Privacy Policy

4.8 AI Assessment and Academic Data

The Platform's AI assessment system processes:

• Student responses to assessments and assignments

• Assessment submission timestamps

• AI-generated scores and evaluations

• AI-generated textual feedback on submissions

• Comparison of student performance against learning objectives

4.9 Communication Data

Communications within the Platform are stored and may be analyzed:

• Messages between Teachers and Students

• Messages between Teachers and Parents

• Announcements posted by institutional staff

• Feedback and comments from Teachers

• Metadata about communications (sender, recipient, timestamp)

SECTION 5 - PURPOSES OF PROCESSING AND LEGAL BASIS

OneLern processes personal data only for legitimate educational and operational purposes. For each category of data processing, we have identified the legal basis under the DPDP Act, 2023:

5.1 Educational Service Delivery

Purpose: To provide K-12 educational technology services, including content access, learning management, and communication between students, teachers, and parents.

Legal Basis: Consent (from users) + Contractual Necessity (with Schools under Subscription agreement)

5.2 AI-Powered Automated Assessments

Purpose: To evaluate student work, provide feedback, and assist teachers in understanding student learning.

Legal Basis: Explicit Consent (required for minors; provided by parent/guardian)

5.3 Performance Tracking and Educational Analytics

Purpose: To generate reports on student performance, learning progress, and institutional performance metrics to support educational decision-making.

Legal Basis: Consent + Legitimate Educational Interest (improvement of educational services)

5.4 Communication and Notifications

Purpose: To send messages, notifications, and progress updates to students, teachers, and parents.

Legal Basis: Consent + Contractual Necessity

5.5 Platform Security and Fraud Prevention

Purpose: To detect and prevent unauthorized access, fraud, abuse, or security threats to the Platform.

Legal Basis: Legitimate Interest (protection of platform security and user accounts)

5.6 Platform Improvement and Optimization

Purpose: To analyze platform usage, identify technical issues, and improve features and user experience.

Legal Basis: Consent + Legitimate Interest

5.7 Legal Compliance

Purpose: To comply with legal obligations under Indian law, respond to law enforcement requests, and preserve legal evidence.

Legal Basis: Legal Obligation

5.8 Parental Monitoring

Purpose: To allow parents and guardians to monitor their child's educational progress and performance.

Legal Basis: Consent (parent provides this consent on behalf of the child)

SECTION 6 - VERIFIABLE PARENTAL/GUARDIAN CONSENT FOR MINOR STUDENTS

The Digital Personal Data Protection Act, 2023 imposes a critical requirement: before processing personal data of any individual under 18 years of age (a "Child" under the DPDP Act), OneLern MUST obtain the verifiable consent of that child's parent or legal guardian.

6.1 Scope of Requirement

Since the OneLern Platform is designed for K-12 educational use, the vast majority of users are Minors (children under 18). This requirement applies to almost all student data processing.

6.2 School Responsibility

The Schools that subscribe to OneLern are responsible for:

• Collecting verifiable parental/guardian consent BEFORE creating student accounts

• Maintaining records of consents obtained

• Ensuring consents clearly state the purposes of data processing

• Providing parents with copies of the Privacy Policy and Terms of Service

• Re-obtaining consent if processing purposes materially change

6.3 Consent Mechanism

Schools may use either:

• Physical signed consent forms (which can be scanned and stored)

• Digital/online consent forms with e-signature or OTP verification

• Parent/Guardian login and acceptance at first account access

The specific consent mechanism used by each School may vary, but must constitute "verifiable" consent (i.e., OneLern and the School must be able to evidence that consent was obtained).

6.4 OneLern's Obligation

OneLern will:

• Clearly explain parental consent requirements to Schools at onboarding

• Not create student accounts without School confirmation that parental consent has been obtained

• Provide Schools with pre-drafted consent forms and notices

• Assist Schools in collecting and managing consents

• Include parental consent confirmation fields in School onboarding workflows

6.5 Parental Withdrawal

Parents may withdraw consent at any time by contacting OneLern's Grievance Officer. Withdrawal of consent will stop further processing of that child's data, though prior processing remains valid.

SECTION 7 - AI AUTOMATED ASSESSMENTS AND DATA PROCESSING

The OneLern Platform includes artificial intelligence-powered assessment tools. This section explains how AI assessments work and how data is processed.

7.1 How AI Assessment Data is Processed

When a Student submits an assignment or assessment:

14. The Student's response is uploaded to the Platform

15. The AI system analyzes the response against learning objectives and rubrics

16. The AI system generates a preliminary score and written feedback

17. The Teacher reviews the AI output and makes a final assessment decision

18. The final assessment result is communicated to the Student and Parent

7.2 Data Used for AI Processing

The AI system processes:

• Student response content (text, code, answers)

• Assignment instructions and learning objectives

• Assessment rubrics or grading criteria

• Student's prior performance data (to provide personalized feedback)

• Grade/class level (to calibrate assessment difficulty)

7.3 Storage and Retention

All AI assessment data (student responses, AI outputs, teacher feedback, final scores) is stored on secure servers located in India and retained according to the data retention schedule in Section 8.

7.4 Key Limitation: AI Outputs Are Not Final

We emphasize that AI assessment outputs (scores, feedback) are preliminary. Teachers must independently review and approve all AI outputs before they become part of the Student's official record. AI assessments are tools to support teachers, not final academic judgments.

SECTION 8 - DATA RETENTION

OneLern retains personal data only for as long as necessary to provide Services and comply with legal obligations. Different data categories have different retention periods:

8.1 Student Data

Student personal data (name, date of birth, grade, roll number) and academic data (assessments, performance data, attendance) are retained:

• During the period when the Student is actively enrolled and the School has an active Subscription with OneLern

• Plus 1 year after the School's Subscription terminates or the Student is removed from the Platform

• After 1 year, Student data is securely deleted unless the School requests extended retention

8.2 Teacher and Staff Data

Teacher and institutional staff data is retained:

• During the period of employment/authorization at the School

• Plus 2 years after the Teacher leaves the School or authorization is revoked

• After 2 years, data is securely deleted unless required for legal compliance

8.3 Parent Data

Parent/Guardian personal data is retained:

• During the period when the parent is actively using the Platform to monitor their child

• Plus 1 year after the child is no longer enrolled or the School Subscription terminates

8.4 Usage Logs and Technical Data

Login logs, activity logs, access logs, and technical debugging data are retained:

• For 2 years for security compliance, forensic investigation, and audit purposes

• Older logs are securely deleted unless required by law

8.5 AI Assessment Data

AI-generated assessments and student responses are retained:

• Same retention period as Student data (during enrollment plus 1 year)

8.6 Secure Deletion

When data is deleted, it is permanently removed from all OneLern systems and backups using encryption key destruction or secure wiping methods that prevent recovery.

SECTION 9 - DATA SHARING AND THIRD PARTIES

OneLern shares personal data with carefully selected parties only when necessary and for legitimate purposes. This section describes who may access personal data and under what conditions.

9.1 Internal Access Within Schools

Personal data is visible to authorized personnel within the School based on their role:

• School Admins: Can access all student, teacher, and school data

• Teachers: Can access student data only for their assigned classes/students

• Parents: Can access their own child's data only

• Students: Can access their own profile and academic data

Access is controlled through role-based access controls (RBAC) implemented in the Platform.

9.2 Sub-Processors

OneLern may engage third-party service providers ("Sub-Processors") to process personal data on OneLern's behalf:

Common categories of Sub-Processors include:

• Cloud hosting providers (for data storage and backup)

• Payment processors (for subscription billing)

• Email service providers (for notifications and communications)

• Security and monitoring services (for fraud detection and security)

• Analytics providers (for platform improvement)

All Sub-Processors are contractually bound by Data Processing Agreements that impose data protection obligations equivalent to OneLern's own obligations. OneLern maintains a current list of Sub-Processors available on request.

9.3 Legal Authorities and Compliance

OneLern may disclose personal data to government authorities, law enforcement, or courts:

• When legally required by an order, warrant, subpoena, or court mandate

• When necessary to protect public safety or prevent crime

• When necessary to protect OneLern's legal rights or comply with laws

OneLern will provide notice to affected individuals of such disclosures unless legally prohibited.

9.4 Data Sharing Prohibited

OneLern explicitly does NOT:

• Sell personal data to third parties

• Share data with marketers, advertisers, or commercial entities

• Engage in behavioral marketing or profiling of minors

• License personal data to external organizations

• Use student data to create detailed psychological or behavioral profiles

• Target advertising or marketing to minor students

9.5 School Data Sharing

Schools themselves may have policies about how they share student data with parents, government agencies, or educational authorities. OneLern facilitates such sharing through the Platform but does not directly share data on behalf of Schools without authorization.

SECTION 10 - DATA SECURITY

OneLern implements comprehensive technical and organizational security measures to protect personal data against unauthorized access, loss, alteration, and disclosure. Security is a priority and aligns with the requirements of IT (SPDI) Rules, 2011.

10.1 Encryption

Data is protected through encryption at multiple levels:

• Data in Transit: All data transmitted between user devices and OneLern servers is encrypted using TLS/SSL protocols (HTTPS)

• Data at Rest: Sensitive data stored on servers is encrypted using industry-standard encryption algorithms

• Database Encryption: Student personal and academic data stored in databases is encrypted

10.2 Access Controls

Access to personal data is restricted through:

• Role-Based Access Control (RBAC): Users can access only data relevant to their role

• Strong Authentication: Users must authenticate with secure passwords

• Credential Management: Passwords are hashed and salted; never stored in plain text

• Session Management: User sessions timeout after inactivity; users must re-authenticate

10.3 Monitoring and Logging

OneLern monitors data access and system activity:

• Access Logs: All access to personal data is logged with timestamps and user identification

• Audit Trails: Changes to data are logged to prevent unauthorized alterations

• Real-Time Monitoring: Systems are monitored for suspicious activity and intrusion attempts

10.4 Regular Security Testing

OneLern conducts:

• Annual Penetration Testing: External security experts test for vulnerabilities

• Vulnerability Scanning: Automated tools regularly scan for security weaknesses

• Code Reviews: Software is reviewed for security vulnerabilities before deployment

10.5 Data Breach Response

In the event of a security breach:

• OneLern will promptly investigate the breach

• Affected individuals will be notified within 72 hours

• Schools will be notified within 24 hours

• OneLern will cooperate with law enforcement as required

• Remedial measures will be implemented to prevent recurrence

10.6 Secure Infrastructure

OneLern uses:

• Secure servers in certified data centers located in India

• Firewalls and intrusion detection systems

• Physical security controls at data center facilities

• Regular security patches and updates

SECTION 11 - RIGHTS OF DATA PRINCIPALS UNDER DPDP ACT 2023

The Digital Personal Data Protection Act, 2023 grants all data subjects (individuals whose personal data is processed) specific rights. OneLern respects and facilitates the exercise of these rights.

11.1 Right to Access Information

You have the right to know what personal data OneLern holds about you. You may submit a request to receive:

• A copy of all personal data we hold about you

• Information about how and why the data is being processed

• Information about who has access to your data

To exercise this right, contact the Grievance Officer. OneLern will provide the requested information within 30 days.

11.2 Right to Correction and Erasure

You have the right to correct inaccurate personal data and request erasure of unnecessary data:

• Right to Correction: If your personal data is inaccurate or incomplete, you may request correction

• Right to Erasure: If personal data is no longer necessary for the purposes it was collected, you may request deletion

Exceptions: Erasure requests may be denied if data must be retained for legal compliance or if retention is justified by compelling legitimate interests.

11.3 Right to Grievance Redressal

If you believe your data has been processed in violation of your rights, you have the right to file a grievance:

• File with OneLern's Grievance Officer (Section 12 below)

• If unsatisfied with OneLern's response, appeal to the Data Protection Board of India

11.4 Right to Nominate

You may nominate another individual to exercise your data protection rights on your behalf. This is useful if you become incapacitated or deceased. The nominated individual must provide legal documentation of their authority.

11.5 Right to Withdraw Consent

You may withdraw your consent to data processing at any time by contacting the Grievance Officer. Withdrawal of consent will stop future processing, but does not affect the validity of prior processing that occurred with valid consent.

SECTION 12 - GRIEVANCE OFFICER AND DATA PROTECTION CONTACT

OneLern designates a Grievance Officer to handle complaints, requests, and grievances related to personal data processing and data protection.

12.1 Grievance Officer Details

19. Name: [Insert Full Name]

20. Designation: Data Protection Officer / Grievance Officer

21. Organization: FortunaPIX Private Limited (OneLern)

22. Email: legal@onelern.com

23. Address: Plot No. 101, Kavuri Hills - Phase II, Hyderabad, Telangana 500033, India

24. Telephone: [Insert Telephone Number]

12.2 How to File a Grievance

To file a grievance or request related to your personal data:

25. Send an email to legal@onelern.com with "Grievance" or "Data Access Request" in the subject line

1. Provide your name, email, and details of your request or complaint

2. Specify which right you are exercising (access, correction, erasure, etc.)

3. Attach any supporting documentation

12.3 OneLern's Response Obligation

OneLern will:

26. Acknowledge receipt of your grievance or request within 5 business days

1. Conduct a fair and impartial investigation

2. Provide a substantive response within 30 days of receipt

3. If more time is needed, provide interim updates every 15 days

4. Provide information about appeal options if you are dissatisfied

12.4 Appeal to Data Protection Board

If you are dissatisfied with OneLern's response, you may appeal to the Data Protection Board of India (once operational) or seek remedy through other legal channels. Information about appeals will be provided in OneLern's response.

12.5 No Retaliation

OneLern will not discriminate against, penalize, or retaliate against any individual for filing a grievance in good faith or exercising their data protection rights.

SECTION 13 - CROSS-BORDER DATA TRANSFERS

OneLern processes personal data of Indian users exclusively on servers located within India. Personal data of users in India is not transferred outside India except:

• As required by law or court order

• With explicit written consent from the data subject

• If the Indian government notifies that a particular country has adequate data protection (under DPDP Act provisions not yet in force)

This policy aligns with DPDP Act 2023 principles that personal data of Indian residents must generally be processed in India.

SECTION 14 - COOKIES AND TRACKING TECHNOLOGIES

The Platform may use cookies and similar technologies to enhance user experience and analyze usage patterns.

14.1 Types of Cookies

The Platform uses:

• Essential Cookies: Required for authentication and session management; necessary for Platform functionality

• Preference Cookies: Store user preferences (language, theme, etc.)

• Analytics Cookies: Track usage patterns to improve Platform features and performance

• Security Cookies: Protect against fraud and security threats

14.2 Cookie Management

Users can manage cookies through their browser settings. Disabling essential cookies may limit Platform functionality. For more information, see your browser's privacy settings or contact the Grievance Officer.

14.3 Tracking Technologies

OneLern may use web beacons, pixels, and similar tracking technologies for analytics and security purposes. No behavioral profiling or targeting is performed on minor students.

SECTION 15 - CHILDREN'S DATA SPECIAL PROVISIONS

Since the Platform is designed for K-12 educational use, special protections apply to Student data:

15.1 Mandatory Parental Consent

Parental/guardian consent is mandatory before any Student data processing. Schools must evidence this consent.

15.2 No Behavioral Monitoring or Profiling

OneLern will not:

• Conduct behavioral monitoring of Students

• Create psychological or personality profiles of Students

• Use algorithms to predict Student behavior or personality

• Engage in behavioral targeting or persuasion techniques

15.3 No Targeted Advertising

OneLern does not display targeted advertising to Students and does not use Student data for advertising purposes.

15.4 Data Minimization

OneLern collects the minimum amount of personal data necessary to provide educational services. Schools are encouraged to implement similar principles.

15.5 Extra Security for Student Data

Student personal data receives enhanced security protections including stronger encryption, more frequent security audits, and additional access controls.

15.6 Parental Monitoring

Parents have tools to monitor their child's educational progress, including viewing assignment submissions, assessment results, and progress reports.

SECTION 16 - CHANGES AND UPDATES TO THIS POLICY

OneLern may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or other factors.

16.1 Notice of Changes

For material changes to this Policy, OneLern will:

• Provide at least 30 days' written notice to Schools and users

• Announce changes via email to the institutional contact address

• Publish updated Policy on the Platform with clear marking of changes

16.2 Continued Use After Changes

Continued use of the Platform after the effective date of Policy changes constitutes acceptance of the revised Policy. Users who do not accept changes may request termination of their account.

16.3 Access to Policy Versions

OneLern maintains archived versions of this Policy. Previous versions are available on request to the Grievance Officer.

SECTION 17 - CONTACT INFORMATION

For any questions, requests, or concerns regarding this Privacy Policy and our data practices:

Email: legal@onelern.com

Grievance Officer: [Insert Name], legal@onelern.com

Institution Support: schools@onelern.com

Mailing Address: Plot No. 101, Kavuri Hills - Phase II, Hyderabad, Telangana 500033, India

Website: www.onelern.com | www.onelern.school

This Privacy Policy was last updated: April 8, 2026

Effective Date: April 8, 2026

‍

‍