Document Control · ISO 9001:2015 §7.5 — Documented Information
EVP-PP-01
Privacy Policy
| Field | Value |
|---|---|
| Document ID | EVP-PP-01 |
| Version | 1.0 |
| Status | Active |
| Effective Date | 2026-02-09 |
| Owner / Custodian | Chintankumar Bhatt, Platform Founder |
| Classification | Public |
| Next Review | 2027-02-09 |
| Framework | GDPR / IT Act 2000 |
| Jurisdiction | Mumbai, India |
Revision History
| Rev | Date | Description | Author |
|---|---|---|---|
| 1.0 | 2026-02-09 | Initial release — privacy policy | C. Bhatt |
1. Purpose
This Privacy Policy establishes how EduVerse™ ("Platform", "we", "us") collects, processes, stores, and protects personal data of users ("you", "User") in accordance with the Information Technology Act 2000 (India), the Indian IT (Amendment) Act 2008, GDPR (for EU/EEA users), and COPPA (for users under 13).
This document is issued under the EduVerse™ Total Quality Management (TQM) framework and is subject to periodic review as required by ISO 9001:2015 §9.3.
2. Scope
This policy applies to:
- All registered users — students, tutors, administrators, and owners
- Visitors who access the platform without registration
- All personal data collected via web, mobile, or API interfaces
- All personnel and third-party processors handling EduVerse™ user data
3. Terms & Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data (collection, storage, use, disclosure, deletion) |
| Data Subject | The individual whose personal data is being processed (the User) |
| Data Controller | EduVerse™ — determines the purpose and means of processing |
| Data Processor | Third party processing data on behalf of EduVerse™ (e.g., Firebase/Google) |
| Consent | Freely given, specific, informed, and unambiguous indication of agreement |
| EUWA | End User Website Agreement — the binding clickwrap agreement presented on first visit |
4. Information We Collect
4.1 — Account & Identity Data
- Full name, email address, and password (hashed via Firebase Auth)
- Profile photo and display name
- Date of birth and age verification data
- Parent/guardian name and contact (for users under 18)
- Educational information: grade, board, subjects, school name, city, country
4.2 — OAuth Provider Data
When signing in via Google OAuth, we receive:
- Email address and public profile (name, photo)
- OAuth tokens (stored securely in Firebase Auth; never exposed to client)
4.3 — Technical & Usage Data
- IP address and geolocation (country, city, coordinates) — collected under EUWA §3
- IANA timezone identifier — collected under EUWA §4
- Browser user agent, device type, and operating system
- Login timestamps, session duration, and navigation events
- Learning progress, test scores, and assignment submissions
- Payment transaction references (no raw card data — processed by third parties)
4.4 — Consent Records
Clickwrap consent metadata is stored per EVP-CLP-01, including timestamp, IP, user agent, agreement version, and verbatim consent statement text.
5. Lawful Basis for Processing (GDPR Art. 6)
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Geolocation & timezone collection | Consent via EUWA §3 & §4 (Art. 6(1)(a)) |
| Consent logging and audit trail | Legal obligation (Art. 6(1)(c)) + Legitimate interests (Art. 6(1)(f)) |
| Payment processing | Contract performance (Art. 6(1)(b)) |
| Marketing communications | Consent (Art. 6(1)(a)) — opt-in only |
| Analytics and platform improvement | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal orders | Legal obligation (Art. 6(1)(c)) |
6. How We Use Your Information
- To create and manage your account and authenticate your identity
- To provide personalised educational services and tutor matching
- To display accurate session schedules in your local timezone
- To process payments, issue invoices, and maintain financial records
- To send critical platform notifications (session reminders, account alerts)
- To maintain legally required consent audit logs (EVP-CLP-01)
- To comply with legal obligations and respond to lawful authority requests
- To detect fraud, abuse, and security threats
- To improve the platform based on usage analytics (aggregated/anonymised)
We do NOT sell, rent, or commercially license your personal data to any third party.
7. Data Sharing & Disclosure
| Recipient | Data Shared | Purpose |
|---|---|---|
| Firebase / Google Cloud | All platform data | Storage, authentication, and compute infrastructure |
| Assigned Tutor | Name, grade, subjects, progress | Delivery of tutoring services |
| Parent/Guardian | Progress reports, session summaries | Oversight for minors (under 18) |
| Payment Processors (Razorpay, PayPal) | Transaction references only | Secure payment processing |
| Legal Authorities | As required by applicable law | Compliance with court orders or statutory requirements |
No data is shared with advertisers, data brokers, or any other commercial third parties.
8. Data Security
EduVerse™ implements industry-standard technical and organisational measures:
- Encryption in transit: TLS 1.2+ for all API and web traffic
- Encryption at rest: Firebase/Google Cloud AES-256 encryption
- Authentication: Firebase Auth with OAuth 2.0; WebAuthn passkey support
- Consent records: Append-only Firestore collection with no admin override
- Access control: Role-based access (student / tutor / owner) enforced server-side
- Firestore Security Rules: Per-user document access restrictions
No security system is infallible. In the event of a data breach affecting your rights, we will notify affected users within 72 hours of discovery as required by GDPR Art. 33.
9. Your Rights as a Data Subject
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of all personal data held about you | Email er.chintanbhatt@gmail.com |
| Rectification (Art. 16) | Correct inaccurate or incomplete data | Update via Profile settings or email us |
| Erasure (Art. 17) | Request deletion of your account and associated data | Data Deletion page (EVP-DDP-01) |
| Data Portability (Art. 20) | Receive your data in machine-readable format (JSON/CSV) | Email er.chintanbhatt@gmail.com |
| Withdraw Consent (Art. 7(3)) | Opt out of marketing; revoke optional data consents | Account settings or email us |
| Object (Art. 21) | Object to processing based on legitimate interests | Email er.chintanbhatt@gmail.com |
| Restrict Processing (Art. 18) | Request temporary suspension of data processing | Email er.chintanbhatt@gmail.com |
| Lodge Complaint | File with supervisory authority if rights violated | India: MeitY / EU: local DPA |
10. Children's Privacy (COPPA & DISHA Compliance)
- Users under 13 years require verifiable parental consent before registration (COPPA §312.5).
- Users aged 13–17 may register with guardian awareness; parental oversight is facilitated via progress reports.
- We collect only data strictly necessary for the provision of educational services to minors.
- We do not display targeted advertising to users under 18.
- Parental consent records are retained per EVP-CLP-01 §8.
11. Cookies & Tracking
| Cookie Type | Purpose | Retention |
|---|---|---|
| Authentication (Firebase) | Maintain login session | Session / 30 days |
| Preference (sessionStorage) | EUWA consent flag, visitor session dedup | Browser session |
| localStorage (EUWA consent ID) | Bridge two-phase consent linkage per EVP-CLP-01 | Persistent |
We do not use third-party advertising cookies or cross-site tracking pixels. You can clear cookies via your browser settings; this will require re-authentication.
12. International Data Transfers
EduVerse™ data is stored and processed on Google Cloud / Firebase infrastructure which operates globally. For transfers outside the EEA, Google applies Standard Contractual Clauses (SCCs) as an appropriate safeguard under GDPR Art. 46. By accepting the EUWA, you acknowledge and consent to such transfers.
13. Retention & Deletion
| Data Category | Retention Period | Reference |
|---|---|---|
| Active account data | Duration of account | — |
| Consent records (user_consents) | Lifetime of account + 7 years post-termination | EVP-CLP-01 §6.2 |
| Payment references | 7 years (Indian Income Tax Act) | — |
| Deleted account data | Purged within 30 days of deletion request | EVP-DDP-01 |
| Anonymised analytics | Indefinite (no personal identifiers) | — |
14. Policy Updates
We may update this policy periodically. When material changes are made — particularly those affecting data collection scope, purpose, or user rights — users will be notified by email and/or required to re-consent via the EUWA mechanism. The version and effective date are tracked in the Document Control block above.
15. Contact & Grievance Redressal
| Role | Contact |
|---|---|
| Privacy / Data queries | er.chintanbhatt@gmail.com |
| Grievance Officer (IT Act 2011 §5) | Chintankumar Bhatt — er.chintanbhatt@gmail.com |
| Co-Founder | er.csbhatt@gmail.com |
| Platform | EduVerse™ · Mumbai, Maharashtra, India |
We aim to respond to all data rights requests within 30 days of receipt.
Document ID: EVP-PP-01 · Version 1.0 · EduVerse™ · © 2026 All rights reserved.