Privacy Policy
GDPR
COPPA
DPDP Act 2023
Effective Date: 1 May 2025 | Last Updated: 6 May 2025
Summary: SPYRAL collects only the data needed to deliver our educational platform. We never sell your data. Students' data is protected with encryption. Parents can request deletion at any time.
1. Who We Are
SPYRAL ("we", "us", "our") is an AI-powered educational platform operated by AIRM Private Limited, registered in India. Our platform provides NEP 2020-aligned learning tools for students, teachers, parents, and schools.
2. Data We Collect
2.1 Account Registration
| User Type | Data Collected | Purpose |
| Student | Name, class, school, date of birth, email/ID | Account creation, progress tracking |
| Teacher | Name, email, school, employee ID | Account creation, dashboard access |
| Parent | Name, email, phone number, relationship to student | Account creation, progress reports |
| School Admin | School name, admin email, school ID | School management |
2.2 Usage Data
- Learning activity logs (simulations completed, scores, time spent)
- AI challenge attempts and results
- Login timestamps and session duration
- Device type and browser (for compatibility)
2.3 Payment Data
We do not store credit card or payment details. All payments are processed by Razorpay (India) or Stripe (International), which are PCI-DSS compliant. We only receive transaction confirmation and subscription status.
3. How We Use Your Data
- Provide and improve the SPYRAL educational platform
- Generate NEP-aligned performance reports for students
- Send progress updates to parents (with consent)
- Provide AI-powered personalized learning recommendations
- Run anonymized platform analytics to improve content quality
- Respond to support requests
- Comply with legal obligations
We do not use student data for advertising or for profiling for commercial purposes, and we do not sell data to third parties.
4. Children's Privacy (COPPA Compliance)
SPYRAL serves students, including those under 13 years of age. We comply with the Children's Online Privacy Protection Act (COPPA) and equivalent laws.
- Students under 13 can only register through their school or verified parent/guardian
- We collect only the minimum data necessary for educational purposes
- No behavioral advertising is shown to children
- No student data is sold or shared with third parties for commercial purposes
- Parents may request to review, correct, or delete their child's data at any time by emailing privacy@tryspyral.com
- Schools act as intermediaries and are responsible for obtaining parental consent before registering students
5. Data Sharing
We share data only with the following trusted service providers who are contractually bound to protect your data:
| Service | Purpose | Data Shared |
| MongoDB Atlas (AWS) | Database hosting | All account and activity data (encrypted at rest) |
| Mistral AI | AI-generated questions and feedback | Anonymized question context only — no student PII |
| Razorpay | India payment processing | Name, email, amount |
| Stripe | International payment processing | Name, email, amount |
| Brevo (ex-Sendinblue) | Transactional email | Name, email |
We never sell your personal data to any third party.
6. Data Retention
- Active accounts: Data retained for the duration of the subscription
- After account deletion: Personal data deleted within 30 days; anonymized usage data may be retained for research
- Activity logs: Retained for 5 years (educational audit purposes)
- Payment records: Retained for 7 years (legal/tax requirement)
7. Security
- All data encrypted in transit via TLS 1.2+
- Sensitive fields (phone numbers, contact details) encrypted at rest using AES-256-GCM
- Passwords hashed using bcrypt (minimum 12 rounds)
- JWT-based authentication with short-lived access tokens
- Database hosted on MongoDB Atlas with IP whitelisting and role-based access
- XSS protection via DOMPurify on all user interfaces
- Regular security audits
8. Your Rights
You have the following rights regarding your personal data:
- Access: Request a copy of your data
- Correction: Update inaccurate information
- Deletion: Request deletion of your account and data
- Portability: Receive your data in a machine-readable format
- Objection: Object to certain processing activities
- Withdraw Consent: At any time, without affecting prior processing
To exercise any right, email privacy@tryspyral.com. We will respond within 30 days.
9. GDPR — European Users
If you are located in the European Economic Area (EEA), UK, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR).
Lawful Basis for Processing
- Contract: Processing necessary to provide the platform service
- Legitimate Interest: Platform security, fraud prevention, analytics
- Consent: Marketing communications, optional cookies
- Legal Obligation: Financial records, compliance
Data Transfers
Your data may be stored on servers outside the EEA (India, USA via MongoDB Atlas). We ensure adequate protection through Standard Contractual Clauses (SCCs) with all processors.
Right to Lodge a Complaint
You may lodge a complaint with your local data protection authority. For the UK: ico.org.uk.
10. DPDP Act 2023 — Indian Users
We comply with India's Digital Personal Data Protection Act, 2023.
- We process personal data only for lawful purposes with your consent
- You may withdraw consent at any time by contacting us
- We appoint a Data Fiduciary responsible for compliance: privacy@tryspyral.com
- In case of a data breach, we will notify affected users and the Data Protection Board within 72 hours
- Grievance redressal: Contact our Data Protection Officer at privacy@tryspyral.com — we respond within 30 days
11. Cookies
We use only essential cookies required for authentication and security. We do not use tracking or advertising cookies.
| Cookie | Purpose | Duration |
| authToken | Authentication session | 7 days |
| refreshToken | Session renewal | 365 days |
| userType | Role-based access | Session |
You can manage cookies in your browser settings. Disabling essential cookies will prevent platform access.
For any privacy-related questions, data requests, or complaints:
We reserve the right to update this policy. Material changes will be announced via email or a prominent notice on the platform at least 14 days in advance.