Legal

Privacy policy.

Last updated: 17 May 2026 · Aligned with the Digital Personal Data Protection Act 2023, the IT Act 2000, and the SPDI Rules 2011.

This policy explains what personal data Edudron Technologies Pvt. Ltd. (“Edudron”, “we”, “us”) collects, why we collect it, how long we keep it, and the rights you have over it. It applies to edudron.com, the Edudron mobile applications, and the institute-hosted instances we operate on behalf of educational institutions.

Edudron is the Data Fiduciary for personal data of individual learners who sign up directly with us. For students enrolled through an institute, the institute is the Data Fiduciary and Edudron is a Data Processor; the institute’s own privacy policy governs that processing.

At a glance

The table below summarises what we collect, why, how long, and who sees it. The detailed sections below are authoritative; this is a navigation aid, not a substitute.

What | Why | How long | Who sees it
Account & identity | Run the service | Account life + 24 months | You, your institute, Edudron staff
Course progress | Deliver courses, issue certificates | 7 years | You, your institute, employers you choose
Payment records | Bill, account, tax | 8 years | You, your institute, Razorpay, tax authorities
Technical logs | Security, reliability | 90 days | Edudron security & SRE
Cookies (essential) | Sign-in, security | Session – 12 months | Your browser only

1. Who this policy applies to

In short. If you signed up yourself, we are the Data Fiduciary. If your institute enrolled you, they are the Data Fiduciary and we are their Data Processor.

Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), a Data Principal is the individual to whom personal data relates — that is, you. A Data Fiduciary is the entity that decides why and how personal data is processed. A Data Processor processes personal data on behalf of a Data Fiduciary, under a written contract.

  • Direct sign-ups (e.g. an individual learner who creates an account on edudron.com): Edudron is the Data Fiduciary.
  • Institute-enrolled students, faculty, and staff: the institute is the Data Fiduciary; Edudron is the Data Processor. For requests relating to your data, you may approach either party — we will route as appropriate.
  • Prospective customers, applicants, and website visitors: Edudron is the Data Fiduciary for the limited data you submit to us (e.g. contact forms, newsletter sign-ups).

2. What we collect

In short. We collect what we need to run a learning platform — account details, course progress, payments — plus essential technical data. No advertising IDs, no precise location, no biometrics.

2.1 Account data

  • Name, email address, phone number, date of birth
  • Institute affiliation, programme, batch, and section (where applicable)
  • Profile photograph, if you choose to upload one
  • Password hash (we never store plain-text passwords; we use Argon2id)

2.2 Course-progress data

  • Enrolments, lecture-completion timestamps, quiz attempts, and assessment scores
  • Coding-sandbox submissions, project artefacts you upload, viva recordings
  • Certificates issued and their cryptographic verification hashes
  • Faculty feedback comments and rubric scores

2.3 Payment data

  • For institute fee collection we use Razorpay as our payment processor. Edudron does not store full card numbers, CVVs, or banking credentials. We retain the transaction ID, amount, status, GST invoice metadata, and the last four digits of the instrument used.
  • Razorpay’s own privacy policy governs the card / UPI / netbanking data they process: razorpay.com/privacy.

2.4 Technical & device data

  • IP address (truncated after 30 days), browser and OS version, device model
  • Error reports and performance traces via Sentry (anonymised device IDs)
  • Product-usage events (e.g. “assignment opened”, “quiz submitted”) — first-party only, no third-party advertising trackers

2.5 Job-portal data

  • Profile information you publish to the job portal (CV, skills, projects), applications submitted, employer messages received
  • Interview status, offer letters issued through the platform, and the institute’s placement-cell visibility flags

2.6 Cookies & similar technologies

We use the following categories of cookies and local storage:

  • Strictly necessary — session ID, CSRF token, sign-in state. Cannot be disabled; the service does not function without them.
  • Functional — language preference, theme, last-visited course. Lifetime 12 months.
  • Analytics (first-party) — aggregated usage of features. We do not share this with third-party analytics or advertising providers. Signed-in users can opt out from Settings → Privacy inside the Edudron app; everyone else can write to privacy@edudron.com.

We do not use third-party advertising cookies, social-media tracking pixels, or cross-site retargeting.

2.7 Communications with us

  • Support tickets and the email correspondence attached to them
  • Onboarding-call recordings, only with the explicit consent of every participant
  • Survey and feedback responses, with the option to respond anonymously

2.8 Data we deliberately do not collect

  • Biometric data (face, fingerprint, iris)
  • Precise geolocation; we infer city-level location only from IP for security alerts
  • Advertising identifiers (IDFA / AAID)
  • Sensitive personal data under SPDI Rules 2011 — passwords (only as hashes), financial information beyond what Razorpay returns, physical/medical health, sexual orientation, biometric or genetic data

3. Lawful basis for processing (DPDP §7)

In short. Most of what we do is “legitimate use” under DPDP §7 — you signed up for a service and we’re running it. Marketing and optional features require your explicit consent, which you can withdraw anytime.

Data category | Lawful basis
Account, course progress, certificates | Performance of the user’s account / institute agreement (DPDP §7(a))
Payment records, tax invoices | Compliance with legal obligation (GST Act, Income Tax Act, Companies Act)
Security telemetry, fraud detection | Legitimate use — to maintain a safe service (DPDP §7(g))
Marketing newsletters, product updates | Free, specific, informed consent — opt-in; withdrawable
Onboarding-call recordings | Consent of all participants, before recording starts
Children & minors (under 18) | Verifiable consent of a parent or lawful guardian (DPDP §9)

4. Why we process it

We process personal data only for the following specific, lawful purposes:

  • To provide the service — delivering courses, recording progress, issuing certificates, matching candidates to roles, hosting institute administration workflows.
  • To bill and account — generating invoices, processing institute payments, complying with GST and Income Tax obligations, producing audit trails.
  • To secure the platform — detecting fraud, abuse, brute-force log-ins, unauthorised access, and CSAM uploads.
  • To improve Edudron — aggregated, de-identified usage analytics. We do not train AI models on identifiable student content without an institute’s explicit, written instruction (see §5).
  • To communicate with you — service emails (mandatory: password resets, security notices, billing); product newsletters (consent-based, with one-click unsubscribe).
  • To comply with law — responding to valid Indian legal process, tax filings, and regulatory inquiries.

5. AI, machine learning & automated processing

In short. Faculty decide. AI assists. We never train models on a student’s identifiable content without the institute’s written instruction, and no consequential academic decision is made by AI alone.

5.1 What we use AI for

  • Course-outline drafts and lesson-plan suggestions for faculty to edit
  • Auto-grading multiple-choice and coding questions against a published rubric
  • Plagiarism similarity checks
  • Search and recommendations within a learner’s own enrolled courses

5.2 What we do not do

  • We do not train foundation models on identifiable student work, submissions, or recordings.
  • We do not make solely-automated decisions that materially affect a student’s academic standing (e.g. final grade, certification, expulsion). A human faculty member must review and sign off.
  • We do not share student content with third-party AI providers without the institute’s data-processing agreement in place. Our default AI provider is Azure OpenAI with data residency in India.

5.3 Your AI rights

You can request a human review of any AI-influenced output (e.g. a coding auto-grade) by contacting privacy@edudron.com or your institute’s academic coordinator.

6. Children & minors

In short. For users under 18 we require verifiable parental or guardian consent and we do not run behavioural profiling or targeted advertising. We never run targeted advertising to anyone.

DPDP §9 imposes additional duties on Data Fiduciaries processing the personal data of children (defined as individuals under 18) and persons with disabilities who have a lawful guardian. Edudron applies these duties as follows:

  • Verifiable consent — at sign-up, the parent or lawful guardian is the consenting party. We verify via a one-time code sent to a guardian-provided phone or email; for institute-enrolled minors, the institute attests it has obtained guardian consent.
  • No behavioural tracking — we do not build behavioural profiles of minors, do not run targeted advertising of any kind, and do not allow third parties to do so via our platform.
  • No tracking-based features — recommendation systems for minors are limited to content the student or their faculty has selected.
  • Easier deletion — a minor (or their guardian) can request immediate deletion of optional content (profile photo, recordings, free-text reflections). Academic records subject to the 7-year retention obligation are retained but locked from marketing-style use.

7. How we secure your data

In short. TLS 1.2+ everywhere, AES-256 at rest, role-based access, MFA for staff, annual VAPT, breach notification within 72 hours.

  • Encryption in transit — TLS 1.2 minimum (1.3 preferred) for all public endpoints, mTLS between internal services.
  • Encryption at rest — AES-256 for the primary database, customer-uploaded files, and database backups.
  • Access control — role-based access with least-privilege defaults, quarterly access reviews, mandatory MFA for all Edudron staff and contractors with any production access.
  • Audit logs — every administrative action against learner data is logged and retained for 18 months.
  • Vulnerability management — annual third-party VAPT, continuous dependency scanning (Snyk), and a public security disclosure programme (security@edudron.com).
  • Compliance trajectory — ISO 27001 audit scheduled for FY2026–27. SOC 2 Type II for the platform tenant under planning.
  • Incident response — confirmed personal-data breaches are reported to the Data Protection Board of India and the affected Data Principals within 72 hours of confirmation, per DPDP §8(6).

Full details: see our security page.

8. How long we keep it

Retention is purpose-bound. We delete or anonymise data once its lawful purpose ends.

  • Account data: for as long as your account is active, plus 24 months after closure — to handle audit, billing disputes, and certificate-verification requests from employers.
  • Course progress & certificates: 7 years from the date the certificate is issued, in line with NAAC accreditation and AICTE record-keeping norms, so transcripts and certificate verifications remain available.
  • Payment data: 8 years from the financial-year end, per the Income Tax Act and the Companies Act.
  • Technical logs: 90 days, then deleted. IP addresses are truncated to /24 after 30 days.
  • Support tickets: 3 years after closure, then anonymised and aggregated for training and quality review.
  • Marketing communications opt-in: until you withdraw consent.
  • Onboarding-call recordings: 12 months, then deleted automatically.

9. Sharing & sub-processors

In short. We share data only with your institute, employers you choose, and a short list of operational vendors below. We do not sell personal data.

We share personal data only with:

  • The institute you are enrolled with, where you are a student of theirs.
  • Employers, only for profile information you have explicitly published to the job portal, and only after you apply to a role.
  • Law enforcement or regulators, only when compelled by a valid Indian legal process.

We use the following sub-processors. Each is bound by a written data-processing agreement and processes data only on our documented instructions.

Sub-processor | Purpose | Data shared | Region
Microsoft Azure | Hosting, primary database, file storage | All platform data | Central India, South India
Razorpay | Payment processing | Name, email, phone, payment instrument | India
SendGrid (Twilio) | Transactional email | Email address, message content | US (with EU sub-processors)
Twilio | OTP / SMS (sign-in & alerts) | Phone number, OTP code | India (Mumbai)
Sentry | Error & performance monitoring | Anonymised device IDs, error traces | Frankfurt, EU
Cloudflare | CDN, DDoS protection, WAF | IP address, request metadata | Edge (Indian PoPs preferred)
Azure OpenAI | AI authoring & auto-grading | Prompts and responses — no model training | India

We notify institute administrators at least 30 days before adding or replacing a sub-processor with access to student data.

We do not sell personal data. We do not share it with advertising networks.

10. Cross-border transfer

All personal data is stored primarily in Microsoft Azure’s Central India and South India regions. Limited operational telemetry may be processed by Sentry’s Frankfurt region and SendGrid’s US infrastructure for the narrow purposes set out in §9; this data contains no student academic content.

Per DPDP §16, the Central Government may restrict transfers to specified countries. Edudron monitors these notifications and will update sub-processor regions as required.

11. Your rights under DPDP 2023

As a Data Principal, you have the rights set out in Chapter III of the DPDP Act:

  • Right to information (§11) — a summary of the personal data we process about you and the processing activities.
  • Right to correction & erasure (§12) — correct inaccurate or incomplete data; erase data once the purpose has ended, subject to the retention obligations in §8 of this policy.
  • Right to grievance redressal (§13) — see §13 below.
  • Right to nominate (§14) — nominate an individual to exercise your rights in case of death or incapacity.
  • Right to withdraw consent — for processing that relies on consent (e.g. marketing). Withdrawal does not affect lawful processing before withdrawal.

To exercise any of these rights, write to privacy@edudron.com from the email address registered on your account, or use our contact form. We respond within 30 days. There is no charge for a reasonable first request; we may charge a nominal fee for repeated or manifestly excessive requests.

If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India through its official channels (once notified by the Central Government under DPDP §18).

12. Users outside India

In short. Edudron is built for Indian institutes and Indian law governs. If you’re using Edudron from outside India, you still have rights — write to us and we’ll honour them in good faith.

Edudron operates primarily under Indian law. If you access Edudron from outside India:

  • You may still exercise access, correction, deletion, and consent-withdrawal rights via privacy@edudron.com.
  • For users in the EEA / UK, the legal bases set out in §3 broadly correspond to the GDPR bases of contract, legal obligation, legitimate interests, and consent. We do not have a GDPR Article 27 representative; please contact us directly.
  • Your data is transferred to and stored in India. By using Edudron from outside India you acknowledge this transfer. We protect it with the technical and organisational measures described in §7.
  • Disputes are governed by the laws of India and subject to the jurisdiction of the courts of Bengaluru.

13. Grievance officer

In accordance with the DPDP Act 2023 (§13) and the Information Technology Act 2000, our Grievance Officer is:

Ms. Priya Sharma
Grievance Officer, Edudron Technologies Pvt. Ltd.
14, 100 Feet Road, Indiranagar, Bengaluru — 560 038
Email: grievance@edudron.com
Response SLA: 7 working days · Resolution SLA: 30 days

Our Data Protection Officer can be reached at dpo@edudron.com for questions involving substantial volumes of data or institute-level processing decisions.

14. Changes to this policy

We will notify registered users by email at least 14 days before any material change. Material changes include new sub-processors with access to student data, new categories of personal data collected, new purposes of processing, or changes to retention. The “last updated” date at the top of this page always reflects the current version, and we maintain a public change log of prior versions on request.

15. Contact

General privacy queries: privacy@edudron.com. Data Protection Officer: dpo@edudron.com. Security disclosures: security@edudron.com.

We’re happy to answer questions in English, Hindi, Tamil, or Kannada. See also our terms and security pages.