in compliance with DPDP Act consent and proportionality requirements.
3.6 At every collection point, especially during parental KYC and image uploads, we provide clear notices about the data being collected, its purposes, safety processing, and your rights, ensuring transparency and informed decision-making.
3.7 We do not engage in covert data collection and maintain full compliance with DPDP Act notice and consent requirements.
4. Purposes and Lawful Bases for Using Collected Information
4.1 Provision and Enhancement of Educational Services. To deliver AI tutoring, equation solving, guided discovery, image-based contextual help, and Project Guide mentoring, based on contractual necessity and parental consent.
4.2 Verifiable Parental Consent and Child Safety. To verify parental identity via third-party KYC, enforce age-appropriate access, and maintain a safe learning environment for minors, as required by the DPDP Act and POCSO-aligned principles.
4.3 Safety Screening and Due Diligence. To run the NSFW Pre-Upload Filter on every user image, the 2-Level AI Safety Filter on fetched imagery, and generate audit logs proving reasonable precautions under the IT Act.
4.4 Communication and Support. To send transactional updates, schedule notifications (exclusively via the Platform dashboard), and respond to support queries.
4.5 Platform Improvement and Analytics. To analyze anonymized usage patterns, improve AI accuracy (while preserving RAG-based originality), and enhance safety filters, grounded in legitimate interests.
4.6 Legal Compliance and Protection. To fulfill obligations under the DPDP Act, IT Act, POCSO Act, respond to law enforcement requests, and defend against claims, including maintaining audit logs for intermediary safe-harbor protection.
4.7 Subscription Mandate Disambiguation Between Siblings. Where a Parent voluntarily elects to purchase a paid subscription for one or more Student accounts under their family, our payment processor’s recurring-payment infrastructure (UPI AutoPay, e-mandate, card-on-file, or any equivalent rail) requires a unique, persistent customer identifier in order to register a separate recurring mandate per Student. In furtherance of this contractual necessity (and only for this purpose), we pass the relevant Student’s own email address — the same address used by that Student to sign in to the Platform — to the payment processor at the time of subscription creation, so that each Student’s subscription is registered as a distinct billing arrangement and not collapsed into a single household mandate. We do not pass any Student’s mobile phone number, date of birth, address, or any sensitive personal data to the payment processor for this purpose; we do not represent or hold out the Student as the financially liable contracting party (the Parent remains the contracting party and remains solely liable for payment); and we do not enable the Student to authorise the mandate themselves — the Parent completes the entire payment and mandate-authorisation flow on the payment processor’s checkout interface using the Parent’s own payment instrument. This processing is carried out on the lawful bases of contractual necessity (to enable the subscription the Parent has elected to purchase) and, where applicable, the Parent’s verifiable consent obtained at the time of subscription checkout.
4.8 We do not use data for automated decision-making with significant legal effects without appropriate safeguards and human oversight where required. All processing aligns with DPDP Act principles of fairness, accountability, and child-centric protection.
5. Sharing and Disclosure of Information Practices
5.1 With Service Providers and Vendors. We share data only with vetted third-party processors (e.g., KYC API providers under strict data processing agreements, cloud hosting partners, AI safety model vendors) who are contractually bound to confidentiality, security, and purpose-limited use.
In particular, and in furtherance of our transparency obligations under Section 8 of the DPDP Act and Rule 4 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, we disclose below the named third-party processors we currently engage. Each of these providers processes a limited, purpose-bound subset of your personal data strictly on our documented instructions and under a binding data processing agreement (or equivalent terms incorporated by reference) that mandates confidentiality, appropriate technical and organizational security safeguards, breach notification, sub-processor controls, and use only for the stated purpose:
- IDfy (Baldor Technologies Private Limited). We use IDfy to perform verifiable parental consent verification as required under Section 9 of the DPDP Act and the corresponding DPDP Rules in respect of children’s personal data, before any minor Student account is activated on the Platform. Specifically, the Parent or legal guardian completes a real-time identity check using IDfy’s Voter ID and/or Passport verification APIs (and any equivalent government-authorised mode IDfy may make available from time to time), in which IDfy validates the submitted document particulars against the relevant authoritative source and returns to us a pass/fail result together with the minimum matched fields necessary to record consent. The categories of personal data shared with IDfy are limited to the document type and number (Voter EPIC number or Passport number), the Parent’s name and date of birth as printed on the document, and, where the verification mode requires it, a document image and/or a live selfie of the Parent for liveness and face-match purposes. We do not retain full copies of the Parent’s government-issued identification on our own servers where technically feasible; we retain only a verification reference identifier, consent timestamp, and pass/fail status as evidence of consent under the DPDP Act and the IT Act. IDfy’s independent processing of this data is governed by its own privacy policy, available at https://idfy.com/privacy-policy/.
- Brevo (Sendinblue SAS). We use Brevo as our transactional and operational email service provider to deliver essential service communications such as account verification, parental-consent confirmations, password resets, security alerts, support replies, credit-related notices, and dashboard-linked notifications. The categories of personal data shared with Brevo are limited to your name, email address, and the contents of the communication itself. Rejected or undeliverable messages and bounce metadata are handled in accordance with Brevo’s standard processor controls. Brevo’s independent processing of this data is governed by its own privacy policy, available at https://www.brevo.com/legal/privacypolicy/.
- MSG91 (Walkover Web Solutions Private Limited). We use MSG91 as our SMS gateway and One-Time-Password (OTP) provider to deliver authentication codes, mobile number verification messages, parental-consent transactional SMS, and other security-critical short messages over Indian telecom infrastructure registered under the TRAI DLT framework. The categories of personal data shared with MSG91 are limited to your mobile number, the OTP or short message content, and minimal sender/template metadata required for compliant delivery. MSG91’s independent processing of this data is governed by its own privacy policy, available at https://msg91.com/privacy-policy.
- Twilio Inc. We use Twilio’s WhatsApp Business API to deliver scheduled academic reminders, quiz links, study session prompts, and similar non-marketing transactional notifications to Users (including Parents on behalf of Students) who have opted in to receive such communications on the WhatsApp platform. The categories of personal data shared with Twilio are limited to your WhatsApp-registered mobile number, the message content, and conversation/session metadata required by Meta’s WhatsApp Business policies for delivery. Such communications are subject to Meta’s template-approval requirements, opt-in rules, and the WhatsApp Business Solution Terms. Twilio’s independent processing of this data is governed by its own privacy policy, available at https://www.twilio.com/en-us/legal/privacy.
- Razorpay Software Private Limited. We use Razorpay as our payment gateway to securely process subscription payments, credit purchases, applicable refunds, and related billing operations. The categories of personal data shared with Razorpay are limited to those necessary to complete the transaction, including your name, email address, contact number, and payment instrument details, which you submit directly into Razorpay’s secure environment during checkout. Sensitive payment instrument data (such as full card numbers, CVV, UPI handles, or banking credentials) is captured and tokenized by Razorpay and is never stored on our servers. Where the Parent purchases a recurring subscription for a particular Student account, we additionally pass to Razorpay, at the moment of subscription creation, the email address associated with that specific Student account (the same address the Student uses to sign in to the Platform) in the “notify” and customer-prefill fields of the subscription create request. We do this solely for the technical purpose of ensuring that Razorpay’s recurring-mandate infrastructure (UPI AutoPay, e-mandate, card-on-file or equivalent) treats each Student’s subscription as a distinct billing arrangement and does not, on account of identical contact data across siblings, refuse or collapse a second or third sibling’s subscription into an already-registered household mandate. We expressly do not share with Razorpay any Student’s mobile phone number, date of birth, residential address, academic records, learning interaction data, or any sensitive personal data for this purpose; the Student’s email address is the only Student-identifying field passed for mandate disambiguation, and any contact number entered into Razorpay’s own checkout interface is entered by the Parent at that interface (not transmitted by us) and is intended to be the Parent’s own contact number for payment notifications.
Razorpay also acts as an independent Data Fiduciary with respect to information it collects directly from you on its own checkout interface for fraud-prevention, regulatory, and tax-compliance purposes. Razorpay’s privacy practices are governed by its own privacy policy, available at https://razorpay.com/privacy-policy/.
- Google LLC and its affiliated entities (Google Cloud, Google Sign-In, and Google Drive). We use Google’s services in two distinct capacities. First, we offer “Sign in with Google” as an authentication option, in which case Google verifies your identity and returns to us a basic profile (name, email address, and an opaque identifier) to create or sign you into your BrightChalk account; the underlying authentication is governed by Google’s consumer privacy policy at https://policies.google.com/privacy. Second, with your explicit, granular Drive permission grant, we save copies of your conversational and project history files generated within Ask Bodhaka, PhysCrafter, and RxnCrafter into a folder inside your own Google Drive account (which you own and control); these files reside under your Google account, are subject to your Drive sharing settings, and Google’s processing of those files is governed by the same consumer privacy policy linked above. Where we additionally rely on Google Cloud Platform for back-end infrastructure or processing under our control, that processing is covered by the Google Cloud Privacy Notice available at https://cloud.google.com/terms/cloud-privacy-notice. You may revoke our Drive permission at any time from your Google account settings; doing so will stop further file syncing but will not retrieve or delete files already saved to your own Drive (which remain entirely under your control).
IDfy, Brevo, MSG91, Twilio, Razorpay, and Google may, in the course of providing the above services, act as our processors with respect to data we share with them on our instructions, and as independent Data Fiduciaries (or controllers) with respect to data they collect directly from you on their own platforms or interfaces. We remain accountable under the DPDP Act for the personal data we share with each of them as our processors and have entered into appropriate data processing arrangements (or accepted their equivalent terms by reference) to ensure your rights are protected. We encourage you to review each provider’s privacy policy linked above for the specifics of their independent processing.
The list of named processors above is current as of the “Last Updated” date at the top of this Policy and may be updated from time to time as our service providers change. Material changes to this list will be communicated through the Platform dashboard in accordance with Section 12.
5.2 For Legal and Regulatory Compliance. Disclosure to authorities when mandated by law, minimizing data shared and maintaining records of such disclosures.
5.3 In Business Transfers. In the event of merger, acquisition, or restructuring, data may be transferred with continued protection under this Policy.
5.4 Safety and Incident Response. In cases of suspected CSAM or serious safety violations, limited data may be shared with appropriate authorities or Childline, with full audit trail maintained.
5.5 We strictly prohibit the sale, rental, or commercial trading of personal data. All sharing occurs only with equivalent data protection safeguards.
6. Data Security Measures and Protections
6.1 We employ multi-layered security including encryption (in transit and at rest), role-based access controls, secure KYC API integrations (no full ID storage on our servers), and AI-driven threat detection.
6.2 User-Uploaded Images flagged by the NSFW Filter are rejected at the gateway and never stored. Cleared images and audit logs are protected with industry-leading safeguards.
6.3 In the event of a data breach, we follow DPDP Act protocols for notification to affected Users and the Data Protection Board, along with remedial actions.
6.4 While we implement robust measures, no system is infallible. We disclaim liability for breaches beyond our reasonable control. Regular audits are conducted.
7. Your Data Rights and Exercise Mechanisms
7.1 Right to Access, Correction, Erasure, and Portability under the DPDP Act.
7.2 Right to Withdraw Consent (which may limit or terminate Platform access for minors).
7.3 Right to Grievance Redressal and Nomination.
7.4 To exercise rights, submit a verifiable request to compliance@bodhaka.org. We respond within timelines mandated by the DPDP Act, free of charge except for unfounded requests.
8. Data Retention and Deletion Policies
8.1 We retain data only as long as necessary for service provision, legal compliance, or safety audit requirements. KYC verification data is deleted promptly post-consent. Audit logs are retained as required for due-diligence evidence.
8.2 Upon request or retention expiry, data is securely and irreversibly deleted or anonymized.
9. International Data Transfers and Safeguards
9.1 All primary processing and storage occur in India. Any limited international transfers (e.g., to global AI safety model providers) use DPDP Act-compliant safeguards.
10. Cookies, Tracking Technologies, and Management
10.1 We use essential cookies and similar technologies for Platform functionality, security, and anonymized analytics. A consent banner is presented for non-essential tracking.
11. Children’s Privacy Protections and Restrictions
11.1 The Platform is designed exclusively for Students in Classes 6–12 and requires verifiable parental consent. We implement heightened protections, mandatory KYC, image safety filters, and POCSO-aligned due diligence.
11.2 We do not knowingly allow use without parental consent. Any suspected unauthorized minor access triggers investigation and potential termination.
11.3 Parents discovering issues should contact us immediately. Our systems prioritize child safety through proactive filtering and audit logging.
12. Changes to the Privacy Policy and Notification
12.1 Material changes will be notified prominently via the Platform dashboard. Continued use after changes constitutes acceptance.
13. Contact Us for Privacy Inquiries and Grievances
13.1 For any questions, concerns, requests, or complaints, please contact our designated Grievance Officer / Data Protection Officer:
Grievance Officer / Data Protection Officer
BuoyantWave Learning Technologies LLP d/b/a Bodhaka BrightChalk
Registered Office: 235, 2nd Floor, 13th Cross Road, Indiranagar II Stage, Hoysala Nagar, Indiranagar, Bengaluru, Karnataka 560038, India
Email: compliance@bodhaka.org
13.2 We commit to acknowledging inquiries within 24 hours and providing a substantive response within 15 days (or as per DPDP Act timelines). If unsatisfied, you may approach the Data Protection Board of India.