- LEGAL DOCUMENT
Privacy Policy
Effective Date: 24th January 2026

Your Data Protection
We implement
comprehensive security
measures to safeguard
your information

FERPA & COPPA Compliant
Full compliance with
education privacy laws
across multiple
jurisdictions

Your Rights
Access, correct, or
delete your personal
data at any time
This Privacy Policy applies to visitors of the TutorCloud website and users of the TutorCloud platform:
- Students (school-linked and independent)
- Parents or legal guardians
- Teachers and educators
- School and district administrators
- Adult learners
- Visitors to our website and platform
Separate contractual agreements may apply to schools, districts, and institutional customers. Where such
agreements exist, they govern data handling for school-linked students in addition to this policy.
Depending on how TutorCloud is used, we act in different legal capacities:
2.1 School-Linked Students
- The school or district is the Data Controller.
- TutorCloud acts as a Data Processor and, where applicable, as a “school official” with legitimate
educational interest. - Data is processed only on documented instructions from the school or district.
2.2 Independent Students, Parents, Teachers, and Adult Learners
- TutorCloud acts as the Data Controller.
- We determine the purposes and means of processing personal data in accordance with this policy.
3.1 Information You Provide
- Name, email address, and account credentials
- Role information (student, parent, teacher, administrator)
- Grade level and subjects
- Parent or guardian contact details where required
3.2 Educational and Academic Data
- Readiness check and benchmark assessment results
- Learning plans and progress data
- Session history and mastery states
- Teacher-assigned or AI-recommended learning activities
3.3 Usage and Technical Data
- Log files, access timestamps, and activity records
- Device and browser information
- IP address and approximate location
TutorCloud provides services to children in K–12 education.
- We collect children’s personal data only for educational purposes.
- Parental or institutional consent is obtained as required by law.
- Children’s data is never used for advertising or marketing.
- Parents and schools may review, correct, or request deletion of children’s data, subject to applicable legal obligations.
A separate Children’s Privacy Notice provides additional detail.
We use personal data only for legitimate and lawful purposes, including:
- Providing and operating the TutorCloud platform
- Creating and managing learning plans
- Generating AI-based instructional content and learning recommendations
- Supporting teaching, facilitation, and academic progress
- Account management and user support
- Security, fraud prevention, and system integrity
- Legal and regulatory compliance
TutorCloud’s AI systems generate instructional content and learning recommendations but do not make automated decisions that determine academic outcomes, grades, advancement, or eligibility.
Depending on jurisdiction, we rely on one or more of the following:
- Consent (including parental consent for children)
- Performance of a contract
- Compliance with legal obligations
- Legitimate educational or operational interests
- Instructions from schools or districts (for school-linked students)
We may share personal data only with:
- Schools or districts (for school-linked students)
- Authorized teachers and administrators
- Service providers and sub-processors supporting platform operations
- Legal or regulatory authorities where required by law
We do not sell personal data.
TutorCloud operates globally. Personal data may be transferred and stored outside the user’s country of
residence.
Where required by law, we implement appropriate safeguards, such as contractual
protections, access controls, and security measures, to ensure lawful cross-border data transfers.
We retain personal data only for as long as necessary to:
- Fulfill educational and contractual purposes
- Comply with legal obligations
- Resolve disputes and enforce agreements
Retention periods may vary based on user role and applicable law. School-linked student
data is retained according to
school or district instructions unless otherwise required by law.
We implement administrative, technical, and organizational safeguards to protect personal data, including:
- Role-based access controls
- Encryption where appropriate
- Audit logs and monitoring
- Incident response procedures
No system is completely secure, but we take reasonable steps to protect personal data
from unauthorized access, loss, or misuse.
These safeguards operate within TutorCloud’s internal information security and AI risk management framework.
Depending on your location, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Request deletion or restriction
- Withdraw consent
- Object to certain processing
- Lodge a complaint with a data protection authority
Requests can be submitted using the contact details below. Requests relating to school-linked students may be
handled in
coordination with the school or district.
TutorCloud uses cookies and similar technologies to:
- Maintain sessions
- Improve platform functionality
- Analyze usage patterns
Details are provided in our Cookie Policy.
We may update this Privacy Policy from time to time. Material changes will be communicated through the platform or other appropriate means.
For privacy-related inquiries, requests, or complaints, contact:
Privacy Officer
TutorCloud
Email: [email protected]
Capitalized terms used but not defined in this Privacy Policy shall have the meanings assigned to them in the TutorCloud Definitions & Glossary.
TutorCloud India Private Limited is a company incorporated under the Companies Act, 2013, having its registered office at #31, 4th Floor, Above A2B Restaurant, Hebbal Outer Ring Road, Bengaluru, Karnataka 560094. TutorCloud is a “Data Fiduciary” within the meaning of Section 2(i) of the DPDPA in respect of personal data processed under this Policy.
This Policy applies to:
- Students (of all ages, including K-12 learners and adult learners aged 18 years and above) who use the Services directly or through a School, District, or Institution;
- Parents and legal guardians of Students under the age of 18 who provide verifiable consent under Section 9 of the DPDPA;
- Teachers, tutors, and administrators using the Services for educational delivery;
- Schools, districts, coaching institutes, colleges, universities, and other educational institutions (collectively, “Institutions”) that license the Services under our institutional (B2B2C) offering;
- Visitors to our website and any prospective users, donors, applicants, or business contacts.
This Policy does not apply to personal data processed by third parties whose services or websites you may access through the Services. Please review their respective privacy policies.
Certain Approved Equivalent: A category of data-processing activity approved by the Government of India where standard consent requirements may be modified.
Child: An individual who has not completed eighteen (18) years of age, as defined under Section 2(f) of the DPDPA.
Consent: Free, specific, informed, unconditional, and unambiguous indication of the Data Principal’s wishes, signified by clear affirmative action, as required under Section 6 of the DPDPA.
Consent Manager: A person registered with the Data Protection Board of India who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw consent.
Data Fiduciary: TutorCloud India Private Limited, being the person who alone or in conjunction with others determines the purpose and means of processing personal data.
Data Principal: The individual to whom the personal data relates; where the individual is a Child or a person with a disability, this includes their Parent or lawful guardian.
Data Processor: Any person who processes personal data on behalf of a Data Fiduciary.
Institution / School User: A school, district, coaching centre, college, university, or other educational entity that licenses the Services and its authorised users (administrators, teachers, students associated with the Institution).
Parent: A parent or lawful guardian of a Child.
Personal Data: Any data about an individual who is identifiable by or in relation to such data, as defined under Section 2(t) of the DPDPA.
Personal Data Breach: Any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity, or availability of personal data.
Sensitive Personal Data or Information (SPDI): Categories of information defined under Rule 3 of the SPDI Rules, including password, financial information, physical/physiological/mental health condition, sexual orientation, medical records, and biometric information.
Significant Data Fiduciary (SDF): A Data Fiduciary or class of Data Fiduciaries notified as such by the Central Government under Section 10 of the DPDPA.
Services: The TutorCloud.AI website, mobile applications, AI tutor, adaptive learning engine, generative learning content, proctoring features, and all related products, features, and offerings.
We collect the following categories of personal data, subject always to the consent obligations set out in Section 5 below.
3.1 Information you provide directly
- Identity and contact data — full name, username/handle, email address, mobile number, date of birth, gender (optional), country/state, and preferred language.
- Account credentials — password (stored in hashed form), security questions, two-factor authentication tokens.
- Profile data — grade/class, board of education, subjects of interest, learning goals, profile photograph (optional), and biographical details you choose to share.
- Parental/guardian data — for Students under 18, the Parent’s name, relationship to the Student, contact details, and government-issued ID reference (where required for verification of parental consent).
- Learning content and submissions — assignments, essays, code, drawings, quiz answers, voice recordings, and any content you generate or upload.
- Communications — messages sent through in-app chat, support tickets, feedback surveys, and correspondence with our team.
- Payment data — for paid subscriptions, billing name, billing address, GSTIN (if applicable), and last four digits of payment card / masked payment identifiers. Full payment card numbers are collected and processed by our PCI-DSS compliant payment processors and are not stored on our servers.
3.2 Information collected automatically
- Device and technical data — IP address, device type, operating system, browser type and version, unique device identifiers, mobile network information, and time zone.
- Usage data — pages viewed, features used, time spent, clickstream data, session duration, learning progress and performance metrics, error logs, and crash reports.
- Location data — approximate location derived from IP address (city/region level). We do not collect precise GPS location without your explicit consent.
- Cookies and similar technologies — see our Cookie Policy in Part III.
3.3 Information from third parties
- From Institutions — when you access the Services through your school, district, or institution, we may receive rostering data (name, grade, class, teacher assignments, student ID) from your Institution or through single sign-on (SSO), Learning Management System (LMS), Student Information System (SIS), or one-roster integration providers.
- From SSO providers — if you sign in using a third-party identity provider, we receive the profile information you authorise them to share (name, email, profile photo, and unique identifier).
- From payment processors — transaction confirmation, subscription status, and refund status.
- From your Parent or teacher — if a Parent or teacher creates an account on your behalf, they may provide the information listed in Section 3.1.
3.4 AI-generated interaction data
When you interact with our AI tutor, voice-based features, adaptive learning engine, generative content tools, or webcam-enabled engagement/proctoring features, we process the inputs you provide (text prompts, voice recordings, webcam frames where applicable) and the outputs the system returns, along with associated metadata (timestamps, model version, session identifier). See Section 7 for further detail on how AI features process your data.
- Directly from you — when you register, complete your profile, submit content, communicate with us, make a payment, or otherwise interact with the Services.
- Automatically — through cookies, log files, analytics tools, and similar technologies as you navigate and use the Services.
- From your Parent or Institution — where a Parent, teacher, or Institution creates your account, enrols you into a class, or provides supplementary data (e.g., grade, roster).
- From third-party integrations — SSO providers, LMS/SIS/rostering providers, and payment processors, subject to your (or your Institution’s) authorisation.
- From publicly available sources — for verification, fraud prevention, or business development purposes.
In accordance with Sections 4, 5, 6, and 7 of the DPDPA, we process personal data only for the lawful purposes stated below and either on the basis of your consent or, where permitted, on the basis of certain legitimate uses recognised under Section 7 of the DPDPA.
5.1 Purposes of processing
- Providing the Services — Creating and managing your account; delivering learning content; personalising your experience; enabling AI-powered tutoring, adaptive learning, and generative content features.
- Institutional service delivery — Rostering, class management, teacher-student communication, progress reporting to Institutions, gradebook synchronisation, and administrative analytics for Institutions.
- Parental oversight — Facilitating Parent access to a Child’s account, progress, and safety controls.
- Communication — Responding to your queries; sending service notices, security alerts, transactional confirmations, and (where you have opted in) marketing or newsletter communications.
- Safety, security, and abuse prevention — Detecting, investigating and preventing fraud, cheating, harassment, abusive content, security incidents, and breaches of our Terms of Use.
- Payments and billing — Processing subscription payments, invoicing, taxation, refunds, and financial reconciliation.
- Legal and regulatory compliance — Complying with applicable law, court orders, regulator directions, and lawful requests from public authorities.
- Product research and improvement — Analysing aggregated and de-identified usage data to improve the Services, develop new features, and conduct educational research.
- Business operations — Corporate audits, risk management, internal reporting, and (in the event of a merger, acquisition, or reorganisation) transfer of your data to a successor entity subject to equivalent protections.
5.2 Lawful basis
We process personal data under the DPDPA on one or more of the following bases:
- Consent (Section 6, DPDPA) — for most processing activities, we rely on your free, specific, informed, unconditional, and unambiguous consent, obtained through clear affirmative action.
- Verifiable parental consent (Section 9, DPDPA) — for processing personal data of a Child (under 18), we obtain verifiable consent from the Parent before processing.
- Legitimate uses (Section 7, DPDPA) — including where the Data Principal has voluntarily provided personal data for a specific purpose without indicating objection, for compliance with judgment/decree/order of a court or authority, for medical emergency, or for employment-related purposes (as applicable).
- Contractual necessity — where processing is necessary for the performance of a contract to which you are a party (e.g., a paid subscription).
5.3 Consent Notice and Withdrawal
Where processing is based on consent, we present a plain-language notice at or before the point of collection, containing the information required under Section 5 of the DPDPA and Rule 3 of the DPDP Rules 2025. You may withdraw your consent at any time by writing to us at [email protected] or using the in-app consent-management dashboard. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal, and may impact your ability to use certain parts of the Services.
We also support consent management through Consent Managers registered with the Data Protection Board of India, once such a facility is operational under the DPDP Rules
We adopt the reasonable security practices set out in the SPDI Rules for any Sensitive Personal Data or Information we may collect (for example, financial information for subscription payments). We do not collect biometric data, health information, sexual orientation data, caste, religion, or political opinions of Data Principals as part of the Services, and you should not upload such data to your account or into our AI features.
Where we use webcam-based engagement or proctoring, we process video imagery strictly on an opt-in basis, only during authorised sessions, and only for the disclosed purpose. Recordings, where required by an Institution, are retained under the Institution’s data-processing instructions and are not used to train any AI model.
Our Services include AI-powered features. This section describes how those features work and the protections we apply.
7.1 AI features
- AI tutor / chatbot — text-based conversational tutoring, hint generation, explanation, and Q&A.
- Voice/speech recognition — spoken answers and voice-based practice.
- Adaptive learning and personalisation — recommending content, difficulty, and next-best-action based on your learning trajectory.
- Generative content — producing essays, images, code, feedback and worked solutions as learning aids.
- Video/webcam analysis — proctoring and engagement analytics (opt-in and disclosed at the point of collection).
7.2 Use of third-party Large Language Models (LLMs) and AI APIs
We use third-party AI service providers (including large language model APIs and speech-processing APIs) to power certain AI features. In doing so, we apply the following privacy-by-design safeguards:
- No PII in prompts — we do not transmit your name, email, mobile number, date of birth, account identifier, Institution identifier, physical address, payment details, or other directly identifying personal data to third-party LLM/AI providers. Inputs are stripped, tokenised, or pseudonymised before transmission.
- No training on user data — our contractual arrangements with third-party AI providers expressly prohibit them from using inputs or outputs generated through the Services to train, fine-tune, or improve their generally-available models.
- Zero-retention or short-retention modes — wherever available, we enable zero-retention or short-retention configurations offered by AI providers.
- Contractual protections — all third-party AI providers are engaged under written agreements imposing confidentiality, security, and purpose-limitation obligations equivalent to those required under Section 8 of the DPDPA.
- Human oversight and safety filters — we deploy safety filters, content moderation, and human review mechanisms to reduce hallucination, bias, and harmful output.
7.3 AI limitations and your acknowledgement
AI-generated output is provided as a learning aid and may contain errors, omissions, or outdated information. You should independently verify any factual, mathematical, or citation-related content. AI features are not a substitute for professional advice (medical, legal, financial, psychological, etc.). Do not include personal data, sensitive information, or the personal data of others in your inputs to AI features.
TutorCloud is committed to protecting the personal data of Children. Under Section 9 of the DPDPA, a Child is any individual who has not completed 18 years of age.
8.1 Verifiable Parental Consent
Before processing the personal data of a Child, we obtain verifiable consent from the Child’s Parent or lawful guardian in the manner prescribed under the DPDP Rules. Verifiable consent may be obtained through methods such as government-issued digital identity verification (e.g., DigiLocker), a signed consent form, a Parent-linked email confirmation, a small payment verification, or another Government-recognised method.
8.2 Restrictions on processing Children’s data
- We do not undertake behavioural monitoring or targeted advertising directed at Children.
- We do not process Children’s data in any manner likely to cause detrimental effect on the well-being of the Child.
- We restrict public-facing features (e.g., open profiles, public forums) for Child accounts by default.
- We do not knowingly sell, rent, or trade Children’s personal data.
8.3 School-mediated consent
Where a Child accesses the Services through an Institution as part of the Institution’s educational programme, the Institution acts as the Child’s authorised representative for the purpose of providing certain consents necessary to deliver the educational service, subject to the Institution first obtaining the Parent’s consent as required under applicable education and privacy laws.
When TutorCloud is licensed by an Institution for educational purposes (“Institutional Services”):
- The Institution is the Data Fiduciary in respect of Students enrolled by the Institution; TutorCloud acts as a Data Processor under written instructions from the Institution.
- The processing is governed by our Data Processing Agreement (DPA) with the Institution, in addition to this Policy.
- Rostering, class assignment, progress reports, and administrator dashboards are provided to the Institution and its authorised users (teachers, administrators) only.
- Student personal data collected under the Institutional Services is not used for marketing purposes or for the development of unrelated features.
- Institutional Services are delivered in a manner designed to comply with applicable education laws in India, including the National Education Policy, 2020 and CBSE/State Board rostering guidance where applicable.
10.1 Parental rights
- Access — to view the categories of personal data collected from the Child.
- Correction — to correct or update inaccurate or outdated data.
- Deletion — to request deletion of the Child’s account and personal data (subject to retention obligations under law).
- Withdrawal of consent — to withdraw consent for further processing at any time.
- Complaint — to file a complaint with the Data Protection Board of India.
10.2 Parental responsibilities
- Provide accurate information at the time of granting consent.
- Supervise the Child’s use of the Services in accordance with the Terms of Use.
- Educate the Child about safe online conduct, appropriate use of AI features, and confidentiality of account credentials.
- Notify us promptly if you believe the Child’s account has been compromised or is being used inappropriately.
- Ensure that the Child does not submit personal data (their own or of others), sensitive personal information, or objectionable content into any AI feature.
We do not sell your personal data. We disclose personal data only in the circumstances described below:
- Service providers and processors — cloud hosting, database and storage providers, analytics platforms, communication tools (email, SMS, video), payment processors, customer support tools, and AI/LLM API providers. All such processors are engaged under written contracts imposing confidentiality, security, and purpose-limitation obligations equivalent to those required under Section 8 of the DPDPA.
- Institutions — where you use the Services through your Institution, your personal data is shared with the Institution and its authorised users for the educational purposes described in Section 9.
- Parents/guardians — for Child accounts, we share the Child’s account information, learning activity, and safety-related data with the linked Parent.
- Third-party integrations — SSO, LMS, SIS, rostering, communication, or payment integrations that you or your Institution authorise. Such third parties process your data under their own privacy policies.
- Legal requests — to law enforcement agencies, courts, regulators, or other public authorities where required by law, court order, or regulatory direction, or where necessary to protect the rights, property, or safety of TutorCloud, our users, or others.
- Business transfers — in connection with a merger, acquisition, financing, reorganisation, sale of assets, or insolvency, subject to the acquiring party undertaking to honour equivalent privacy protections.
- Aggregated or de-identified data — statistical, aggregated, or de-identified data that cannot reasonably be used to identify you may be shared for research, benchmarking, marketing, or product development.
We host personal data of Indian Data Principals within India. Primary data storage and processing infrastructure for the India Services is located within the territory of India.
In limited circumstances — such as when your data is processed by a third-party AI/LLM provider whose service is delivered from outside India, or for global business support functions — personal data (in pseudonymised form where practicable) may be transferred to jurisdictions outside India. Any such transfer will:
- Comply with Section 16 of the DPDPA and any restrictions notified by the Central Government from time to time (including any list of restricted jurisdictions);
- Be effected under written contracts imposing equivalent protection;
- Exclude, wherever possible, directly identifying personal data.
If the Central Government notifies any jurisdiction as restricted, we will cease transfers to that jurisdiction within the timeframes prescribed.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention criteria are set out below.
| Category | Retention Period |
|---|---|
| Account data (name, email, credentials) | For the duration of your active account plus 90 days after account closure, unless a longer period is required by law. |
| Learning content and progress | For the duration of the account; upon account closure, retained in de-identified/aggregated form for research and product improvement. |
| Payment and tax records | 8 years from the end of the relevant financial year, as required under the Companies Act, 2013 and Income Tax Act, 1961. |
| Institutional data | In accordance with the retention period specified in the DPA with the Institution; typically for the duration of the licence plus 12 months, subject to Institutional deletion instructions. |
| Support tickets and communications | 36 months from the date of resolution. |
| Cookies and analytics logs | As specified in the Cookie Policy (Part III). |
| AI interaction logs | 90 days for operational logs; longer retention (up to 12 months) for safety and abuse investigations. |
| Video/webcam recordings (proctoring) | As instructed by the requesting Institution; typically deleted within 90 days of session completion unless required for dispute resolution. |
Upon expiry of the retention period, we securely delete or irreversibly anonymise the personal data. You may request deletion at any earlier point in accordance with Section 15.
In accordance with Section 8(5) of the DPDPA, Rule 8 of the DPDP Rules, and Rule 8 of the SPDI Rules, we implement reasonable technical, physical, and organisational security measures, including:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Role-based access control (RBAC), least-privilege access, and multi-factor authentication for administrative access.
- Network segregation, firewalls, intrusion-detection systems, and continuous security monitoring.
- Regular vulnerability assessments, penetration testing, and code reviews.
- Security awareness training for all personnel with access to personal data.
- Documented incident response and breach notification procedures.
- Alignment with ISO/IEC 27001 (ISMS) and ISO/IEC 27701 (PIMS) frameworks.
No system is completely secure. If you believe your account has been compromised, please notify us immediately at [email protected].
Sections 11 to 14 of the DPDPA grant you the following rights in respect of your personal data:
- Right to information — obtain a summary of the personal data being processed and processing activities.
- Right to correction and erasure — request correction of inaccurate/misleading data, completion of incomplete data, updating of outdated data, and erasure of personal data no longer necessary for the disclosed purpose.
- Right to grievance redressal — approach our Grievance Officer (see Section 17) with any concern.
- Right to nominate — nominate another individual to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent — at any time, with prospective effect.
- Right to file a complaint with the Data Protection Board of India (see Section 17).
15.1 How to exercise your rights
You may exercise your rights by:
- Using the in-app privacy dashboard under Settings > Privacy;
- Writing to our Grievance Officer at the address in Section 17;
- Engaging a registered Consent Manager (once available).
We will respond to your request within thirty (30) days of receipt (or such shorter period as prescribed under the DPDP Rules). We may verify your identity and, in the case of a Child, may require verification of the Parent’s identity before acting on the request.
Our use of cookies, pixels, web beacons, local storage, and similar technologies is described in the Cookie Policy set out in Part III of this document. Where consent is required, we will present a cookie consent interface at your first visit and allow you to update your preferences at any time.
17.1 Grievance Officer
In accordance with Rule 3(11) of the Intermediary Rules and Section 8(9) of the DPDPA, we have appointed a Grievance Officer:
- Name: Nishil Deepak
- Designation: Grievance Officer, TutorCloud India Private Limited
- Email: [email protected]
- Postal address: #31, 4th Floor, Above A2B Restaurant, Hebbal Outer Ring Road, Bengaluru, Karnataka 560094
- Response commitment: We will acknowledge receipt of your grievance within 48 hours and aim to resolve it within 45 days from the date of receipt.
17.2 Data Protection Officer (DPO)
If we are notified as a Significant Data Fiduciary under Section 10 of the DPDPA, we will appoint a Data Protection Officer whose contact details will be published on the Services. Interim contact: [email protected]
17.3 Data Protection Board of India
If you are dissatisfied with our response, you may lodge a complaint with the Data Protection Board of India constituted under Section 18 of the DPDPA, once operational, or with the Ministry of Electronics and Information Technology (MeitY) in the interim.
Changes to this Policy and Contact
TutorCloud India Private Limited
#31, 4th Floor, Above A2B Restaurant, Hebbal Outer Ring Road,
Bengaluru, Karnataka 560094
Email: [email protected]