← Back // Privacy

Privacy notice

What we collect, why, where it lives, and the rights you have under India's Digital Personal Data Protection Act 2023.

Version 1.0.1 · 2026-05-26

Template notice — under legal review. This page is a faithful, plain-English description of Vaaani's actual data flows, but it has not yet been ratified by privacy counsel. Treat as a working draft. The version + date above will change when the lawyer-reviewed copy lands.

1. Data fiduciary 2. What we collect 3. How we use it 4. Legal basis 5. Children 6. Sharing 7. Cross-border 8. Security 9. Retention 10. Your rights 11. Grievance officer 12. Changes

1. Who is the data fiduciary

Vaaani is operated as a sole proprietorship by Neil Shankar Ray, an indie EdTech builder based in Kolkata, West Bengal, India. The fiduciary is the controller of personal data processed through this service. Contact details for the named data protection officer are in §11.

2. Personal data we collect

From every signed-up user

From study activity

From parents (under-18 accounts)

Automatically

3. How we use it

We do not use your data to train any AI model, sell to advertisers, or share with analytics brokers.

5. Children's data (DPDP §9)

If you indicate at signup that the account-holder is under 18, we:

  1. Pause account activation immediately
  2. Email the parent / lawful guardian you nominated, with a link to a consent page that lays out exactly what we collect, why, and your rights
  3. Activate the account only after the parent submits the consent form
  4. Record the parent's IP + user-agent + the consent-text version they agreed to, in an immutable audit log
  5. Refuse all chat, ingest, and audio endpoints for the child until consent is granted
  6. Allow the parent to withdraw consent at any time, after which we stop processing the child's data

We do not use children's data for advertising, behavioural tracking, or any profiling beyond the topic-mastery model that is intrinsic to the Socratic teaching surface. We do not perform behavioural monitoring as defined in DPDP §9(3).

Verification mechanism caveat: the current consent magic-link flow satisfies the spirit of §9 but the final DPDP Rules (yet to be notified by MeitY as of this version's date) may require additional verifiability mechanisms such as DigiLocker or Aadhaar-based parent KYC. We will add those when the Rules are finalised, and you will be re-prompted to confirm consent under the stricter mechanism.

6. Who we share data with (processors)

We do not share your data with third-party advertising or analytics services.

7. Cross-border transfer (DPDP §16)

Some processors named above store or transit data outside India. In particular, DeepSeek currently operates from China. India's DPDP framework permits cross-border transfer to countries not on a Negative List notified by the Central Government. If you are not comfortable with cross-border LLM processing, do not use Vaaani in its current form. We are evaluating India-hosted LLM alternatives.

8. Security

No system is perfectly secure. If you suspect a breach, please email the grievance officer (§11) immediately.

9. Retention

10. Your rights (DPDP §11–§14)

11. Grievance officer

Neil Shankar Ray
Email: neilshankarray@vaaani.in
Postal: C/o Mrs. Chinu Ray, 55/1, Jubilee Park, Tollygunge, Kolkata-33, West Bengal, India

Response SLA: seven working days. If unresolved, you may approach the Data Protection Board of India once it is operational under DPDP §18.

12. Changes to this notice

We will update this notice when our processing changes, when DPDP Rules are notified, or when the lawyer review completes. The version number and date at the top of this page change whenever we publish revisions. We will email registered users whenever a material change ships.