Privacy & Data Protection

    Privacy Policy

    How GYANAMA collects, uses, stores, shares, and protects information across our website, web dashboard, and Android application.

    Effective May 4, 2026 · ARCOS Technologies Private Limited · India

    This Privacy Policy describes how ARCOS Technologies Private Limited, operator of the GYANAMA brand (“GYANAMA”, “we”, “us”, or “our”), handles personal information when you use the GYANAMA website at https://gyanama.com, our school management dashboard, and the “Gyanama” Android mobile application (collectively, the “Services”). We are based in India and currently serve schools and users located in India only. By using the Services, you agree to the practices described below.

    1. Who We Are

    GYANAMA is an AI-powered school management platform built for K-12 schools in India. The Services are owned and operated by ARCOS Technologies Private Limited, a company incorporated in India with its registered office at 04, Block C, Sector 63 (near Sector 62 Metro), Noida — 201309, Uttar Pradesh, India. The Services are intended to be used by school administrators, principals, teachers, non-teaching staff, students, and the parents or legal guardians of those students, on behalf of and under the authority of the school that subscribes to GYANAMA.

    Under the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the subscribing school is the Data Fiduciary for student, parent, teacher, and staff data processed through the Services, and GYANAMA acts as a Data Processor on the school's behalf in accordance with our agreement with the school. For information you submit directly to GYANAMA through this website (for example, a demo request), GYANAMA is the Data Fiduciary.

    2. At a Glance — Data Safety Summary

    The plain-language summary below mirrors the categories that the Google Play “Data Safety” form asks about. Complete details and qualifications are in the rest of this Policy.

    What we DO
    • Collect only the data the school needs to run school operations.
    • Encrypt all traffic in transit using HTTPS/TLS.
    • Allow users to request deletion of their data.
    • Restrict access using role-based permissions.
    • Store primary data on servers located in India.
    What we do NOT do
    • Sell personal data to anyone.
    • Show third-party advertisements anywhere in the Services.
    • Build advertising or behavioural-tracking profiles of users (including children).
    • Allow our AI sub-processors to train on student data.
    • Collect precise location, contacts, SMS, call logs, or microphone audio from your device.
    Data we collect, by Google Play category
    • Personal info: full name, email, mobile number, date of birth, gender, role, school identifiers (employee ID, roll number), parent / guardian names and contact numbers and emails (entered by the school for student records).
    • Photos & videos: chat / homework / doubt / announcement attachments that the user explicitly captures with the camera or picks from the gallery.
    • Files & docs: documents the user explicitly chooses to share or upload (PDF, Word, Excel, PowerPoint, MP4/MOV video).
    • Messages: in-app chats, announcements, doubts, leave applications, anti-bullying reports, and form responses entered by the user.
    • App activity: features used, screens viewed, last-seen presence, audit logs, crash logs.
    • App info and performance: device model, OS version, app version, language, IP address.
    • Device or other identifiers: push-notification token, per-device identifier used to bind the token to your account.
    • Audio (AI Voice Assistant only): audio is streamed to a multimodal AI model during outbound calls placed by the school's AI School Voice Assistant. A recording of the call is kept securely only for a short period (currently up to 3 days) to produce and verify the transcript and to investigate disputes, and is then automatically and permanently deleted; the text transcript and summary are retained with the school's other records.
    Data shared with sub-processors
    • Your mobile number is shared with our SMS gateway provider so it can deliver one-time passwords to your phone.
    • Mobile number is shared with our telephony provider when the school's AI Voice Assistant places an outbound absentee call to a parent.
    • Photos, videos, files, and documents uploaded by the user are stored on our object-storage provider, Cloudflare R2.
    • Push token and notification text are shared with our push-notification provider when you have notifications enabled.
    • Prompts and uploaded documents for AI features are sent to our AI-model provider only for the duration of the requested output.
    • For an AI Voice Assistant call, the parent's and student's names, the school name, and the relevant attendance summary are shared with our AI voice provider (which operates outside India) so it can speak naturally about the right child. No other student records are shared during the call.

    3. Information We Collect

    We collect only the information necessary to operate the Services. The categories below describe what we collect, depending on how you interact with us.

    a. Information you or your school provide

    • Demo and contact requests (website): first name, last name, email address, phone number, school name, approximate number of students, and any message you choose to send.
    • School onboarding: school name, address, principal contact details, school logo (optional), academic configuration (classes, sections, subjects), and the subscription plan.
    • Internal administrator accounts (used only by GYANAMA staff and authorised school super-admins on the operations console): username and a password stored as a one-way salted hash, plus an optional time-based one-time password (TOTP) secret for two-factor authentication.
    • App user accounts (Principal, Teacher, Coordinator, Manager, Student): full name, mobile phone number, email address (optional), gender (Male/Female), date of birth, role, school, and role-specific identifiers (employee ID, designation, and the classes/subjects assigned to a teacher; class and roll number for a student). App users sign in with their mobile number and a one-time password (OTP); the platform does not store an app-user password.
    • OTP delivery to your phone: when you request a sign-in OTP, the platform passes your mobile number and the one-time password to our SMS gateway sub-processor (see Section 7) so the OTP message can be delivered to that number. The OTP itself is stored only as a one-way hash in our cache and is automatically removed after 5 minutes.
    • Photos, videos, and documents you choose to upload: if you tap the camera or photo-picker button to attach an image or video to a chat message, or pick a document for the chat, homework, doubt, announcement, or AI Quiz workflows, that file is uploaded to our object-storage sub-processor (Cloudflare R2 — see Section 7) and is referenced by the relevant record in our database.
    • Student records (entered by the school): name, date of birth, gender, class and section, roll number, attendance counts, marks and assessments, and parent/guardian information including father's name, mother's name, guardian's name, and their phone numbers and email addresses.
    • Communication and academic content: chat messages, announcements, homework, doubts, calendar events, leave requests, forms and form responses, syllabus entries, and chat attachments (images, videos in MP4/MOV, and documents in PDF / Word / Excel / PowerPoint formats) that users send through the platform.
    • Anti-bullying / incident reports: if a user submits a Report Bullying entry from inside the app, we record the reporter, the name of the alleged bully, the class concerned, and the description of the incident, so that the school administration can review and resolve it.
    • Uploaded files: academic content such as PDFs uploaded to the Quiz feature, attachments shared in chat, announcements, doubts, or homework.

    b. Information collected automatically

    • Device and log information: device model, operating system version, app version, language, timestamps of activity, error and crash logs, and the IP address used to reach our servers.
    • Usage data: features used, screens viewed, authentication events, presence (last-seen) timestamps, and audit-log entries describing actions taken in the platform — used for security, troubleshooting, and improving the product.
    • Push notification identifiers: a push-notification token generated by the device, used solely to deliver in-app notifications, and a per-device identifier used to bind the token to your account.

    The mobile app does not collect precise location (GPS), contacts, SMS, call logs, microphone audio, or background activity from your device.

    c. Information from optional Android permissions

    The app requests the following permissions only when needed:

    • INTERNET: required for the app to talk to GYANAMA servers.
    • POST_NOTIFICATIONS (Android 13+): used to deliver alerts you have subscribed to (announcements, attendance, homework, fee reminders, chat messages, etc.).
    • CAMERA: used only when you explicitly choose to capture a photo (for example, a profile picture or a chat attachment). The camera is never used in the background.
    • READ_MEDIA_IMAGES, READ_MEDIA_VIDEO (Android 13+): used only when you explicitly pick an image or video from your gallery to attach to a chat or upload to your profile.
    • File picker (system): used only when you explicitly select a document to share through chat or upload as homework, doubt, announcement attachment, or PDF for the Quiz feature.

    Each of these permissions can be revoked at any time from your device settings; revoking a permission may disable the corresponding feature.

    d. Information stored on your device

    The Android app stores authentication tokens in Android's encrypted secure storage and keeps an on-device cache of your messages, drafts, and conversations (using a local database) so the app works offline and starts quickly. This data stays on your device and is removed when you sign out or uninstall the app.

    4. How We Use Information

    We use information for the following purposes only:

    • To provide, operate, and maintain the school management features (attendance, marks, exam reports, timetable, calendar, announcements, chat messaging, homework, doubts, leave applications, forms, syllabus, anti-bullying reports, and an in-app AI assistant).
    • To authenticate users via mobile-number OTP, secure accounts, prevent fraud, and detect abuse of the Services.
    • To deliver in-app and push notifications that the school or user has configured.
    • To deliver outbound voice calls from the AI School Voice Assistant for the absentee-call workflow (see Section 5), using the parent's phone number on record, when the school has enabled the relevant escalation feature.
    • To respond to demo requests, sales enquiries, and support tickets.
    • To diagnose crashes, fix bugs, and improve performance and reliability.
    • To generate aggregated, de-identified analytics that help schools understand their own usage of the platform. We do not build advertising profiles.
    • To comply with applicable Indian law and respond to lawful requests from public authorities.

    We do not sell personal information. We do not share personal information with third parties for their own advertising or marketing, and we do not display third-party advertisements anywhere in the Services.

    5. AI Features

    GYANAMA includes optional AI-powered features. These features are enabled by the subscribing school for its own users.

    • AI Quiz / homework generator: when an authorised user uploads a textbook PDF or chapter, the file (or the relevant portion of it) is sent to a large-language-model service to extract chapters, build a search index, and generate quiz questions. Numeric representations of the text are stored in our infrastructure to power retrieval.
    • AI School Voice Assistant: when the school enables attendance escalation or similar workflows, our system can place an outbound voice call to the parent's registered phone number. During the call the audio is streamed in real time to a multimodal AI model that understands the audio and generates a spoken reply. To conduct the call we share the parent's and student's names, the school name, and the relevant attendance summary with this AI voice provider so it can speak naturally about the right child; we do not share other student records during the call. We store call metadata (start/end time, status, duration), a text transcript and summary of the conversation, and the alert that triggered the call. A recording of the call is stored securely on our servers in India for a short period (currently up to 3 days) to generate and verify the transcript and summary and to investigate disputes or suspected fraud; after this period the recording is automatically and permanently deleted. Transcripts and summaries are retained with the school's other records under Section 11.
    • AI helpers in the dashboard (where present) operate on inputs explicitly submitted by an authorised user for that feature.

    We do not want our AI sub-processors to use student personal data to train their general-purpose foundation models, and we send only the minimum data required for the requested output. We use these providers under terms that, to our knowledge, do not permit them to use that data to train their general-purpose models, and we are continuing to strengthen these contractual protections. AI outputs may be incomplete or inaccurate; the school is responsible for reviewing AI-generated content before relying on it or distributing it.

    6. Children's Privacy & Google Play Families Policy

    The Services are intended for use in schools and may include records of children under the age of 18. GYANAMA does not market the Services directly to children, and children do not create accounts on their own. All student accounts are created and administered by the subscribing school.

    In line with the DPDP Act, 2023, processing of a child's personal data requires verifiable consent of the parent or lawful guardian. By onboarding a school onto GYANAMA, the school confirms to us that it has obtained the necessary consents from parents and guardians at the time of admission to enable a school management system, and that the school has the legal authority to share student information with GYANAMA for that purpose.

    In addition, where the Gyanama Android application is distributed through the Google Play Store and may reach users under the age of 13, GYANAMA commits to compliance with Google Play's Families Policy and the related Designed for Families requirements. Specifically:

    • The app contains no third-party advertisements, no behavioural advertising, and no monetisation that would otherwise be restricted under the Families Policy.
    • The app does not include any SDK that the developer has not whitelisted as suitable for child-directed services.
    • The app does not collect persistent advertising identifiers (Android Advertising ID) or use them for any purpose.
    • The app does not transmit personal information to third parties for advertising or behavioural-profiling purposes.
    • The app does not include in-app purchases targeted at children, social-network features that allow strangers to contact a child, or location-based features.
    • Where age-restricted features become available, the app applies a neutral age-screen and treats users under the relevant threshold as children for the purposes of this Policy.

    Parents and guardians who wish to review, correct, or request deletion of their child's data should contact the school directly; the school can act on the request through its GYANAMA administrator console, and we will assist the school as needed. Parents may also contact our Grievance Officer (Section 16) at any time.

    7. How We Share Information

    We share personal information only in the following limited circumstances:

    • Within the school: Information entered into the Services is visible to authorised users of the same school based on role-based permissions configured by the school administrator (for example, a class teacher sees their class; a parent sees only their own child).
    • With service providers who help us run the Services. Each is bound by confidentiality and data-protection obligations and processes data only on our instructions, strictly for the purposes described below:
      • Cloud hosting and database services (located in India) for application servers, MongoDB databases, and backups.
      • Cloudflare R2: S3-compatible object storage where every photo, video, document, and AI-feature PDF that a user uploads is stored. Each file is accessed only via short-lived signed URLs (typically about 15 minutes for direct uploads and about 30 minutes for downloads), so links cannot be shared indefinitely.
      • SMS gateway provider: when you request a sign-in OTP, we transmit your mobile number and the OTP message body to this provider so it can deliver the SMS to your phone. The provider is contractually restricted to using this information solely to deliver our messages.
      • Push-notification delivery services for in-app and lock-screen notifications, which receive your device push-token and the notification payload.
      • Telephony services to place outbound voice calls from the AI School Voice Assistant for the absentee-call workflow, which receive the parent's mobile number and the call script.
      • Artificial-intelligence model services to power the AI Quiz, in-app AI assistant, summarisation, and Voice Assistant features. Inputs are limited to the prompt or document you submit for the requested output.
      • Website hosting, serverless form-processing, email delivery, and a scheduling/booking service for the public marketing site at gyanama.com (used only for marketing-website interactions, not for in-app data).
    • For legal reasons: when required to comply with Indian law, a valid court order, or a lawful request from a competent authority, or to protect the rights, safety, or property of GYANAMA, our users, or the public.
    • Business transfers: in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same protections described in this Policy. We will notify subscribing schools before any such transfer takes effect.

    We do not share personal information with advertisers, data brokers, or analytics services that build cross-app or cross-site profiles. Subscribing schools may request the current list of named service providers under the terms of their agreement with GYANAMA. We give schools reasonable advance notice when we add or replace a category of service provider that materially affects how their data is processed.

    8. Data Storage and Location

    Our primary application servers, databases, and backups are located in India. Some of the service providers referred to in Section 7 (such as the push-notification, object-storage, AI-model, and telephony providers, and the website hosting and form services) operate global infrastructure, so limited operational data may be processed outside India by those providers. Such transfers are governed by each provider's contractual safeguards and applicable Indian law, and they are limited to the data each provider needs for its specific function. We do not transfer personal data to any country that the Government of India has notified as a restricted jurisdiction under the DPDP Act.

    9. Data Security

    We take reasonable security measures to protect personal data, including:

    • HTTPS/TLS encryption for all traffic between the app, the dashboard, and our servers (including a Let's Encrypt certificate on our API endpoints).
    • One-way salted hashing of internal staff passwords using bcrypt; no app-user password is stored at all (sign-in is by mobile-number OTP).
    • One-way salted hashing of OTPs in our cache, with an automatic 5-minute expiry.
    • Two-factor authentication for the internal operations console.
    • Role-based access control inside each school's tenant, configured by the school administrator.
    • Audit logging of administrative actions.
    • Rate limiting and CSRF protection on web endpoints; bot-protection on the public marketing forms.
    • Short-lived signed URLs for uploaded files, so direct download links are not shareable indefinitely.
    • Least-privilege access for our staff, granted only on a need-to-know basis.
    • Multi-tenant isolation so one school's data is not visible to another.

    No method of transmission or storage is perfectly secure; if you believe your account has been compromised, please contact us immediately at info@gyanama.com.

    10. Security Incident Response

    In the unlikely event of a personal-data breach affecting the Services, we will (a) investigate and contain the incident as soon as we become aware of it, (b) notify the Data Protection Board of India and affected schools within the timelines required by the DPDP Act and the rules made under it, and (c) provide schools with the information they need to inform affected individuals. Schools are responsible for cascading such notifications to their own users (parents, students, teachers, staff) where required.

    11. Data Retention

    We retain personal data for as long as the school's subscription is active and for a reasonable period thereafter to allow the school to export records and to meet our legal, accounting, and audit obligations. When a school terminates its subscription, we delete or anonymise the school's personal data within 90 days of the end of the contractual wind-down period, except where retention is required by law. AI voice-call recordings are kept securely for a short period (currently up to 3 days) and then automatically and permanently deleted; transcripts and summaries follow the same retention as the school's other records. OTPs are stored as one-way hashes in our cache and are automatically removed after 5 minutes. Demo and enquiry leads submitted through the website are retained for up to 24 months and then deleted, unless you become a customer.

    12. Your Rights Under the DPDP Act

    Subject to the DPDP Act, 2023 and other applicable Indian law, you may:

    • Access the personal data we hold about you and obtain a summary of how it is processed.
    • Request correction or updating of inaccurate or incomplete data.
    • Request erasure of your personal data, subject to lawful retention obligations.
    • Withdraw consent that you have previously given, without affecting the lawfulness of processing carried out before withdrawal.
    • Nominate another individual to exercise these rights on your behalf in the event of death or incapacity.
    • Lodge a grievance with our Grievance Officer (see Section 16). If your grievance is not resolved, you may approach the Data Protection Board of India.

    If you are a student, parent, teacher, or staff member of a GYANAMA-subscribed school, please first raise these requests with your school. The school has the controls in the GYANAMA administrator console to fulfil most requests directly. We will assist the school where additional support is needed.

    13. Account Deletion

    How to delete your account and personal data
    1. If you are a student, parent, teacher, or staff member of a subscribing school: contact your school administrator to deactivate your account or remove your personal data from the school's GYANAMA tenant. The school can act on the request immediately through its administrator console.
    2. If you are a school administrator wishing to delete the entire school account, or if your school is unable to act on your request: send an email from the email address on file (or from the registered mobile number for app users) to info@gyanama.com with the subject line “Account Deletion Request”.
    3. We will verify the identity of the requester and confirm receipt within 7 days, and complete deletion within 30 days, except where retention is required by law (for example, tax or audit records).
    4. What is deleted: profile information, content you uploaded, communication history, and identifiers we hold about you. What may be retained for up to the period required by law: minimum financial / billing records, tamper-evident audit logs (with personal identifiers redacted where feasible), and content that other users have legitimately preserved (for example, an announcement received by another school user before deletion).

    The web URL of this section, https://gyanama.com/privacy-policy#account-deletion, can be used as the “Account deletion” URL when filling out the Google Play store listing.

    14. Cookies and Similar Technologies

    Our website and web dashboard use strictly necessary cookies and local storage to keep you signed in, remember preferences, and protect against abuse. We do not use third-party advertising cookies or cross-site tracking. The Android application does not use browser cookies; it uses encrypted local secure storage for session tokens and an on-device database for offline data, as described in Section 3(d).

    15. Third-Party Links

    The Services may contain links to third-party websites or services (for example, links shared in chat, links inside an announcement, or links to our scheduling provider on the website). We do not control those websites and are not responsible for their privacy practices. Please review their privacy policies before submitting any personal information to them.

    16. Grievance Officer and Contact

    If you have questions, concerns, or grievances about this Policy or about how your personal data is handled, please contact our Grievance Officer:

    • Mr. Rachit Mittal — Grievance Officer (Co-founder & CTO)
    • ARCOS Technologies Private Limited
    • 04, Block C, Sector 63 (near Sector 62 Metro), Noida — 201309, Uttar Pradesh, India
    • Email: info@gyanama.com
    • Phone: +91 63758 69217 (direct) or +91 93528 51376 (office)

    For general support and account-related questions you can also write to gyanamaedu@gmail.com. We will acknowledge grievances within a reasonable time and aim to resolve them within the timelines required by the DPDP Act, 2023 and the rules made under it.

    17. Changes to This Policy

    We may update this Policy from time to time to reflect changes in our Services, technology, legal requirements, or business practices. When we make material changes, we will update the “Effective Date” below and, where appropriate, notify subscribing schools through the dashboard or by email. The previous version of this Policy will be archived and made available on request to subscribing schools. Your continued use of the Services after changes take effect constitutes acceptance of the updated Policy.

    Effective Date: May 4, 2026

    GYANAMA