Data Protection Policy
Last Updated: May 07, 2025
1. INTRODUCTION
At BrightSchool.ai, we are committed to protecting the personal data of teachers, students, and educational institutions who use our AI-powered educational platform. This Data Protection Policy outlines our comprehensive approach to data protection and complements our Privacy Policy.
Hyperleap Software Technologies Private Limited, the operator of BrightSchool.ai ("we," "us," or "our"), acts as a data controller and processor of personal information collected through our platform. We have implemented this policy to ensure compliance with applicable data protection laws and to maintain the trust of our users.
2. DATA PROTECTION PRINCIPLES
We adhere to the following data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.
- Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
- Data Minimization: We limit personal data collection to what is necessary for the purposes for which it is processed.
- Accuracy: We take reasonable steps to ensure personal data is accurate and kept up to date.
- Storage Limitation: We retain personal data only for as long as necessary for the purposes for which it is processed.
- Integrity and Confidentiality: We process personal data securely, protecting against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- Accountability: We take responsibility for complying with data protection principles and can demonstrate this compliance.
3. DATA PROCESSING ACTIVITIES
3.1 Categories of Personal Data
We process the following categories of personal data:
- Identity Data: Names, usernames, and profile information
- Contact Data: Email addresses, phone numbers, and physical addresses
- Professional Data: Employment information, school affiliations, and teaching credentials
- Educational Data: Subjects taught, grade levels, teaching preferences, and student educational information
- Technical Data: IP addresses, login data, browser type, device information, and usage data
- User Content: Information and materials created, uploaded, or shared through our platform
- Special Category Data: We do not intentionally collect sensitive personal data, but some educational data may include information about learning disabilities or special educational needs
3.2 Legal Basis for Processing
We process personal data on the following legal bases:
- Contractual Necessity: Processing necessary for the performance of our contract with you
- Legitimate Interests: Processing necessary for our legitimate interests, such as improving our services, preventing fraud, and direct marketing
- Consent: Processing based on your explicit consent, particularly for marketing communications or when required by law
- Legal Obligation: Processing necessary for compliance with legal obligations
- Educational Context: Processing in the context of educational services, with appropriate safeguards for student data
3.3 AI Training and Model Improvement
We use anonymized and aggregated data to improve our AI models and educational algorithms. This includes:
- Pattern analysis to enhance educational content recommendations
- Quality improvements for AI-generated educational materials
- Linguistic model refinement for multiple Indian languages
- Effectiveness evaluation of various teaching approaches and content
Personal identifiers are removed before data is used for AI training purposes. Users can opt out of having their data used for AI improvement by contacting us.
4. DATA SECURITY MEASURES
We have implemented appropriate technical and organizational measures to protect personal data, including:
4.1 Technical Measures
- Encryption: Data encryption in transit and at rest
- Access Controls: Role-based access controls and strong authentication
- Network Security: Firewalls, intrusion detection, and prevention systems
- Backup and Recovery: Regular data backups and disaster recovery procedures
- Server Security: Regular security updates and vulnerability management
- Monitoring: Continuous monitoring for unusual activities and potential breaches
4.2 Organizational Measures
- Staff Training: Regular data protection and security awareness training
- Policies and Procedures: Comprehensive data protection policies
- Data Protection Impact Assessments: For high-risk processing activities
- Vendor Management: Due diligence and data processing agreements
- Incident Response: Documented procedures for data breach detection and notification
4.3 Data Breach Procedures
In the event of a data breach, we will:
- Assess the nature and scope of the breach
- Take immediate steps to contain and mitigate the breach
- Notify affected individuals and relevant authorities as required by law
- Document the breach and our response
- Implement measures to prevent similar breaches in the future
5. DATA SUBJECT RIGHTS
We respect and facilitate the exercise of data subject rights. You have the following rights:
5.1 Access
You have the right to request a copy of your personal data that we hold and information about how we process it.
5.2 Rectification
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
5.3 Erasure
In certain circumstances, you have the right to have your personal data erased (the "right to be forgotten").
5.4 Restriction of Processing
You have the right to request the restriction of processing of your personal data in specific circumstances.
5.5 Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
5.6 Objection
You have the right to object to the processing of your personal data in certain circumstances, particularly for direct marketing purposes.
5.7 Automated Decision-Making
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
5.8 How to Exercise Your Rights
To exercise any of these rights, please contact us at privacy@brightschool.ai. We will respond to your request within one month, with the possibility of extending this period by two further months if necessary, taking into account the complexity and number of requests.
6. DATA RETENTION
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.
6.1 Retention Periods
- Account Information: For the duration of your account plus 12 months after account closure
- User Content: For the duration of your account plus 90 days after account closure
- Transaction Data: For 7 years for tax and financial record-keeping purposes
- Communication Data: For 3 years after the last communication
- Technical Data: For up to 12 months
6.2 Criteria for Determining Retention
In determining appropriate retention periods, we consider:
- The amount, nature, and sensitivity of the personal data
- The potential risk of harm from unauthorized use or disclosure
- The purposes for which we process the personal data
- Whether we can achieve those purposes through other means
- Legal, regulatory, and contractual requirements
7. INTERNATIONAL DATA TRANSFERS
We primarily store and process personal data within India. However, in some cases, your personal data may be transferred to, stored, and processed in other countries.
7.1 Transfer Safeguards
When we transfer personal data outside of India, we ensure appropriate safeguards are in place, such as:
- Data processing agreements incorporating standard contractual clauses
- Transfers to countries with adequate data protection laws
- Implementation of appropriate technical and organizational measures
- Obtaining explicit consent for transfers when applicable
7.2 Service Providers
We may use third-party service providers to support our operations. These providers may access and process personal data as data processors on our behalf. We ensure these providers offer adequate levels of protection for personal data through appropriate agreements.
8. SPECIAL CONSIDERATIONS FOR EDUCATIONAL DATA
8.1 Student Data
We recognize the sensitivity of student data and implement additional safeguards:
- We collect only the information necessary to provide educational services
- We do not use student personal data for advertising purposes
- We provide educational institutions with tools to manage and protect student data
- We implement age-appropriate design for features used by students
8.2 Educational Institution Responsibilities
Educational institutions using our platform are responsible for:
- Obtaining appropriate consents for student data processing
- Managing access rights and permissions for their users
- Implementing their own data protection policies and procedures
- Responding to data subject requests from their students or staff
- Notifying us promptly of any data protection concerns
9. REGULATORY COMPLIANCE
9.1 Compliance Framework
Our data protection program is designed to comply with applicable data protection laws, including:
- Indian Information Technology Act, 2000 and its amendments
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
- Personal Data Protection Bill (when enacted)
- Relevant state and sector-specific privacy regulations
- International best practices for data protection
9.2 Data Protection Officer
We have appointed a Data Protection Officer (DPO) responsible for overseeing our data protection strategy and implementation. Our DPO can be contacted at dpo@brightschool.ai.
9.3 Regular Assessments
We conduct regular assessments of our data protection practices, including:
- Data protection impact assessments for new processing activities
- Regular internal audits of our data protection practices
- Periodic review and update of our policies and procedures
- Vendor security assessments
10. CHANGES TO THIS POLICY
We may update this Data Protection Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify users of any material changes through appropriate channels, such as email notifications or notices on our platform.
The most current version of this policy will always be available on our website. We encourage you to review this policy periodically to stay informed about our data protection practices.
11. CONTACT US
If you have any questions, concerns, or requests regarding this Data Protection Policy or our data protection practices, please contact us at:
Hyperleap Software Technologies Private Limited
[Address]
Email: privacy@brightschool.ai
Phone: [Phone Number]
For data protection-specific inquiries or to contact our Data Protection Officer:
Email: dpo@brightschool.ai
By using BrightSchool.ai, you acknowledge that you have read and understood this Data Protection Policy.