Privacy Policy

Effective date: 2026-05-15 (v0.2-draft)

This policy describes what information Bidya collects, why we collect it, how we use it, and the rights you have over it. Bidya is designed for use by middle and high school students, often via a parent-managed account; child-data protections (COPPA in the US, the Digital Personal Data Protection Act 2023 in India, and equivalent regimes elsewhere) apply.

1. What we collect

1.1 Account information

  • Parent accounts: email address, password hash (managed by Supabase Auth — we never see the plaintext password), display name, and acceptance timestamps for each consent document.
  • Student profiles: display name (typically a first name or nickname), grade level, preferred curriculum. A student profile may optionally have its own email and password if the parent invites the student to log in directly.

1.2 Learning data

  • Practice and quiz attempts, including the question shown, the student's answer, whether the answer was correct, and any AI-generated feedback.
  • Mastery levels per concept (computed from practice and quiz performance over time).
  • Explanation requests and the AI-generated explanations delivered to the student.
  • Chat messages between the student and the tutor (when the chat surface is used).
  • Reports submitted by students or parents about question quality.

1.3 Content the student submits

  • Text problems and photographs / screenshots that a student attaches to the “Help with a problem” flow.
  • Voice recordings, when voice features are used (not yet generally available at the time of this draft).

1.4 Technical data

  • Standard server logs (timestamps, IP address, user agent, request paths) used for diagnostics and abuse prevention.
  • Error reports, when an error occurs in the application (delivered via Sentry).
  • Aggregate page-view analytics collected by Umami, our self-hosted analytics tool. Umami stores page path, referrer, device class, country (derived from IP and then discarded), and a hashed anonymous identifier — it does not use cookies or cross-site identifiers, and it does not track individual users across sessions.
  • When you submit a “Report a problem” from the floating footer button, we record the page you were on, your user-agent string, the message text, and any contact email you choose to include.

2. What we don't collect

  • Third-party advertising identifiers, social-media trackers, or any tracking pixel that follows you across other sites. We do not run advertising on the Service and do not share data with ad networks.
  • Sensitive personal data unrelated to learning (e.g., health, political affiliation, religious belief).
  • Behavioral profiles about students for purposes other than improving their own learning experience.

3. How we use the data

  • To deliver the Service: surface the right curriculum, generate explanations and practice items, grade attempts, and track mastery.
  • To improve the Service: aggregated and anonymized analysis of performance and content quality, and review of flagged AI output.
  • To communicate with parents: account notifications, confirmation emails, and (where opted in) summary reports of their child's activity.
  • To meet legal obligations: respond to lawful requests, enforce the Terms of Service, and prevent abuse of the Service.

4. AI providers

We use three external AI services:

  • Anthropic Claude — runtime explanation, hint, walkthrough, and chat generation. When a student asks for an explanation or interacts with the chat tutor, the request (question text, prior conversation context, and any attached image) is sent to Anthropic to produce the response.
  • Azure OpenAI (GPT-5.4) — offline content authoring. We use it to bulk-generate the curriculum scaffolding, question bank items, and pre-cached explanations the student later sees. These calls happen at authoring time on our servers and do not include any individual student's identity or learning history; the prompt is the concept definition plus the target grade.
  • Microsoft Azure Neural HD TTS — narration audio synthesis. The text we send is the narration script for a cached explanation; the resulting audio is stored in our Supabase Storage and served to students.

We do not send a student's full identity (name, email) to any AI provider — only the content needed to produce the response and, where required, a server-side pseudonymous identifier.

5. Storage and security

  • Data is stored in PostgreSQL hosted by Supabase, currently in the Asia-Pacific (Tokyo) region. Cross-border transfer to Japan is permitted under applicable data protection law, including India's Digital Personal Data Protection Act 2023.
  • Audio narration and rendered figures are stored in Supabase Storage; signed URLs (where private) expire after one hour.
  • Connections use TLS in transit. Database access is restricted via row-level security policies on student-facing tables.
  • Passwords are managed by Supabase Auth and stored as bcrypt hashes; we never see plaintext.

6. Data sharing

We share data only with the providers that operate parts of the Service on our behalf (collectively, “Subprocessors”):

  • Supabase — Postgres database, authentication, and file storage.
  • Render — backend application hosting.
  • Vercel — frontend application hosting.
  • Anthropic — runtime LLM (Claude) for explanations, hints, chat, and walkthroughs.
  • Microsoft Azure (OpenAI service) — offline content authoring (GPT-5.4); no student data sent.
  • Microsoft Azure (Speech / TTS) — narration audio synthesis.
  • Upstash — Redis-compatible cache for rate limiting.
  • Sentry — error and performance monitoring.
  • Umami — self-hosted analytics (cookie-less, no cross-site tracking).
  • Resend — transactional email, only if and when email notifications are enabled (the pilot does not currently send any).

We do not sell personal data to anyone. We may disclose data when required by law, to enforce our Terms, or to investigate suspected abuse. In the event of a corporate change (acquisition, merger), data may transfer subject to the successor entity's commitment to honor this policy.

7. Children's privacy

Where a student is under the legal age of consent in their jurisdiction (under 13 in the United States; under 18 in India under the DPDP Act 2023), parental consent is required before we collect or process the student's data. The parent provides this consent during signup.

  • A parent has the right to access, correct, or delete the child's data, and to withdraw consent at any time.
  • We do not knowingly serve advertising to children, profile children for advertising, or sell children's data.
  • A parent can request deletion by emailing singh.chandranshu@gmail.com; we will delete or anonymize the child's data within 30 days, subject to legal retention obligations.

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you or your child.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Withdraw consent for processing where the processing relies on consent.
  • Lodge a complaint with your data protection authority.

To exercise any of these rights, contact singh.chandranshu@gmail.com. We will respond within the timeframe required by applicable law (typically 30 days).

9. Retention

We retain account and learning data for as long as the account is active. After deletion, learning attempts and mastery records may be retained in anonymized form (with the link to the student removed) for service-improvement analysis. Server logs are retained for up to 90 days for security and diagnostic purposes.

10. Changes to this policy

We may update this policy from time to time. When we do, we'll post the updated version here, bump the version string, and ask existing users to re-accept on their next sign-in if the change is material.

11. Contact

Questions about this policy or your data: singh.chandranshu@gmail.com.