1. Introduction
This Privacy Policy ("Policy") describes how dhimantAI ("dhimantAI", "we", "us", or "our") collects, uses, shares, stores, and otherwise processes personal data in connection with the dhimantAI platform — a B2B, white-labeled, voice-first AI faculty infrastructure provided to coaching institutes, schools, and educational organisations ("Institutes") and their authorised users (students, parents, teachers, and administrative staff), whether accessed via the web, mobile applications, APIs, or any associated service (collectively, the "Service").
dhimantAI is committed to protecting your personal data in accordance with the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), the Information Technology Act, 2000 and rules thereunder, and — where applicable — internationally recognised frameworks including the EU General Data Protection Regulation ("GDPR") and equivalent standards.
By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Service.
2. Scope & Roles
The Service is delivered under a processor-controller model:
- Institute as Data Fiduciary / Controller. When an Institute deploys dhimantAI for its students, teachers, and staff, the Institute determines the purposes and means of processing and acts as the Data Fiduciary under the DPDP Act (equivalent to the GDPR "Controller"). Students, parents, teachers, and staff of the Institute are the Data Principals.
- dhimantAI as Data Processor. dhimantAI processes personal data on behalf of, and strictly per the documented instructions of, the Institute under a binding data processing agreement ("DPA").
- Direct interactions. For limited activities — such as demos, sales enquiries, recruitment, and marketing through vidyai.in — dhimantAI itself acts as the Data Fiduciary.
This Policy applies to (a) the website at vidyai.in and its subdomains, (b) the dhimantAI Student, Teacher, and Management mobile and web applications, (c) any APIs or SDKs published by dhimantAI, and (d) all related backend services operated by dhimantAI.
3. Categories of Personal Data We Collect
We collect the minimum data necessary to operate the Service. Categories vary by role.
3.1 Identity & Account Data
- Full name, date of birth, gender (optional).
- Institute/class/batch/board/stream identifiers provided by the Institute.
- Phone number and/or email address used for authentication.
- Encrypted password hash and OTP-based session tokens.
- Profile photo (optional; uploaded by the user or Institute).
3.2 Parent / Guardian Data
- Parent or guardian name, relationship, and contact number / email, where the Data Principal is below 18 years of age.
- Verifiable parental consent records.
3.3 Learning & Pedagogical Data
- Voice queries and spoken interactions during AI tutoring sessions (processed transiently or at rest as required for the feature).
- Text questions, whiteboard strokes, handwritten or uploaded images, and screenshots voluntarily shared for doubt-solving.
- Session transcripts, step-wise hints, assessments, quiz responses, and performance analytics.
- Cognitive-load signals derived from response patterns (e.g., time-to-answer, retry counts, hesitation markers).
3.4 Device & Technical Data
- Device model, OS version, app version, language, time zone.
- IP address, approximate city-level location (derived from IP), network type.
- Microphone / camera / storage permissions granted (binary: granted or denied; not media content unless expressly uploaded).
- Crash logs, diagnostic traces, and non-identifying telemetry needed to operate the Service reliably.
3.5 Payment & Commercial Data
- For Institutes: billing contact, GSTIN, invoice data, purchase orders.
- We do not store full card numbers or banking credentials. Payment credentials are handled exclusively by PCI-DSS-compliant payment gateways.
3.6 Data We Do Not Collect
- We do not collect Aadhaar numbers, biometric templates, or government IDs unless the Institute expressly configures and legally justifies such collection under the DPDP Act.
- We do not enable continuous ambient-microphone listening outside an explicit tutoring session initiated by the user.
- We do not sell personal data to advertisers or data brokers. Ever.
4. How and Why We Use Personal Data
| Purpose | Categories Used |
|---|---|
| Delivering core tutoring, voice AI, whiteboard, and assessment features | Identity, Learning & Pedagogical, Device |
| Personalising pacing, difficulty, and Socratic hint strategy | Learning & Pedagogical |
| Producing progress reports for the student, parent, teacher, and Institute | Identity, Learning & Pedagogical |
| Authentication, fraud prevention, and platform security | Identity, Device |
| Customer support and troubleshooting | Identity, Device, limited Learning data |
| Aggregated, anonymised analytics for Institute-level insights | Derived aggregates only |
| Legal compliance, audits, and regulatory reporting | As required by law |
| Marketing communication to Institute contacts (opt-out available) | Business contact data only |
We do not use personal data for purposes that are incompatible with the purpose for which it was collected, and we do not make significant decisions about a Data Principal purely by automated means without human oversight.
5. Legal Basis for Processing
We process personal data only where we have a lawful basis to do so:
- Consent — For Data Principals, processing is carried out on the basis of free, specific, informed, unconditional, and unambiguous consent, either obtained directly or through the Institute as Data Fiduciary, in accordance with Section 6 of the DPDP Act.
- Certain legitimate uses — Including processing for employment-related matters of the Institute's staff, for the provision of subsidy / service in fulfilment of legitimate obligations, medical emergencies, court orders, and other uses permitted under Section 7 of the DPDP Act.
- Contract — Processing necessary to perform the subscription agreement with the Institute (for B2B contact and billing data).
- Legal obligation — Where processing is required under Indian law or, where applicable, foreign law binding on us.
You may withdraw your consent at any time; withdrawal does not affect the lawfulness of processing that occurred prior to withdrawal and may limit your ability to use some features.
6. Children's Data (Under 18)
A significant portion of the Service is used by children — i.e., individuals under the age of 18 years as defined under the DPDP Act.
- Verifiable Parental Consent. Where a Data Principal is a child, we process personal data only after obtaining verifiable consent of the parent or lawful guardian, typically operationalised through the Institute at enrollment.
- No Targeted Advertising. We do not undertake tracking, behavioural monitoring of children for advertising, or any targeted advertising directed at children.
- No Detrimental Processing. We do not undertake any processing of a child's personal data that is likely to cause any detrimental effect on the wellbeing of the child.
- Minimal Collection. For children, we collect only data required for the pedagogical features, progress reporting, and safety features of the Service.
- Parental Access. Parents and guardians may request access to, correction of, or deletion of their child's personal data through the Institute or directly via the grievance channel below.
7. No Training of Shared Models on Institute Data
This is a core architectural commitment of dhimantAI and a material term of our engagement with every Institute:
- We do not use an Institute's student queries, voice data, uploaded images, chat history, performance data, or any other Institute-scoped personal data to train, fine-tune, or improve any shared or foundation model.
- Any model improvement using Institute data occurs only within that Institute's isolated instance, solely for that Institute's benefit, and only where contractually permitted and consented.
- Where we engage third-party model providers, we contractually prohibit them from using Institute data for their own model training.
8. Tenant Isolation Architecture
dhimantAI is delivered as a dedicated-instance platform rather than a shared multi-tenant SaaS:
- Each Institute is provisioned with isolated application runtime, isolated database schemas, and encrypted per-tenant key material.
- No student or Institute data is co-mingled across Institutes at rest or in transit.
- Cross-tenant access by dhimantAI personnel is administratively blocked by default and gated through logged, just-in-time access controls limited to narrowly scoped support or incident-response scenarios.
10. Data Retention
We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, or as required by law.
| Data Category | Default Retention Period |
|---|---|
| Active account identity and profile data | Duration of the Institute's subscription + 90 days |
| Learning session transcripts & performance records | Duration of the academic engagement + up to 2 academic years, unless the Institute configures a shorter period |
| Voice recordings | Processed transiently; persistent storage only if feature requires, never exceeding 90 days unless contractually extended |
| Authentication & security logs | Up to 180 days |
| Billing, invoicing, tax records | 8 years (as required under Indian tax and company law) |
| Backups | Rolled off within 35 days of primary deletion |
Upon termination of the Institute's contract, personal data is securely deleted or anonymised in accordance with Section 8(7) of the DPDP Act and the applicable DPA, except where retention is required by law.
11. Security Measures
We implement reasonable and appropriate technical and organisational security measures, including:
- TLS 1.2+ for data in transit; AES-256 or equivalent encryption for data at rest.
- Per-tenant encryption keys, with key rotation policies.
- Role-based access control (RBAC), MFA for privileged accounts, least-privilege provisioning, and audit logging.
- Secure software development lifecycle, code review, dependency scanning, and regular security testing.
- Network segmentation, private data networks, and managed firewalls.
- Formal incident response and business continuity plans.
No system is perfectly secure. While we strive to protect your personal data, we cannot guarantee absolute security and encourage you to use strong, unique passwords and to keep your credentials confidential.
12. Your Rights as a Data Principal
Subject to the DPDP Act and applicable local law, you have the right to:
- Access — obtain confirmation of processing and a summary of your personal data and processing activities.
- Correction & erasure — request correction of inaccurate or misleading data, completion of incomplete data, and erasure of data no longer necessary for the purpose for which it was collected.
- Grievance redressal — raise grievances through the channel described below.
- Nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
- Withdraw consent — at any time, with effect from withdrawal (without affecting the lawfulness of prior processing).
Where dhimantAI is the Data Processor, we will assist the Institute (as Data Fiduciary) in responding to your request. You may also contact us directly at privacy@vidyai.in; we will route your request to the appropriate Institute and assist in fulfilment within the statutory timelines.
13. International & Cross-border Transfers
Personal data of Data Principals in India is, by default, stored and processed on infrastructure located within India. Where an Institute expressly authorises or requires processing by a sub-processor located outside India, such transfer is undertaken only in accordance with any conditions notified by the Central Government under Section 16 of the DPDP Act, and under appropriate contractual safeguards (e.g., Standard Contractual Clauses where GDPR applies).
15. Personal Data Breach Notification
In the event of a personal data breach, we will, without undue delay and in any case within the timelines required under the DPDP Act and applicable law:
- Notify the affected Institute (as Data Fiduciary) with relevant details to enable their statutory notifications.
- Notify the Data Protection Board of India and, where applicable, CERT-In.
- Where we are acting as Data Fiduciary, directly notify affected Data Principals.
- Take corrective and remedial actions to contain, investigate, and mitigate the breach.
16. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, features, or legal requirements. The "Last Updated" date at the top of this page indicates when this Policy was last revised. For material changes, we will provide reasonable notice through the Service, email, or in-app notification prior to the change taking effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.
17. Grievance Officer
In accordance with the DPDP Act and the Information Technology Act, 2000 read with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the details of the Grievance Officer are:
Grievance Officer & Data Protection Officer, dhimantAI
Email: grievance@vidyai.in
Privacy queries: privacy@vidyai.in
Response timeline: within 72 business hours; resolution within 30 days of receipt (as per applicable law).
If you are not satisfied with the response from the Grievance Officer, you may escalate to the Data Protection Board of India in accordance with the DPDP Act.
18. Contact Us
For any questions or concerns about this Policy or our data practices, please write to us at privacy@vidyai.in or use the contact form on vidyai.in.
This Policy is provided in English. Translations, if any, are for convenience only; the English version prevails in case of conflict.