Privacy notice
What we collect, why, where it lives, and the rights you have under India's Digital Personal Data Protection Act 2023.
Version 1.0.1 · 2026-05-26
1. Data fiduciary 2. What we collect 3. How we use it 4. Legal basis 5. Children 6. Sharing 7. Cross-border 8. Security 9. Retention 10. Your rights 11. Grievance officer 12. Changes
1. Who is the data fiduciary
Vaaani is operated as a sole proprietorship by Neil Shankar Ray, an indie EdTech builder based in Kolkata, West Bengal, India. The fiduciary is the controller of personal data processed through this service. Contact details for the named data protection officer are in §11.
2. Personal data we collect
From every signed-up user
- Email address, name, password hash (account credentials)
- Date of birth (required under DPDP §9 for age determination)
- Phone number, only if you opt to add one for OTP login
- Plan tier (free / paid)
- OAuth subject identifiers (Google / GitHub) if you sign in via SSO
- Last sign-in timestamp
From study activity
- Documents you upload (PDF, DOCX, TXT, MD) — text content + filename
- Questions you ask the assistant (queries) and the answers returned
- Topic-level mastery scores derived from your ratings
- Spaced-review schedule rows (which concepts are due when)
- Per-school guardrail interactions, if you belong to a licensed school org
From parents (under-18 accounts)
- Parent name, email, optional phone
- Consent record (timestamp, IP, user-agent, consent text version)
- Consent withdrawal record, when applicable
Automatically
- Server access logs (IP, user-agent, path) — retained 14 days
- Session cookies (HttpOnly, Secure, SameSite=Lax)
3. How we use it
- To run the study assistant: retrieve relevant chunks from your uploaded documents and pass them to the LLM with your question
- To enforce per-school curriculum scoping and Socratic-only mode where licensed
- To track your topic-level mastery and schedule spaced review
- To send service emails (verification, parental consent, password reset)
- To monitor service health and prevent abuse
We do not use your data to train any AI model, sell to advertisers, or share with analytics brokers.
4. Legal basis (DPDP §6, §7)
- Consent (§6) — for all processing of your study activity
- Legitimate use (§7) — only for service emails (verification, OTP) required to operate the account you asked us to create
- Verifiable parental consent (§9) — for any account whose user is under 18 at signup, processing is paused until the parent confirms via the magic-link flow
5. Children's data (DPDP §9)
If you indicate at signup that the account-holder is under 18, we:
- Pause account activation immediately
- Email the parent / lawful guardian you nominated, with a link to a consent page that lays out exactly what we collect, why, and your rights
- Activate the account only after the parent submits the consent form
- Record the parent's IP + user-agent + the consent-text version they agreed to, in an immutable audit log
- Refuse all chat, ingest, and audio endpoints for the child until consent is granted
- Allow the parent to withdraw consent at any time, after which we stop processing the child's data
We do not use children's data for advertising, behavioural tracking, or any profiling beyond the topic-mastery model that is intrinsic to the Socratic teaching surface. We do not perform behavioural monitoring as defined in DPDP §9(3).
Verification mechanism caveat: the current consent magic-link flow satisfies the spirit of §9 but the final DPDP Rules (yet to be notified by MeitY as of this version's date) may require additional verifiability mechanisms such as DigiLocker or Aadhaar-based parent KYC. We will add those when the Rules are finalised, and you will be re-prompted to confirm consent under the stricter mechanism.
6. Who we share data with (processors)
- DeepSeek — your queries (with retrieved context) are sent to DeepSeek's LLM API to generate answers. DeepSeek does not retain queries for training per their stated policy.
- Hostinger — VPS provider; hosts the application + your data at rest.
- Cloudflare — CDN + tunnel; sees TLS-decrypted traffic to and from your browser.
- An SMTP provider — delivers transactional emails (verification, OTP, parental consent).
We do not share your data with third-party advertising or analytics services.
7. Cross-border transfer (DPDP §16)
Some processors named above store or transit data outside India. In particular, DeepSeek currently operates from China. India's DPDP framework permits cross-border transfer to countries not on a Negative List notified by the Central Government. If you are not comfortable with cross-border LLM processing, do not use Vaaani in its current form. We are evaluating India-hosted LLM alternatives.
8. Security
- HTTPS-only via Cloudflare (TLS 1.2+)
- Passwords stored as bcrypt hashes, never in plaintext
- Session cookies are HttpOnly, Secure, SameSite=Lax, signed JWT
- Database access restricted to the application process; no shared DB credentials
- Backups taken before every production deploy
No system is perfectly secure. If you suspect a breach, please email the grievance officer (§11) immediately.
9. Retention
- Account + study data: retained for the life of the account, deleted within 30 days of an erasure request
- Server access logs: 14 days
- Email delivery logs: 30 days at the SMTP provider
- Consent records: retained for 7 years after consent expiry or withdrawal, for legal defensibility
- Audit log (DPDP events): retained for 7 years
10. Your rights (DPDP §11–§14)
- Right to access (§11) — download everything we hold about you as a JSON export from your account page
- Right to correction and erasure (§12) — soft-delete your account at any time from the account page; we hard-delete within 30 days
- Right to nominate (§14) — email the grievance officer to nominate a successor data principal in case of death or incapacity
- Right to grievance redressal (§13) — email the grievance officer named in §11; we respond within seven working days
- Right to withdraw consent (§6(4)) — from your account page, or by emailing the grievance officer
Neil Shankar Ray
Email: neilshankarray@vaaani.in
Postal: C/o Mrs. Chinu Ray, 55/1, Jubilee Park, Tollygunge, Kolkata-33, West Bengal, India
Response SLA: seven working days. If unresolved, you may approach the Data Protection Board of India once it is operational under DPDP §18.
12. Changes to this notice
We will update this notice when our processing changes, when DPDP Rules are notified, or when the lawyer review completes. The version number and date at the top of this page change whenever we publish revisions. We will email registered users whenever a material change ships.