Privacy Policy

What data we collect, why, who processes it, and the rights you and your child have over it.

Effective / last updated: August 1, 2026. This policy explains our current data practices and, where a safeguard is still being finalized, says so directly rather than claiming it is complete. For a summary of our child-safety framework specifically, see our Safety Policy. For the itemised, standalone notice of exactly what we collect, why, and how to withdraw consent — required under Section 5 of the DPDP Act 2023 — see our Notice to Data Principal.

This is the English original of this policy, effective August 1, 2026. It is also available in Hindi, Bengali, Marathi, Telugu, Tamil, Gujarati, Urdu, Kannada, Malayalam, and Punjabi using the language selector above. Translated versions are synced to this English version as of the same date; if a translation and this English version ever conflict, this English version is authoritative.

In Plain Language

What we collect: your (the parent's) name, email, mobile number and date of birth; a display name/nickname you choose for your child (we never ask for your child's legal name); your child's learning activity (questions, answers, progress); and basic technical data like IP address. We don't collect photos, audio, or precise location from anyone.

Why: to run the parent account, let your child practice and get tutoring support, and show you reports on how your child is doing. Never for advertising.

How long we keep it: for as long as your child's account is active, plus 30 days — then it's deleted, unless the law requires us to keep it longer.

Your rights: you can see, correct, download, or delete your and your child's data at any time, and you can withdraw your consent altogether — see Section 8A below for how.

Who to contact: our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com. This box is a simple summary; the full policy below has all the detail.

Translations are provided for accessibility. In case of any conflict between a translation and the English original, the English version governs.

1. Who We Are

Khypri AI acts as the data controller (under GDPR) and Data Fiduciary (under the DPDP Act 2023) for personal data collected through our platform, except where a school or institution independently determines the purposes of processing for its own students, in which case the school acts as controller/fiduciary and Khypri AI acts as processor on its behalf.

2. Data We Collect

We do not collect audio recordings, visual media (photos/video), or precise GPS-level geolocation from any user, parent or child.

2.1 Purpose & Legal Basis for Each Data Category

3. Cookies & Tracking

We use only strictly necessary cookies required to maintain your login session and security preferences. We do not use third-party marketing or advertising cookies, and we do not build behavioral advertising profiles.

4. Automated Decision-Making

Our platform uses AI to generate practice content and provide automated evaluation/feedback on student responses. Where an automated evaluation could have a significant effect on a student (for example, being used as part of a graded assessment), a human teacher retains the ability to review, override, or disregard the AI-generated evaluation. You may request human review of any automated evaluation that materially affects you by contacting dpo@khypri.com.

4.1 Learning Support Reports — Purpose & Lawful Basis

Khypri AI is designed to function as an extension of how a school already evaluates students — an unbiased academic evaluator that helps a student understand concepts, identify gaps, and perform better in their actual exams. To do this, the platform records a student's test/question responses and generates a transparent, parent-visible analysis of their performance. We want to be explicit about what this is and is not:

4.2 Support Team Access

Our customer support team does not have standing access to a student's academic data. Support access is granted only when a parent/guardian chooses to share a one-time Support PIN with our support team for the purpose of resolving a specific query. Even then, support staff can view only the limited information needed to resolve that query — not the student's full academic record or underlying response data. The PIN-gated session is scoped and temporary, and does not grant ongoing access.

5. Who We Share Data With

We do not sell personal data. Data is shared only with the following categories of service providers, strictly to operate the platform:

None of the vendors above currently have a signed Data Processing Agreement with us; we use their services on their standard, publicly available terms. This list will be kept current as our vendor relationships change. See our Sub-Processors page for the full current list with data-location detail.

6. Data Retention

Student and parent data is retained for the duration of active enrollment, plus 30 days, after which it is deleted unless a longer retention period is required by law. Verified erasure requests are processed within 30 days.

7. International Data Transfers

Data may be processed on servers located outside your home country. Where EU/EEA data is transferred outside the EEA, this is governed by Standard Contractual Clauses (SCCs), which are currently being finalized and are not yet fully executed across all vendors. Where Indian data is transferred outside India, we apply protections consistent with the DPDP Act 2023's requirements for cross-border transfer.

8. Data Subject Request Process

To exercise any right described in this policy (access, correction, erasure, restriction, portability, or objection), send a request to dpo@khypri.com from the email associated with the account, or in the case of a parental request, from the verified parent/guardian email. We follow this process:

8A. Withdrawing Your Consent

Separately from correcting, downloading, or erasing data, you have the right to withdraw the consent you gave for processing your child's data altogether, as easily as you gave it. Use the one-click "Withdraw Consent Now" button on our Notice to Data Principal, or email our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com with the subject line "Withdraw Consent," from the verified parent/guardian email on the account. Once we confirm your identity, we will stop all further processing of your child's data and, unless you separately ask us to retain it, proceed to erase it per the timeline in Section 6. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.

9. DPDP Act 2023 (India)

10. GDPR (European Union)

11. COPPA (United States)

12. Marketing Communications

We only send you promotional or marketing communications if you have opted in. You can withdraw consent and unsubscribe at any time using the link in any marketing email, or by contacting dpo@khypri.com. Transactional and account-related communications (e.g. billing receipts, security notices) are sent regardless of marketing preference, as they are necessary to operate your account.

13. Security

Data is encrypted in transit using TLS 1.3 and at rest using AES-256. We are working toward ISO 27001 certification of our information security management practices; this certification is in progress and not yet complete.

13.1 Access Control Policy (RBAC & Least Privilege)

Internal access to personal data — including a child's academic records, a parent's account details, and payment information — is governed by role-based access control (RBAC) built on the principle of least privilege: every team member's default access is none, and access is granted only for the specific data a role genuinely needs to do its job, nothing broader.

This governs our own internal/employee access. It is separate from a school's own internal access controls where a school is the data controller for its own students, and separate from the third-party sub-processors listed in Section 5, who receive only the pseudonymised, filtered data described there.

13.2 Authentication, Passwords & Credential Protection

Only a parent or guardian authenticates on Khypri AI — a child never has an independent login or password. Parent/guardian authentication is handled by Firebase Authentication (Google), which manages credential storage, password hashing, and login security on our behalf; we do not store parent passwords ourselves. No child data is ever sent to Firebase — not the child's display name, academic activity, or any other information (and, as noted in Section 2, we never collect a child's legal name to begin with). Once a parent's identity is verified through Firebase, all subsequent child-related data (profiles, question responses, progress, generated papers) is created, stored, and processed exclusively in Khypri AI's and/or My Paper Genie's own databases, entirely separate from the authentication layer.

14. Breach Response Process

In the event of a data breach affecting personal data, we follow this process:

15. Changes to This Policy

If we make material changes to this policy, we will update the effective date above and, where required by law, notify affected users directly.

16. Contact & Grievance Redressal

For any question, correction, deletion, or grievance request under the DPDP Act, GDPR, or COPPA, contact our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com. We aim to acknowledge all requests within 3 business days and resolve verified erasure requests within 30 days, per the process in Section 8.