Legal Center

Document Control · ISO 9001:2015 §7.5 — Documented Information

EVP-DCP-01

Data Collection Policy

Active · v1.0

Document ID: EVP-DCP-01
Version: 1.0
Status: Active
Effective Date: 2026-02-09
Owner / Custodian: Chintankumar Bhatt, Platform Founder
Classification: Public
Next Review: 2027-02-09
Framework: IT Rules 2011
Jurisdiction: Mumbai, India

Revision History

| Rev | Date | Description | Author |
|---|---|---|---|
| 1.0 | 2026-02-09 | Initial release — data collection policy | C. Bhatt |

1. Purpose

This Data Collection Policy defines the categories of personal and non-personal data collected by EduVerse™, the legal basis and purpose for each collection, and the controls in place to ensure data minimisation, accuracy, and lawful processing in compliance with the Indian IT Act 2000, GDPR (for EU/EEA users), and COPPA (for users under 13).

This policy supplements EVP-PP-01 (Privacy Policy) and provides a granular technical inventory of all data points collected by the platform.

2. Scope

This policy applies to:

  • All data collected through the EduVerse™ web application and APIs
  • All user roles: visitors, students, tutors, and administrators
  • All data collected automatically (technical/device data) and manually (form submissions)
  • All personnel and third-party processors handling collected data

3. Terms & Definitions

| Term | Definition |
|---|---|
| Personal Data | Any data relating to an identified or identifiable natural person |
| Sensitive Personal Data | Financial information, health data, biometrics, geolocation (IT Rules 2011) |
| Data Minimisation | Collecting only data that is adequate, relevant, and limited to what is necessary |
| Purpose Limitation | Data may only be used for the specific purposes stated at collection |
| Consent | Freely given, specific, informed, unambiguous agreement (EUWA Clickwrap) |
| EUWA §3 | Geolocation collection clause in the End User Website Agreement |
| EUWA §4 | Timezone detection clause in the End User Website Agreement |

4. Data Collection Inventory

4.1 — Visitor Data (Pre-Registration)

| Data Element | Collection Method | Basis | Purpose |
|---|---|---|---|
| IP Address | Automatic (request header) | Legitimate Interest | Security, fraud prevention, geo approximation |
| Geolocation (lat/lon, city, country) | Browser Geolocation API + consent | EUWA §3 — Explicit Consent | Auto-fill onboarding, region scheduling |
| IANA Timezone | Automatic (Intl API) | EUWA §4 — Explicit Consent | Session schedule display in local time |
| User Agent | Automatic (request header) | Legitimate Interest | Compatibility, security, consent audit |
| Consent record | EUWA Clickwrap | Legal Obligation (IT Act) | Audit trail per EVP-CLP-01 |
| Session dedup flag | sessionStorage | Legitimate Interest | Accurate visitor count (one increment per session) |

4.2 — Account Registration Data

| Data Element | Mandatory? | Basis | Purpose |
|---|---|---|---|
| Full Name | Yes | Contract | Identity, tutor matching, certificates |
| Email Address | Yes | Contract | Authentication, notifications, billing |
| Password (hashed) | Yes (if not OAuth) | Contract | Account security |
| Google OAuth Token | If using Google login | Contract | Third-party authentication |
| Phone Number | Yes | Contract | OTP verification, WhatsApp notifications |
| Date of Birth | Yes | Contract + Legal Obligation | Age verification, COPPA compliance |
| Profile Photo | Optional | Consent | Personalisation, tutor recognition |

4.3 — Know Your Student (KYP) Onboarding Data

| Data Element | Mandatory? | Purpose |
|---|---|---|
| Current Grade / Class | Yes | Curriculum matching, fee calculation |
| Educational Board (CBSE, ICSE, IB, Common Core, etc.) | Yes | Curriculum alignment |
| Subject selections | Yes | Tutor matching, resource delivery |
| School Name | Yes | Institutional context, scheduling |
| City & Country | Yes | Timezone, regional fee structure |
| Parent/Guardian Name | Yes (if under 18) | COPPA consent, progress reports |
| Parent/Guardian Phone | Yes (if under 18) | Guardian notifications, OTP |
| Father / Mother Name | Optional | Profile completeness |
| Student ID (EDV-XXXX) | Auto-assigned | Unique platform identifier |
| Face Photo (biometric-class) | Yes (KYP) | Identity verification, anti-impersonation |

4.4 — Usage & Behavioural Data

| Data Element | Collection Method | Purpose |
|---|---|---|
| Login timestamps | Automatic | Security, session management |
| Navigation events | Automatic | Platform improvement (aggregated) |
| Test scores & grades | Form submission | Progress tracking, reporting |
| Session attendance | Automatic | Billing, performance tracking |
| Assignment submissions | File upload / form | Assessment, feedback |
| AI tutoring interactions | API logging | Personalisation, quality improvement |

4.5 — Payment & Billing Data

| Data Element | Stored by EduVerse™? | Notes |
|---|---|---|
| Payment transaction reference ID | Yes | Stored for billing reconciliation |
| Selected fee plan (A/B/C) | Yes | Billing configuration |
| Currency & amount | Yes | Invoice generation |
| Card/Bank details | No | Processed exclusively by Razorpay / PayPal |
| UPI / Payment method type | Reference only | No sensitive data stored |

5. Mandatory vs Optional Data

EduVerse™ clearly distinguishes between mandatory and optional data at point of collection.

  • Mandatory: Refusal to provide mandatory data will prevent access to the relevant feature or service. Core registration data (name, email, grade, board) is mandatory for platform access.
  • Optional: Optional data (e.g., profile photo, father/mother name) may be provided at the user's discretion and does not affect core service access.
  • Consent-gated mandatory: Geolocation (EUWA §3) and timezone (EUWA §4) are mandatory as conditions of platform use, collected under explicit clickwrap consent.

6. Data Minimisation Principle

EduVerse™ adheres to the principle of data minimisation: we collect only data that is adequate, relevant, and limited to what is necessary for the specified purpose.

  • No collection of racial, ethnic, religious, or political data.
  • No health or medical data collected unless voluntarily disclosed for disability accommodations.
  • Payment card data never touches EduVerse™ servers — processed entirely by gateway SDKs.
  • Analytics data is aggregated and anonymised before any internal reporting.

7. Consent Requirements

Data collection requiring explicit consent:

  • Geolocation data (EUWA §3): Collected under clickwrap consent. Browser Geolocation API permission prompt is also displayed. Users may deny browser-level permission; the EUWA geolocation field will then capture approximate IP-based location only.
  • Timezone data (EUWA §4): Collected automatically via Intl.DateTimeFormat API after EUWA consent.
  • Face photo / biometric-class data: Collected with explicit in-app consent during KYP onboarding. Stored as profile image, not processed for biometric identification.
  • Marketing communications: Opt-in only; separate consent required.

8. Third-Party Data Processors

| Processor | Data Shared | Location | Agreement |
|---|---|---|---|
| Google Firebase / Cloud | All platform data | Global (GCP) | Google Cloud Data Processing Addendum |
| Razorpay | Transaction references, billing amounts | India | Razorpay Privacy Policy |
| PayPal | Transaction references, billing amounts | Global | PayPal Data Processing Agreement |
| Google Gemini / Genkit | AI tutoring prompts (anonymised) | Global | Google AI Terms |

All data processors are contractually bound to process data only for specified purposes and to maintain appropriate security standards.

9. Accuracy & Data Currency

Users are responsible for keeping their account information accurate and up to date. EduVerse™ provides self-service profile editing for most personal data fields. For data that cannot be self-edited (e.g., Student ID, consent records), contact support.

10. Policy Review

This policy is reviewed annually or when significant changes to data collection practices are made. Changes that expand the scope of data collection require user re-consent via the EUWA mechanism. The revision history above documents all changes to this document.
