Privacy Policy
Last updated: March 2026
CertifAI Educational Services, operated by DIGIAEON Services Pvt. Ltd. ("CertifAI", "Company", "we", "us", "our"), is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the CertifAI platform (certifaiedu.com) and related services (the "Platform").
This policy is designed to comply with the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act"), the Information Technology Act, 2000 (India), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR").
By accessing or using the Platform, you consent to the collection and processing of your data as described in this policy. This policy should be read in conjunction with our Terms of Service.
1. Overview
1.1. CertifAI acts as a "Data Fiduciary" (as defined under the DPDP Act, 2023) with respect to the personal data collected through the Platform.
1.2. We process personal data only for lawful, specified, and transparent purposes. We collect only the minimum data necessary to provide and improve our services.
1.3. This policy applies to all users of the Platform, including Students, Trainers, Institute Administrators, Parents/Guardians, and website visitors.
2. Personal Data We Collect
We collect the following categories of personal data:
2.1. Information You Provide
- Account Information: Full name, email address, phone number, password (hashed and salted), date of birth (for age verification), and role (student, trainer, parent, institute admin).
- Profile Information: Profile picture (optional), educational background, professional role, and organisation affiliation (if applicable).
- Payment Information: Payment method, transaction ID, order amount, payment status. Note: Credit/debit card details and bank account numbers are processed and stored exclusively by Razorpay and are never stored on CertifAI servers.
- Learning Content: Portfolio entries, journal entries, quiz responses, assessment answers, capstone project submissions, and lab outputs.
- Communication Data: Support emails, feedback, and communications with CertifAI staff.
- Parental Consent Data: Parent/guardian name, email, and consent records for minor users (ages 13-17).
2.2. Information Collected Automatically
- Learning Progress Data: Session completion status, quiz scores, module progress, assessment results, skill badges earned, time spent per session, and overall programme progression.
- AI Interaction Logs: Conversations with the AI Trainer feature, including prompts sent and responses received, for the purpose of improving the educational experience and ensuring safety compliance.
- Device & Technical Data: IP address, browser type and version, operating system, device type, screen resolution, and referring URL.
- Usage Data: Pages visited, features used, click patterns, session duration, and navigation paths.
3. Purpose of Data Collection
We collect and process personal data for the following purposes:
- Service Delivery: To create and manage your account, deliver educational content, track learning progress, administer assessments, and issue certificates.
- Payment Processing: To process payments, issue receipts, manage refunds, and maintain financial records as required by law.
- Personalisation: To provide adaptive learning experiences through the AI Trainer, personalise content recommendations, and tailor the platform experience to your learning pace and style.
- Assessment & Certification: To evaluate quiz responses, grade portfolio entries and capstone projects (including AI-assisted grading), verify academic integrity, and issue verifiable certificates.
- Communication: To send transactional emails (registration confirmation, payment receipts, assessment results), educational notifications (session reminders, progress updates), and support correspondence.
- Platform Improvement: To analyse usage patterns, identify technical issues, improve content quality, enhance AI features, and develop new functionality.
- Safety & Compliance: To detect and prevent fraud, enforce our Terms of Service, ensure academic integrity, comply with legal obligations, and protect the rights and safety of users.
- Certificate Verification: To maintain a public verification system that allows third parties (employers, institutions) to verify the authenticity and validity of CertifAI certificates.
4. Legal Basis for Processing
We process your personal data on the following legal bases:
- Consent: You provide explicit consent when creating your account and agreeing to this policy. For minors (ages 13-17), verifiable parental consent is obtained as required under the DPDP Act, 2023.
- Contractual Necessity: Processing necessary to perform our contract with you (the Terms of Service), including delivering educational content, processing payments, and issuing certificates.
- Legitimate Interest: Processing necessary for our legitimate business interests, such as platform improvement, fraud prevention, and analytics, where such interests are not overridden by your rights.
- Legal Obligation: Processing necessary to comply with applicable laws, including Indian tax regulations, the IT Act 2000, and the DPDP Act 2023.
5. Data Sharing & Third Parties
5.1. We do not sell your personal data. We will never sell, rent, or trade your personal information to third parties for marketing purposes.
5.2. We share data with the following categories of third-party service providers ("Data Processors") who assist us in operating the Platform:
- Razorpay Software Pvt. Ltd. (Payment Processing): Receives payment-related data (name, email, payment method, transaction amount) to process payments securely. Razorpay is a PCI DSS-compliant, RBI-licensed payment aggregator. Razorpay's privacy policy governs their handling of payment data.
- Brevo (Sendinblue) (Email Services): Receives email addresses and names to deliver transactional emails (registration confirmation, payment receipts, assessment results, password resets) and educational notifications.
- OpenAI / Anthropic (Claude) (AI Features): Receives anonymised or pseudonymised learning interaction data to power AI Trainer conversations and AI-assisted grading. We minimise personal identifiers sent to AI providers and rely on session-based tokens where possible.
- Amazon Web Services (AWS) (Cloud Infrastructure): Hosts the Platform infrastructure and stores data. We use AWS India Region (ap-south-1, Mumbai) as the primary data storage location.
5.3. All third-party service providers are bound by data processing agreements that require them to process your data only as instructed by CertifAI and to implement appropriate security measures.
5.4. We may disclose your data if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of CertifAI, its users, or the public.
5.5. In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this policy. You will be notified of any such transfer.
5.6. For Institute and School accounts: limited student progress data (session completion, quiz scores, assessment results, certificates earned) may be shared with the associated Institute/School administrators and assigned Trainers as necessary for programme delivery.
7. Data Storage & Security
7.1. Primary Storage: Your personal data is stored on Amazon Web Services (AWS) servers located in the India region (ap-south-1, Mumbai), ensuring that data primarily resides within India.
7.2. Database Security: Data is stored in encrypted databases with access restricted to authorised personnel and systems only.
7.3. Backups: Regular automated backups are maintained to prevent data loss. Backup data is subject to the same security controls as primary data.
7.4. Encryption: All data in transit is encrypted using TLS 1.2 or higher (HTTPS). Sensitive data at rest is encrypted using AES-256 or equivalent standards.
8. Data Retention Periods
We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy, or as required by law:
| Data Category | Retention Period |
|---|---|
| Account & profile data | While account is active |
| Learning progress & assessment records | While account is active + 5 years archive |
| Portfolio & capstone submissions | While account is active + 5 years archive |
| Certificate & verification data | Certificate validity period + 5 years |
| Payment & transaction records | 8 years (Indian tax law compliance) |
| AI Trainer interaction logs | While account is active + 2 years |
| Support correspondence | 3 years from resolution |
| Analytics & usage data | Aggregated and anonymised after 2 years |
| Parental consent records | Until child reaches 18 + 2 years |
After the retention period expires, data is securely deleted or irreversibly anonymised.
9. Your Rights
Under the DPDP Act, 2023, and applicable data protection laws, you have the following rights:
- Right to Access: You may request a summary of the personal data we hold about you and the processing activities performed on it.
- Right to Correction: You may request correction or update of inaccurate or incomplete personal data. You can update most information directly through your account settings.
- Right to Erasure: You may request deletion of your personal data, subject to legal retention requirements and legitimate business needs (such as certificate verification records and financial records).
- Right to Data Portability: You may request a copy of your personal data in a structured, commonly used, machine-readable format. This includes your learning progress, portfolio entries, and assessment results.
- Right to Withdraw Consent: You may withdraw your consent for data processing at any time. Withdrawal of consent does not affect the lawfulness of processing performed before the withdrawal. Note that withdrawing consent may result in loss of access to certain Platform features or the Platform entirely.
- Right to Grievance Redressal: You have the right to lodge a complaint with the Data Protection Board of India established under the DPDP Act, 2023, if you believe your data has been processed in violation of applicable law.
- Right to Nominate: Under the DPDP Act, you have the right to nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any of these rights, please contact our Data Protection Officer at support@certifaiedu.com with the subject line "Data Rights Request". We will respond to your request within 30 days.
10. Children's Privacy
10.1. The Platform is not intended for children under the age of 13. We do not knowingly collect personal data from children under 13. If we discover that we have inadvertently collected data from a child under 13, we will promptly delete it.
10.2. For users aged 13 to 17, verifiable parental or guardian consent is required before account creation, as mandated by the DPDP Act, 2023.
10.3. Parents/guardians can create a parent account on the Platform to provide consent, monitor their child's progress, and manage their child's data.
10.4. Parents/guardians have the right to review the personal data collected from their child, request correction or deletion, and withdraw consent at any time.
10.5. We implement additional safeguards for minor users, including restricted AI Trainer interaction modes and content filtering, in compliance with applicable child safety regulations.
10.6. School Mode delivery follows additional data minimisation protocols, collecting only the data strictly necessary for educational delivery within the school environment.
11. Security Measures
We implement comprehensive technical and organisational measures to protect your personal data:
- Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher.
- Encryption at Rest: Sensitive data stored in our databases is encrypted using AES-256 or equivalent standards.
- Password Hashing: User passwords are hashed using bcrypt with salt, ensuring that plaintext passwords are never stored.
- Access Controls: Role-based access control (RBAC) ensures that only authorised personnel can access user data, based on the principle of least privilege.
- CAPTCHA Protection: Authentication endpoints are protected with CAPTCHA to prevent automated attacks.
- Rate Limiting: API rate limiting is implemented to prevent brute-force attacks and abuse.
- Regular Security Audits: We conduct periodic security assessments and vulnerability testing of our systems.
- Secure Development Practices: Our development team follows secure coding practices, including input validation, parameterised queries, and protection against common vulnerabilities (OWASP Top 10).
While we strive to protect your personal data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
12. Breach Notification
12.1. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, CertifAI will notify the Data Protection Board of India within 72 hours of becoming aware of the breach, as required by the DPDP Act, 2023.
12.2. We will also notify affected users without undue delay, providing information about the nature of the breach, the data affected, the likely consequences, and the measures taken to address the breach.
12.3. We maintain an incident response plan to quickly detect, contain, and remediate data breaches.
13. Cross-Border Data Transfers
13.1. CertifAI Educational Services is operated by DIGIAEON Services Pvt. Ltd., headquartered in Dubai, UAE. Certain operational data may be transferred to the UAE for company administration and management purposes.
13.2. Primary user data storage remains in India (AWS Mumbai region). Cross-border transfers are limited to operational necessities and are conducted in compliance with the DPDP Act, 2023, which permits transfers to jurisdictions not restricted by the Central Government of India.
13.3. Data shared with third-party service providers (such as Razorpay, Brevo, OpenAI, Anthropic) may be processed in jurisdictions outside India. We ensure that appropriate contractual safeguards are in place to protect your data.
13.4. For users located in the European Economic Area (EEA), we ensure that cross-border transfers are conducted in compliance with GDPR requirements, using Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
14. Data Protection Officer
CertifAI has designated a Data Protection Officer (DPO) responsible for overseeing data protection strategy and compliance. You may contact our DPO for any privacy-related inquiries or concerns:
- Data Protection Officer
- CertifAI Educational Services
- Email: support@certifaiedu.com
- Subject line: "DPO — [Your Query]"
15. GDPR Compliance (International Users)
15.1. While CertifAI primarily serves the Indian market, we recognise the rights of users located in the European Economic Area (EEA), United Kingdom, and other jurisdictions with comprehensive data protection laws.
15.2. For users subject to the GDPR, the following additional rights apply:
- Right to Restriction of Processing: You may request restriction of processing in certain circumstances, such as when you contest the accuracy of the data or object to processing based on legitimate interest.
- Right to Object: You may object to processing based on legitimate interest or for direct marketing purposes.
- Automated Decision-Making: Where automated processing (including AI-assisted grading) produces legally significant effects, you have the right to request human review of the decision.
- Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.
15.3. For GDPR-specific requests, please contact support@certifaiedu.com with the subject line "GDPR Request".
16. Updates to This Policy
16.1. We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by email and/or through a prominent notice on the Platform at least 30 days before the changes take effect.
16.2. Your continued use of the Platform after the updated policy becomes effective constitutes your acceptance of the changes. If you do not agree to the updated policy, you should discontinue use of the Platform and contact us to delete your account.
16.3. The "Last updated" date at the top of this policy indicates the most recent revision date.
17. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
CertifAI Educational Services
Operated by DIGIAEON Services Pvt. Ltd.
Dubai, UAE
Email: support@certifaiedu.com
Website: certifaiedu.com
Data Protection Officer available at the same email address. Use subject line "DPO" for data protection queries.