Safety & Data Protection Policy

Our framework for protecting minor privacy, developed in line with the DPDP Act 2023, GDPR, and COPPA.

Effective / last updated: August 1, 2026. This policy describes the safeguards we have built and the ones we are actively finalizing. Where a control is still in progress, we say so explicitly rather than claim it is complete. For the full picture of what data we collect, who we share it with, and your rights over it, see our Privacy Policy.

1. K-12 Student Safety Core™

Unlike general-purpose generative AI tools that operate open-ended queries, Khypri AI processes all exchanges through a proprietary 7-layer Safety Core™ system. This is designed to prevent content hallucinations, curriculum escapes, and student exposure to non-academic topics, supporting a safe, age-appropriate learning sandbox for K-12 students worldwide. The description below reflects our current architecture, which continues to evolve; no automated safety system can guarantee the complete prevention of every possible unsafe output.

2. Olli AI Tutor & File Uploads

Olli, our open-ended AI tutor, and the ability to upload notes/worksheets are both subject to the same 7-layer Safety Core described above, plus the following additional safeguards specific to open-ended input and file content:

3. Content Reporting & Escalation

If a parent, teacher, or student encounters content that seems unsafe, inaccurate, or inappropriate, it can be reported from within the platform or by emailing support@khypri.com with the content in question. We aim to acknowledge safety reports within 24 hours and to review and, where warranted, remove or correct the flagged content within 5 business days. Reports involving a credible safety risk to a child are prioritized for immediate review.

4. Mandatory Reporting of Offences Against Children (POCSO Act, India)

This section is separate from general content moderation in Section 3 above. It exists because Indian law imposes a specific, personal, non-optional duty here: under Section 19 of the Protection of Children from Sexual Offences (POCSO) Act, 2012, any person — including anyone who works for or with Khypri AI — who has knowledge, or a reasonable apprehension, that a sexual offence against a child has been, is being, or is about to be committed, must report it. Under Section 21 of the POCSO Act, failing to do so is itself a criminal offence, punishable independently of whatever underlying offence was not reported. This duty applies the moment there is a reasonable apprehension — it does not require proof, certainty, or an internal investigation first.

4.1 Who Must Report

Every Khypri AI employee, contractor, content moderator, teacher-partner, and support staff member with any access to student interactions, uploaded files, chat logs, or communications is individually bound by this duty. It cannot be delegated away by assuming "someone else will report it," and it is not satisfied merely by flagging content for routine moderation review under Section 3 — a suspected child sexual offence must go through the pathway below, not the general content-report queue.

4.2 Who to Report To

A report must be made to the Special Juvenile Police Unit (SJPU) or the local police, as POCSO Section 19 requires. In parallel — not instead of — the reporting individual must immediately notify Khypri AI's internal escalation contact:

A report to Khypri AI's internal contact does not substitute for the statutory report to the SJPU/police required by law — both must happen. Our internal contact exists so that Khypri AI can simultaneously take platform-level action (see 4.4) and support the reporting individual, not to gatekeep or filter what gets reported externally.

4.3 Preserving Evidence

Once there is a reasonable apprehension of an offence, anyone with access to relevant material must preserve it, unaltered, for law enforcement:

4.4 What Happens on Our Platform

Independent of the statutory report, Khypri AI immediately restricts the account(s) involved from further activity where a credible apprehension exists, and cooperates fully with the SJPU/police, including responding promptly to lawful requests for the preserved evidence in 4.3.

4.5 Good-Faith Reporting Is Protected

No Khypri AI employee, contractor, or partner will face retaliation, penalty, or adverse action for reporting a good-faith apprehension under this section, even if the apprehension later turns out to be mistaken. The risk we are guarding against is under-reporting, not over-reporting.

5. Safety Incident Response Process

Where a genuine safety incident is confirmed (for example, a student was exposed to harmful content despite the Safety Core), we follow this process:

6. Parental Controls

Parents/guardians can view their child's activity summary, request a copy of their child's data, and request correction or erasure at any time by contacting dpo@khypri.com, consistent with the rights described in our Privacy Policy, Section 8 (Data Subject Request Process). A dedicated self-serve parent dashboard with granular activity logs is planned and not yet available platform-wide; where it is unavailable, requests are handled manually by our team.

7. DPDP Act 2023 Alignment (India)

Khypri AI is being built in line with India's Digital Personal Data Protection (DPDP) Act 2023 concerning children's personal data. Our current and in-progress operational boundaries include:

8. GDPR Alignment (European Union)

For schools and users in the EU/EEA, Khypri AI is working to align its data handling with the General Data Protection Regulation:

9. COPPA Alignment (United States)

For users in the United States, Khypri AI is working to align with the Children's Online Privacy Protection Act, which applies to children under 13:

10. Cookies & Third-Party Processors

We use only strictly necessary cookies for login sessions and security — no third-party marketing or advertising cookies. Data is processed only by BigRock (hosting and email), OpenAI and Google (AI content generation and evaluation), Razorpay (payments), and Google Analytics (aggregate usage analytics on our public marketing website only, opt-in only). As we scale, we may add AWS or Google Cloud as additional or replacement hosting infrastructure. We never collect a child's legal name in the first place — only a parent-chosen display name is used to identify a child within the platform, including in any content sent to our AI processors; none of our vendors currently have a signed Data Processing Agreement with us, and we use their services on their standard terms. See our Privacy Policy for full detail.

11. Contact & Grievance Redressal

For any question, correction, deletion, or grievance request under the DPDP Act, GDPR, or COPPA, please contact our Data Protection Officer, Gaurav Chodnekar, at dpo@khypri.com. We aim to acknowledge all requests promptly and resolve verified erasure requests within 30 days.