Privacy Policy — Sthara School OS

1. Introduction

Sthara School OS ("we", "our", or "us") is a cloud-based educational management platform operated in India. We are committed to protecting the personal data of all users — students, teachers, parents, and administrators — in accordance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws.

This Privacy Policy describes how we collect, use, store, and protect personal data when you use our platform. By using Sthara, you consent to the practices described here.

2. Who We Are (Data Fiduciary)

For the purposes of the DPDP Act 2023, Sthara School OS is the Data Fiduciary responsible for determining the purposes and means of processing your personal data. Each registered institution (school) is a separate Data Principal with respect to their students and staff.

📬 Data Protection Contact: privacy@sthara.in

3. Data We Collect

We collect only the minimum data necessary to provide our services:

Category	Data Collected	Purpose
Identity	Name, email address, role (student/teacher/admin)	Account creation & authentication
Educational	Class, subjects, assignment submissions, grades	Core learning management
Biometric-adjacent	Handwritten answer images (uploaded by student)	AI-powered grading only
Wellness	Mood check-in values (anonymous numeric score)	Classroom wellbeing monitoring
Usage	IP address, login timestamps	Security & rate limiting
School Info	School name, city, curriculum, contact	School profile & onboarding

We do NOT collect: Aadhaar numbers, PAN, biometric data, financial information, or any sensitive personal data beyond what is listed above.

4. How We Use Your Data

To provide AI-powered homework grading, tutoring, and quiz generation
To display student progress reports to teachers and parents
To enable teacher-student communication through assignments
To monitor classroom wellness trends (aggregated, not individual)
To secure the platform against unauthorized access
To improve our AI models and service quality (anonymized data only)

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

5. Data of Minors (Children Under 18)

Our platform serves students who may be minors. In compliance with Section 9 of the DPDP Act 2023:

Student accounts are created and managed by the school (the institution acts as guardian)
We do not serve targeted advertising to any users, especially minors
Student data is never used to profile individuals for commercial purposes
Parents can request access to or deletion of their child's data via the school administrator

6. AI Processing & Third-Party Services

Our platform uses the following third-party AI and cloud services:

Service	Provider	Purpose	Data Shared
Gemini AI	Google LLC	Homework grading, tutoring, quiz generation	Assignment text & images (no PII)
Firebase Auth	Google LLC	User authentication	Email, UID
Firestore	Google LLC	Database storage	All structured data
Firebase Storage	Google LLC	Image storage	Submission images
YouTube Data API	Google LLC	Educational video search	Search queries only

Google LLC processes data under their own privacy policy and Data Processing Agreements compliant with international data protection standards. Data is stored in regions that comply with Indian data localization requirements where available.

7. Data Retention

Data Type	Retention Period
Student assignments & grades	Duration of enrollment + 1 year
Student images (submissions)	90 days after grading
Chat/tutor conversations	6 months rolling window
Wellness mood scores	1 academic year
Login/access logs	90 days
School records	Duration of subscription + 2 years

8. Your Rights Under the DPDP Act 2023

As a Data Principal, you have the following rights:

Right to Access: Request a copy of your personal data
Right to Correction: Request correction of inaccurate data
Right to Erasure: Request deletion of your data (subject to legal holds)
Right to Grievance Redressal: Contact our Data Protection Officer
Right to Nominate: Nominate someone to exercise rights on your behalf

To exercise these rights, contact your school administrator or email us at privacy@sthara.in. We will respond within 72 hours.

9. Security

We implement industry-standard security measures including:

Firebase ID token authentication on all API endpoints
Rate limiting to prevent abuse and DDoS attacks
School-level data isolation (multi-tenancy)
HTTPS-only communication
Images stored in Firebase Storage (not as database blobs)
No plaintext password storage (Firebase Auth handles this)

10. Cookies & Session Data

We use a minimal session cookie (__session) to maintain your login state across page navigations. This cookie:

Contains your Firebase ID token
Expires after 1 hour (refreshed on activity)
Is deleted when you sign out
Is not used for tracking or advertising

11. Changes to This Policy

We may update this policy periodically. When we do, we will update the "Last updated" date at the top of this page and notify school administrators via email. Continued use of Sthara after changes constitutes acceptance of the revised policy.

12. Contact & Grievance Officer

Data Protection Officer / Grievance Officer
Sthara School OS
Email: privacy@sthara.in
Response time: Within 72 hours
Escalation: Data Protection Board of India (once operational)