DPDP Compliance
How ClassGini complies with India's Digital Personal Data Protection Act, 2023 (DPDP Act) — and what that means for schools, parents, students, and staff.
1. Our role under DPDP
India's Digital Personal Data Protection Act, 2023 (“DPDP Act”) governs the processing of digital personal data of individuals in India. Under DPDP:
- A Data Fiduciary is the entity that decides the purpose and means of processing personal data.
- A Data Processor processes data on behalf of the Fiduciary.
- A Data Principal is the individual whose data is processed.
For data uploaded by schools using ClassGini:
- The school is the Data Fiduciary — they decide what student/staff data to collect and why.
- ClassGini is the Data Processor, processing that data strictly per the school's instructions and these terms.
- Students, parents, and staff are the Data Principals whose data is processed.
For data you give us directly (your account, billing details, support tickets), ClassGini is the Data Fiduciary.
2. Lawful processing
We process personal data only when one of the lawful grounds under DPDP applies:
- Consent — clear, specific, informed, free, unconditional, and unambiguous. We use opt-in checkboxes for marketing communications and analytics cookies.
- Certain legitimate uses — to provide the Service the school has subscribed to, for legal compliance, for safety, or for medical emergencies.
Schools must obtain their own lawful basis (typically parental consent) before uploading minors' data to the platform. ClassGini relies on the school's representation that such consent exists.
3. Data Principal rights
Under DPDP, Data Principals have the right to:
- Access — request a summary of personal data being processed and the identities of all Fiduciaries / Processors who have it.
- Correction & erasure — request that inaccurate or outdated data be corrected, or that data no longer required be erased.
- Grievance redressal — raise complaints with the Data Fiduciary (your school) or with us.
- Nominate — appoint another individual to exercise rights in case of death or incapacity.
- Withdraw consent — at any time, with the same ease as it was given. Withdrawal does not affect prior lawful processing.
Primary channel: write to your school's administrator first (they are the Data Fiduciary). If the matter is not resolved, write to ClassGini at grievance@classgini.com.
4. Children's data
DPDP defines a child as anyone under 18 years of age. Processing children's data requires verifiable parental consent. ClassGini does not directly collect children's data from children — schools (as Data Fiduciaries) are responsible for obtaining and maintaining parental consent. We:
- Do not run behavioural tracking, targeted advertising, or surveillance on student accounts.
- Do not process children's data for any purpose detrimental to their well-being.
- Provide age-appropriate features (no public profiles, no peer-to-peer payment links, no untrusted external integrations).
5. Security safeguards
- TLS 1.2+ in transit; AES-256 for backups at rest.
- Role-based access control with the principle of least privilege.
- OTP gating for destructive operations (account/school deletion, admin password changes).
- Audit logs of administrative actions retained for at least 1 year.
- Annual independent security review.
- Encrypted backups, geographically distributed, retained per Data Deletion Policy.
6. Personal data breach
In the event of a personal data breach affecting Indian users, ClassGini will:
- Notify the Data Protection Board of India within the timeline prescribed under DPDP rules.
- Notify affected schools (Fiduciaries) without undue delay so they can in turn notify their Data Principals.
- Provide details of the breach: nature, categories of data, approximate number of records, likely consequences, mitigation steps taken.
To report a suspected breach, write to security@classgini.com with as much detail as you safely can.
7. Cross-border transfers
Our primary infrastructure is in India. Limited operational data (error logs, performance metrics) may transit through service providers in jurisdictions designated as permissible under DPDP Section 16. We do not transfer personal data to countries restricted by the Government of India.
8. Data retention
We retain personal data only as long as needed to provide the Service and meet legal obligations. See our Data Deletion Policy for specifics. Schools can request early deletion of personal data of a Data Principal who is no longer associated with them (e.g. an alumnus, a former parent), subject to lawful retention obligations.
9. Significant Data Fiduciary considerations
Where ClassGini is itself a Data Fiduciary (for our own account/billing data), we monitor whether we cross thresholds that would categorize us as a Significant Data Fiduciary under DPDP. If so, we will appoint a Data Protection Officer in India and undergo periodic Data Protection Impact Assessments as required.
10. Grievance officer
For DPDP-related complaints, contact our Grievance Officer:
Name: Grievance Officer
Email: grievance@classgini.com
Address: ClassGini Inc., Bengaluru, Karnataka — India
We respond within 30 days of receipt. If not resolved to your satisfaction, you may escalate to the Data Protection Board of India.
11. Updates
DPDP rules and operational guidelines are still being clarified by the Government of India. We update this page as new rules come into force. Material changes are also notified to school administrators by email.
This page provides a plain-language overview of our DPDP compliance posture. It is not legal advice. Schools and individuals should consult their own counsel for specific compliance questions.