Privacy Policy

---

# Privacy Policy for GuruSkool

**Effective Date:** March 15, 2026
**Last Updated:** March 15, 2026

---

## 1. Introduction

Welcome to GuruSkool ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

**Important:** Please read this privacy policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by all the terms of this Privacy Policy. If you do not agree with this policy, please do not access or use the Service.

**Organization Details:**
- **Company Name:** YindusAI
- **Address:** Victoria 3806
- **Email:** admin@yindus-ai.com.au
- **Website:** https://yindus-ai.com.au

---

## 2. Information We Collect

### 2.1 Personal Information You Provide

We collect information that you voluntarily provide when using our Service:

**Account Information:**
- Full name
- Email address
- Phone number
- Password (encrypted)
- Organization/institution affiliation
- User role (student, coordinator, administrator, etc.)

**Profile Information:**
- Date of birth
- Gender
- Profile photo (optional)
- Contact preferences
- Language preferences

**Educational Data:**
- Student enrollment information
- Class attendance records
- Academic period information
- Program enrollment data
- Assessment and grade information
- Contact relationships (parent/guardian links)

**Contact Information:**
- Contact details for parents/guardians
- Emergency contact information
- Relationship to student

### 2.2 Information Automatically Collected

**Device and Usage Information:**
- Device type and model
- Operating system and version
- Unique device identifiers
- IP address
- Browser type and version
- App version
- Time zone settings
- Device language

**Usage Data:**
- Features accessed
- Time spent in the app
- Navigation patterns
- Button clicks and interactions
- Session duration
- Crash reports and error logs

**Location Information:**
- General location (city/region level) derived from IP address
- We do NOT collect precise GPS location data

### 2.3 Biometric Information

If you enable biometric authentication (Face ID, Touch ID, or fingerprint):

- **What We Collect:** We store a secure token indicating biometric authentication is enabled
- **What We DON'T Collect:** We do NOT collect, store, or transmit your actual biometric data (facial scans, fingerprints)
- **How It Works:** Biometric authentication is handled entirely by your device's secure hardware. We only receive a success/failure response
- **Your Control:** You can enable or disable biometric authentication at any time in the app settings

**Platform-Specific Details:**
- **iOS:** Uses Apple's Secure Enclave; biometric data never leaves your device
- **Android:** Uses Android Keystore; biometric data never leaves your device

### 2.4 Information from Third-Party Services

We do NOT collect information from social media or other third-party services except as described in Section 4 (Third-Party Services).

---

## 3. How We Use Your Information

We use the collected information for the following purposes:

### 3.1 Service Provision
- Create and manage user accounts
- Provide educational management features (attendance, enrollment, classes)
- Enable communication between users (students, parents, coordinators)
- Process and fulfill service requests
- Provide customer support

### 3.2 Service Improvement
- Analyze usage patterns to improve user experience
- Develop new features and functionality
- Identify and fix bugs and technical issues
- Conduct research and analytics

### 3.3 Security and Fraud Prevention
- Verify user identity
- Detect and prevent fraud, abuse, and security incidents
- Enforce our Terms of Service
- Comply with legal obligations

### 3.4 Communication
- Send important service updates and notifications
- Respond to inquiries and support requests
- Send administrative information (policy changes, account updates)
- Send educational notifications (attendance reminders, class schedules)

**Note:** We do NOT use your information for marketing or advertising purposes without your explicit consent.

---

## 4. Third-Party Services

We use trusted third-party services to operate our Service. These providers have access to your information only to perform tasks on our behalf and are obligated to protect your information.

### 4.1 Supabase (Backend Infrastructure)
- **Purpose:** Database, authentication, and backend services
- **Data Shared:** All user data stored in our database
- **Location:** United States (AWS)
- **Privacy Policy:** https://supabase.com/privacy
- **Security:** End-to-end encryption, SOC 2 Type II certified

### 4.2 Cloudflare (Security and Performance)
- **Purpose:** DDoS protection, content delivery, security
- **Data Shared:** IP address, device information, request metadata
- **Privacy Policy:** https://www.cloudflare.com/privacypolicy/
- **Security:** GDPR and Privacy Shield compliant

### 4.3 Cloudflare Turnstile (CAPTCHA Protection)
- **Purpose:** Bot detection and security verification
- **Data Shared:** Browser metadata, interaction patterns (no personal data)
- **Privacy Policy:** https://www.cloudflare.com/privacypolicy/
- **Note:** Privacy-friendly alternative to traditional CAPTCHAs

### 4.4 Sentry (Error Tracking)
- **Purpose:** Crash reporting and error monitoring
- **Data Shared:** Error logs, device information, app version
- **Privacy Policy:** https://sentry.io/privacy/
- **Data Handling:** Personal information is scrubbed from error reports

### 4.5 Expo (Development and Distribution)
- **Purpose:** App development, building, and distribution
- **Data Shared:** Basic usage analytics, crash reports
- **Privacy Policy:** https://expo.dev/privacy
- **Note:** Only used during development and updates

---

## 5. Data Storage and Security

### 5.1 Where Your Data is Stored
- **Primary Storage:** United States (Supabase/AWS infrastructure)
- **Backup Storage:** Automated backups stored in secure, encrypted data centers
- **Biometric Data:** NEVER stored by us; remains on your device only

### 5.2 How We Protect Your Data

**Encryption:**
- Data in transit: TLS 1.3 encryption (HTTPS)
- Data at rest: AES-256 encryption
- Passwords: bcrypt hashing (industry-standard)
- PIN codes: bcrypt hashing with salt

**Access Controls:**
- Role-based access control (RBAC)
- Row-level security (RLS) policies
- Multi-factor authentication (MFA) available
- Regular security audits

**Security Measures:**
- Regular vulnerability scanning
- Penetration testing
- CAPTCHA protection against bots
- Rate limiting to prevent abuse
- Secure development practices

**Note:** While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

---

## 6. Data Retention

### 6.1 How Long We Keep Your Data

**Active Accounts:**
- Account data: Retained while your account is active
- Educational records: Retained for legal compliance (typically 7 years for educational records)
- Usage logs: Retained for 90 days
- Error logs: Retained for 30 days

**Inactive Accounts:**
- Accounts inactive for 2 years may be archived or deleted
- You will receive a notification 30 days before account deletion

**After Account Deletion:**
- Personal information: Deleted within 30 days
- Educational records: May be retained for legal compliance (anonymized)
- Aggregated analytics: Retained indefinitely (fully anonymized)

### 6.2 Legal Retention Requirements

We may retain certain information longer when required by law, such as:
- Educational records (7 years in most jurisdictions)
- Financial records (7 years)
- Legal compliance and dispute resolution

---

## 7. Your Privacy Rights

### 7.1 Rights Under GDPR (European Users)

If you are in the European Economic Area (EEA), you have the following rights:

- **Right to Access:** Request copies of your personal data
- **Right to Rectification:** Request correction of inaccurate data
- **Right to Erasure:** Request deletion of your data ("right to be forgotten")
- **Right to Restrict Processing:** Request limitation of data processing
- **Right to Data Portability:** Receive your data in a portable format
- **Right to Object:** Object to processing of your data
- **Right to Withdraw Consent:** Withdraw consent at any time

**Legal Basis for Processing:**
- Consent: For optional features (biometric authentication, notifications)
- Contract: To provide the Service you requested
- Legal Obligation: To comply with applicable laws
- Legitimate Interests: To improve and secure our Service

### 7.2 Rights Under CCPA (California Users)

If you are a California resident, you have the following rights:

- **Right to Know:** Know what personal information is collected
- **Right to Delete:** Request deletion of personal information
- **Right to Opt-Out:** Opt-out of the sale of personal information (Note: We do NOT sell personal information)
- **Right to Non-Discrimination:** Not be discriminated against for exercising your rights

### 7.3 How to Exercise Your Rights

**In-App:**
- Go to Settings → Security & Privacy → Data Management
- Request account deletion directly from the app
- Download your data (coming soon)

**By Email:**
- Email us at: admin@yindus-ai.com.au
- Include: Your name, email, and specific request
- We will respond within 30 days

**Verification:**
- We may ask for verification to protect your privacy
- Provide: Email address and account details

---

## 8. Children's Privacy (COPPA Compliance)

### 8.1 Age Restrictions

GuruSkool is designed for educational institutions and may be used by students of all ages under the supervision of educational coordinators and parents/guardians.

**For Users Under 13:**
- Accounts must be created by a parent, guardian, or educational institution
- We collect only information necessary for educational purposes
- Parental consent is obtained through the educational institution
- Parents have the right to review, delete, or refuse further collection of their child's information

**For Users 13-17:**
- May create accounts with parental/guardian consent
- Certain features may be restricted

### 8.2 Parental Rights

Parents and guardians have the right to:
- Review their child's personal information
- Request deletion of their child's information
- Refuse further collection of their child's information
- Request information about our data practices

**To Exercise Parental Rights:**
- Email: admin@yindus-ai.com.au
- Include: Child's name, email, and your relationship
- Verification may be required

---

## 9. Data Sharing and Disclosure

### 9.1 We Do NOT Sell Your Data

We do NOT sell, rent, or trade your personal information to third parties for marketing purposes.

### 9.2 When We Share Your Data

We may share your information only in the following circumstances:

**With Your Consent:**
- When you explicitly authorize us to share information

**Within Your Organization:**
- Educational coordinators can access student information within their assigned region/center
- Parents/guardians can access their linked students' information
- Administrators can access information for their organization

**Service Providers:**
- Third-party services listed in Section 4 (under strict confidentiality agreements)

**Legal Requirements:**
- To comply with laws, regulations, or legal processes
- To respond to lawful requests from public authorities
- To protect our rights, property, or safety
- To prevent fraud or security threats

**Business Transfers:**
- In connection with a merger, acquisition, or sale of assets (users will be notified)

---

## 10. International Data Transfers

### 10.1 Cross-Border Data Transfers

If you access our Service from outside the United States, your data may be transferred to and stored in the United States.

**Safeguards:**
- We comply with applicable data protection laws
- Use standard contractual clauses approved by the European Commission
- Implement additional security measures for international transfers

**Your Consent:**
By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

---

## 11. Cookies and Tracking Technologies

### 11.1 Technologies We Use

**Mobile App:**
- **Secure Storage:** Used to store authentication tokens securely
- **Local Storage:** Used for app settings and offline functionality
- **Session Tokens:** Used to maintain your login session

**Web Version:**
- **Essential Cookies:** Required for authentication and security
- **Analytics Cookies:** Used to understand usage patterns (optional)

### 11.2 Your Choices

**Mobile App:**
- Clear app data in device settings
- Log out to clear session data

**Web Browser:**
- Adjust browser settings to block cookies
- Use browser privacy/incognito mode

---

## 12. Your Choices and Controls

### 12.1 Account Settings

**Access and Update:**
- Update your profile information in Settings
- Change password, email, or phone number
- Manage notification preferences

**Privacy Settings:**
- Enable/disable biometric authentication
- Set session duration preferences
- Manage data sharing preferences

### 12.2 Communications

**Opt-Out:**
- Disable push notifications in device settings
- Unsubscribe from email communications (link at bottom of emails)
- Note: You cannot opt-out of essential service communications (security alerts, account updates)

### 12.3 Account Deletion

**How to Delete:**
- Go to Settings → Security & Privacy → Delete Account
- Confirm deletion request
- Your data will be deleted within 30 days

**What Happens:**
- Personal information is permanently deleted
- Educational records may be retained for legal compliance (anonymized)
- Deletion is irreversible

---

## 13. Do Not Track Signals

Our Service does not respond to Do Not Track (DNT) signals because there is no industry standard for DNT. We will update this policy if a standard is established.

---

## 14. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

---

## 15. Changes to This Privacy Policy

### 15.1 How We Update

We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top
- For material changes, we will notify you via:
- In-app notification
- Email (to your registered email address)
- Prominent notice on our website

### 15.2 Your Continued Use

Your continued use of the Service after changes are posted constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, please stop using the Service and delete your account.

---

## 16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices:

**Email:** admin@yindus-ai.com.au
**Mail:** YindusAI ,Victoria 3806, Australia
**Response Time:** We will respond to your inquiry within 30 days.

---

## 17. Dispute Resolution

### 17.1 Informal Resolution

If you have a privacy concern, please contact us first. We will attempt to resolve the issue informally.

### 17.2 Formal Dispute Resolution

If we cannot resolve your concern informally:

**For EU Users:**
- You have the right to lodge a complaint with your local data protection authority
- List of EU authorities: https://edpb.europa.eu/about-edpb/board/members_en

**For California Users:**
- Contact the California Attorney General's Office
- Website: https://oag.ca.gov/

**For Other Users:**
- Disputes will be resolved in accordance with the laws of Victoria, Australia

---

## 18. Legal Basis for Processing (GDPR)

We process your personal information based on the following legal grounds:

- **Consent:** For optional features (biometric authentication, marketing communications)
- **Contract:** To provide the Service you requested (account management, educational features)
- **Legal Obligation:** To comply with applicable laws (educational record retention, tax laws)
- **Legitimate Interests:** To improve our Service, ensure security, and prevent fraud

You have the right to withdraw consent or object to processing based on legitimate interests at any time.

---

## 19. Additional Information for Specific Regions

### 19.1 Australia

For Australian users, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988.

**Your Rights:**
- Access and correct your personal information
- Make a complaint to the Office of the Australian Information Commissioner (OAIC)
- Website: https://www.oaic.gov.au/

### 19.2 Canada

For Canadian users, we comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).

**Your Rights:**
- Access and correct your personal information
- Withdraw consent for certain uses
- Make a complaint to the Privacy Commissioner of Canada
- Website: https://www.priv.gc.ca/

### 19.3 United Kingdom

For UK users, we comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

**Your Rights:**
- Same rights as EU users under GDPR
- Make a complaint to the Information Commissioner's Office (ICO)
- Website: https://ico.org.uk/

---

## 20. Summary

**Key Points:**
- ✅ We collect only information necessary to provide our educational management Service
- ✅ We do NOT sell your personal information
- ✅ We use industry-standard security measures to protect your data
- ✅ You have rights to access, correct, and delete your information
- ✅ You can disable biometric authentication at any time
- ✅ We comply with GDPR, CCPA, COPPA, and other privacy regulations

**Questions?** Contact us at admin@yindus-ai.com.au

---

**Document Version:** 1.0
**Effective Date:** March 15, 2026
**Last Updated:** March 15, 2026

© 2026 YindusAI. All rights reserved.