Compliance & Data Protection Framework

At Xplainity, we are committed to maintaining the highest standards of compliance with global data protection laws and ensuring that our practices meet or exceed legal requirements in every jurisdiction we operate. We understand that our users (including schools, educators, students, and individual learners) trust us with sensitive data, and we do not take that responsibility lightly. This section outlines the key laws, regulations, and frameworks we adhere to, as well as the internal measures we have put in place to uphold data privacy and security. Our goal is not only to comply with the letter of the law but also to embrace its spirit – fostering transparency, accountability, and user empowerment.

1. International Privacy Law Compliance

Xplainity (operated by MATHFIT Education Private Limited in India) is mindful of the major privacy regulations around the world and strives to comply with each as applicable:

  • European Union/EEA – General Data Protection Regulation (GDPR): We recognize and adhere to the GDPR’s stringent requirements for handling personal data of individuals in the European Economic Area. This includes principles of lawfulness, fairness, and transparency in processing; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
    • Lawful Bases: We ensure that for each processing activity involving EEA users’ personal data, we have a valid legal basis (as detailed in our Privacy Policy – e.g., consent, contract necessity, legitimate interests, etc.).
    • Data Subject Rights: We have procedures to facilitate GDPR rights – such as access, rectification, erasure (right to be forgotten), restriction, objection, and data portability. EEA users can exercise these rights as described in our Privacy Policy’s “Your Rights” section, and we are committed to fulfilling requests within the GDPR’s timeframes.
    • Data Protection Officer: While our organization may be small, we have designated an internal lead for data protection compliance. You can reach our data protection contact at kshitij.jain@xplainity.com for any GDPR-related queries. (If in the future we formally appoint a DPO or EU representative, we will update our documentation accordingly.)
    • Cross-Border Transfers: As noted, when transferring data out of the EU (for instance, to India or U.S. servers), we utilize Standard Contractual Clauses and other safeguards to ensure an adequate level of protection.
    • Breach Notification: In the unlikely event of a personal data breach, we have a process in place to notify the relevant supervisory authority within 72 hours and affected individuals without undue delay when required by GDPR.
  • United Kingdom – UK GDPR & Data Protection Act 2018: Post-Brexit, we apply equivalent standards for UK users as we do for EU users. We treat the UK’s data protection regime on par with the EU’s. UK users have the same rights, and we will cooperate with the UK Information Commissioner’s Office (ICO) as needed. Transfers from the UK are handled via UK’s International Data Transfer Agreement/Addendum alongside SCCs.
  • United States – COPPA, FERPA, CCPA/CPRA and more:
    • COPPA (Children’s Online Privacy Protection Act): We comply with COPPA for any users under 13. We do not collect personal info from children under 13 in the U.S. without obtaining verifiable parental consent (directly or via school as an agent of the parent). Our Privacy Policy’s Children’s Privacy section details this. We also honor parents’ rights to review and delete their children’s information as required by COPPA.
    • FERPA (Family Educational Rights and Privacy Act): For schools in the U.S. that use Xplainity and thereby entrust us with student education records, we designate ourselves as a “School Official” under FERPA, meaning we: (i) use student data only for the purposes authorized by the school (educational purposes, not for our commercial gain), (ii) do not re-disclose student education records except as permitted by FERPA or directed by the school, and (iii) work under the direct control of the school regarding use and maintenance of education records. We sign agreements or terms with schools that reflect our FERPA compliance, and we support schools in providing parents and eligible students their FERPA rights (access, amendment, etc.).
    • CCPA/CPRA (California Consumer Privacy Act & California Privacy Rights Act): For California residents, although as a not-huge company we might not yet meet CCPA’s applicability thresholds, we voluntarily align with many of its principles as a best practice. We do not “sell” personal information as defined in CCPA. If any California user wants to exercise rights (knowledge, access, deletion, correction, opt-out of sale/sharing), we will honor those requests as described in our Privacy Policy. We also extend the right to limit use of sensitive personal info (though we typically do not collect sensitive categories like precise geolocation, social security numbers, etc., from our users). We have a method for verifying and responding to consumer requests within the statutory time frames.
    • State Student Privacy Laws: Many U.S. states have specific laws on student data privacy (like SOPIPA in California, NY Education Law 2-d, etc.). We monitor such legislation and ensure our policies align: for instance, we don’t use student data for targeted advertising, and we sign or abide by data privacy agreements required by school districts.
    • Other U.S. Laws: If our service ever touches regulated data (e.g., health data under HIPAA, which is unlikely for an ed-tech platform, or if we handle financial info, which is only via third-party processors), we would comply accordingly. Currently, we focus on educational data, but we remain aware of the broader legal landscape.
  • India – Information Technology Act & Data Protection Law:
    • IT Act 2000 and IT Rules 2011: In India, we comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. This includes having a clear privacy policy (this document), obtaining consent for collecting “Sensitive Personal Data or Information” (SPDI) like passwords, financial info, etc., providing an option to opt-out, designating a Grievance Officer, and maintaining reasonable security practices (we follow ISO 27001/industry best practices as our standard, even if not formally certified yet). We have indeed appointed a Grievance Officer as required, reachable at kshitij.jain@xplainity.com (Attention: Grievance Officer). The Grievance Officer will address any user grievances regarding our processing of information within the timelines prescribed by law (currently, we aim to acknowledge complaints within 24-48 hours and resolve within one month or as required by the new law).
    • Digital Personal Data Protection Act, 2023 (DPDP Act): India has enacted a new comprehensive data protection law in 2023. We are aligning our practices to comply with the DPDP Act as it comes into force. Key principles we uphold in line with this law:
      • Consent and Notice: We seek consent from individuals before processing their personal data, unless another lawful basis applies. Our Privacy Policy serves as notice of what data we collect and how we use it. Consent (when taken) is intended to be free, specific, informed, and unambiguous. We allow users to withdraw consent as easily as it was given.
      • Data Minimization: We only collect data that is necessary for the purposes for which it will be used.
      • Purpose Limitation: We process personal data only for the purposes that we have communicated to the user (or that are obvious in context). If we need to use data for a new purpose, we will seek fresh consent or update our privacy documentation accordingly.
      • Data Principals’ Rights: The DPDP Act provides rights such as the right to access information, the right to correction and erasure, the right to grievance redressal, etc. We have processes to support these rights (very similar to GDPR processes). Users in India can contact our Grievance Officer to exercise these rights.
      • Data Security & Breach Notification: We implement security safeguards as mandated. If there’s a personal data breach likely to result in harm to users, we will notify the Data Protection Board of India and affected users as required.
      • Storage Limitation: We won’t retain personal data beyond what is necessary for the purpose, or as required by law. Our retention policy reflects this principle (see Privacy Policy above).
      • Accountability: We maintain records of data processing, conduct due diligence on data processors, and will carry out Data Protection Impact Assessments for high-risk processing as needed. If required, we will register with the Data Protection Board or appoint Data Auditors when those provisions become applicable.
  • Canada – PIPEDA: For Canadian users, we adhere to the principles of the Personal Information Protection and Electronic Documents Act. This is largely covered by what we do for GDPR and others: obtaining consent, identifying purposes, limiting collection, allowing access and correction, etc. We also comply with Canada’s anti-spam law (CASL) by ensuring we only send marketing emails with appropriate consent and including easy opt-out mechanisms.
  • Australia – Privacy Act 1988 and APPs: We follow the Australian Privacy Principles for any Australian user data: we are transparent about our collection and use, we provide access/correction rights, and we take steps to secure personal information. We do not typically disclose Australian personal information overseas except as described (which would include India/U.S.), and when we do, our contractual measures (SCCs etc.) ensure protection roughly equivalent to the APP standards.
  • Brazil – LGPD: If we have Brazilian users, we handle their data in compliance with the Lei Geral de Proteção de Dados. Similar to GDPR, LGPD emphasizes legal bases, data subject rights, and data protection principles. We have appointed an individual (the same privacy lead) to act as the point of contact (Encarregado/DPO) for LGPD purposes. Brazilian users can contact kshitij.jain@xplainity.com for any LGPD-related concerns. We also accommodate rights like confirmation of processing, data access, correction, anonymization/blocking/deletion of unnecessary data, data portability, and information about public and private entities with whom data is shared.
  • Other Regions: We endeavor to respect privacy laws in all jurisdictions. This includes:
    • New Zealand Privacy Act, Brazil’s LGPD, Japan’s APPI, South Africa’s POPIA, and others to the extent our user base extends there. Our policies generally align with the core principles found in these laws: openness, purpose specification, security safeguards, individual participation, and accountability.
    • If we expand or specifically target a region, we will update our practices to ensure full compliance (for example, if we have users in China, we’d consider relevant provisions of China’s PIPL; currently we do not operate in China).

In essence, we design our privacy program to meet the toughest standards, so that by doing so we inherently meet the requirements of less stringent regimes as well. Where local nuances exist, we incorporate those as needed (for instance, handling of national ID numbers, or marketing preferences).

2. Internal Data Protection Measures

Beyond legal compliance, Xplainity has implemented an internal framework of practices and policies to manage data responsibly:

  • Privacy by Design: We integrate privacy considerations into our product development lifecycle. When designing new features or processing activities, we evaluate their impact on user privacy and try to minimize data collection and maximize user control from the outset. For example, if adding an analytics feature, we might choose to aggregate data or hash identifiers so it’s less intrusive. If introducing a new user profile field, we consider if it’s truly necessary. We also perform Data Protection Impact Assessments (DPIAs) for high-risk features (like any involving sensitive data or systematic monitoring).
  • Employee Training and Access Control: All team members at Xplainity are trained in the basics of data privacy and security. They learn about the importance of user privacy, our confidentiality expectations, and how to handle personal data properly. Employee access to data is strictly role-based: e.g., a developer may have access to databases for maintenance but only through secure methods; a support agent may access user account info to help with an issue, but only if necessary. We log and monitor administrative access to detect any inappropriate access. All employees and contractors sign confidentiality and data protection agreements.
  • Vendor Management: Whenever we engage a third-party service (such as cloud hosting, an email delivery service, an AI API, etc.), we conduct due diligence to ensure that they have robust privacy and security practices. We enter into Data Processing Addendums (DPAs) with each relevant vendor, which contractually bind them to protect personal data to a high standard, extend GDPR-like obligations (if applicable), and assist us in fulfilling user rights requests. We maintain a list of sub-processors which we can provide to enterprise clients or regulators upon request (and we will make available to users as needed, possibly via our website or documentation). Key sub-processors include [for example: Amazon Web Services (hosting), Google Workspace (for internal communication), Stripe or Razorpay (payments), etc. – we will list actual ones as relevant]. We also endeavor to host data in regions that make sense for our users (for instance, EU user data can be stored in EU data centers if feasible, or at least on trusted clouds with SCCs).
  • Audits and Certifications: As a growing company, we plan to pursue relevant certifications and audits to validate our security and privacy posture. For instance, in the future we may undergo a SOC 2 Type II audit for security, availability, and confidentiality controls. We may also seek ISO 27001 certification when resources permit, as a demonstration of our commitment to information security management. Currently, we might rely on the certifications of our infrastructure providers (for example, if hosted on AWS or Azure, leveraging their compliance). We conduct periodic self-assessments against standards and if we work with enterprise customers (like school districts or companies), we are open to responding to their security/privacy questionnaires or participating in assessments to assure them of our practices.
  • Record-Keeping: We maintain records of processing activities (ROPAs) that detail what personal data we handle, why, where it’s stored, who has access, how long it’s kept, etc. This helps ensure we meet accountability requirements under laws like GDPR and India’s DPDP Act. It also is useful internally to map data flows and identify any potential gaps or risks.
  • Grievance and Dispute Resolution: In accordance with Indian law and good practice, we have a Grievance Redressal mechanism. Users can file complaints or concerns about their data (or any aspect of our service) to our Grievance Officer at kshitij.jain@xplainity.com. We commit to acknowledging complaints within 24-72 hours and resolving them within one month, providing explanations or resolutions as appropriate. If a user is not satisfied with our resolution, we will inform them of any further appeal process (like approaching a data protection authority or other dispute resolution bodies). For EU users, this dovetails with their right to contact a supervisory authority if needed.
  • Transparency and User Control: We try to be transparent in our UX as well – not just in lengthy policies. This means clear prompts when we ask for data or consent (e.g., explaining why we ask for an email or a camera access request for a feature), and providing in-app controls where possible (like toggling certain privacy settings). We have or are building features like the ability for users to download their data, delete their account, change privacy settings on profiles (e.g., who can see what), etc., directly without always having to email support.
  • Anonymous & Anonymized Usage: Wherever feasible, we allow some use of the Service without collecting personal info. For example, if we have public content, users might browse or practice without logging in. Also, for research and improvement, as mentioned earlier, we prefer anonymized data sets. If we share data with research collaborators or publish findings, we strip out personal identifiers. If we ever work on case studies or product promotion involving user stories, we will either anonymize the identity or seek explicit permission for revealing any personal details.
  • Data Protection Culture: Our leadership prioritizes privacy and compliance as part of our core values. We treat user trust as a key business asset. This means even beyond formal rules, we ask ourselves, “Is this the right thing to do with user data? Are we being respectful and ethical?” and we encourage users to give feedback on our privacy practices.

3. Special Notes on Data Handling Practices

  • Subprocessors and Data Localization: A list of our key subprocessors (companies that process personal data on our behalf) can be provided on request or via our website’s compliance page. We ensure each subprocessor is compliant with relevant laws (for instance, U.S. companies we use may be certified under programs like EU-U.S. Data Privacy Framework if applicable, or at least contractually bound by SCCs; Indian processors follow our security requirements, etc.). If certain customers (like a school district) require data to be stored only in a particular country due to local law, we are open to discussing solutions (like regional hosting or dedicated instances) as we scale our enterprise offerings. At present, data is primarily stored in secure cloud servers that may reside in [specify likely region, e.g., AWS Mumbai region for main data, plus backups in another region for redundancy, etc.]. We will be transparent about where data is stored.
  • Incident Response and User Notification: If any personal data is compromised despite our safeguards, we have a plan to inform affected users promptly. For example, in line with many laws, if a breach is likely to result in a high risk to individual rights (such as identity theft or harm), we will notify those individuals and relevant authorities (DPA/Board) as required. We will provide information on what happened, what data is affected, what we are doing about it, and any steps users should take to protect themselves. We view such transparency as essential for maintaining trust.
  • Third-Party Content and Integrations: If Xplainity integrates with other services or contains links (like a link to a YouTube video for educational content, or an option to log in via Google, etc.), we ensure that we either have appropriate agreements in place or, at minimum, clearly inform users that their interaction with that third-party is separate. For example, if a teacher embeds a YouTube clip in a lesson, students clicking it are subject to YouTube’s privacy policy. We would advise teachers not to include external content that could track students unnecessarily. For any core integration (like Google Classroom API usage), we abide by those platforms’ data use rules (e.g., Google API Services user data policy if applicable).
  • Cookie Compliance: We display cookie consent notices in jurisdictions where required (like the EU). Users can choose to accept or reject non-essential cookies. Our (if provided separately or as part of the Privacy Policy) details the types of cookies in use and their purposes, fulfilling obligations under ePrivacy Directive / GDPR, etc. For instance, we might have a banner: “Xplainity uses cookies to ensure you get the best experience. By continuing, you consent to our cookies, or see settings.” We honor Do Not Track signals to the extent possible (though note DNT is not a widely adopted standard, we currently do not serve targeted ads anyway).
  • Regular Reviews: We periodically review our privacy and compliance practices in light of new laws (for example, as India’s DPDP Act gets implemented via rules, or if U.S. federal privacy law arises, etc.). We also keep an eye on guidance from privacy authorities (like Article 29 Working Party/EDPB in EU, FTC in US, etc.) to align with recommended best practices (like handling of AI data ethically, which is relevant to us).

4. How We Can Help You with Compliance

If you are an institutional client (like a school or a company using Xplainity for employees), we understand you might need certain assurances and documents from us to satisfy your own legal obligations:

  • We can sign a Data Processing Agreement (DPA) that outlines how we as a processor handle your data in compliance with laws like GDPR Article 28 or similar requirements. This typically includes our obligations on data security, subprocessor disclosures, assistance with data subject requests, etc. We have a standard DPA ready for clients who require it.
  • We can provide security questionnaires or allow audits within reason to enterprise customers, to demonstrate our controls. We might have a security whitepaper or audit report we can share under NDA.
  • We comply with educational privacy pledges. For example, we adhere to the Student Privacy Pledge (if we sign it formally) which is a public commitment in the U.S. to safeguard student data. We also ensure our terms incorporate requirements of laws like SOPIPA (no targeted ads to students, no selling student data, etc.).
  • If your organization is in Europe, we can discuss EU representative arrangements if needed (for now, our user base might be limited, but if Article 27 requires an EU rep for us, we will appoint one). Similarly, if in UK, a UK rep if needed.
  • Data Requests & Government Access: We have never received a government demand for user data as of this writing. Should we receive one, we will scrutinize it carefully and only comply if it’s legally valid and necessary. We would also try to redirect it to the user or institution when appropriate (for instance, if law enforcement wants student data, we’d typically require them to go through the school unless legally compelled otherwise, due to FERPA). We maintain a transparency report internally and would publish metrics if it becomes relevant and not sensitive.

5. Continuous Improvement

Compliance is not a one-time effort but a continuous process. Xplainity’s leadership is dedicated to regularly reviewing and enhancing our data protection framework. We allocate resources for privacy and security improvements, and we solicit feedback from our users and partners. If you, as a user or client, ever see an area where we can do better regarding privacy/security/compliance, we encourage you to let us know.

Key Takeaway: We aim to be proactive about compliance rather than reactive. By building a strong foundation of trust and data protection, we not only avoid legal issues but also create a better, more trustworthy service for everyone.

Thank you for reading about our compliance and data protection efforts. We believe that privacy is a fundamental right and a cornerstone of effective educational technology. Xplainity will continue to uphold these principles as we grow and serve learners and educators worldwide.

Questions about this policy? Contact us.