Effective / last updated: August 1, 2026. This policy describes the safeguards we have built and the ones we are actively finalizing. Where a control is still in progress, we say so explicitly rather than claim it is complete. For the full picture of what data we collect, who we share it with, and your rights over it, see our Privacy Policy.
1. K-12 Student Safety Core™
Unlike general-purpose generative AI tools that operate open-ended queries, Khypri AI processes all exchanges through a proprietary 7-layer Safety Core™ system. This is designed to prevent content hallucinations, curriculum escapes, and student exposure to non-academic topics, supporting a safe, age-appropriate learning sandbox for K-12 students worldwide. The description below reflects our current architecture, which continues to evolve; no automated safety system can guarantee the complete prevention of every possible unsafe output.
- Layer 1 — Input Filtering: Incoming prompts are screened before reaching the AI model, flagging attempts to request non-academic, unsafe, or manipulative content.
- Layer 2 — Curriculum Boundary Check: Requests are checked against the relevant curriculum scope (CBSE, ICSE, IB, Cambridge, and supported State Boards) so the platform stays within academic subject matter.
- Layer 3 — Content Moderation: Automated classifiers flag violent, sexual, hateful, or otherwise harmful content before it can be generated or returned.
- Layer 4 — Age-Appropriateness Filter: Output complexity and tone are adjusted based on the student's declared grade level.
- Layer 5 — Accuracy & Hallucination Check: Generated academic content is checked against curriculum-aligned reference material to reduce factual errors, though it cannot eliminate them entirely (see the assumption-of-risk provisions in our Terms of Service).
- Layer 6 — Human-in-the-Loop Review: A sample of outputs, along with anything flagged by earlier layers, is reviewed by human moderators to identify gaps and retrain the automated filters.
- Layer 7 — Final Output Scan: A last automated pass runs immediately before content is returned to the student, to catch anything earlier layers may have missed.
2. Olli AI Tutor & File Uploads
Olli, our open-ended AI tutor, and the ability to upload notes/worksheets are both subject to the same 7-layer Safety Core described above, plus the following additional safeguards specific to open-ended input and file content:
- Upload Safety Check: Any file a student uploads is checked for safety before the student can use it or generate anything from it. A file that fails this check is not made available to the student.
- PII Redaction: Our default design avoids sending personal data to any third-party AI model in the first place. As an additional safeguard in case personal information is inadvertently included in a chat prompt or an uploaded file, we apply PII redaction to strip it out before any content is passed to a third-party model for processing.
- Topic & Content Guardrails: The same curriculum-boundary, content-moderation, and output-scanning layers that apply to generated practice papers also apply to Olli's open-ended chat and to any content derived from an uploaded file.
- Logging: Chat prompts, uploads, and Olli's responses are logged internally, so that a specific interaction can be reviewed if a safety concern is raised.
- Parental File Vault Controls: Parents/guardians can grant or revoke their child's access to the file upload/library feature at any time.
3. Content Reporting & Escalation
If a parent, teacher, or student encounters content that seems unsafe, inaccurate, or inappropriate, it can be reported from within the platform or by emailing support@khypri.com with the content in question. We aim to acknowledge safety reports within 24 hours and to review and, where warranted, remove or correct the flagged content within 5 business days. Reports involving a credible safety risk to a child are prioritized for immediate review.
4. Mandatory Reporting of Offences Against Children (POCSO Act, India)
This section is separate from general content moderation in Section 3 above. It exists because Indian law imposes a specific, personal, non-optional duty here: under Section 19 of the Protection of Children from Sexual Offences (POCSO) Act, 2012, any person — including anyone who works for or with Khypri AI — who has knowledge, or a reasonable apprehension, that a sexual offence against a child has been, is being, or is about to be committed, must report it. Under Section 21 of the POCSO Act, failing to do so is itself a criminal offence, punishable independently of whatever underlying offence was not reported. This duty applies the moment there is a reasonable apprehension — it does not require proof, certainty, or an internal investigation first.
4.1 Who Must Report
Every Khypri AI employee, contractor, content moderator, teacher-partner, and support staff member with any access to student interactions, uploaded files, chat logs, or communications is individually bound by this duty. It cannot be delegated away by assuming "someone else will report it," and it is not satisfied merely by flagging content for routine moderation review under Section 3 — a suspected child sexual offence must go through the pathway below, not the general content-report queue.
4.2 Who to Report To
A report must be made to the Special Juvenile Police Unit (SJPU) or the local police, as POCSO Section 19 requires. In parallel — not instead of — the reporting individual must immediately notify Khypri AI's internal escalation contact:
- Internal escalation: our Data Protection Officer and designated Child Safety point of contact, Gaurav Chodnekar, reachable at dpo@khypri.com and, for anything urgent, via WhatsApp at +91 88679 64542. This contact is available for staff to escalate immediately, any time, not only during business hours.
- External, statutory reporting: the nearest Special Juvenile Police Unit or police station, and/or Childline India, 1098 (a free, 24/7 national child helpline), which can also guide a reporting individual through the process.
A report to Khypri AI's internal contact does not substitute for the statutory report to the SJPU/police required by law — both must happen. Our internal contact exists so that Khypri AI can simultaneously take platform-level action (see 4.4) and support the reporting individual, not to gatekeep or filter what gets reported externally.
4.3 Preserving Evidence
Once there is a reasonable apprehension of an offence, anyone with access to relevant material must preserve it, unaltered, for law enforcement:
- Do not delete, edit, or "clean up" the chat logs, uploaded files, timestamps, account/session metadata, or any other record connected to the apprehended offence, even if it seems routine to do so as part of normal data-retention practice.
- Restrict access to the preserved material to only those directly handling the report, to protect the child's privacy and the integrity of the evidence.
- Suspend routine retention/deletion timelines (see our Privacy Policy, Section 6) for the specific records involved, until law enforcement confirms they are no longer needed.
- Record what was preserved and when, so there is a clear internal chain of custody from the point the apprehension was first raised.
4.4 What Happens on Our Platform
Independent of the statutory report, Khypri AI immediately restricts the account(s) involved from further activity where a credible apprehension exists, and cooperates fully with the SJPU/police, including responding promptly to lawful requests for the preserved evidence in 4.3.
4.5 Good-Faith Reporting Is Protected
No Khypri AI employee, contractor, or partner will face retaliation, penalty, or adverse action for reporting a good-faith apprehension under this section, even if the apprehension later turns out to be mistaken. The risk we are guarding against is under-reporting, not over-reporting.
5. Safety Incident Response Process
Where a genuine safety incident is confirmed (for example, a student was exposed to harmful content despite the Safety Core), we follow this process:
- Step 1 — Containment: The specific gap that allowed the incident is identified and blocked as quickly as possible.
- Step 2 — Notification: Affected parents/guardians and, where applicable, the partner institution are notified.
- Step 3 — Root Cause Review: The relevant Safety Core layer(s) are reviewed and updated to close the gap.
- Step 4 — Record-Keeping: Confirmed incidents are logged internally to track our safety record over time.
6. Parental Controls
Parents/guardians can view their child's activity summary, request a copy of their child's data, and request correction or erasure at any time by contacting dpo@khypri.com, consistent with the rights described in our Privacy Policy, Section 8 (Data Subject Request Process). A dedicated self-serve parent dashboard with granular activity logs is planned and not yet available platform-wide; where it is unavailable, requests are handled manually by our team.
7. DPDP Act 2023 Alignment (India)
Khypri AI is being built in line with India's Digital Personal Data Protection (DPDP) Act 2023 concerning children's personal data. Our current and in-progress operational boundaries include:
- Verifiable Parental Consent (VPC): Only a parent or guardian can register on Khypri AI; students cannot create an account directly. Registration captures the parent's date of birth and a self-declaration of adult status, followed by verification of the parent's email and mobile number. Only after the parent's own profile is complete can they add their child(ren) to the account — a student profile cannot exist without an already-verified parent account behind it. We ask the parent for explicit consent before processing any of their child's data; if that consent is not given, no processing of the child's data takes place.
- Unbiased Academic Support, Not Behavioral Profiling: Khypri AI is designed to function as an extension of how a school already evaluates students — giving a transparent, unbiased analysis of test performance to help the student understand concepts and improve. We do not track student web browsing, location telemetry, or behavioral patterns outside their immediate academic workspace, and this data is never used for advertising or marketing. See our Privacy Policy for the full lawful-basis explanation.
- The Right to Correction & Erasure: Parents can view, modify, or request erasure of their child's information at any time. Verified erasure requests are processed with a full delete from production systems within 30 days.
- Data Retention: Student and parent data is retained only for the duration of active enrollment, plus 30 days, after which it is deleted unless a longer retention is legally required.
- Grievance Officer: Data protection queries or grievances under the DPDP Act can be directed to our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com.
8. GDPR Alignment (European Union)
For schools and users in the EU/EEA, Khypri AI is working to align its data handling with the General Data Protection Regulation:
- Lawful Basis for Processing: Student data is processed under consent (via parent/guardian or institution) and, where applicable, the legitimate interests of the school as data controller.
- Data Residency: European institutional data is hosted on EU-based cloud infrastructure.
- Cross-Border Transfer Safeguards: Standard Contractual Clauses (SCCs) to govern any transfer of EU data outside the EEA are currently being put in place and are not yet fully executed.
- Data Subject Rights: Users and parents may request access, correction, restriction, or erasure of personal data by contacting our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com.
- Breach Notification: In the event of a data breach, we commit to notifying affected users and relevant supervisory authorities within 72 hours of discovery.
- End-to-End Encryption: Data is encrypted in transit using TLS 1.3 and encrypted at rest using AES-256.
9. COPPA Alignment (United States)
For users in the United States, Khypri AI is working to align with the Children's Online Privacy Protection Act, which applies to children under 13:
- Minimal Data Collection: We collect no audio recordings, visual media, or precise geolocation data from children under 13.
- Verifiable Parental Consent: Because only a parent or guardian can register and verify their own identity before adding a child to the account, no child under 13 is ever able to provide their own consent or create an independent account.
- Parental Access & Deletion Rights: Parents may review the data collected from their child and request its deletion at any time by contacting our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com.
- No Conditioning on Excess Data: Participation in Khypri AI is never conditioned on a child disclosing more personal information than is reasonably necessary.
10. Cookies & Third-Party Processors
We use only strictly necessary cookies for login sessions and security — no third-party marketing or advertising cookies. Data is processed only by BigRock (hosting and email), OpenAI and Google (AI content generation and evaluation), Razorpay (payments), and Google Analytics (aggregate usage analytics on our public marketing website only, opt-in only). As we scale, we may add AWS or Google Cloud as additional or replacement hosting infrastructure. We never collect a child's legal name in the first place — only a parent-chosen display name is used to identify a child within the platform, including in any content sent to our AI processors; none of our vendors currently have a signed Data Processing Agreement with us, and we use their services on their standard terms. See our Privacy Policy for full detail.
11. Contact & Grievance Redressal
For any question, correction, deletion, or grievance request under the DPDP Act, GDPR, or COPPA, please contact our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com. We aim to acknowledge all requests promptly and resolve verified erasure requests within 30 days.