For schools, parents, and students

Privacy Policy

STAT is built for children. That single fact shapes every decision on this page. We collect the smallest amount of data needed to deliver the educational service, we never sell or share it for advertising, and we give parents and schools the controls they expect under Indian law.

Effective 02 May 2026
Last updated 02 May 2026
Version 1.0
Data Fiduciary Tristack Technologies LLP

1. Scope & who this covers

This Privacy Policy applies to STAT — the Smart Test & Adaptive Training platform delivered at statedutech.com, on each school's subdomain (e.g. your-school.statedutech.com), and through the STAT Android application (including white-label school builds). It governs personal data of:

  • Students enrolled at a school that uses STAT (institutional users).
  • Parents and guardians linked to a student account, and parents who self-enrol via the Sankalp parent flavour.
  • Teachers, principals, and administrative staff at partner schools.
  • Visitors to our public marketing site.

This policy is read alongside the Terms of Service and (for paid users) the Refund Policy. Where a school has signed a separate Master Services Agreement (MSA) or Data Processing Addendum (DPA) with Tristack Technologies LLP, that document prevails over this policy to the extent of any conflict, but never to a level lower than what Indian law requires.

2. Who is responsible

The Data Fiduciary (the entity that decides why and how personal data is processed, as defined under §2(i) of the Digital Personal Data Protection Act, 2023) is:

Data Fiduciary
Tristack Technologies LLP
Registered office: India
Email: privacy@tristack.tech
Grievance: grievance@tristack.tech

When STAT is delivered to a student through their school, the school is a joint Data Fiduciary for the institutional data of its students, teachers, and staff. The school determines which classes, subjects, and timeline are activated and which teachers and students have accounts. Tristack acts as the technical operator and processes that data only to deliver the service.

3. What we collect

We collect only what is necessary to operate the platform. Categories are listed below.

From the school (institutional onboarding)

  • School name, board (CBSE / ICSE / State), city, primary contact, billing address, GSTIN.
  • Class structure (grade, section, stream), academic year.
  • Curriculum activations (which CBSE/ICSE/State topics are scheduled per week).

From students (created by the school or, in Sankalp, by a parent)

  • Name, school-issued email, class enrolment, optional phone number.
  • Quiz attempts: questions seen, answers selected, time taken, score, correctness per question.
  • Topic-level performance: average score per topic, weak-topic flags (avg < 65%).
  • Streak: number of consecutive days a quiz was taken.
  • Optional uploads by the teacher, not by the student: PDFs, images, or notes used to generate quizzes.

From parents

  • Name, email, phone (for account creation and parent-report delivery).
  • Linked-child relationship (parent-student link record).
  • For paid Sankalp top-ups: payment metadata received from Razorpay (order ID, payment ID, amount, status). We do not see card numbers, UPI handles, or netbanking credentials.

From teachers and principals

  • Name, email, role, class-subject assignments.
  • Quizzes created, topics uploaded, parent reports generated.

Automatically, from any logged-in user

  • Authentication session (a signed JWT cookie containing user ID, role, school ID).
  • IP address, user-agent, and approximate region — used for security, abuse prevention, and to surface the correct school subdomain.
  • Theme preference (a single first-party cookie, stat-theme).

We do not collect: precise GPS location, device contacts, microphone or camera streams (the Android app uses camera only when the user explicitly attaches an image to a teacher upload), social graph, browsing history, or any biometric data.

4. Why we collect it

Each category above maps to a specific purpose:

Data category | Purpose | Retention horizon
Account identifiers (name, email, role) | Authentication, role-based access control, in-product communication | Active subscription + 24 months
Quiz attempts & scores | Show feedback to the student, compute weak topics, leaderboards, parent reports | Academic year + 24 months
Teacher uploads (PDF/image) | Single AI generation pass; not retained beyond inference | Discarded after question generation completes (within 24 hours)
Payment metadata | Receipts, refunds, statutory accounting | 8 years (Indian Income Tax Act & Companies Act)
Server & security logs | Abuse detection, debugging, fraud prevention | 30 days for raw logs; 90 days for aggregates
Aggregate, de-identified analytics | Product improvement, capacity planning | Indefinite (no individual is identifiable)

5. Lawful basis & consent

Under §6 and §7 of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), we process personal data on one of the following grounds:

  • Consent (DPDP §6) — for self-signup (Sankalp), parent communications, and any optional features.
  • Performance of an instrument — when the school, acting on the principal's instruction, creates accounts for its students and staff to deliver classroom learning. The institutional onboarding letter or MSA evidences this.
  • Compliance with law — for tax invoices, statutory record-keeping, and lawful demands from authorities.
  • Legitimate interest — for security, fraud prevention, and debugging, exercised only to the extent it does not override the data principal's rights.

6. Children's data & parental consent

STAT is designed for K-12 learners — most users are below 18. §9 of the DPDP Act and the IT (Reasonable Security Practices) Rules require special care for children's data. We comply by treating every account where the student is below the age of 18 as a child account, and by following these structural rules:

  • Verifiable parental consent is required for the Sankalp self-signup flow before any child data can be created. The parent (account holder) is the consenting adult; their consent is captured at signup and re-confirmed when a paid top-up is purchased.
  • For institutional accounts, the school holds the consenting authority delegated by the parent at the time of enrolment with the school. Schools are required, by our MSA, to obtain parental consent for STAT during the student's annual enrolment.
  • No tracking for advertising. We do not show ads. We do not run any third-party advertising or analytics SDKs. We do not build behavioural profiles for marketing.
  • No public profile. A student's name, scores, and quiz history are visible only to: the student, the student's teachers and principal (within the same school), and the linked parent. Leaderboards display name and score within the student's class only.
  • No data monetisation. We do not sell, rent, or share child data with any third party for any commercial purpose unrelated to delivering the service.
  • Right to be forgotten. A parent (or the student, on attaining majority) may request full deletion at any time; see §11.

7. Who we share data with

We use a small, audited set of Data Processors (sub-processors). Each one operates under a contract that requires confidentiality, equivalent or stronger security controls, and use of personal data only for the specific function below.

Sub-processor | Function | Location
Anthropic, PBC | AI question generation and parent-report drafting (Claude API) | United States
Neon, Inc. | Managed PostgreSQL database | India / Singapore region (primary), US for backups
Vercel, Inc. | Application hosting and edge delivery | India PoP for primary, US for fallback
Razorpay Software Pvt. Ltd. | Payment processing (Sankalp top-ups; school invoices) | India
Google LLC (Fonts only) | Web font delivery | Global CDN; no PII

We do not use Google Analytics, Facebook Pixel, advertising trackers, error-tracking SDKs that record session replay, or any third-party data brokers. The platform does not embed any tracking beacons.

We will disclose data only when compelled by a lawful written demand from an Indian authority of competent jurisdiction, and only the specific records required. Where we are not legally barred from doing so, we will notify the affected school or parent.

8. How AI is used

STAT generates quiz questions and parent reports using Claude (Anthropic). When a teacher creates a quiz:

  • We send Claude the topic name, subject, grade, curriculum scope (chapter/topic/subtopic/keywords), and — if the teacher attaches one — the uploaded PDF or image.
  • We do not send: the student's name, the school's name, or any other identifier of any individual.
  • Anthropic processes the request to return generated questions and does not retain the prompt or response for model training, per our agreement with them.
  • For parent reports, we send the student's first name, the subject, grade, and the recent quiz scores. The first name is necessary because the report is addressed to the parent. No email, phone, or unique identifier is sent.

AI-generated questions are checked for structural validity (exactly 4 options, valid correct index, required fields) before being shown to a student. We log only failures (input summary + error) for debugging — never successful prompts or outputs.

9. Cross-border transfer

The Central Government of India, by notification under §16 of the DPDP Act, may from time to time restrict transfer of personal data to specified countries. As of the effective date above, no such restriction applies to our sub-processors. Where personal data is processed outside India (currently: the United States, by Anthropic, Vercel, and Neon for limited backup workloads), the data is protected by:

  • Contractual obligations equivalent to India's standard, including confidentiality, purpose limitation, and notification of any compelled disclosure.
  • Encryption in transit (TLS 1.3) and at rest (AES-256 or stronger).
  • The minimum data set described in §8 — never broader.

If the Government of India issues a transfer restriction, we will adjust the architecture (e.g. region pinning, on-shore inference) within the timeline mandated by the notification and notify schools.

10. Retention & deletion

Retention horizons are listed in §4. In addition to those defaults:

  • School off-boarding. When a school's subscription terminates, the principal receives a complete export (CSV/JSON) of all institutional data within 30 days of termination. We then delete the data from production within 60 days. Backups containing the data age out within an additional 90 days. Within those windows the data remains read-only and accessible only on the school's written request.
  • Sankalp parent off-boarding. A parent who deletes their account triggers immediate deletion of the child's quiz history, parent-report content, streak, and topic-score records. Account email is retained for 12 months for fraud prevention against the same email re-registering, then permanently anonymised.
  • Statutory retention. Tax invoices and payment records are retained for 8 years as required by the Income Tax Act, 1961 and the Companies Act, 2013. These records do not include quiz answers or score data.
  • Aggregate analytics. Once data is irreversibly de-identified (no individual can be re-linked), it may be retained indefinitely for product analytics and research.

11. Your rights as a Data Principal

Sections 11–14 of the DPDP Act give you the following rights. You can exercise any of them by emailing the Grievance Officer (§16) — there is no charge for the first request in a 12-month period.

  • Right to access (§11). A summary of the personal data we hold about you, the purposes for which it is processed, and the sub-processors that have received it.
  • Right to correction (§12). Correction of inaccurate or out-of-date data. For institutional accounts, name and email corrections are normally made by the school administrator; we will assist if the school is unresponsive.
  • Right to erasure (§12). Deletion of your data, subject to retention required by law and to the school's legitimate institutional interest while you remain enrolled.
  • Right to grievance (§13). Lodge a grievance with the Grievance Officer; if the response is unsatisfactory, you may approach the Data Protection Board of India under §27.
  • Right to nominate (§14). Nominate another individual to exercise your rights in case of incapacity or death.
  • Right to withdraw consent. Where processing is based on consent, you may withdraw it at any time. Withdrawal does not affect lawful processing already done.
  • Right to data portability. Receive your quiz history and topic scores in a machine-readable format (JSON).

For students below the age of 18, these rights are exercised by the parent or lawful guardian. On the student's 18th birthday, full rights transfer to the student.

12. Security

We follow the industry standards expected of an Indian SaaS platform:

  • In transit: TLS 1.3 on all endpoints. HSTS enforced. No HTTP fallback.
  • At rest: Database is encrypted by Neon using AES-256. Application secrets are stored in Vercel encrypted environment variables, never in source control.
  • Multi-tenant isolation: Every query in the platform is filtered by schoolId at the application layer; no cross-tenant query path exists.
  • Authentication: Email + password. Passwords are hashed with bcrypt (cost factor 10+). Sessions are short-lived signed JWTs (7 days, stored in HttpOnly, Secure, SameSite=Lax cookies).
  • Access control: Five roles — admin, principal, teacher, student, parent — each with strictly scoped API permissions. Principals can only manage users in their own school; teachers can only see students in classes they are assigned to.
  • Payment data: We never store card numbers, CVVs, UPI handles, or netbanking credentials. All payment capture is delegated to Razorpay, which is PCI-DSS certified.
  • Vulnerability handling: We accept responsible-disclosure reports at security@tristack.tech. We aim to acknowledge within 2 business days and resolve critical issues within 14 days.

13. Cookies & tracking

STAT uses only first-party cookies, all of which are strictly necessary or functional:

Cookie | Purpose | Duration
next-auth.session-token (HttpOnly) | Authentication session (signed JWT) | 7 days
school-subdomain | Routes the user to the correct tenant in dev environments | 1 day
stat-theme | Stores chosen visual theme | 1 year

We do not use any cookies or storage for advertising, retargeting, cross-site tracking, A/B testing of minors, or behavioural analytics.

14. Breach notification

In the event of a personal-data breach, we will notify the Data Protection Board of India and each affected Data Principal in the form and manner required under §8(6) of the DPDP Act and the rules made thereunder, without undue delay and in any case within 72 hours of confirmation of the breach. The notification will describe: (i) the nature of the breach, (ii) the categories and approximate number of records affected, (iii) the likely consequences, (iv) the measures taken or proposed, and (v) contact details for further information.

15. Changes to this policy

We will revise this policy when our practices change or when the law changes. The current version and a dated changelog are always available at this URL. Material changes — for example, the addition of a new sub-processor or a new category of data — will be notified by email to school administrators and Sankalp parents at least 30 days before they take effect. Continued use of STAT after a notified change constitutes acceptance of the revised policy.

16. Grievance Officer & contact

As required by §10 of the DPDP Act and Rule 5(9) of the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, we have appointed a Grievance Officer.

Grievance Officer
Name: The Designated Grievance Officer, Tristack Technologies LLP
Privacy queries: privacy@tristack.tech
Security disclosures: security@tristack.tech
Postal: Tristack Technologies LLP, India (full registered address available on request)
Response SLA: Acknowledgement within 7 days; substantive response within 30 days, in line with §13(2) DPDP Act.

If our response does not resolve your concern, you may approach the Data Protection Board of India under §27 of the DPDP Act, or any consumer forum of competent jurisdiction in India.