PRIVACY POLICY
dheelearn.com
Effective Date: 22 April 2026
Version: 1.0
This Privacy Policy explains how dheelearn.com ("Dhee", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you and your child use the Dhee mobile application, website, and related services (the "Service").
This Policy is published in compliance with:
- the Digital Personal Data Protection Act, 2023 ("DPDP Act") and rules thereunder;
- the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011;
- the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021; and
- the Consumer Protection (E-Commerce) Rules, 2020.
By creating an account, providing parental consent for a Child, or otherwise using the Service, you acknowledge that you have read and understood this Policy. This Policy is incorporated by reference into our Terms and Conditions. Capitalised terms not defined here have the meanings given in the Terms.
1. SCOPE AND APPLICABILITY
This Policy applies to: (a) Parents and legal guardians ("Parents") who register a Parent Account; and (b) Children (typically Class 3–7, age 8–13) for whom a Parent Account is created.
A separate set of safeguards (Section 9) applies to Children, who are treated as "data principals who are children" under Section 9 of the DPDP Act.
2. THE DATA WE COLLECT
We follow the principle of data minimisation — we collect only what is strictly necessary to deliver the Service.
2.1 Data You Provide About Yourself (Parent)
| Category | Examples | Source |
|---|---|---|
| Identity | First name, last name | Account setup |
| Contact | Phone number, email address | Firebase Phone Authentication, account setup |
| Authentication | Phone OTP, parent PIN (stored as SHA-256 hash; raw PIN never stored) | Account setup |
| Billing identifier | RevenueCat anonymous app user ID, masked payment instrument metadata (last 4 digits, network) | Subscription purchase |
| Communications | Messages you send to support, safety, or grievance channels | When you contact us |
2.2 Data You Provide About the Child
| Category | Examples | Source |
|---|---|---|
| Identity | First name only | Child profile setup by Parent |
| Educational context | Grade (Class 3–7), board (CBSE / ICSE / IGCSE / IB), school city (optional) | Child profile setup by Parent |
| Avatar selection | Choice of in-app avatar | Child profile setup |
We do not collect the Child's full legal name, date of birth, profile photograph, school name, address, Aadhaar, or any other government identifier.
2.3 Data Generated Through Use of the Service
| Category | Examples | Retention |
|---|---|---|
| Session transcripts | Text of Dhee's questions and the Child's typed/spoken responses | 90 days, then anonymised |
| Speech audio | Child's voice during a tutoring session | Never stored. Transcribed in real-time and discarded immediately |
| Session photos | Photos of handwritten work uploaded during a session | Deleted within 24 hours of upload |
| Cognitive Portrait | A 4-axis pedagogical model (e.g., conceptual depth, application strength) computed from session signals | Until account deletion |
| Mastery and progress | Concepts mastered, attempts, mastery score, streak, badges | Until account deletion |
| Quota and usage | Daily session minutes, concept count toward free-trial cap | Rolling counters; aggregated after 30 days |
2.4 Device, Technical, and Diagnostic Data
| Category | Examples |
|---|---|
| Device | Model, OS version, app version, device language, time zone |
| Network | IP address (truncated for analytics), connection type |
| Identifiers | Firebase Installation ID, FCM push token, anonymous PostHog distinct ID |
| Diagnostics | Crash reports, ANR reports, non-fatal errors (collected via Firebase Crashlytics on the app and Sentry on the backend) |
| Performance | API latency, audio playback statistics, screen render timings |
2.5 Payment Data
We do not receive, process, or store full card numbers, CVV, UPI VPAs, or net-banking credentials. All payment processing is handled by Apple App Store, Google Play Store, and our subscription manager RevenueCat. We receive only the subscription state (active / trial / cancelled / expired), the plan SKU, the renewal/expiry timestamp, and a tokenised transaction reference for receipt verification.
2.6 Cookies and Similar Technologies
The Dhee mobile application is a native app and does not use browser cookies. The Dhee marketing website (www.dheelearn.com) uses:
- Strictly necessary cookies for session continuity and CSRF protection;
- Analytics cookies via PostHog and Firebase Analytics (anonymised, with India IP truncation), used only to count visits and understand which pages are useful.
No advertising cookies, no third-party tracking pixels, and no cross-site tracking are used anywhere in the Service.
3. HOW AND WHY WE USE YOUR DATA (PURPOSE LIMITATION)
We use personal data only for the following specified purposes, in line with Section 4 and Section 7 of the DPDP Act:
| Purpose | Data Used | Legal Basis (DPDP Act) |
|---|---|---|
| Authenticate the Parent and create the Parent Account | Phone number, OTP, PIN hash | Consent |
| Create and manage the Child profile and learning journey | Child first name, grade, board | Verifiable parental consent (Section 9) |
| Deliver tutoring sessions (generate questions, speak, listen, respond) | Session transcripts, mastery state, Cognitive Portrait | Verifiable parental consent |
| Personalise the Daily Plan and concept selection | Mastery and progress data | Verifiable parental consent |
| Enforce subscription quotas and free-trial limits | Usage counters, subscription state | Performance of contract; legitimate use |
| Process subscriptions, refunds, and tax invoices | Billing identifiers, RevenueCat receipts | Performance of contract; legal obligation (GST) |
| Send service-related notifications (session reminders, streak nudges, billing alerts) | FCM token, name | Verifiable parental consent |
| Maintain safety, prevent abuse, and respond to harmful AI outputs | Session transcripts, error reports | Legitimate use under Section 7 of the DPDP Act |
| Diagnose crashes and improve reliability | Crash and performance diagnostics | Legitimate use |
| Comply with legal obligations (tax, audit, court orders) | As required | Legal obligation |
We will not use personal data for any new purpose without first obtaining fresh consent.
We do not:
- profile children for advertising;
- conduct behavioural monitoring of children for any non-educational purpose; or
- target advertisements to children.
Each of these is expressly prohibited by Section 9(3) of the DPDP Act.
4. PARENTAL CONSENT (DPDP ACT, SECTION 9)
Because the Service is designed for Children, all data processing relating to a Child is conducted only after we obtain verifiable consent from the Parent or lawful guardian.
4.1 How We Obtain Consent
At the time the Parent creates a Child profile, we present a clear, plain-language consent screen describing: (a) the categories of data collected about the Child; (b) the purposes of processing; (c) the third parties (Section 5) to whom data may be disclosed; (d) the retention periods (Section 6); and (e) the Parent's rights (Section 8).
The Parent's affirmative action to proceed constitutes verifiable consent. The consent record (timestamp, app version, policy version, parent identifier) is stored for the lifetime of the account plus 3 years thereafter, in line with our legal obligations.
4.2 Withdrawing Consent
A Parent may withdraw consent at any time by:
- using the Delete Account option in the Parent app (Settings → Account → Delete); or
- emailing privacy@dheelearn.com from the registered email address.
Withdrawal of consent will result in deletion of the Child's profile and all associated learning data within 30 days, subject to limited retention required for legal, tax, or audit purposes (Section 6.2).
5. SHARING AND DISCLOSURE OF PERSONAL DATA
We do not sell, rent, or trade personal data to anyone, ever. We share data only in the limited circumstances below.
5.1 Sub-Processors and Service Providers
We rely on the following carefully selected processors. Each is bound by a written data-processing agreement requiring confidentiality, purpose limitation, and security standards no lower than our own.
| Processor | Purpose | Data Shared | Hosting Region |
|---|---|---|---|
| Google Cloud Platform (Firestore, Cloud SQL, Cloud Storage, Cloud Run, Memorystore Redis, BigQuery, Pub/Sub, Secret Manager) | Application hosting, databases, file storage | All application data | asia-south1 (Mumbai, India) |
| Firebase (Authentication, Cloud Messaging, Crashlytics, Analytics) | Phone authentication, push notifications, crash reporting, anonymised analytics | Phone number (Auth), FCM token, crash logs, anonymised event names | India + global |
| Anthropic (Claude API) | Generation of Socratic tutoring questions and feedback | Pseudonymised session context (concept ID, prior turns); no Parent identifiers | United States — see Section 7 |
| Google Cloud Vertex AI (Gemini 3.1 Flash TTS) | Converting Dhee's questions into speech | Question text only (no Child identifier) | asia-south1 where available |
| OpenAI (Whisper API, fallback only) | Speech-to-text when on-device recognition confidence is low | Short audio clip (≤ 30 seconds), discarded post-transcription | United States — see Section 7 |
| RevenueCat | Subscription lifecycle and receipt verification | Anonymous app user ID, plan SKU, store receipt | United States; SOC 2 Type II certified |
| Apple App Store / Google Play Store | Payment processing | Per the respective store's privacy terms | Global |
| PostHog Cloud | Product analytics (anonymised) | Anonymous distinct ID, event names, screen names | European Union |
| Sentry | Backend error monitoring | Stack traces, request metadata (PII scrubbed) | European Union |
We review this list at least once per year and update this Policy when sub-processors are added or changed.
5.2 Legal and Regulatory Disclosures
We may disclose personal data when required to do so by Indian law, including in response to:
- a lawful order from a court of competent jurisdiction;
- a written request from an authorised government agency under Section 91 of the Code of Criminal Procedure, 1973 (or its successor) or Section 14 of the DPDP Act;
- enforcement of our Terms or protection of the rights, safety, or property of Dhee, our users, or the public.
We will challenge requests we believe to be overbroad or unlawful. Where legally permitted, we will notify the affected Parent before disclosure.
5.3 Business Transfers
If the operator of dheelearn.com (or its successor entity) is involved in a merger, acquisition, or asset sale, personal data may be transferred to the successor entity. We will notify Parents by email and in-app at least 30 days before any such transfer, and the successor will be bound by terms no less protective than this Policy.
5.4 Aggregated and De-Identified Data
We may share aggregated, statistical, or de-identified data (e.g., "average session duration in Class 6 Science is X minutes") with partners, researchers, or the public. Such data does not identify any individual and is not subject to this Policy.
6. DATA RETENTION
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
6.1 Retention Schedule
| Data Type | Retention Period |
|---|---|
| Voice audio | Not retained (real-time only) |
| Session photos | 24 hours from upload |
| Session transcripts (identified) | 90 days |
| Session transcripts (anonymised, aggregated for safety review) | Up to 2 years |
| Mastery, progress, Cognitive Portrait | Lifetime of the account |
| Parent contact and account data | Lifetime of the account |
| Subscription and tax records | 8 years from the financial year of the transaction (CGST Act, 2017, Section 36) |
| Consent records | Account lifetime + 3 years |
| Crash and diagnostic logs | 90 days |
| Backups | 35 days, then permanently destroyed |
6.2 Deletion on Account Closure
When a Parent deletes the account or withdraws consent:
- Identified personal data is deleted from production systems within 30 days;
- Backups containing the data are purged on the next backup-rotation cycle (within 35 days thereafter);
- Subscription and tax records are retained in a restricted-access archive only as required by Indian tax law; and
- Anonymised analytics already stripped of identifiers may be retained indefinitely.
7. DATA LOCALISATION AND CROSS-BORDER TRANSFERS
The primary stores for personal data — Firestore, Cloud SQL, Cloud Storage, Redis, and BigQuery — are hosted in India (GCP asia-south1, Mumbai).
However, the following limited categories of data are transferred outside India for processing by sub-processors named in Section 5.1:
| Transferred Data | Destination | Safeguards |
|---|---|---|
| Pseudonymised session context for AI tutoring | United States (Anthropic) | Standard contractual clauses; Anthropic API contractually does not use customer data to train its models; no Parent or Child identifiers transmitted |
| Short fallback audio for STT | United States (OpenAI) | Standard contractual clauses; OpenAI API contractually does not use customer data to train its models; audio discarded post-transcription |
| Anonymised analytics events | European Union (PostHog) | EU GDPR adequacy maintained; Indian IP addresses truncated before transmission |
| Scrubbed error stack traces | European Union (Sentry) | EU GDPR adequacy maintained; PII scrubbing rules applied at source |
The Government of India may, by notification under Section 16 of the DPDP Act, restrict transfer of personal data to certain countries. If any such notification affects our sub-processors, we will migrate the relevant workloads or terminate the relationship as required, and update this Policy accordingly.
8. YOUR RIGHTS UNDER THE DPDP ACT
Under Chapter III of the DPDP Act, the Parent (acting on behalf of the Child) has the following rights:
| Right | What It Means | How to Exercise |
|---|---|---|
| Right of Access (s.11) | Obtain a summary of personal data we hold and the processing activities undertaken | Email privacy@dheelearn.com |
| Right of Correction and Erasure (s.12) | Correct inaccurate data, complete incomplete data, update outdated data, and erase data that is no longer needed | Email privacy@dheelearn.com or use in-app Settings |
| Right of Grievance Redressal (s.13) | Have grievances addressed by our Grievance Officer (Section 12) | Email grievance@dheelearn.com |
| Right to Nominate (s.14) | Nominate another individual to exercise these rights in the event of incapacity or death | Email privacy@dheelearn.com |
| Right to Withdraw Consent | Withdraw consent at any time, which will result in account deletion | In-app Delete Account, or email privacy@dheelearn.com |
We will respond to a verified rights request within 30 days. Identity verification (typically OTP on the registered phone number) is required to prevent unauthorised disclosure. There is no charge for the first request in any 12-month period; reasonable charges may apply for repetitive or manifestly unfounded requests.
If you are not satisfied with our response, you may lodge a complaint with the Data Protection Board of India established under the DPDP Act.
9. CHILDREN'S PRIVACY — SPECIAL PROTECTIONS
In addition to the protections elsewhere in this Policy, we apply the following Child-specific safeguards in line with Section 9 of the DPDP Act:
(a) No advertising or behavioural targeting is directed at Children, ever.
(b) No tracking of Children is performed across other apps or websites.
(c) No social features — Children cannot message, friend, follow, or otherwise communicate with any other user.
(d) Age-appropriate AI guardrails — the Claude-powered tutor is constrained by system prompts and content filters to age-appropriate, pedagogically appropriate output, and is restricted to the curriculum scope.
(e) No biometric or special-category data is collected. We do not use facial recognition, voiceprints, location, or health data.
(f) Minimal child identifiers — only first name, grade, and board are collected; no full name, DOB, address, or government ID.
(g) Transparency to Parents — Parents may, at any time, view the Child's session transcripts, progress, and Cognitive Portrait via the Parent tab of the app.
10. SECURITY OF YOUR PERSONAL DATA
We implement reasonable security practices and procedures as required by Section 8(5) of the DPDP Act and Rule 8 of the SPDI Rules, 2011. These include:
- Encryption in transit — TLS 1.2+ for all client-server and inter-service communication.
- Encryption at rest — AES-256 for Firestore, Cloud SQL, Cloud Storage, and backups.
- Secret management — all API keys and credentials are stored in Google Secret Manager; no secret is ever embedded in the mobile app binary or source code.
- Server-side AI calls only — the mobile app never holds an AI provider API key; all Claude, Gemini, and Whisper calls are proxied through our backend.
- JWT authentication at the API gateway for every request to every service.
- Strict Firestore security rules — billing and usage data are server-write-only; client writes are rejected.
- No PII in logs — applications are configured to ensure no transcripts, JWTs, phone numbers, or other identifying data are written to application logs.
- Access controls — production data is accessible only to a small set of authorised engineers under the principle of least privilege, with all access audited.
- Vulnerability management — automated dependency scanning, regular penetration testing, and a responsible-disclosure channel at security@dheelearn.com.
No system can be guaranteed 100% secure. While we use industry-standard safeguards, we cannot guarantee absolute security of data transmitted to or from the Service.
11. DATA BREACH NOTIFICATION
In the event of a personal data breach affecting your data, we will, in line with Section 8(6) of the DPDP Act:
(a) notify the Data Protection Board of India without undue delay; and
(b) notify affected Parents by email and in-app within 72 hours of becoming aware of the breach, including a description of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address it.
We additionally notify CERT-In within 6 hours as required by the CERT-In Directions of 28 April 2022, where applicable.
12. GRIEVANCE OFFICER (IT RULES, 2021)
In compliance with Rule 3(2) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the contact details of our Grievance Officer are:
Name: Kumar Saurabh
Designation: Grievance Officer
Email: saurabh@dheelearn.com
Hours: Monday to Friday, 10:00 to 18:00 IST (excluding public holidays)
The Grievance Officer will:
- acknowledge receipt of any grievance within 24 hours; and
- dispose of the grievance within 15 days of receipt.
13. DATA PROTECTION OFFICER (DPDP ACT)
Under Section 10 of the DPDP Act, where Dhee is notified as a Significant Data Fiduciary, a Data Protection Officer ("DPO") will be appointed and reachable at:
Name: [TO BE APPOINTED if/when classified as SDF]
Email: dpo@dheelearn.com
Until such notification, queries that would otherwise be directed to the DPO may be sent to privacy@dheelearn.com, and our Grievance Officer remains the primary point of escalation.
14. THIRD-PARTY LINKS
The Service may contain occasional links to external educational resources (for example, NCERT, DIKSHA, CK-12, Wikipedia). These third-party websites operate under their own privacy policies. We are not responsible for the practices of those services. We encourage Parents to review their privacy notices before allowing the Child to interact with them.
15. CHANGES TO THIS POLICY
We may update this Policy from time to time. When we do:
- the Effective Date at the top will be revised;
- the previous version will be archived and made available on request; and
- if the change is material (for example, a new category of data, a new sub-processor in a new country, or a new purpose), we will give the Parent at least 30 days' advance notice by email and in-app, and — where required by law — request fresh consent before the change takes effect.
Continued use of the Service after the Effective Date constitutes acceptance of the revised Policy, except where fresh consent is required.
16. CONTACT US
For all privacy-related queries, requests, and complaints:
| Purpose | Channel |
|---|---|
| Exercising DPDP rights (access, correction, erasure, withdrawal) | privacy@dheelearn.com |
| Grievance Officer escalation | grievance@dheelearn.com |
| Reporting harmful or inappropriate AI output | safety@dheelearn.com |
| Security vulnerability disclosure | security@dheelearn.com |
| General support | support@dheelearn.com |
This Privacy Policy is governed by the laws of India. Any disputes arising under or in connection with it are subject to the exclusive jurisdiction of the courts at Bengaluru, Karnataka, in accordance with Section 15 of our Terms and Conditions.