Last modified: April 8, 2026
This Privacy Notice contains information that must be provided to you under GDPR Articles 13 & 14 and equivalent Caribbean data protection laws. Please read this carefully.
Data Controller:
Your Institution (School or Ministry of Education) is the Data Controller and determines the purposes and means of processing your personal data on the OneLern Platform.
Data Processor:
FortunaPIX Inc. (USA) and FortunaPIX Private Limited (India), operating as OneLern, process data on behalf of your Institution.
Contact Information:
FortunaPIX Inc. (USA) - [USA Address to be inserted]
FortunaPIX Private Limited - Plot No. 101, Kavuri Hills - Phase II, Hyderabad, Telangana 500033, India
Email: legal@onelern.com | Website: www.onelern.com
Purposes and Legal Bases for Processing:
OneLern processes your personal data for the following purposes based on the following legal bases:
1. Providing Educational Services (Lawful basis: Contract with your Institution; Consent from data subject)
2. AI-Powered Automated Assessments (Lawful basis: Explicit consent from Student or parent)
3. Performance Analytics and Reporting (Lawful basis: Contract; Legitimate interests; Consent)
4. Communications with Users (Lawful basis: Contract; Legitimate interests)
5. Platform Security and Fraud Prevention (Lawful basis: Legitimate interests; Legal obligation)
6. Compliance with Legal Obligations (Lawful basis: Legal obligation; Public task)
International Data Transfers:
Your data is transferred to India. Safeguards: Standard Contractual Clauses (SCCs), encryption, contractual protections, and audit rights. See Section 6 below for full details.
Data Retention:
Student data is retained for the duration of active subscription plus 2 years. Teacher and Parent data is retained for duration of service plus 1-3 years. See Section 7 below for full details.
Your Rights:
You have the following rights under applicable data protection law:
• Right of Access: Obtain a copy of your personal data
• Right to Rectification: Correct inaccurate data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your data
• Right to Restrict Processing: Limit how your data is processed
• Right to Data Portability: Receive your data in machine-readable format
• Right to Object: Object to certain types of processing
• Right to Withdraw Consent: Withdraw any consent you have given
• Right Not to be Subject to Automated Decisions: Right to human review of AI assessments
Data Protection Officer:
OneLern has appointed or is considering appointment of a Data Protection Officer given the large-scale processing of children's data. Contact: [DPO Contact to be inserted if appointed]
Supervisory Authority:
You have the right to lodge a complaint with the data protection supervisory authority in your territory:
• British Virgin Islands: BVI Information Commissioner's Office
• Antigua and Barbuda: Office of the Ombudsman (Data Protection Division)
• Saint Lucia, Grenada, Saint Kitts & Nevis: Relevant national authority
OneLern (FortunaPIX Inc. and FortunaPIX Private Limited) is committed to protecting your privacy and ensuring transparency in how we process your personal data. This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, how long we retain it, how we protect it, and what rights you have regarding your data.
This Privacy Policy applies to all users of the OneLern Platform in Caribbean territories (British Virgin Islands, Antigua and Barbuda, Saint Lucia, Grenada, Saint Kitts and Nevis) and internationally. It is designed to comply with GDPR standards, the BVI Data Protection Act 2021, the Antigua Data Protection Act 2013, and other applicable Caribbean data protection laws.
All capitalized terms not defined herein have the meanings set forth in the Terms of Service.
The Institution (School or Ministry of Education) at which you study, work, or are an administrator is the "Data Controller" under data protection law. The Data Controller determines the purposes for which your personal data is processed and the means by which it is processed.
For example, if you are a Student, your school is the Data Controller and decides what student data will be collected for educational purposes. If you are a Teacher, your school is the Data Controller and decides what teacher data is necessary for educational management.
OneLern (FortunaPIX Inc. and FortunaPIX Private Limited) acts as the "Data Processor." The Data Processor processes your personal data on behalf of the Data Controller, following the Data Controller's instructions. OneLern does not independently decide what personal data to collect or how to use it for purposes other than providing the educational services requested by your Institution.
OneLern Legal & Compliance
Email: legal@onelern.com
Mailing Address: FortunaPIX Private Limited, Plot No. 101, Kavuri Hills - Phase II, Hyderabad, Telangana 500033, India
Website: www.onelern.com
OneLern collects different categories of personal data depending on your role on the Platform:
For Students using the Platform:
• Student name, date of birth, age
• Grade level / year of study, school name, class assignments
• Academic performance data: scores, grades, test results, assessment outcomes
• Work submitted: essays, assignments, projects, answers to assessments
• AI assessment data: automated scores and feedback generated by AI features
• Learning progress: topics completed, lessons viewed, time spent on activities
• Communications: messages to/from teachers and other students on the Platform
For Teachers using the Platform:
• Teacher name, email address, phone number (if provided)
• Professional information: subject(s) taught, grade level(s), school
• Login activity: timestamps of login/logout, dates and times of access
• Content created: assessments, assignments, rubrics, educational materials created by teacher
• Communications: messages to students and parents
For Parents/Guardians using the Platform:
• Parent/Guardian name, email address (used as login ID in Caribbean territories)
• Relationship to student(s)
• Phone number (if provided)
• Communication preferences: frequency of updates, notification settings
• Login activity and access to child's progress information
For School Administrators and management staff:
• Administrator name, email, phone (if provided)
• Job title, school affiliation
• Login activity and administrative actions performed
For all users, we automatically collect certain technical information:
• IP address and device identifiers
• Device type: smartphone, tablet, laptop
• Operating system and version: Android, iOS, Windows
• App version and browser type
• Timestamps of login, logout, and activity
• Duration of sessions and frequency of use
• Features accessed and how features are used
• Content viewed or completed
• Time spent on activities and lessons
• Error messages or technical issues encountered
OneLern processes your personal data for the following purposes, based on the following lawful bases under GDPR Article 6 and equivalent Caribbean law:
Lawful basis: Performance of contract with your Institution; Explicit consent (for children and parents)
We process your personal data to provide the educational services you/your Institution have subscribed to, including: delivering course content, conducting assessments, tracking progress, providing teacher feedback, generating reports for institutional management, and facilitating communication between teachers, students, and parents.
Lawful basis: Explicit, informed consent (required for students and parents)
We use artificial intelligence to automatically grade student work and generate assessment feedback. This processing requires explicit consent from students (age 13+) or parents (for students under 13 or for all students under 18 in institutional settings). AI assessment results are provided as tools for educators and must be reviewed by qualified teachers before use in academic decisions.
Lawful basis: Performance of contract; Legitimate interests; Consent
We process your data to generate performance analytics, track learning progress, produce reports for teachers and administrators, create dashboards showing student engagement and achievement, and analyze educational outcomes. This helps teachers understand student learning and schools understand their effectiveness.
Lawful basis: Contract; Legitimate interests
We use your email address and contact information to send notifications, updates, messages from teachers/administrators, important platform announcements, and support responses. For parents in Caribbean territories, the parent's email address is used as the login identifier and primary contact method.
Lawful basis: Legitimate interests; Legal obligation
We process personal data to prevent unauthorized access, detect fraudulent activity, monitor for security threats, prevent academic dishonesty (e.g., cheating on assessments), comply with our security obligations, and protect the integrity of the Platform.
Lawful basis: Legitimate interests
We may use anonymized and aggregated data to understand how the Platform is used, identify areas for improvement, develop new features, optimize the user experience, conduct educational research, and improve AI assessment accuracy. This processing uses only anonymized or aggregated data where possible.
Lawful basis: Legal obligation; Public task
We process data as required by applicable law, including: data protection law compliance, response to lawful government requests, government education reporting requirements for schools and ministries, and law enforcement cooperation where required.
The OneLern Platform serves K-12 students (ages 5-18). The majority of users are minors (under 18). Special protections apply to children's personal data.
Under GDPR Article 8, for processing based on consent, a child must be at least 13 years old to consent independently. For children under 13, parental/guardian consent is required. HOWEVER, for K-12 educational platforms involving minors, best practices and institutional policies often require parental consent for ALL students under 18.
OneLern REQUIRES parental/guardian consent for ALL Student users under 18 before any personal data is processed. This is documented through OneLern's Parental Consent Forms or equivalent forms compliant with applicable law.
The Institution (School/Ministry) is responsible for obtaining, documenting, and maintaining written evidence of parental consent before student accounts are created. The Institution confirms to OneLern that it has obtained valid parental consent.
Because we process children's data, we implement enhanced protections:
• No behavioral profiling of children
• No targeted advertising or marketing to children
• Minimal collection of personal data (only data necessary for education)
• Enhanced security measures protecting children's data
• Strict access controls limiting who can view children's data
• No selling of children's data to third parties
Parents/guardians may withdraw parental consent at any time by contacting the school or OneLern at legal@onelern.com. Upon withdrawal, the student's account will be deactivated and data will be handled as described in the Data Retention section.
ALL personal data processed through the OneLern Platform is transferred from the Caribbean Territory where you reside or work and is processed on servers located in India. This includes all categories of data: Student data, Teacher data, Parent/Guardian data, School Administrator data, and technical data.
India is NOT recognized as providing an adequate level of data protection equivalent to GDPR or applicable Caribbean data protection law standards. Therefore, the transfer of personal data from a Caribbean Territory (or any GDPR-aligned jurisdiction) to India requires specific legal safeguards.
OneLern relies on the following safeguards for international data transfers:
The transfer of personal data from your Caribbean Territory to India is protected by Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision 2021/914). These clauses are adapted and incorporated into the Data Processing Addendum between your Institution and OneLern. The SCCs establish contractual obligations requiring that personal data transferred to India receives appropriate protection.
You may request a copy of the SCCs by contacting legal@onelern.com.
OneLern has conducted a Transfer Impact Assessment (TIA) to evaluate the risks associated with transferring Caribbean personal data to India. The TIA assesses:
• Indian legal framework: The DPDP Act 2023, Information Technology Act 2000, and SPDI Rules
• Government access to data: Whether Indian government can require access to personal data transferred to India
• Legal remedies available: What legal protections and remedies are available to Caribbean data subjects in India
• Data subject rights: Whether data subjects can exercise their GDPR/Caribbean law rights when data is processed in India
A copy of the Transfer Impact Assessment is available upon request at legal@onelern.com.
In addition to SCCs, OneLern implements the following technical and organizational safeguards to protect data transferred to India:
All data in transit to India is encrypted using TLS 1.2 or higher. All data at rest in Indian servers is encrypted using AES-256 or equivalent, making the data unreadable to persons without decryption keys, including hosting infrastructure staff.
Access to personal data in Indian servers is restricted through role-based access controls (RBAC). Only authorized personnel with a specific business need can access personal data. Most staff in India involved in Platform maintenance do not have access to customer personal data.
OneLern's Indian operations are bound by contractual obligations to apply GDPR-equivalent data protection standards, including restrictions on use of data, confidentiality obligations, and prohibitions on disclosure.
Your Institution and supervisory authorities have audit rights to monitor OneLern's Indian operations and verify compliance with data protection obligations.
If OneLern engages sub-processors in India or other locations, all sub-processors are contractually bound by the same data protection obligations.
OneLern is continuously evaluating additional safeguards to enhance protection of Caribbean personal data transferred to India, including:
• Pseudonymization of student data where technically feasible
• Regular security audits and penetration testing of Indian infrastructure
• Privacy-enhancing technologies
• Training for all personnel accessing personal data in India
If you object to the transfer of your personal data to India, your Institution should contact OneLern at legal@onelern.com to discuss alternative arrangements or data hosting options. If no alternative can be arranged, you may choose not to use the Platform.
OneLern retains personal data only as long as necessary for the purposes for which it was collected. Specific retention periods are as follows:
• Active Student Status: Data is retained during the period the student is actively enrolled and using the Platform.
• Post-Enrollment: For 2 years after the student withdraws or graduates, data is retained for educational continuity (transcript records, achievement records, progress history).
• Deletion or Anonymization: After 2 years, data is securely deleted or anonymized for analytics purposes.
• During Employment: Retained while the teacher/staff member is employed by the Institution and using the Platform.
• Post-Employment: For 3 years after the teacher/staff member leaves, data is retained for professional records and potential future reference.
• Deletion: After 3 years, data is securely deleted.
• Active Child Status: Retained while the child is actively using the Platform.
• Post-Enrollment: For 1 year after the child's account is deactivated, data is retained for account management and potential reinstatement.
• Deletion: After 1 year, data is securely deleted.
• Login/logout timestamps, IP addresses, and device information are retained for 2-3 years for security compliance.
• Usage analytics: Aggregated and anonymized usage data may be retained indefinitely for Platform improvement.
Notwithstanding the above, personal data may be retained longer if:
• Required by applicable law (e.g., education law requiring permanent educational records)
• Subject to a legal dispute or litigation
• Subject to a data subject access request (retained until request is resolved)
• Required for compliance with government reporting or audit requests
When data is deleted, it is done securely through cryptographic erasure or physical destruction of storage devices, ensuring data cannot be recovered.
OneLern shares personal data only with authorized recipients and only when necessary for the purposes described in this Privacy Policy.
Your personal data is shared within your Institution on a role-based, need-to-know basis:
• Student data is visible to: the Student, the Student's enrolled Teachers, School Administrators, and authorized school staff.
• Teacher data is visible to: the Teacher, School Administrators, and authorized school staff.
• Parent/Guardian data is visible to: the Parent/Guardian, the Child's Teachers, and authorized school staff.
If the Institution is a government school, the Ministry of Education may have rights to access aggregate or individual student data as required by law for government education reporting, accountability, or planning purposes. Any such access is governed by applicable government data policies and laws.
OneLern may engage sub-processors (third-party service providers) in India to assist with data processing. A list of current sub-processors is maintained and updated in the Data Processing Addendum, Annex III. All sub-processors are contractually bound by the same data protection obligations as OneLern.
OneLern will disclose personal data to legal authorities or government agencies only when:
• Required by applicable law in a Caribbean Territory or India
• Required by valid court order, warrant, or legal process
• Necessary to protect public safety, prevent crime, or protect persons from harm
OneLern will notify affected data subjects of such disclosure unless legally prohibited from doing so.
OneLern does NOT:
• Sell personal data to third parties
• Share data with marketing companies or advertisers
• Share children's data with non-educational third parties
• Disclose personal data for purposes other than those described in this Privacy Policy
Under GDPR, BVI DPA 2021, Antigua DPA 2013, and applicable Caribbean data protection law, you have the following rights regarding your personal data:
You have the right to obtain confirmation of whether your personal data is being processed and to request a copy of such data. Upon receiving an access request, OneLern will:
• Provide you with all your personal data in a clear, structured format
• Respond within 30 calendar days
• Provide the information free of charge
To submit an access request: Email legal@onelern.com with subject "Access Request - [Your Name, Territory]"
You have the right to correct any inaccurate or incomplete personal data. You may:
• Update your information directly in your account settings
• Request your school administrator to correct information
• Submit a rectification request to legal@onelern.com
OneLern will process rectification requests within 30 days.
You have the right to request deletion of your personal data. OneLern will delete your data upon request EXCEPT where:
• Data is required by applicable law (e.g., educational records retention laws)
• Data is necessary for legal claims or defense
• Data is necessary for exercise of free speech or other legal rights
• Data is necessary for public interest purposes
To request erasure: Email legal@onelern.com with subject "Erasure Request - [Your Name, Territory]"
You may request that OneLern restrict the processing of your personal data while you dispute its accuracy, challenge the lawfulness of processing, or request further information. Restricted data will be marked and not processed except for storage or with your consent.
To request restriction: Email legal@onelern.com with subject "Restriction Request - [Your Name, Territory]"
You have the right to receive your personal data in machine-readable format (such as CSV, JSON, or Excel) and to transmit such data to another organization. OneLern will:
• Provide all your personal data in standard, machine-readable format
• Respond within 30 days
• Provide the data free of charge
To request data portability: Email legal@onelern.com with subject "Portability Request - [Your Name, Territory]"
You have the right to object to processing of your personal data where such processing is based on legitimate interests. OneLern will stop processing your data unless it can demonstrate compelling legitimate reasons that override your rights.
To file an objection: Email legal@onelern.com with subject "Objection - [Your Name, Territory]"
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. In the context of OneLern:
• AI-powered automated assessments constitute automated processing that significantly affects students
• All AI assessment results must be reviewed by qualified human educators before making final academic decisions
• Students and parents have the right to request human review of any AI assessment
• No final grade, promotion decision, or academic determination can be made based solely on AI assessment without educator review
To request human review of an AI assessment: Contact your Teacher, School Administrator, or email legal@onelern.com with subject "Human Review Request - [Student Name, Assessment]"
Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal. To withdraw consent: Email legal@onelern.com with subject "Consent Withdrawal - [Your Name, Territory]"
You have the right to lodge a complaint with the data protection supervisory authority in your territory. Competent authorities are:
• British Virgin Islands: BVI Information Commissioner's Office
• Antigua and Barbuda: Office of the Ombudsman (Data Protection Division)
• Saint Lucia, Grenada, Saint Kitts & Nevis: Relevant national authority or government ombudsman office
To exercise any of the above rights, contact:
OneLern Legal & Compliance Department
Email: legal@onelern.com
Subject Line: [Data Subject Right - Your Name - Territory]
OneLern will verify your identity and will respond to rights requests within 30 calendar days. If we cannot process your request within 30 days, we will notify you of an extension (up to 60 days total).
10.1 Security Measures. OneLern implements comprehensive technical and organizational security measures to protect personal data from unauthorized access, alteration, or loss:
• In Transit: All data transmitted between user devices and OneLern servers is encrypted using TLS 1.2 or higher
• At Rest: All data stored on OneLern servers is encrypted using AES-256 or equivalent encryption
• Role-based access control (RBAC): Only authorized personnel with a specific need-to-know can access personal data
• Multi-factor authentication (MFA): School Administrators must use MFA to access administrative functions
• Logging and monitoring: All access to sensitive data is logged and monitored for suspicious activity
• Penetration testing: Regular authorized security testing of the Platform
• Vulnerability assessments: Regular scans for security vulnerabilities
• Security audits: Annual security audits conducted by third-party auditors
• OneLern maintains data breach detection systems and incident response procedures
• In the event of a suspected breach, OneLern will investigate, notify affected parties within 24 hours, and cooperate with supervisory authorities regarding 72-hour breach notification requirements
• All OneLern personnel with access to personal data are required to complete data protection and privacy training
• Confidentiality agreements: All staff members are bound by confidentiality agreements
11.1 DPIA Requirement. Given the large-scale processing of children's personal data, the use of AI for automated decisions affecting students, and international transfers to India, OneLern has conducted Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 and equivalent Caribbean law.
DPIAs have been completed for:
• Large-scale processing of children's personal data (K-12 students)
• AI-powered automated assessments that affect student academic outcomes
• International transfer of personal data from Caribbean territories to India
Summaries of the DPIAs are available upon request by contacting legal@onelern.com.
DPIAs are reviewed and updated annually and whenever processing activities change significantly.
• Maintain login sessions
• Remember user preferences
• Analyze Platform usage (with analytics cookies)
You may manage cookie preferences in your browser settings. However, disabling essential cookies may prevent the Platform from functioning properly.
13.1 Right to Modify.
OneLern may modify this Privacy Policy at any time to reflect changes in practices, technology, legal requirements, or other factors.
Material modifications will be communicated to Institutions with at least 30 days' advance written notice. Changes affecting data protection obligations, international transfers, or data subject rights will receive 30+ days' notice.
If changes significantly affect data protection, OneLern may consult with applicable supervisory authorities before implementation.
Continued use of the Platform after the effective date of modified Privacy Policy constitutes acceptance of the modifications.
OneLern Legal & Compliance Department
Email: legal@onelern.com
Mailing Address: FortunaPIX Private Limited, Plot No. 101, Kavuri Hills - Phase II, Hyderabad, Telangana 500033, India
Website: www.onelern.com
If you have concerns about OneLern's data protection practices or wish to lodge a complaint, you may contact the supervisory authority in your territory:
British Virgin Islands:
BVI Information Commissioner's Office
Antigua and Barbuda:
Office of the Ombudsman (Data Protection Division)
Saint Lucia, Grenada, Saint Kitts & Nevis:
Relevant national data protection authority or government ombudsman
