Privacy Policy

About this policy

Eduloom Technologies OPC Pvt Ltd (“Eduloom”, “we”, “us”, “our”) operates Chatmadi (chatmadi.com), an AI-powered school management platform for Indian schools. This Privacy Policy explains how we collect, use, share, and protect Personal Data when you use Chatmadi.

This policy is governed by the Digital Personal Data Protection Act, 2023 (“DPDPA”), the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), to the extent they apply.

Summary (plain English, not legally binding)

• We collect data schools enter into Chatmadi, WhatsApp conversations schools upload, payment information, and usage logs.
• We use AI (Anthropic's Claude) to extract structured data like absences and homework status from WhatsApp conversations uploaded by schools.
• We do not sell your data. We do not show ads. We do not use student data for training any AI models.
• For students under 18, we rely on the parental consent obtained by the school at enrollment.
• You can request access, correction, or deletion of your data by contacting your school or our Grievance Officer.
• Our Grievance Officer is Nayan Kumar, nayan@chatmadi.com.
• We use sub-processors in India and overseas (USA, Ireland) for hosting, AI, payments, and communications.
• We retain data for the duration of your subscription plus 30 days, except records we must keep longer by law (for example, invoices for 7 years under GST).

1. Definitions

Terms used in this policy have the meanings given in the DPDPA, 2023, unless context requires otherwise. Key terms:

• “Personal Data” means any data about an individual who is identifiable by or in relation to such data.
• “Data Fiduciary” is a person who, alone or with others, determines the purpose and means of processing Personal Data.
• “Data Processor” is a person who processes Personal Data on behalf of a Data Fiduciary.
• “Data Principal” is the individual to whom Personal Data relates. For students under 18, the Data Principal also includes the parent or lawful guardian.
• “Child” means an individual below 18 years of age.
• “Processing” means any operation on Personal Data such as collection, storage, use, sharing, alteration, or erasure.

2. Who is the Data Fiduciary?

Chatmadi is used both directly by school owners and trustees and by schools on behalf of their students, parents, and staff. Our role depends on who you are:

(a) If you are a school owner, trustee, admin, principal, or teacher who creates a Chatmadi account directly, we are the Data Fiduciary for your account-related data (name, email, phone, role, login records, billing).

(b) If you are a student or parent whose data has been added to Chatmadi by a school, the school is the Data Fiduciary and we are the Data Processor. We process your data only on the school's instructions and for the purposes the school has defined. Requests for access, correction, or erasure should be directed to the school first. Where escalation is needed, our Grievance Officer can help facilitate.

(c) For aggregate usage data, system logs, and product telemetry not tied to identifiable individuals, we are the Data Fiduciary and use this data for security, service improvement, and fraud prevention.

3. What Personal Data we collect

From school staff (owners, admins, principals, teachers) directly

• Full name, email, phone number, profile photo (optional)
• Role within the school
• Account credentials (passwords stored as one-way hashes; OTP verification codes)
• Login timestamps, IP addresses, device and browser information
• Subscription plan, billing information (payment card and bank details are handled by Razorpay and never touch our servers)

From schools, about students and parents

• Student name, class, section, roll number
• Date of birth, gender
• Parent or guardian names and contact details
• Attendance records (manual and AI-extracted)
• Exam marks, grades, and performance bands
• Homework and assignment records
• PTM (parent-teacher meeting) notes and teacher observations
• Fee records and payment status
• Safety alerts and welfare flags raised by school staff

From WhatsApp conversation uploads

• Group chat content (text messages, sender names, timestamps)
• Media references (the media files themselves are not extracted unless separately uploaded)
• Phone numbers of participants
• AI-extracted structured data (absences, homework mentions, fee references, welfare signals)

From WhatsApp Business API (when a school connects WABA)

• Outgoing messages sent via Chatmadi
• Incoming replies to Chatmadi-initiated conversations
• Message delivery and read receipts
• Phone numbers of parents who have provided consent to WhatsApp communication

From school verification documents

• Affiliation certificates, registration certificates, trust deeds, UDISE certificates, and similar institutional documents
• Extracted text and AI verification results (authenticity confidence score, document type classification)

Automatically collected

• Usage logs (pages visited, features used, timestamps)
• Error logs (for debugging and support)
• Cookies (session management, authentication, basic first-party analytics)
• Device type, screen size, operating system, browser

4. Why we process Personal Data

We process Personal Data for the following purposes:

(a) Providing the Chatmadi service: creating and managing school accounts, enabling attendance tracking, exam management, homework workflows, fee records, parent communication, and related features.

(b) AI-powered extraction and analysis: processing WhatsApp conversation uploads to identify absences, homework status, fee mentions, and welfare signals; generating student journey narratives; producing principal-level insights.

(c) Account communication: sending transactional emails and messages (OTPs, password resets, billing notifications, security alerts, service updates).

(d) Billing and payments: processing subscriptions via Razorpay, generating invoices, handling upgrades, downgrades, cancellations, and refunds.

(e) Customer support: responding to queries and investigating issues reported through the Madi AI assistant or support channels.

(f) Security and fraud prevention: detecting unauthorised access, preventing abuse, logging security events.

(g) Legal and compliance obligations: complying with tax laws (GST record retention of 7 years), responding to lawful government or court requests.

(h) Service improvement: analysing aggregated, de-identified usage patterns to improve Chatmadi. We do not use identifiable student data for service-improvement analytics.

5. Legal basis for processing

Under the DPDPA, 2023, we process Personal Data on one or more of the following grounds:

Consent

• For direct account holders (school staff), consent is obtained at signup.
• For students and parents, the school collects consent as part of its enrollment contract. Parents of children below 18 provide verifiable parental consent through the school's enrollment process, and we rely on the school's representation that such consent is in place.

Certain legitimate uses (Section 7, DPDPA)

• Processing necessary to provide the service the Data Principal has requested or authorised.
• Processing necessary to comply with Indian law (including GST, Companies Act, and education regulations).
• Processing to establish, exercise, or defend legal claims.

For children specifically (Section 9, DPDPA)

• We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
• We do not process children's data in a manner likely to cause a detrimental effect on their well-being.
• Parental consent for children's data is obtained by schools during enrollment.
• We do not process children's biometric data, precise location data, or other special-category data beyond what is necessary for the school management service.

6. How we share Personal Data

We do not sell Personal Data. We share it only as described below:

(a) With sub-processors

We execute data processing agreements with sub-processors requiring them to process data only on our instructions and to maintain appropriate security.

(b) With the school

If you are a parent or student, your data is shared with the school that added you. The school determines who within its staff has access, and the school's own policies govern internal sharing.

(c) With authorities

We may disclose Personal Data to government authorities, courts, or law enforcement if required by Indian law or in response to a valid legal process. Where permitted by law, we will notify affected Data Principals.

(d) In corporate transactions

If Chatmadi is involved in a merger, acquisition, financing, or asset sale, Personal Data may be transferred to the new entity. We will notify affected Data Principals and provide choices where required.

(e) With consent

We may share data with other parties if you give us specific consent.

7. International data transfers

Some sub-processors operate outside India (primarily the USA and Ireland). The DPDPA permits transfers to countries not specifically restricted by the Government of India.

We protect international transfers through:

• Standard contractual clauses with sub-processors
• Encryption in transit (TLS 1.2 or higher)
• Encryption at rest (AES-256 or equivalent)
• Access controls and audit logging

If the Government of India designates a sub-processor's country as restricted, we will migrate the relevant processing to a compliant jurisdiction promptly.

8. Children's data (special protections)

Students under 18 are “children” under the DPDPA. Our approach:

(a) We do not market directly to children. Chatmadi is sold to schools, not to students or parents.

(b) We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

(c) We rely on schools to obtain verifiable parental consent for processing children's data, as part of their enrollment contracts.

(d) Parents or guardians of a child enrolled in a school using Chatmadi can exercise all rights on behalf of the child. Requests should be directed to the school first; our Grievance Officer can assist if the school does not respond within a reasonable time.

(e) We limit processing of children's data strictly to the purposes for which it was collected (education delivery, attendance, academic records, parent-school communication).

(f) We do not process children's biometric data, precise location data, or special-category data unless specifically required for the service and covered by consent.

9. Data retention

We retain Personal Data only for as long as necessary:

• Active account data: retained for the duration of the school's subscription.
• Post-termination: 30 days after subscription ends or account deletion is requested, to allow for recovery. After 30 days, data is deleted from active systems. Backup copies are purged within a further 60 days.
• WhatsApp conversation uploads (raw): original uploaded files are deleted 30 days after successful extraction. Structured extractions are retained with the school's account.
• Student academic records: schools typically require retention for 7 years or more for CBSE, ICSE, or state board compliance. When a school account terminates, schools can export records before deletion.
• Invoices and billing records: retained for 7 years as required by GST law.
• Login and audit logs: retained for 12 months.
• Madi AI assistant conversations: retained for 90 days.
• Marketing opt-out records: retained indefinitely to honour your choice.

10. Your rights as a Data Principal

Under the DPDPA, 2023, you have the following rights:

• Right to access: request a summary of the Personal Data we hold about you and how it is being processed.
• Right to correction and erasure: request correction of inaccurate data, completion of incomplete data, or erasure of data no longer necessary for the purposes it was collected.
• Right of grievance redressal: raise a grievance with our Grievance Officer and receive a response within a reasonable time.
• Right to nominate: nominate another individual to exercise your rights in the event of your death or incapacity.

How to exercise these rights

• If you are a direct account holder: email our Grievance Officer at nayan@chatmadi.com from your registered email. We aim to respond within 15 days.
• If you are a student or parent: first contact your school's admin. If the school does not respond within a reasonable time, escalate to our Grievance Officer.

Identity verification

We may verify your identity before acting on rights requests, to protect against impersonation. Verification methods may include email confirmation, OTP on the registered phone number, or a signed declaration.

Fees

Rights requests are processed free of charge. Unreasonable or repetitive requests may attract a reasonable administrative fee, which we will communicate in advance.

11. Security measures

We take reasonable security measures as required by Section 8 of the DPDPA and the SPDI Rules:

• Encryption: AES-256 at rest, TLS 1.2 or higher in transit.
• Access controls: role-based access, multi-factor authentication on admin accounts, principle of least privilege.
• Row-level security: enforced on our Supabase database so users see only the data they are authorised to see.
• Application-level enforcement: permission checks inside server actions, not solely reliant on database security.
• Audit logging: all admin and sensitive operations are logged.
• Vulnerability management: periodic dependency reviews and prompt patching of critical vulnerabilities.
• Backups: daily encrypted backups with point-in-time recovery.
• Sub-processor oversight: we contract only with sub-processors who maintain SOC 2, ISO 27001, PCI DSS, or equivalent certifications where applicable.
• Physical security: cloud infrastructure only; we do not operate on-premises servers holding customer data.

No security measure is perfect. In the event of a personal data breach, we will investigate, contain, and notify affected parties as required by law.

12. Personal data breach notification

If a personal data breach occurs that is likely to result in harm to Data Principals:

• We will notify the Data Protection Board of India within the time prescribed under DPDPA rules once they are in force.
• We will notify affected Data Principals (or the Data Fiduciary on whose behalf we process data, where we act as Processor) without undue delay.
• The notice will include: a description of the breach, the categories and approximate number of affected Data Principals, likely consequences, and measures taken or proposed.
• We will maintain internal records of all breaches, including those not meeting the notification threshold, for regulatory inspection.

13. Cookies and tracking

We use cookies and similar technologies for:

• Strictly necessary cookies: session management, authentication, security tokens. These cannot be disabled without breaking the service.
• Functional cookies: remembering preferences like language and dashboard layout.
• Analytics cookies: basic first-party usage analytics. We do not use third-party advertising cookies. We do not participate in cross-site behavioural advertising.

You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using Chatmadi.

14. Third-party links

Chatmadi may contain links to third-party websites (for example, Razorpay checkout, Meta documentation, educational resources). Those sites have their own privacy policies, and we are not responsible for their practices. Review their policies before submitting information.

15. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by:

• Posting a notice on chatmadi.com
• Sending an email to registered account holders
• Adding a banner inside the Chatmadi application

The “Last updated” date at the top reflects the most recent revision. Continued use of Chatmadi after notice of changes constitutes acceptance.

16. Grievance Officer

In compliance with Section 5 of the DPDPA, 2023 and Rule 5(9) of the SPDI Rules, the Grievance Officer for Chatmadi and Eduloom Technologies is:

We aim to acknowledge grievances within 48 hours and resolve them within 15 days, as prescribed under Indian law.

17. Data Protection Board of India

If you are not satisfied with our handling of your grievance, you may escalate to the Data Protection Board of India once it is operational. Details will be published by the Government of India.

18. Governing law and jurisdiction

This Privacy Policy is governed by the laws of India. Any dispute arising out of or in relation to this policy shall be subject to the exclusive jurisdiction of the courts in Mysore, Karnataka, subject to the dispute resolution clauses in our Terms of Service.

19. Contact us

For any questions about this Privacy Policy: