Privacy & Data Notice

Drishti Innovations Pvt. Ltd. (“Drishti,” “we,” “our”) operates a gamified STEM, robotics, AI curriculum, school LMS/ERP and parent & teacher dashboard used worldwide by students ages 6–18, their parents, teachers, schools and Tier 2/3 colleges. Because we serve minors, we hold ourselves to the highest standard of data minimization, consent and security under the Digital Personal Data Protection Act, 2023 (India), the EU GDPR (incl. GDPR-K), and the US COPPA rule for child-directed services.

We do not sell personal data. We do not run third-party advertising on our learning surfaces. We do not use student work to train external AI models. These rules are non-negotiable.

This notice covers everyone who interacts with Drishti via our websites, web apps, mobile apps, school LMS/ERP, robotics kits, AI mentor, parent dashboard, teacher dashboard, admin console, or our APIs. School contracts may include an additional Data Processing Agreement (DPA) that governs how we process student data on the school’s behalf — in case of conflict, the DPA prevails for that school’s users.

We collect only what we need to deliver the service:

• Account data: name, email, phone (optional), role, school/class, language preference, profile photo (optional).
• Learning activity: projects started/completed, quiz answers, time on task, XP, badges, streaks, certificates.
• Student submissions: code, photos of builds, written reflections, AI-mentor chat history.
• Parent & teacher data: contact details, consent records, communication logs.
• School/ERP data: admissions, attendance, fees, exam scores, timetable — processed strictly on behalf of the school.
• Device & usage: IP address, browser/device type, app version, crash logs, anonymized performance metrics.
• Payments: handled by Razorpay (India) and Stripe (global). We store only order reference and last-4 of the card — never full card numbers or CVV.

For users under 18 in India (DPDP Act) and under 16 in the EU (GDPR-K), we require verifiable parental or guardian consent before activating an account. For users under 13 globally (COPPA), we additionally restrict community features (no public profiles, no open chat) and collect the minimum data needed to deliver the learning experience.

Where a school enrolls students under a school contract, the school acts as the verifying authority and provides consent on the parents’ behalf per Indian school regulations — with a parent opt-out available at any time via the parent dashboard.

• Run the learning platform, score quizzes, issue XP/badges/certificates.
• Personalize the lesson loop (Learn → Watch → Build → Quiz → Debug → Submit → Badge).
• Generate weekly parent and teacher reports.
• Operate the school LMS & ERP modules on the school’s instructions.
• Send transactional emails (account, certificates, payments). Marketing email is opt-in only.
• Detect abuse, fraud and platform safety issues.
• Comply with legal obligations.

Our AI mentor and AI debugger process the student’s in-app interactions to give better, project-specific hints. We use third-party model providers (e.g. Google Gemini, OpenAI) under zero-retention enterprise terms — meaning provider prompts and responses are not stored by the provider and are not used to train their public models.

Student writing, code and project submissions are never used to train external models. Internally we may use aggregated, de-identified learning signals (e.g. “42% of Class 7 students miss step 4 of the Love-o-Meter project”) to improve curriculum quality.

We share data only with carefully vetted processors, and only as needed:

• Hosting & database: Lovable Cloud (Supabase) — primary region ap-south-1 (Mumbai).
• Payments: Razorpay (India), Stripe (global).
• AI providers: Google Gemini, OpenAI — under enterprise no-retention terms.
• Communications: transactional email and SMS providers.
• Analytics: privacy-friendly, IP-anonymized product analytics. No ad networks.
• Authorities: only when legally compelled by a valid court order.

We never sell, rent or trade personal data.

For school customers, Drishti is a data processor — the school is the data controller for student records created inside its instance. The school decides what to collect, who can see it, and what to delete; we execute those instructions. Schools sign a Data Processing Agreement that includes confidentiality, breach notification within 72 hours, and exit data export rights.

We use the minimum cookies needed to keep you signed in, remember your language, and measure aggregate product performance. We do not use third-party advertising cookies. Analytics IPs are truncated before storage. You can clear cookies any time in your browser.

• Active accounts: retained while the account is in use.
• Inactive accounts: notified after 18 months; deleted after 24 months of inactivity.
• AI-mentor chat logs: 12 months, then automatically purged.
• School data: kept for the term of the school contract; exported & deleted within 60 days of contract end.
• Financial records: 8 years, per Indian tax law.

TLS 1.3 in transit. AES-256 at rest. Role-based access control enforced in our database via the user_roles table and row-level security policies — never on the user profile object. Secrets are stored in a managed vault and rotated regularly. Security incidents are reported to affected parties within 72 hours of confirmed discovery, in line with DPDP & GDPR breach-notification rules.

You (or, for minors, the parent/guardian) have the right to:

• Access the personal data we hold about you.
• Correct inaccurate or incomplete data.
• Delete your account and associated personal data.
• Export your data in a machine-readable format.
• Withdraw consent for optional processing (e.g. marketing emails).
• Object to a specific processing activity.
• Lodge a complaint with the Data Protection Board of India or your local supervisory authority.

Most rights are self-service from your dashboard. For anything else, email privacy@drishtiinnovations.com — we respond within 30 days.

Indian customer data is hosted in India (ap-south-1) by default. Where data crosses borders — for example to an AI provider — we use Standard Contractual Clauses (GDPR) and equivalent safeguards under the DPDP Act. We do not transfer data to countries explicitly restricted by the Government of India.

Material changes are announced by email to account holders and posted on this page at least 14 days before they take effect. The “Last updated” date at the top always reflects the current version.

This notice is provided for transparency. It is not a substitute for legal advice. Schools should review their signed Data Processing Agreement for institution-specific terms. See also our homepage.