KidGPT.in — CBSE AI & CSL Curriculum Platform

1. About This Policy

KidGPT.in (“we”, “our”, or “the Platform”) is operated by Dhanadh Trading and Investments Pvt Ltd, a company incorporated under the laws of India. We are committed to protecting the privacy of all individuals whose data we process, in compliance with the Digital Personal Data Protection (DPDP) Act, 2023, the Information Technology Act, 2000, and all applicable rules thereunder.

This Policy explains how we collect, use, share, retain, and protect personal data when you interact with the KidGPT.in platform as a school administrator, teacher, or parent. KidGPT.in is a B2B platform for schools; students do not have direct accounts or AI chat access.

2. Data We Collect and Why

Category	Data Points	Purpose	Legal Basis (DPDP)
School Registration	School name, CBSE affiliation number, city, state, principal name, email, phone	Account creation, compliance verification, service delivery	Consent (§6)
Teacher Accounts	Name, school email, role, session activity logs	Authentication, lesson plan generation, progress tracking	Legitimate use (§7)
Parent Accounts	Name, email, child's grade (no child name stored)	Portfolio sharing, Demo Day RSVP, communication	Consent (§6)
Usage & Analytics	Page views, feature usage, API call counts (no fingerprinting)	Platform improvement, CSL readiness tracking	Legitimate use (§7)
AI Interactions	Lesson plan prompts submitted by teachers	Generating session plans via AWS Bedrock	Consent (§6)

We do not collect biometric data, financial information, government IDs, or any sensitive personal data beyond what is listed above.

3. Child Data Policy

KidGPT.in takes the protection of child data extremely seriously. Our platform is designed so that children (students) never interact directly with the AI or create accounts. All AI-assisted features are teacher-mediated.

• We do not collect names, photos, or personal identifiers of students under 18.
• Student portfolio data (work samples) is stored only in association with a school/grade/section — not with individual names — unless the school explicitly provides them and parents have consented.
• Schools are the data fiduciaries for student data they upload. KidGPT.in acts as a data processor.
• Parental consent is obtained before any student-linked data is shared with parents via the Parent Portal.

4. How We Use Your Data

✓ Providing, operating, and improving the KidGPT.in platform
✓ Sending transactional emails (account setup, password reset, invoices)
✓ Generating the CSL Readiness Report using school-provided metadata
✓ Complying with legal obligations under Indian law
✗ We do not sell, rent, or trade personal data to third parties
✗ We do not use personal data for advertising or profiling
✗ We do not share data with AI model providers for training purposes

5. Data Sharing and Sub-processors

We use the following trusted sub-processors to deliver the service:

Amazon Web Services (AWS)

Cloud infrastructure — Aurora DB, Lambda, S3, Cognito auth

Region: India (ap-south-1) and USA (us-east-1 for AI only)

Amazon SES

Transactional email delivery

Region: ap-south-1

AWS Bedrock (Anthropic models)

AI lesson plan generation — prompts are not used for model training

Region: us-east-1 (USA)

Data transferred to the USA (for AI processing only) is subject to AWS's Data Processing Addendum and Standard Contractual Clauses.

6. Data Retention

School account dataDuration of subscription + 3 years

Teacher session logs2 years from creation

AI lesson plan prompts90 days, then anonymised

Parent portal dataUntil parent requests deletion

Billing records7 years (GST compliance)

7. Your Rights Under DPDP Act 2023

As a data principal, you have the following rights:

•Right to Access (§11): Request a summary of personal data we hold and how it is being used.
•Right to Correction (§12): Request correction or completion of inaccurate/incomplete data.
•Right to Erasure (§12): Request deletion of personal data where processing is no longer necessary (subject to legal retention obligations).
•Right to Grievance Redressal (§13): Lodge a complaint with our Data Protection Officer.
•Right to Nominate (§14): Nominate a person to exercise your rights in case of incapacity or death.

To exercise any of these rights, email us at admin@kidgpt.in. We will respond within 30 days.

8. Security Measures

✓ All data in transit encrypted via TLS 1.2+
✓ Database in private subnet, never publicly accessible
✓ Authentication via Amazon Cognito with MFA support
✓ Passwords are never stored — Cognito manages authentication
✓ Role-based access control (school_admin, teacher, parent)
✓ AWS CloudTrail enabled for all administrative actions

9. Cookies

KidGPT.in uses only functional cookies (stored in localStorage) necessary for session management. We do not use third-party tracking cookies, advertising cookies, or analytics cookies that identify individuals.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to registered school administrators via email at least 14 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

11. Contact and Grievance Officer

Data Protection Officer / Grievance Officer

Dhanadh Trading and Investments Pvt Ltd

Email: admin@kidgpt.in

General: admin@kidgpt.in

Response time: within 30 days as required by DPDP Act 2023