پرائیویسی پالیسی

This Privacy Policy explains how izyLrn ("izyLrn", "we", "us", "our") collects, uses, shares, retains and protects information in connection with our website, mobile and web applications, AI tutor, live coaching marketplace, APIs, and related products (collectively, the "Service").

For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDP Act"), izyLrn is the "Data Fiduciary" in respect of the personal data we determine the purpose and means of processing for. Where we process personal data on behalf of a school, institution, or enterprise customer, that customer is the Data Fiduciary and we act as the "Data Processor".

By using the Service you confirm that you have read this Policy and consent to the collection, use, sharing, and processing of your personal data as described below.

We collect the following categories of information:

• Account information — full name, email address, phone number, password (hashed), date of birth or age, grade, board, school or institution name, profile photo (optional), language preference, and parent/guardian email where applicable.
• Identity & verification — for tutors and certain regulated features, government-issued ID, address proof, educational credentials, bank or UPI details for payouts.
• Learning & usage data — questions attempted, answers given, AI tutor prompts and responses, voice tutor audio, time spent on lessons, test scores, study streaks, chapter completion, search queries, feature interaction logs.
• User-uploaded content — files, PDFs, notes, images, voice recordings, and other material you submit to the Service.
• Device & technical data — IP address, browser type and version, device model and OS, app version, screen resolution, language, time zone, crash logs, performance metrics, and unique device identifiers.
• Payment information — billing name and address, plan, transaction ID, last four digits and brand of payment instrument. Full card details and CVV are processed directly by our payment partners (Stripe, Razorpay) and are not stored on our servers.
• Communications — your messages to our support team, surveys you complete, in-app feedback, and reviews.
• Cookies & analytics — see "Cookies" section below.

Some information is required to use the Service. If you decline to provide it (for example, an email at signup), we may not be able to give you full access to the Service.

We use personal data for the following lawful purposes:

• to create, authenticate, secure, and administer your account;
• to provide, personalise, and improve the learning experience, including AI tutoring, recommendations, practice tests, and performance analytics;
• to process payments, prevent fraud, and meet anti-money-laundering and tax obligations;
• to send transactional communications (receipts, password resets, security alerts, important Service updates);
• to send marketing communications about new features, offers, and educational content (you may opt out at any time);
• to send progress reports to parents/guardians where you or your guardian have consented;
• to operate the live coaching marketplace, including matching tutors and learners;
• to monitor, secure, and troubleshoot the Service, detect abuse, debug errors, and improve infrastructure;
• to develop new features and to train, evaluate and improve our internal models — using aggregated, de-identified data only;
• to enforce our Terms of Service, our policies and applicable law, and to defend our legal rights;
• to comply with court orders, legal process, lawful government requests, and reporting obligations under Indian and other applicable laws.

We do not use your private content (uploaded PDFs, voice recordings, AI tutor messages with you) to train commercial AI models without your explicit, separate consent.

We do not sell your personal data. We share data only with the categories of recipients listed below, and only to the extent necessary for the purposes described:

• AI providers — including OpenAI, Google (Gemini), Anthropic, and xAI (Grok). Your prompts and necessary context are transmitted to generate responses. Per our contracts, these providers do not use your prompts to train their public foundation models.
• Cloud infrastructure & hosting — providers that host our application, databases, and backups.
• Payment processors — Stripe and Razorpay process billing, refunds and tax-related transactions.
• Communications providers — email delivery partners (e.g., SendGrid, Amazon SES), SMS and WhatsApp providers for OTPs and notifications.
• Analytics & error monitoring — privacy-aware tools that help us understand aggregate usage and diagnose crashes (with IP truncation where supported).
• Tutors — when you book a session, the assigned tutor receives the limited information needed to deliver the session (your display name, grade, subject, and the session brief).
• Schools & institutions — if you joined the Service via a school or institution account, that institution can access your usage and performance data within their programme.
• Professional advisers — auditors, lawyers, insurers, accountants where reasonably required.
• Authorities — law-enforcement, courts, regulators, and government bodies where we are legally required to disclose, or where disclosure is necessary to protect the rights, safety, or property of izyLrn, our users, or the public.
• Corporate transactions — in connection with a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or part of our business, personal data may be transferred to the successor entity, subject to confidentiality undertakings.

All processors are bound by written contracts that require them to keep your data confidential and to use it only for the specified purpose.

To deliver the Service we may transfer, store, and process personal data on servers located outside India, including in the United States, European Union, Singapore, and other jurisdictions where our service providers operate. We rely on contractual safeguards, recognised transfer mechanisms, and the requirements of the DPDP Act when transferring personal data internationally. By using the Service you consent to such transfers.

The Service is intended for users aged 13 and above. For users below the age of 18, processing is conditional on verifiable consent of a parent or legal guardian in line with the DPDP Act. By creating an account on behalf of a minor or by allowing a minor to use your account, you confirm that you are the parent/guardian and you consent to the processing described in this Policy.

We do not knowingly collect personal data of children under 13. If you believe we have, please contact us at students@izylrn.com and we will delete the data within a reasonable time.

We do not engage in tracking, behavioural monitoring, or targeted advertising directed at children.

We retain personal data for as long as your account is active and for as long as needed to provide the Service. After account closure or a verified deletion request, we typically delete or anonymise personal data within ninety (90) days, subject to the following exceptions:

• Financial and tax records — retained for the period required by Indian tax and accounting laws (typically up to 8 years).
• Audit, fraud, and security logs — retained for up to 24 months for forensic and dispute-resolution purposes.
• Aggregated, de-identified analytics — may be retained indefinitely as it cannot be linked back to you.
• Legal hold — data subject to ongoing legal, regulatory or tax proceedings is retained until those proceedings are concluded.

We implement industry-standard organisational, technical, and physical safeguards including TLS encryption in transit, encryption at rest for sensitive fields, hashed and salted passwords (bcrypt/Argon2), least-privilege role-based access control, audit logging, network segmentation, periodic penetration testing, secure software development lifecycle, and employee training.

No security control is perfect. You acknowledge that no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

In the event of a personal data breach affecting you, we will notify you and the Data Protection Board of India in accordance with the timelines and content prescribed under the DPDP Act and CERT-In Directions.

Subject to applicable law, you may request to:

• Access — obtain a summary of the personal data we hold about you and a list of recipients with whom we shared it;
• Correct — update inaccurate, incomplete or outdated personal data;
• Erase — request deletion of personal data that is no longer necessary for the purposes for which it was collected;
• Withdraw consent — opt out of processing that is based on your consent (e.g., marketing emails, parent reports);
• Nominate — under the DPDP Act, you may nominate another individual to exercise your rights in case of death or incapacity;
• Grievance — raise a complaint about how we have handled your data.

To exercise any of these rights, write to our Grievance Officer (see "Grievance Officer" section). We will verify your identity before acting on a request and respond within the time limit prescribed by applicable law (usually 30 days).

We may refuse a request that is excessive, manifestly unfounded, interferes with the rights of others, or where we are required to retain the data by law.

We and our service providers use the following categories of cookies and SDKs:

• Strictly necessary — to keep you signed in, remember your language, secure the session, and prevent fraud. These cannot be disabled while still using the Service.
• Preferences — to remember your theme (light/dark), recent grade/subject filters, and other choices.
• Analytics — privacy-respecting tools that count page views, feature usage, and crashes in aggregate. Where available we anonymise IP addresses.
• Marketing — used only with your consent on the marketing website to measure the performance of campaigns.

You can control cookies through your browser settings. Disabling essential cookies may break sign-in and other core features.

The Service may contain links to or integrations with third-party websites, products and services that are not controlled by us. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party site you visit.

We may update this Privacy Policy from time to time. The "Effective date" at the top indicates when it was last revised. For material changes that adversely affect your rights, we will provide at least 14 days' notice via email or in-app notice. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

In compliance with the Information Technology Act, 2000, the related rules, and the DPDP Act, 2023, the contact details of our Grievance Officer are:

• Email: students@izylrn.com
• Subject line: "Grievance — Personal Data"
• Response time: we acknowledge within 48 hours and aim to resolve within 30 days.

If you are not satisfied with our response, you may approach the Data Protection Board of India or the relevant authority in your jurisdiction.