Effective / last updated: August 1, 2026. This policy explains our current data practices and, where a safeguard is still being finalized, says so directly rather than claiming it is complete. For a summary of our child-safety framework specifically, see our Safety Policy. For the itemised, standalone notice of exactly what we collect, why, and how to withdraw consent — required under Section 5 of the DPDP Act 2023 — see our Notice to Data Principal.
This is the English original of this policy, effective August 1, 2026. It is also available in Hindi, Bengali, Marathi, Telugu, Tamil, Gujarati, Urdu, Kannada, Malayalam, and Punjabi using the language selector above. Translated versions are synced to this English version as of the same date; if a translation and this English version ever conflict, this English version is authoritative.
In Plain Language
What we collect: your (the parent's) name, email, mobile number and date of birth; a display name/nickname you choose for your child (we never ask for your child's legal name); your child's learning activity (questions, answers, progress); and basic technical data like IP address. We don't collect photos, audio, or precise location from anyone.
Why: to run the parent account, let your child practice and get tutoring support, and show you reports on how your child is doing. Never for advertising.
How long we keep it: for as long as your child's account is active, plus 30 days — then it's deleted, unless the law requires us to keep it longer.
Your rights: you can see, correct, download, or delete your and your child's data at any time, and you can withdraw your consent altogether — see Section 8A below for how.
Who to contact: our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com. This box is a simple summary; the full policy below has all the detail.
Translations are provided for accessibility. In case of any conflict between a translation and the English original, the English version governs.
1. Who We Are
Khypri AI acts as the data controller (under GDPR) and Data Fiduciary (under the DPDP Act 2023) for personal data collected through our platform, except where a school or institution independently determines the purposes of processing for its own students, in which case the school acts as controller/fiduciary and Khypri AI acts as processor on its behalf.
2. Data We Collect
- Parent/Guardian Identity Data: The account holder's full legal name, email, and contact details.
- Child Identity Data: We deliberately do not ask for or collect a child's legal name. Instead, the parent/guardian chooses a display name or nickname to identify the child within the platform, along with grade/school and board. This display name, not a legal name, is what's used everywhere the child's profile appears — including in any content sent for AI processing (see Section 5) — specifically so a child's real identity is never exposed or at risk if that data were ever compromised.
- Educational Data: Question responses, performance metrics, generated papers, and learning activity within the platform, tied to the child's display name/profile, not a legal name.
- Technical Data: IP address, device identifiers, browser type, and city-level (not precise) geolocation inferred from IP. This geolocation and IP-based country detection is collected only during the parent/guardian's own registration and login — to prevent fraud and to suggest which country's age-of-consent rules apply to the registering parent (a default suggestion the parent can correct, not a silent, unappealable determination). We do not collect or infer geolocation from a child's own sessions, and it is never used to track a child's location or movement.
- Payment Data: Processed directly by our payment providers; Khypri AI does not store full card numbers.
We do not collect audio recordings, visual media (photos/video), or precise GPS-level geolocation from any user, parent or child.
2.1 Purpose & Legal Basis for Each Data Category
- Parent/Guardian Identity Data — Purpose: account creation, parental consent verification, communication. Legal basis: consent (parent/guardian) or contract (institution).
- Child Identity Data (display name, grade/school, board) — Purpose: personalising and curriculum-aligning content without exposing the child's real identity. Legal basis: consent (parent/guardian) or contract (institution).
- Educational Data — Purpose: generating and evaluating academic content, tracking learning progress. Legal basis: consent and legitimate interest in providing the core educational service.
- Technical Data — Purpose: security, fraud prevention, service reliability, and suggesting the applicable country's age-of-consent rules at registration. Legal basis: legitimate interest in keeping the platform secure, operational, and correctly applying jurisdiction-specific child-protection rules.
- Payment Data — Purpose: processing subscription charges. Legal basis: contract with the paying party.
3. Cookies & Tracking
We use only strictly necessary cookies required to maintain your login session and security preferences. We do not use third-party marketing or advertising cookies, and we do not build behavioral advertising profiles.
- Strictly Necessary: Session/authentication cookies required for login and security. These cannot be disabled without losing the ability to use the platform.
- Functional: Preference cookies (e.g. theme selection) that remember your settings between visits.
- Analytics: We may use privacy-conscious, aggregated usage analytics to understand feature usage; these do not build individual behavioral profiles or feed advertising.
- Advertising: None. We do not use third-party advertising or cross-site tracking cookies.
4. Automated Decision-Making
Our platform uses AI to generate practice content and provide automated evaluation/feedback on student responses. Where an automated evaluation could have a significant effect on a student (for example, being used as part of a graded assessment), a human teacher retains the ability to review, override, or disregard the AI-generated evaluation. You may request human review of any automated evaluation that materially affects you by contacting dpo@khypri.com.
4.1 Learning Support Reports — Purpose & Lawful Basis
Khypri AI is designed to function as an extension of how a school already evaluates students — an unbiased academic evaluator that helps a student understand concepts, identify gaps, and perform better in their actual exams. To do this, the platform records a student's test/question responses and generates a transparent, parent-visible analysis of their performance. We want to be explicit about what this is and is not:
- What it is: a learning-support function, limited to the student's own academic activity within the platform, used only to (a) give the student and parent an honest, unbiased picture of the student's understanding of concepts and test performance, and (b) help the student learn (e.g. surfacing weaker topics, adjusting question difficulty).
- What it is not: it is not used for targeted advertising, marketing, engagement-maximization, or any purpose directed at the child outside the academic workspace. We do not build a behavioral or advertising profile of a child, and this data is never shared with or sold to advertisers.
- Lawful basis: this processing is necessary to perform the core educational service the parent/guardian (or school) has requested on the child's behalf. We ask the parent/guardian for explicit consent before any of their child's data is processed; if consent is not given, no processing of that child's data takes place at all. Where a school has issued the account, processing instead occurs under the school's contractual instructions as data controller.
- Parent visibility: parents/guardians can access their child's progress reports at any time; this data is not used to make decisions about the child outside of supporting their learning, without the parent's knowledge.
4.2 Support Team Access
Our customer support team does not have standing access to a student's academic data. Support access is granted only when a parent/guardian chooses to share a one-time Support PIN with our support team for the purpose of resolving a specific query. Even then, support staff can view only the limited information needed to resolve that query — not the student's full academic record or underlying response data. The PIN-gated session is scoped and temporary, and does not grant ongoing access.
5. Who We Share Data With
We do not sell personal data. Data is shared only with the following categories of service providers, strictly to operate the platform:
- Hosting & Email: BigRock, for hosting and account/marketing email delivery. As we scale, we may add Amazon Web Services (AWS) or Google Cloud as additional or replacement hosting infrastructure; this policy will be updated before that happens.
- Authentication: Firebase Authentication (Google), used only to verify and log in the parent/guardian account holder — email, mobile number, and credentials. A child never has an independent login, and no child data is ever sent to Firebase; all child-related data is stored and processed only in Khypri AI's and/or My Paper Genie's own databases.
- AI Processing: OpenAI and Google (Gemini / Vertex AI), for generating and evaluating academic content. Educational inputs may be sent to these providers for inference, identified only by the child's display name/profile (see Section 2) — we never collect a child's legal name in the first place, so there is no real name to strip out before sending content for processing. We currently rely on these providers' published API data-usage policies, which state that API inputs are excluded from model training; no signed Data Processing Agreement is yet in place with either provider, and we use their services on their standard terms.
- Payments: Razorpay, for processing subscription payments.
- Analytics: Google Analytics, for aggregate usage analytics on our public marketing website only (not inside the learning platform). This only runs if you accept analytics cookies in the cookie banner — it is denied by default.
None of the vendors above currently have a signed Data Processing Agreement with us; we use their services on their standard, publicly available terms. This list will be kept current as our vendor relationships change. See our Sub-Processors page for the full current list with data-location detail.
6. Data Retention
Student and parent data is retained for the duration of active enrollment, plus 30 days, after which it is deleted unless a longer retention period is required by law. Verified erasure requests are processed within 30 days.
7. International Data Transfers
Data may be processed on servers located outside your home country. Where EU/EEA data is transferred outside the EEA, this is governed by Standard Contractual Clauses (SCCs), which are currently being finalized and are not yet fully executed across all vendors. Where Indian data is transferred outside India, we apply protections consistent with the DPDP Act 2023's requirements for cross-border transfer.
8. Data Subject Request Process
To exercise any right described in this policy (access, correction, erasure, restriction, portability, or objection), send a request to dpo@khypri.com from the email associated with the account, or in the case of a parental request, from the verified parent/guardian email. We follow this process:
- Step 1 — Acknowledgement: We acknowledge receipt within 3 business days.
- Step 2 — Identity Verification: We may ask for information to confirm you are the account holder or the account holder's parent/guardian, to prevent unauthorized access to a child's data.
- Step 3 — Fulfillment: Access, correction, and portability requests are fulfilled within 15 days; erasure requests within 30 days, consistent with Section 6.
- Step 4 — Data Portability Format: Where you request a copy of your data, we provide it in a structured, commonly used, machine-readable format (JSON or CSV).
- Step 5 — Escalation: If you are unsatisfied with our response, EU/EEA residents may lodge a complaint with their local supervisory authority, and Indian residents may escalate to the Data Protection Board of India once operational.
8A. Withdrawing Your Consent
Separately from correcting, downloading, or erasing data, you have the right to withdraw the consent you gave for processing your child's data altogether, as easily as you gave it. Use the one-click "Withdraw Consent Now" button on our Notice to Data Principal, or email our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com with the subject line "Withdraw Consent," from the verified parent/guardian email on the account. Once we confirm your identity, we will stop all further processing of your child's data and, unless you separately ask us to retain it, proceed to erase it per the timeline in Section 6. Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.
9. DPDP Act 2023 (India)
- Verifiable Parental Consent: Only a parent or guardian can register on Khypri AI; students cannot create an account directly. Registration captures the parent's date of birth and a self-declaration of adult status, followed by verification of the parent's email and mobile number. Only once the parent's own profile is complete can they add their child(ren) — a student profile cannot exist without an already-verified parent account behind it.
- No Behavioral Profiling: We do not track student browsing or behavior outside the academic workspace, and serve no targeted advertising.
- Correction & Erasure: Parents may view, correct, or request erasure of their child's data at any time.
- Grievance Officer: Data protection queries under the DPDP Act can be directed to our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com.
10. GDPR (European Union)
- Lawful Basis: Processing occurs under consent (parent/guardian or institution) and, where applicable, the school's legitimate interest as controller.
- Data Subject Rights: Access, correction, restriction, portability, and erasure requests can be sent to dpo@khypri.com, and are handled per the process in Section 8.
- Breach Notification: We commit to notifying affected users and relevant supervisory authorities within 72 hours of discovering a breach, per the process in Section 14.
11. COPPA (United States)
- Scope: COPPA applies to children under 13 in the United States.
- Minimal Collection: We collect no audio, visual media, or precise geolocation from children under 13.
- Verifiable Parental Consent: Because only a parent or guardian can register and verify their own identity before adding a child to the account, no child under 13 is ever able to provide their own consent or create an independent account.
- Parental Rights: Parents may review or request deletion of their child's data at any time by contacting dpo@khypri.com.
- No Conditioning: Participation is never conditioned on disclosing more data than reasonably necessary.
12. Marketing Communications
We only send you promotional or marketing communications if you have opted in. You can withdraw consent and unsubscribe at any time using the link in any marketing email, or by contacting dpo@khypri.com. Transactional and account-related communications (e.g. billing receipts, security notices) are sent regardless of marketing preference, as they are necessary to operate your account.
13. Security
Data is encrypted in transit using TLS 1.3 and at rest using AES-256. We are working toward ISO 27001 certification of our information security management practices; this certification is in progress and not yet complete.
13.1 Access Control Policy (RBAC & Least Privilege)
Internal access to personal data — including a child's academic records, a parent's account details, and payment information — is governed by role-based access control (RBAC) built on the principle of least privilege: every team member's default access is none, and access is granted only for the specific data a role genuinely needs to do its job, nothing broader.
- Defined roles, not individuals: Access is granted to a role (e.g. Support, Engineering, Content/Curriculum, Data Protection Officer), not to a person directly, so that what someone can see is determined by their function, not by tenure or convenience.
- Least privilege by default: A role's access is scoped to only the data categories and actions it requires. For example, our support team has no standing access to a student's academic data at all — access is granted only for the duration of a specific, parent-authorised Support PIN session (see Section 4.2), and even then is limited to what's needed to resolve that query, not the full academic record.
- Segregation of duties: Engineering access needed to operate the platform is separated from the ability to export or bulk-view personal data; routine engineering work does not require looking at individual children's data.
- Time-bound, revocable access: Access tied to a role is removed immediately when someone changes roles or leaves, and temporary/elevated access (such as a Support PIN session) automatically expires rather than persisting indefinitely.
- Access logging: Access to personal data by internal roles is logged, so that any access can be traced back to a role and a reason.
- Periodic access review: We periodically review who has access to what, to catch and remove any access that is broader than currently needed — this review process is being formalised into a fixed cadence and is not yet fully mature.
This governs our own internal/employee access. It is separate from a school's own internal access controls where a school is the data controller for its own students, and separate from the third-party sub-processors listed in Section 5, who receive only the pseudonymised, filtered data described there.
13.2 Authentication, Passwords & Credential Protection
Only a parent or guardian authenticates on Khypri AI — a child never has an independent login or password. Parent/guardian authentication is handled by Firebase Authentication (Google), which manages credential storage, password hashing, and login security on our behalf; we do not store parent passwords ourselves. No child data is ever sent to Firebase — not the child's display name, academic activity, or any other information (and, as noted in Section 2, we never collect a child's legal name to begin with). Once a parent's identity is verified through Firebase, all subsequent child-related data (profiles, question responses, progress, generated papers) is created, stored, and processed exclusively in Khypri AI's and/or My Paper Genie's own databases, entirely separate from the authentication layer.
- Password protection: Passwords are never stored or handled in plaintext by us; Firebase enforces industry-standard password hashing and salting on our behalf.
- Multi-Factor Authentication (MFA): We support and encourage MFA on the parent/guardian account (e.g. email/mobile OTP verification at signup, and available as an additional login step) to reduce the risk of account takeover. Enforcing MFA as a mandatory requirement on every login is on our roadmap and not yet universally enforced.
- API keys & service credentials: Credentials used to connect Khypri AI's systems to our sub-processors (Section 5) — including AI providers, payment processing, and hosting — are stored in encrypted secrets management, not in source code or plaintext configuration, and are scoped to the minimum permissions each integration needs, consistent with the least-privilege principle in Section 13.1.
- Session security: Login sessions use secure, time-limited tokens; sessions can be revoked (e.g. on password change or suspected compromise).
14. Breach Response Process
In the event of a data breach affecting personal data, we follow this process:
- Step 1 — Containment: Identify and contain the breach as soon as it is discovered.
- Step 2 — Assessment: Assess the scope of affected data and individuals.
- Step 3 — Notification: Notify affected users and relevant supervisory authorities (including the Data Protection Board of India, where applicable) within 72 hours of discovery, describing the nature of the breach and the data involved.
- Step 4 — Remediation: Take corrective action to prevent recurrence and, where appropriate, offer affected users guidance on protective steps they can take.
15. Changes to This Policy
If we make material changes to this policy, we will update the effective date above and, where required by law, notify affected users directly.
16. Contact & Grievance Redressal
For any question, correction, deletion, or grievance request under the DPDP Act, GDPR, or COPPA, contact our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com. We aim to acknowledge all requests within 3 business days and resolve verified erasure requests within 30 days, per the process in Section 8.