EXECUTIVE SUMMARY AND COMMITMENT

Teachrity ("we," "us," "our," or "Company") recognizes that educational data is among the most sensitive personal information entrusted to any organization. This Privacy and Security Policy outlines our comprehensive approach to collecting, processing, storing, protecting, and responsibly managing personal information from educational institutions, students, teachers, and other users of our AI-powered simulation platform. This policy reflects our commitment to transparency, accountability, and the highest standards of data protection, even as we work toward formal SOC 2 Type II certification and increasingly align our practices with GDPR principles to serve educational institutions across diverse jurisdictions.

The Teachrity platform is designed exclusively for educational and learning purposes. We process data to deliver AI-enabled simulation training, conversational learning experiences, micro-teaching evaluation, skill development simulations, and related educational services. As educational technology evolves to include voice interactions, conversational role-plays, and advanced analytical features, this policy establishes clear boundaries around how such data is collected, used, retained, and protected.

1. SCOPE AND APPLICABILITY

1.1 Who Is Covered by This Policy

This Privacy and Security Policy applies to:

• Educational Institutions (Customers): Universities, colleges, teacher training institutions, B.Ed colleges, MBA programs, BBA programs, B.Com programs, and corporate training organizations that subscribe to Teachrity services.
• End Users: Students, teachers, educators, faculty members, and other individuals who access or use Teachrity's platform directly or through their educational institution.
• Data Subjects: Any individual whose personal data is processed by Teachrity in connection with delivering or supporting our services.

The policy covers all forms of personal data processed by Teachrity through our website (www.teachrity.com), mobile applications, APIs, and any features, tools, or services that require registration or data submission.

1.2 Third-Party Sites and Services

Our website and services may contain links to third-party websites, applications, or services that are not operated or controlled by Teachrity. This Privacy Policy does not apply to third-party websites or services, and we are not responsible for their privacy practices. We strongly recommend that you review the privacy policies of any third-party services you access.

1.3 International Scope

Teachrity currently operates primarily in India and serves educational institutions across India. However, given the global nature of educational technology and our aspirations to expand internationally, this policy incorporates principles and safeguards that align with international privacy standards including GDPR requirements for EU users.

2. DEFINITIONS AND KEY CONCEPTS

2.1 Personal Data

Personal data refers to any information relating to an identified or identifiable natural person. In the context of Teachrity services, this includes:

• Identifiers: Name, email address, phone number, institutional email address, IP address, device identifier, and any unique identifier assigned by Teachrity.
• Educational Information: Student records, academic performance, assessment scores, transcript data, learning progress, educational history, course enrollment, grades, feedback, and educational achievements.
• Professional Information: Teacher qualifications, credentials, work history, employment status, institutional affiliation, role within the educational institution.
• Communication Data: Emails, chat messages, feedback submissions, survey responses, and any written communications made through Teachrity's platform.
• Voice and Conversational Data: Voice recordings from simulations, conversational transcripts, voice interaction logs, and metadata about voice interactions.
• Biometric Data: Voice prints, vocal patterns, and voice-derived characteristics that may be collected during voice-based simulations or conversational interactions.
• Behavioral Data: Login patterns, platform usage statistics, feature usage, interaction frequency, assessment completion patterns.
• Technical Data: Browser type, operating system, device type, connection speed, and other technical information about how users interact with our systems.

2.2 Processing and Data Controller

Data processing refers to any operation performed on personal data, including collection, storage, use, analysis, transmission, deletion, or any other handling of information. Teachrity acts as a data controller when we determine the purposes and means of data processing. In cases where we process data on behalf of educational institutions, we act as a data processor.

2.3 Voice and Biometric Data

Voice-based simulations and conversational AI features represent a significant evolution in educational technology. Voice data includes the raw audio recording and any derived data extracted from that audio. Because voice contains both linguistic information and potentially unique biometric identifiers, we treat it with heightened security measures.

3. DATA COLLECTION: WHAT WE COLLECT AND WHY

3.1 Data Collected from Educational Institutions and Users

A. Mandatory Information for Account Setup and Service Delivery

When an educational institution partners with Teachrity or when a user creates an account, we collect essential information necessary to deliver services:

• Institution Details: Institution name, type, address, point of contact information, department details, institutional website.
• User Profile Information: Full name, email address, phone number, job role or student status, department affiliation.
• Account Credentials: Usernames, encrypted passwords, security questions, and authentication factors.

Purpose: This information is strictly necessary to set up accounts, authenticate users, deliver platform services, and provide technical support.

B. Educational and Performance Data

As users engage with Teachrity's simulations and learning tools, we collect extensive educational data:

• Simulation and Assessment Data: All interactions within educational simulations, assessment scores, learning outcomes, self-evaluation responses.
• Voice Simulation Data: Voice recordings of simulation attempts, transcripts, timestamps, and related metadata.
• Conversational AI Interaction Data: Complete conversation transcripts, dialogue metadata.
• Learning Analytics: Login frequency, feature usage, time on platform, assessment completion rates.

Purpose: Essential to deliver personalized learning experiences, track educational progress, generate performance assessments, and provide learning analytics.

C. Communication and Support Data

• Support communications, email messages, chat logs, support tickets.
• Institutional communications regarding contracts, feature requests, integration issues.
• In-platform communication between students and teachers.

D. Technical and System Data

• Device information, usage logs, authentication events.

Purpose: Necessary to maintain platform security, diagnose technical issues, prevent fraud, and ensure service availability.

3.2 Data We Do NOT Collect

To respect privacy and align with data minimization principles, Teachrity explicitly does not collect:

• Precise geographic location (no GPS tracking)
• Genetic data
• Health information (except when voluntarily disclosed in educational context)
• Financial information (handled by third-party payment processors)
• Emotion inference from voice or video
• Personal financial or sensitive lifestyle data (religious beliefs, political opinions, etc.)

4. HOW WE COLLECT DATA

4.1 Direct Collection

Data is collected directly from users and institutions through:

• Account registration forms
• Platform interactions and simulations
• Voice and conversational simulations
• Institutional integration with student information systems
• Voluntary submissions (feedback forms, survey responses)
• Administrative uploads by institution staff

4.2 Automated Data Collection

• Cookies and Tracking Technologies: We use cookies to track user preferences, maintain sessions, and analyze platform usage.
• Analytics Tools: We use analytics services to understand platform navigation and feature usage.
• Server Logs: Automatic logging of technical information for security monitoring.
• Audio and Video Recording: Captured during simulations with explicit consent.

4.3 Data Received from Third Parties

• Data from institutional systems (SIS, LMS integrations)
• Third-party authentication providers (SSO)
• LLM providers and service vendors (metadata only)

5. SPECIAL CONSIDERATIONS FOR VOICE AND CONVERSATIONAL AI DATA

5.1 What Constitutes Voice and Biometric Data

Voice data collected during Teachrity simulations includes:

• Raw audio recordings
• Transcripts (text versions of spoken words)
• Voice metadata (date, time, duration, audio quality)
• Voice biometric data (unique vocal characteristics)

5.2 Collection and Consent for Voice Data

Explicit Consent Requirement: Teachrity collects voice data only with explicit, informed consent obtained before recording begins.

• Direct User Notification: Clear disclosure before recording with affirmative consent required.
• Consent Documentation: Maintained records of when consent was granted.
• Easy Opt-Out: Users can withdraw consent at any time.

5.3 Use of Voice Biometric Data

Teachrity's voice simulations may involve analysis of voice characteristics for educational purposes:

• Voice recognition for student identification (optional, requires separate consent)
• Speech quality metrics for learning feedback
• Speaker diarization in multi-speaker simulations

Important Limitation: Teachrity does not create permanent voice biometric templates for identification or tracking purposes. We do not sell, lease, trade, or use voice biometric data for commercial purposes.

5.4 Conversational AI Transcripts and Data Retention

Complete transcripts are generated during conversational simulations, including student responses, AI system responses, and technical metadata.

Retention: Transcripts are retained for 12 months after completion, then deleted unless institutional records require longer retention.

5.5 Use of Data for AI Model Improvement

Teachrity uses conversational data to improve AI system accuracy and educational effectiveness with the following protections:

• Anonymization and pseudonymization of training data
• Sensitive information redaction
• Institutional data segregation
• Opt-out mechanisms available

Third-Party LLM Providers: We configure all API calls to opt out of data retention by providers like OpenAI, Google, and Anthropic.

6. SPECIAL PROTECTIONS FOR MINORS AND YOUTH

6.1 Age of Users and Minor Definition

Teachrity recognizes that educational users include minors (individuals under 18 years old). We comply with COPPA (US), GDPR (EU), and India's DPDP Act.

6.2 Parental Consent for Minors

School Official Exception: Educational institutions often serve as agents of parents and can consent to data collection on parents' behalf under COPPA.

Even with school consent, parents have rights including:

• Notification for voice recording and biometric data
• Opt-in consent for optional advanced analytics
• Right to opt-out of voice/biometric data collection
• Parent portal access to view child's learning progress

6.3 Data Protection for Minors in Voice and Conversational Simulations

• Shorter Retention: Voice recordings of minors retained for only 30 days (vs. 90 days for adults)
• Limited Biometric Analysis: No voice biometric templates for users under 18
• No Emotion Detection: Not used for any user, especially minors
• Parental Right to Deletion: Can request deletion at any time

6.4 Age Verification and Digital Literacy

Institutions confirm age categories when setting up classroom profiles, and teachers can configure age-appropriate features and analytics.

7. LEGAL BASIS AND PURPOSE LIMITATION

7.1 Why We Process Data: Legal Bases

Teachrity processes personal data only when we have legal justification:

• A. Performance of a Contract: Necessary to deliver contracted services
• B. Legal Obligation: Required by law (backups, security logging, incident reporting)
• C. Legitimate Interests: Platform improvement, security, technical diagnostics
• D. Consent: For non-essential uses like voice biometric analysis or AI model training

7.2 Purpose Limitation

Core Principle: Teachrity collects data for specific educational purposes and does not use data for purposes unrelated to education without explicit consent.

Permitted Uses:

• Delivering platform services and features
• Generating personalized learning recommendations
• Providing performance feedback
• Creating learning analytics reports
• Improving educational effectiveness
• Fraud prevention and security monitoring

Prohibited Uses:

• Selling student data to third parties
• Creating personal profiles for non-educational purposes
• Targeting advertisements to students
• Sharing with insurance, employers, or financial institutions without consent

8. DATA SHARING AND THIRD-PARTY TRANSFERS

8.1 Principle of Minimal Sharing

We share personal data with third parties only when necessary to deliver services, comply with legal requirements, or protect safety. We do not sell educational data.

8.2 Categories of Third Parties Who May Receive Data

A. Service Providers and Data Processors

• Cloud Infrastructure Providers: AWS, Google Cloud, Microsoft Azure (with Data Processing Agreements)
• Payment Processors: Stripe, Razorpay (PCI-DSS compliant, no educational data)
• LLM Providers: OpenAI, Google, Anthropic (minimized data, opt-out of retention)
• Email and Communication Providers: AWS SES for transactional emails
• Transcription Services: Contractually prohibited from retaining audio
• Analytics Tools: Configured to minimize PII collection

B. Educational Institutional Partners

Data flows between Teachrity and institution systems (SIS, LMS). Institutions retain ownership and control.

C. Law Enforcement and Legal Requests

Data disclosed only when required by law, with verification of legitimacy and minimum disclosure.

D. Institutional Administrators and Educators

Role-based access control ensures educators see only relevant data for their teaching responsibilities.

E. Aggregated and De-Identified Data

May be shared with educational researchers, industry partners for product development, or public reporting (no individual identification).

8.3 Cross-Border Data Transfers

Data stored primarily on Indian servers. For international transfers, we implement Standard Contractual Clauses and comply with data localization requirements.

8.4 Prohibition on Commercial Data Sharing

Teachrity explicitly does NOT:

• Sell student data to marketing companies
• Share with insurance, employers, or financial institutions for profiling
• Allow third-party advertisers to target students
• Share with data brokers or licensing companies

9. DATA RETENTION AND DELETION

9.1 General Retention Principles

We retain personal data only for as long as necessary to fulfill the purpose for which it was collected.

9.2 Retention Schedules by Data Type

A. Active Account Data

• Student Enrollment and Profile: 3 years after graduation/withdrawal
• Educational Performance Data: 7 years from enrollment
• Learning Analytics: 2 years from last activity
• Communication Records: 1 year after course ends

B. Voice and Biometric Data (Special Schedule)

• Voice Recordings: 30 days after simulation completion
• Transcripts: 90 days after simulation
• Voice Biometric Templates: NOT created or retained permanently
• Conversational AI Transcripts: 12 months from conversation date

C. Institutional and Account Management Data

• Account Credentials: Retained while account exists
• Administrative Audit Logs: 1 year
• Payment Records: 7 years (tax/accounting requirements)

D. Technical and System Data

• Server Logs: 90 days
• Backup Copies: 30-90 days (incremental), 1 year (monthly archives)
• Session Cookies: Deleted at logout or after 24 hours

9.3 Account Deletion and Data Erasure

User-Initiated Deletion: Students, teachers, or institutions can request deletion within 30-60 days, except for legally required data.

Deletion Process: All databases, backups, and copies updated, deletion logged, written confirmation provided.

9.4 Institutional Records and Academic Requirements

Institutions responsible for long-term retention of academic records. Teachrity provides complete data exports for institutional archives.

10. DATA SECURITY AND TECHNICAL SAFEGUARDS

10.1 Commitment to Security by Design and Default

We are actively implementing controls for SOC 2 Type II certification. Our security approach includes technical and organizational controls.

10.2 Technical Security Controls

A. Encryption

• In Transit: TLS 1.2 or higher
• At Rest: AES-256 bit encryption
• Voice Recordings: Encrypted immediately upon collection
• Key Management: Secure KMS with restricted access and rotation

B. Access Controls

• Strong authentication with MFA support
• Role-based access control (RBAC)
• Principle of least privilege
• Access logging for all sensitive data

C. Network and Infrastructure Security

• Firewalls, intrusion detection, DDoS protection
• Secure cloud infrastructure (AWS, Google Cloud)

D. Application Security

• Secure development practices
• Regular security testing and penetration testing
• Dependency management and code review

E. Data Backup and Recovery

• Automated encrypted backups
• Regular backup testing
• Documented disaster recovery plan

10.3 Organizational Security Measures

• Data Protection Officer engagement
• Privacy Impact Assessments for new features
• Privacy training for employees
• Written information security policies
• Vendor assessment and monitoring

10.4 Progress Toward SOC 2 Type II Certification

Teachrity is actively implementing SOC 2-aligned controls across Security, Availability, Processing Integrity, Confidentiality, and Privacy. We expect to pursue formal certification in 2026-2027.

11. DATA BREACH NOTIFICATION AND INCIDENT RESPONSE

11.1 Definition of a Data Breach

A data breach is unauthorized or accidental unauthorized access, disclosure, loss, destruction, or alteration of personal data.

11.2 Breach Detection and Assessment

Detection through automated alerts, user reports, and audit log reviews. Immediate isolation and assessment within 6 hours.

11.3 Notification Timeline and Process

• Internal Assessment: 0-24 hours
• Regulatory Notification: 24-72 hours (GDPR: 72 hours to DPA)
• Affected Individual Notification: 24-72 hours
• Institutional Notification: Within 24 hours

11.4 Breach Notification Content

Notifications include what happened, what data was affected, who was affected, when it happened, recommended actions, Teachrity's response, and contact information.

11.5 Post-Breach Actions

Root cause analysis, remediation, authority notification, institutional briefing, public communication if necessary, and continuous improvement of security controls.

12. USER RIGHTS AND DATA SUBJECT REQUESTS

12.1 Right to Access (Data Subject Access Requests)

Request a copy of all personal data we hold. Submit to privacy@teachrity.com. Response within 30 days.

12.2 Right to Correction (Data Rectification)

Request correction of inaccurate or incomplete personal data. Response within 30 days.

12.3 Right to Erasure (Right to Be Forgotten)

Request deletion under certain circumstances. Deletion from production systems within 30 days, backups within 90 days.

12.4 Right to Data Portability

Receive personal data in structured, machine-readable format. Response within 30 days.

12.5 Right to Object and Restrict Processing

Object to certain uses or request processing restrictions. Response within 30 days.

12.6 Right to Withdraw Consent

Withdraw consent for processing at any time. We cease the specific processing activity immediately.

12.7 Right to Lodge a Complaint

File complaints with your Data Protection Authority (EU/EEA, India, California AG, etc.).

12.8 Exercising Your Rights

Submit written requests to privacy@teachrity.com. Acknowledge receipt within 5 days, substantive response within 30 days. No fees or retaliation.

13. EDUCATIONAL INSTITUTION RESPONSIBILITIES AND PARENTAL CONSENT

13.1 Institution as Data Controller

Educational institutions are typically the data controller; Teachrity is the data processor. Institution owns all data and determines permitted uses.

13.2 Institutional Consent and Data Processing Agreement

Institutions must:

• Conduct privacy review
• Obtain parental consent through enrollment process
• Execute Data Processing Agreement with Teachrity
• Maintain consent and agreement records

13.3 Institutional Notification of Data Collection

Institutions should provide clear notice about data collection, use, protection, retention, rights exercise, and voice recording.

13.4 Parental Rights and Involvement

• Consent mechanisms at enrollment and for voice/biometric features
• Parental access to child's data through institutional portals
• Right to opt-out of voice simulations or advanced analytics

13.5 Institutional Responsibilities for Compliance

Institutions responsible for obtaining consents, providing notice, monitoring Teachrity's compliance, responding to data requests, maintaining legal compliance, and breach response.

14. POLICY UPDATES AND GOVERNANCE

14.1 Changes to This Policy

We may update this policy as services evolve. Significant changes communicated 30 days before taking effect. Material negative changes require explicit consent.

14.2 Contact Information for Privacy Inquiries

• Privacy Inquiries and Data Subject Requests:
  Email: privacy@teachrity.com
• Security Incident Reports:
  Email: security@teachrity.com
• Institutional Partnerships:
  Email: partnerships@teachrity.com
• General Inquiries:
  Website: www.teachrity.com

14.3 Dispute Resolution

Internal Resolution: Contact privacy@teachrity.com, investigation within 30 days, escalation available.

External Resolution: Lodge complaint with Data Protection Authority in your jurisdiction.

14.4 Policy Governance and Review

Annual internal review by leadership team, legal counsel, and privacy advisors. External compliance advisors ensure alignment with laws and best practices.

15. CONCLUSION

The Teachrity platform is built on the foundation that educational data is sacred and must be handled with the utmost care and responsibility. This Privacy and Security Policy reflects our commitment to transparency, accountability, minimization, security, respect, and compliance.

As educational technology continues to evolve—particularly with advances in voice-based learning, conversational AI, and educational analytics—Teachrity remains committed to advancing educational outcomes while protecting the privacy and security of the individuals who trust us with their learning data.

We welcome questions, feedback, and collaboration with educational institutions, privacy advocates, and regulators to ensure that Teachrity continues to set the highest standards for privacy and security in educational technology.

This policy was effective January 2026 and reflects Teachrity's current and aspirational practices. As Teachrity pursues formal SOC 2 Type II certification and GDPR compliance enhancements, this policy may be updated to reflect newly implemented certifications and compliance milestones.