Privacy Policy

Last Updated: October 27, 2025

Introduction and Scope

Your privacy is critically important to us at Xplainity. This Privacy Policy explains what information we collect, how we use and share that information, and your rights and choices with respect to your information. This Policy applies to all users of Xplainity’s website, application, and services worldwide (collectively, the “Service”). By using Xplainity, you consent to the data practices described in this Policy. If you do not agree with any part of this Privacy Policy, please do not use our Service. We encourage you to read this document carefully and contact us if you have any questions.

Who We Are: When we refer to “Xplainity” (or “we” or “us”), we mean MATHFIT EDUCATION PRIVATE LIMITED, the company that owns and operates the Xplainity platform. MATHFIT Education Private Limited is an Indian company (CIN U85491MP2024PTC070824) with a registered address at 39/2 New Palasiya Main Road, Indore, Madhya Pradesh, 452001, India. For the purposes of data protection laws, MATHFIT Education Private Limited is the “data controller” of personal information collected through Xplainity (except where we process personal data solely on behalf of a school or institution, in which case we act as a “data processor” – see Educational Use below).

Contact Us: If you have any questions or concerns about this Privacy Policy or our data practices, please contact our team at kshitij.jain@xplainity.com. (For grievances or rights requests, see the Your Rights and Choices section below for more contact details.)

1. Information We Collect

We collect personal data and usage data in order to provide and improve our Service. The types of information we may collect fall into a few categories: (A) Information you provide to us directly; (B) Information we collect automatically; (C) Information from third parties; and (D) Information specifically related to educational use (students and schools). We outline each of these below.

A. Information You Provide Directly: When you interact with Xplainity, you may choose to give us certain information, including:

  • Account Registration Information: When you sign up for an account (as an educator, student, or other user), we will ask for basic information such as your full name, email address, username, password, and possibly organization/school name or code. If you are an instructor or institutional representative, we may also ask for details like your role/title and the name of your institution.
  • Profile Information: You may have the option to add additional details to your profile, such as a profile picture, biographical information, grade level or subject specialization (for teachers), or other details. Providing this info is optional and can be edited or removed at any time.
  • Content and Submissions: We collect any content you actively submit through the Service. For example, if you are a teacher creating a quiz or lesson, we collect the questions, answers, explanations, or resources you input. If you are a student interacting with Xplainity, we collect your responses, answers, essays, oral responses (if the platform supports audio input), or any other materials you submit. This also includes any files you upload or share (images, PDFs, etc.), as well as any feedback, comments, or messages you send through the platform (such as messages to customer support or communications in forums or class groups, if those exist on Xplainity).
  • Contact and Communication Info: If you sign up for newsletters or opt in to receive updates, we will collect your email and communication preferences. If you contact us via email or other channels (e.g., customer support requests, or providing testimonials), we will collect the information you share in those communications (your contact details and the content of your email or message).
  • Payment Information: (If applicable) If you make a purchase or subscribe to a paid plan, our third-party payment processor (e.g., payment gateways) will collect your payment card details and billing information. Note: Xplainity itself does not store your full payment card information – that is handled by the secure payment provider. We will receive certain information about the transaction, such as your name, email, payment amount, and confirmation that the payment was processed.
  • Surveys and Research: From time to time, we may invite users to participate in surveys, user research, or beta testing of new features. If you choose to participate, you may provide us with additional information or feedback. Participation in such activities is always voluntary.

B. Information Collected Automatically: Whenever you use an online service, certain information gets created and logged automatically. Xplainity is no exception. We use common tracking technologies (like cookies, web beacons, and similar) to collect some usage data. This includes:

  • Device and Connection Information: We collect data about the devices you use to access the Service, such as your device type (e.g., laptop, tablet, phone), operating system name and version, browser type and version, and device identifiers (like IP address or mobile device ID). We also note the timestamps of your visits and how you connected (e.g., through a particular app version, or from which referring website).
  • Usage and Activity Data: We collect information about your activity on Xplainity, including pages or screens you view, the features you use, the links you click, search queries you make, time spent on different parts of the Service, and other statistical information. For example, we may log when you start and finish a particular lesson or quiz, which content you interact with, and your performance on assignments or quizzes. If our platform uses AI-driven interactions (like a chatbot or tutoring session), we may log the conversation for quality assurance and to improve the AI (see How We Use Information below).
  • Cookies and Similar Technologies: Xplainity uses cookies (small text files stored in your browser) and similar technologies (such as local storage, pixels, or SDKs in our app) to recognize you and collect information. Cookies help us in various ways, such as keeping you logged in, remembering your preferences, and understanding how you navigate through our content. We use:
    • Strictly Necessary Cookies: These are essential for the Service to function (e.g., session cookies that keep you logged in or remember items in a workflow).
    • Functional Cookies: These remember your settings and preferences (e.g., your chosen language or user interface customizations) to provide a more personalized experience.
    • Analytics Cookies: These help us understand user behavior on our site, so we can improve. We may use third-party analytics tools (like Google Analytics or similar) that set their own cookies to collect aggregated information about users (for instance, number of visitors, pages visited, referral sources). We do not use these analytics cookies to identify you personally; they provide generalized statistics.
    • No Advertising Cookies: As of the Last Updated date of this Policy, we do not use third-party advertising or targeting cookies on Xplainity. We do not show third-party ads or sell your data for advertising purposes. If this ever changes, we will update this Policy and obtain any necessary consents.

Your Choices: Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies or alert you when cookies are being sent. However, if you disable cookies, some features of the Service may not function properly (for example, you might not be able to stay logged in). For more details, see the Your Rights and Choices section below or our (if listed separately).

  • Location Information: We do not ask for or track precise GPS location, but from your IP address we can infer an approximate geographic region or country. This helps us comply with regional legal requirements (for example, showing EU users a cookie consent banner or handling data in compliance with GDPR) and to measure usage across regions.

C. Information from Third Parties: We may receive information about you from third-party sources in a few situations:

  • Single Sign-On / Social Logins: If you choose to register or log in through third-party authentication services (for example, “Sign in with Google” or via an institutional single sign-on system), those services will share certain data with us to verify your identity and set up your account. Typically, this includes basics like your name and email, and potentially other info from your profile (the specific info depends on what you or your admin authorize). We only use this information for authentication and to populate your profile.
  • Institutional Accounts: If Xplainity is used in an educational institution setting, an administrator or teacher at your school may provide information about users. For instance, a teacher might roster a class by providing us a list of student names and emails or student IDs to create accounts. We treat such information with special care (see section D below).
  • Service Providers: We may receive information from service providers or tools we use to run the Service. For example, analytics providers might provide aggregated demographic or preference information (like “X% of users in a certain region use feature Y”), or payment processors might send confirmation of your subscription status which we use to update your account.
  • Publicly Available or Other Sources: If you are an educator or school official, we might (in rare cases) supplement your profile with publicly available information (for example, adding a school name based on an email domain, or verifying an educator’s credentials through a public teacher registry if available) to ensure only authorized educators access certain features. If you participate in our community forums or social media and tag us, we might obtain your handle or comments via those channels.

We will treat any information obtained from third parties according to the practices described in this Privacy Policy, plus any additional restrictions imposed by the source (for instance, the terms of the API or contract with the third party).

D. Educational Use and Student Data: Xplainity is designed to be used by educators and learners, including K-12 students, college students, or other trainees. We are committed to protecting student data and complying with applicable student privacy laws (such as the U.S. Family Educational Rights and Privacy Act – FERPA, and similar laws). This means:

  • When a teacher, school, or district (the “Institution”) uses Xplainity with students, personal information of those students that is provided to Xplainity or generated within Xplainity under the direction of the Institution is considered “Student Data.”** Student Data may include, for example: student name, email or login identifier, class or group membership, assignment results, performance metrics, and any work or content the student creates on Xplainity (e.g., answers, essays, projects).
  • We use Student Data only for educational purposes – to provide the Service to the Institution and its students, and for improving the educational features of our platform. We do not use Student Data for any commercial purpose beyond providing the Service (no advertising, no selling of student personal info, etc.).
  • FERPA: If FERPA applies (for U.S. schools), Xplainity will act as a “School Official” with a “legitimate educational interest” in receiving and processing student education records, as per 34 CFR § 99.31(a)(1). We agree to abide by the limitations and requirements of FERPA regarding educational records. This means we won’t redisclose Student Data except as directed by the school or as allowed by law, and parents/eligible students may have the right to access and correct education records stored with us by coordinating with their educational institution.
  • Parental Consent (COPPA): If Xplainity is used for children under 13 in the United States, we rely on the school or educational institution to obtain any necessary parental consent for the online collection of personal information from children, as permitted under COPPA (Children’s Online Privacy Protection Act). We do not knowingly allow a child under 13 to sign up directly without appropriate consent; accounts for children are typically created by a teacher or parent. If we become aware that we have collected personal data from a child under 13 (outside the school context) without consent, we will delete that information.
  • Minimal Data Collection: We aim to collect the minimal amount of personal data from students necessary to provide our educational Service. Often, this might be just a username or an email and some performance data. Where possible, we offer features like using pseudonymous identifiers or class codes instead of full student names, to minimize exposure of personal info.
  • Student Work and Performance: The content students create while using Xplainity (e.g., responses to quizzes, projects, essays, or conversations with tutoring AI) may be viewed by their teacher and by us (for purposes of providing feedback, grading functionality, or customer support). We treat this content as part of Student Data. It is typically only accessible to the student themselves, their educators, authorized school administrators, and Xplainity personnel (as needed to provide and support the service). We do not make student submissions public unless explicitly shared with permission (for example, if a teacher or student chooses to publish something to a broader audience, which would only be done with appropriate consent).

Summary of Data Types: In short, we collect identifiers (like name, email, login ID), user content (submissions, communications), device and usage info (IP, device, browsing data), and for educational users, student records data as provided by schools. Some of this data may be considered “personal data” or “personal information” under various laws (it identifies or relates to an identifiable individual). We will now explain how we use and protect this information.

2. How We Use Information

Xplainity uses the collected information for various legitimate purposes related to our educational mission and business operations. We commit to only using personal data in ways that are compatible with the purposes for which we collected it, or for purposes you subsequently authorize. The main ways we use information include:

  • To Provide and Operate the Service: We process data to authenticate you when you log in, to display the appropriate content (for example, showing your classes, your saved work, or tailored content based on your role as student or teacher), and to enable you to participate in learning activities. For instance, if you’re a student, we use your submissions to provide you feedback or grades and to show your progress to your teacher; if you’re a teacher, we use your account information to roster your classes and show you analytics about student performance.
  • To Customize and Improve the User Experience: We may use data like your past activities, preferences, or profile to personalize the content shown to you. For example, we might recommend certain lessons or activities based on subjects you’ve engaged with, or pre-fill your name and school on certain forms for convenience. We also use aggregated usage data and feedback to understand how users interact with Xplainity and to identify areas for improvement. This informs feature development and user interface enhancements.
  • To Develop and Enhance our Services (Research & Development): Xplainity is constantly working on new features (particularly AI-driven educational tools). We use data (including, in some cases, de-identified or aggregated Student Data) to train our algorithms, improve our content library, and refine our AI models. For example, analyzing common wrong answers can help us improve hints or explanations; studying overall usage patterns can help us optimize the platform’s performance and design. Whenever feasible, we use anonymized or aggregated data for these purposes – meaning individuals are not identifiable in the data sets we analyze for R&D. If we use any Student Data for product improvement, we ensure it’s in compliance with student privacy laws (e.g., under FERPA, using education records for legitimate educational interests in improving instruction).
  • To Communicate with You: We use your contact information to send you necessary communications about the Service. This includes:
    • Account and Transactional Messages: e.g., verification emails, password reset emails, confirmations of account creation or subscription payments, class invitations, or announcements about critical Service updates (like changes that may affect your use).
    • Educational Communications: e.g., sending teachers summaries of student progress, or sending students notifications about assignments due or feedback available from their teacher.
    • Promotional & Newsletters: With your consent (where required), we may send occasional newsletters, product updates, event invitations, or offers. For example, we might send educators tips on new features or invite you to webinars. You can always opt-out of these marketing communications (see Your Rights and Choices). We do not send promotional emails to student users who are minors – they may receive only service-related notifications, and those primarily via the platform or via their teacher.
    • Surveys and Feedback: We might reach out to collect feedback or invite you to provide a testimonial or participate in research. Participation is voluntary.
  • For Customer Support: If you contact us with a problem or question, we will use your information to respond. This might include looking into your usage logs, the content of error messages, or any screenshots you send. We may also use your feedback to troubleshoot issues and ensure our support team improves the Service. Support communications with you may be stored for future reference (to train our team, to track recurring issues, etc.).
  • To Ensure Safety, Security, and Integrity: We monitor and use data to keep our platform safe. This includes:
    • Preventing Misuse: We may use automated tools and manual reviews to monitor for suspicious or harmful activities on the Service – for example, detecting accounts spamming others, attempts to bypass security, or content that violates our policies (such as plagiarism detection in student submissions, or filtering of inappropriate content).
    • Enforcing Terms: Data is used to investigate and enforce compliance with our Terms of Service and other policies. If we receive reports of misconduct, we will review relevant data (which could include user content, audit logs, etc.) to determine what happened and take appropriate action (like warning, suspension, or reporting to authorities if needed).
    • Fraud Prevention: For any commerce aspects, we might use IP and other device data to prevent fraudulent transactions or account takeovers.
    • Network & Information Security: We use data like IP addresses and device info to guard against DDoS attacks, bot abuse, or other cybersecurity threats. Our systems also log events for auditing (like login attempts, changes made to records) to maintain accountability and detect anomalies.
  • Legal Compliance: There are situations where we must process personal data to comply with legal obligations, such as:
    • Accounting and Tax: Keeping records of transactions and payments for financial regulations.
    • Child Privacy and Consent Management: Keeping track of parental consent forms or school designations for under-13 users to demonstrate COPPA compliance.
    • Responding to Legal Requests: If we receive a lawful subpoena or court order, we may need to provide certain data (see How We Share Information below for more detail on legal disclosures).
    • Exercise of Rights: If you exercise privacy rights (like requesting access to your data or deletion), we will use your information to verify your identity and fulfill your request.
  • Other Purposes (with Notice/Consent): If we ever need to use your information for purposes materially different from the ones listed above, we will update this Privacy Policy and, if required, request your consent. For example, if in the future we consider using personal data for a new analytics initiative or sharing data in a new partnership, we would ensure it’s transparent and lawful (and if necessary, seek consent).

Legal Bases for Processing (for users in the EU/UK and other regions with similar laws): We process personal data under several legal justifications:

  • Performance of a Contract: Much of our data use is to provide you the Service under our Terms of Service – for example, using your data to set up your account, deliver content, and manage your subscription. We need this data to provide the Service you expect.
  • Legitimate Interests: We often process data for purposes that are in our legitimate business interests, which are not overridden by your data protection interests or fundamental rights and freedoms. Examples: improving our platform, ensuring security, communicating product updates to teachers, or understanding how users interact with our site. When we rely on this basis, we consider and balance any potential impact on you (both positive and negative) and your rights. We do not use personal data where our interests are outweighed by the impact on individuals (unless we have consent or a legal obligation).
  • Consent: In specific cases, we rely on your consent. For instance, sending marketing emails to non-customer individuals, or using certain cookies in jurisdictions where consent is required, or collecting a child’s data in a non-school context (with parent consent). Where we rely on consent, you have the right to withdraw it at any time (which won’t affect the lawfulness of processing before withdrawal).
  • Legal Obligation: Some processing is done because we have a legal duty – such as retaining transaction records for tax law, or providing information to authorities if lawfully required.
  • Public Interest / Official Authority: This is unlikely to apply to Xplainity’s context, except in the educational domain perhaps where we partner with public institutions – but generally, we do not perform tasks in the public interest or under government mandate that would form a legal basis.

If you have questions about the legal basis of how we process your personal data, you can contact us for more information.

3. How We Share or Disclose Information

We do not sell your personal information to third parties for profit. However, in order to operate our business and provide our services, we sometimes need to share information with third parties, as detailed below. Whenever we share data, we take steps to protect it (for example, through contracts that require recipients to keep it confidential and use it only for the authorized purpose). Here are the scenarios where we share information:

  • Service Providers (Processors): We use trusted third-party companies and individuals to help us run Xplainity (these are sometimes called “vendors”, “sub-processors” or “service providers”). They perform services on our behalf, such as:
    • Hosting and Infrastructure: (e.g., cloud storage providers, server hosting services) that store our databases, files, and enable our application to function on the internet.
    • Email and Communication: services to send transactional emails, newsletters, or in-app messages (for example, services like SendGrid or similar).
    • Analytics: tools that help us understand user behavior and monitor performance (e.g., Google Analytics, or other product analytics platforms).
    • Customer Support: systems for managing support tickets or live chat, if we use any (where support communications may be stored).
    • Payment Processors: to securely handle credit card transactions or subscription billing (they receive your payment data to process payments, but are not permitted to use it for other purposes).
    • AI Services: If our platform uses third-party AI or machine learning APIs to process user queries (for example, sending a student’s question to an AI service to generate an answer), we would share the necessary data (the question content) with that AI provider solely to get the result for the user, and we would ensure such providers are under strict obligations to protect that data and not retain or use it beyond providing the service.

These service providers are bound by contractual obligations to only process personal information as instructed by us and for the purposes we specify, and to implement adequate security measures. We do not allow our vendors to use your personal data for their own marketing or other purposes unrelated to the service they’re providing to us.

  • Within a Classroom/Educational Setting: If you are using Xplainity as part of a class or institution:
    • Teacher ↔︎ Student: Teachers and authorized school administrators can view the personal information and activity of students in their classes. For instance, a teacher can see the assignments a student has completed, their scores, and any content they submit. They may also see the student’s profile information. This is a core function of the Service (to facilitate instruction and feedback).
    • Student Visibility: Students may see certain information about their class and fellow class members as configured by the teacher or platform (for example, a class leaderboard, or discussion posts under a teacher’s moderation). However, outside of such class contexts, student personal info is not visible to other students.
    • Parent Access: If a parent or guardian seeks access to their child’s information, we may, after verifying identity, provide it or direct them to obtain it through the child’s teacher/school (particularly in compliance with laws like FERPA, which often require parent inquiries to go through the educational institution).
  • Business Transfers: If there is a merger, acquisition, reorganization, sale of assets, or financing of our company (Xplainity/MATHFIT Education Pvt. Ltd.), your information may be transferred to a successor or affiliate as part of that transaction. We will ensure that any such entity is bound by terms that are at least as protective of your privacy as those in this Policy, and we will provide notice on our website and/or via email before your personal data is subject to a different privacy policy. You will have the opportunity to opt out of any such transfer if it results in a new use of your information not covered by this Policy.
  • Legal Compliance and Protection: We may disclose your information to third parties (including governmental authorities, law enforcement, or private litigants) if we determine that such disclosure is reasonably necessary to:
    • Comply with any applicable law, regulation, legal process, or valid governmental request (e.g., a court order, subpoena, or search warrant). We will attempt to notify you of requests for your data before disclosing, unless prohibited by law or if there is a clear security concern that makes notifying impractical.
    • Enforce our Terms of Service, investigate and defend ourselves against any third-party claims or allegations, or protect the security or integrity of our platform.
    • Protect the rights, property, or safety of Xplainity, our users, our employees, or others. For example, we may share information with law enforcement or relevant organizations if we believe in good faith that someone is at risk of harm or that illegal activity is taking place (such as fraud or a threat to school safety).
  • Anonymized or Aggregated Data: We may share information that has been anonymized or aggregated (so it does not identify you personally) with third parties for legitimate purposes. For instance, we might publish reports or blog posts about trends or insights in education, such as “X% of students improved their scores after using our tool” or “the most popular STEM topics this year on Xplainity,” which would be based on aggregated data. Such information will not contain personal data and is not subject to this Privacy Policy in the same way (because it’s not identifiable).
  • With Your Consent: In cases where you have given us explicit consent to share your information, we will do so according to the terms of that consent. For example, if you agree that we can share your testimonial with your name on our website, or if you use a feature that explicitly says it will share data with an outside party (for instance, if you choose to connect your Xplainity account with a third-party app and you approve the data transfer). You have the right to revoke such consent at any time, and we will stop any future sharing that relied on it (but we cannot undo any sharing that already happened with your permission).

Important: We do not share student personal information for any non-educational or commercial purposes. We do not sell or rent user data. We do not share personal data with advertisers or ad networks. If our policies in this regard change in the future, we will obtain appropriate consent and comply with applicable laws prior to such change.

4. International Data Transfers

Xplainity is based in India, but we serve users around the world. This means that your personal information may be transferred to, processed, and stored in countries other than your own. Specifically, our primary servers and operations are in India, and possibly in other jurisdictions (for example, we may use cloud hosting in data centers located in the United States or European Union or other regions, depending on our service providers).

Data Protection Laws Vary: Different countries may have different data protection laws than those in your country. For instance, if you are in the European Economic Area (EEA) or United Kingdom, you should be aware that India (where our company is located) and other countries where data might be processed may not be deemed to provide the same level of data protection as in the EU/UK law. However, we take measures to ensure that your personal information receives an adequate level of protection wherever it is processed.

Safeguards for International Transfers: When we transfer personal data out of regions like the EEA, UK, or Switzerland, we rely on legal mechanisms such as:

  • Standard Contractual Clauses (SCCs): We may incorporate EU Commission-approved standard data protection clauses into our contracts with recipients of the data (for example, with our service providers or within our corporate group if applicable). These clauses contractually oblige the recipient to protect personal data according to the EU’s standards.
  • Adequacy Decisions: In some cases, we may transfer data to countries that have been officially deemed “adequate” by the European Commission or relevant authority (meaning they provide sufficient data protection under law). For example, transfers to entities in countries like Canada or Japan might fall under this if applicable.
  • Consent and Derogations: In limited cases, we might rely on your explicit consent to transfer data (for example, if you explicitly request a service that involves sending your data to a third country), but generally we avoid this and use structural safeguards.

By using the Service, you acknowledge that your information may be transferred to our facilities and those third parties with whom we share it as described in this Privacy Policy, regardless of where they are located. We will do our best to ensure any international transfers comply with applicable legal requirements. If you would like more details about the safeguards we put in place for cross-border transfers, you can contact us.

5. Data Retention and Deletion

How long do we keep your information? We keep personal information only for as long as necessary to fulfill the purposes for which we collected it (as described in this Policy), unless a longer retention period is required or permitted by law. In practice, this means:

  • Active Account Data: For as long as you have an active account with Xplainity, we will retain your profile information, account credentials, and the content and data associated with your use of the Service. This is necessary to provide you with ongoing services (e.g., to show your historical performance or content).
  • Inactive Accounts: If you cease using Xplainity, we generally will retain your account information for a period in case you return, unless you request deletion. We might define an “inactive” period (e.g., if no login for 1-2 years) after which we purge or anonymize data, but we will provide notice before significant deletion of account data.
  • Deleted Accounts: If you choose to delete your account (or a teacher or school administrator deletes a student account, or we delete an account due to violation or inactivity), we will remove or anonymize personal information associated with that account within a reasonable time frame. It may take us some time to fully delete all associated data from backups and caches, but we will cease using your data for active purposes immediately upon account deletion.
    • Some data that does not personally identify you may be retained (for example, aggregated data about general usage, or anonymized records for statistical purposes).
    • Note for educational records: If a student or parent requests deletion of student data, we may need to retain certain minimal information to demonstrate compliance or for legal reasons (see below), but we will remove personal identifiers.
  • Content Removal: If you delete specific content (like edit or delete an entry, or a teacher deletes a class), that content will no longer be accessible to you or other authorized users via the interface. However, copies of it might remain in system backups or logs for a short period before those are overwritten. We may also retain it if necessary for legal disputes or investigations (again, see below).
  • Legal and Operational Retention: We might retain data for longer periods if necessary for:
    • Compliance with Laws: For example, financial records of transactions are kept for accounting/tax, typically at least 7 years as required by law.
    • Dispute Resolution: If we are resolving a dispute or if we reasonably believe there is a prospect of litigation relating to your information or use of our services, we will retain relevant information until the issue is resolved.
    • Safety and Abuse Prevention: Data about accounts terminated for abuse or policy violations may be kept to prevent repeat abuse or to cooperate with law enforcement (e.g., IP addresses or email of users banned for misconduct may be kept to block their attempts to rejoin).
    • Backups: Our routine backups of the database might incidentally capture some data that has been since deleted by a user. These backups are securely stored and used only for disaster recovery. They are rotated and overwritten periodically, so any deleted data would be fully purged in the normal backup cycle (typically within a few weeks).

When we no longer have a legitimate need or legal obligation to keep your personal information, we will securely delete it or anonymize it. If deletion is not feasible (for example, because your data is stored in backup archives), then we will securely store it and isolate it from further processing until deletion is possible.

6. Data Security Measures

We take data security seriously and have implemented a variety of measures to guard your personal information against unauthorized access, alteration, disclosure, or destruction. While no website or internet transmission is completely secure, we strive to follow best practices and continually improve our safeguards. Our measures include:

  • Encryption: We use encryption to protect data in transit and at rest. All connections to Xplainity’s website are forced to use HTTPS (TLS encryption) to prevent eavesdropping. For sensitive personal data and passwords, we also encrypt those in our databases and/or use one-way hashing (for passwords) so that even in the unlikely event of a data breach, the data would be of limited use to an attacker.
  • Access Controls: We limit access to personal data strictly to personnel and service providers who need to know the information in order to perform their duties (principle of least privilege). Within our company, only authorized employees (for example, those in customer support, engineering, or compliance who have been trained in data handling) can access user data, and even then, they can only do so for legitimate work purposes. All employees are bound by confidentiality agreements. Administrative access to our systems is protected with strong authentication (such as multi-factor authentication) to prevent unauthorized logins.
  • Secure Development Practices: Our engineering team follows secure coding guidelines. We regularly update our software dependencies and apply security patches to address known vulnerabilities. We also perform testing (including unit tests, integration tests, and occasionally third-party security audits or pentests) on our platform to identify and fix vulnerabilities.
  • Network and Application Security: We deploy firewalls and monitoring systems to guard our infrastructure. Suspicious activities (such as repeated failed logins, strange patterns of requests) are logged and investigated. We utilize security services and tools to detect potential intrusions or malware.
  • Regular Backups: We create regular backups of critical data to ensure we can recover from any unexpected events, such as a hardware failure or security incident. Backups are encrypted and stored in secure, geographically distributed locations to add redundancy.
  • Third-Party Due Diligence: When we select service providers that will handle personal data, we vet their security practices. We choose reputable companies with strong security track records, and we include privacy and security requirements in our contracts with them. For example, if we use a cloud hosting provider, we ensure it has appropriate certifications (like ISO 27001, SOC 2, etc.) or if we use an email service, that it supports encryption and compliance measures.
  • Training and Awareness: We train our staff about data privacy and security. Team members are made aware of best practices (like identifying phishing attempts, safeguarding credentials, and respecting user privacy). We maintain internal policies on handling user data safely.
  • Incident Response: We have an incident response plan in place. This means if a security breach or incident is detected, we will take immediate steps to mitigate it, investigate the scope, and notify affected parties and regulators as required by law. We will also take measures to prevent future incidents (such as patching, additional monitoring, etc.).
  • User Responsibilities: Despite our efforts, it’s also important that you play a role in keeping your data secure. Never share your password with others, use unique and strong passwords, and notify us if you suspect any unauthorized access to your account. We also encourage you to log out of the Service and close your browser when you have finished a session, especially if you are using a public or shared computer.

No system is impenetrable. While we cannot guarantee absolute security of information (and you should be careful with how you handle your own data and access), we will continue to update and enhance our security measures as new technologies and best practices emerge. In the unfortunate event of a data breach affecting your personal information, we will follow applicable data breach notification laws, which may include notifying you and relevant authorities.

7. Your Rights and Choices

You have rights and choices regarding your personal data and how we handle it. We strive to provide you with access to your data and the ability to update or delete it whenever possible. The availability of some rights may depend on where you live (different laws provide different rights), but we aim to honor the key privacy principles for all our users. Here are the rights and options you typically have:

  • Access Your Data: You have the right to request a copy of the personal information we hold about you. For most users, much of your data is accessible directly through the platform (e.g., you can view your profile details, your content submissions, your grades or progress). If you require a comprehensive export or have trouble finding specific information, you can contact us at kshitij.jain@xplainity.com to request an data export. We may need to verify your identity (to ensure we don’t give your data to someone else). We will provide the information in a common format, and for EU users, this is the right of access under GDPR.
  • Rectify / Correct Your Data: If any personal information we have about you is inaccurate or incomplete, you have the right to ask us to correct it. You can usually do this by logging into your account and editing your profile or settings (for example, updating your name if it’s misspelled, or changing an email address). If you cannot change something yourself, contact us and we will correct it for you if possible.
  • Delete Your Data (Right to Erasure): You can request deletion of your personal information. The easiest way to do this is often by deleting your account through the Service interface (if that feature exists). Teachers or administrators can also delete student accounts in some cases. When an account is deleted, we will remove or anonymize personal data as described in our retention section. If you want us to specifically delete certain data (like a particular piece of content you provided) without deleting your whole account, you can also contact us for assistance. Please note, in some cases we may retain certain data after a deletion request if we have a legal obligation or legitimate reason (which we will communicate to you if applicable). For example, if a student requests deletion of data that the school needs to keep a record of, we might anonymize it rather than fully delete, in line with educational record-keeping obligations.
  • Data Portability: In some jurisdictions (like the EU), individuals have the right to data portability – to obtain some of their information in a structured, commonly used, and machine-readable format, and to have it transferred to another data controller where technically feasible. For Xplainity, if you need an export of your data for portability purposes, let us know and we will work with you to provide the most suitable format (for example, CSV files of your records).
  • Withdraw Consent: Where we rely on consent for processing your personal data (for example, for sending marketing emails or collecting certain optional data), you have the right to withdraw your consent at any time. Withdrawing consent will not affect the lawfulness of any processing we did based on your consent before withdrawal. To withdraw consent for marketing, you can simply click the “unsubscribe” link in any marketing email or adjust your email preferences in your account settings. For other consent withdrawals, contacting us is the best approach. If you withdraw consent for a service that requires it (like an optional feature that uses your data), you may lose access to that feature or functionality.
  • Opt-Out of Communications: As mentioned, you can opt out of marketing or newsletter emails at any time. You can also manage some notifications through your account settings. Note that we will still send you essential service or transactional communications (like account alerts, password resets, class assignments, etc.) as those are necessary for using the Service. If you truly do not want any communications, that would require deleting your account.
  • Object or Restrict Processing: In certain situations, you have the right to object to our processing of your personal information or ask us to restrict processing. For example, if we are processing your data based on our legitimate interest and you have a particular situation that makes you want to object to that processing, you can. Or if you contest the accuracy of your data or the lawfulness of processing, you can request a temporary restriction while the issue is resolved. We will honor such requests where required by applicable law. In practical terms, if you, for instance, don’t want your data used for analytics, you could contact us to discuss opting out (though since our analytics is usually aggregated and not personal, the impact may be minimal). If you object to processing that is fundamental to the service (like say, you object to us processing your content altogether), we might need to advise you to delete your account because we cannot provide the service without processing your content.
  • California Privacy Rights: If you are a resident of California, you have specific rights under the California Consumer Privacy Act (CCPA) (as amended by the CPRA): the right to know what personal information we collect, the right to access that information, the right to deletion (with similar exceptions as mentioned above), the right to correct inaccurate information, the right to opt-out of “sale” or “sharing” of personal info (note: Xplainity does not sell personal data, nor do we share it for cross-context behavioral advertising, so this right is more about being informed), and the right not to receive discriminatory treatment for exercising your rights. California law also allows requesting information about third parties we have shared data with for their direct marketing; however, Xplainity does not share data with third parties for their own direct marketing purposes without consent. If you are a California resident and have a specific request, please reach out using the contact info provided. We will verify your identity and respond as required by law (usually within 45 days).
  • GDPR Supervisory Authority: If you are in the EU/EEA or UK and believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority. For example, in the UK that would be the Information Commissioner’s Office (ICO), in Ireland the Data Protection Commission (DPC), etc. We encourage you to contact us first so we can try to resolve any issues directly.

How to Exercise Your Rights: To make any request related to your personal data, you can contact us at kshitij.jain@xplainity.com with the subject line “Privacy Request” or similar. Please clearly describe your request – what data or action you are looking for – and include information that will help us verify your identity (e.g., the email associated with your Xplainity account, and perhaps a confirmation from within the account if necessary). For certain requests, we may ask for additional verification (especially for sensitive requests like accessing data or deleting an account, we need to ensure the requester is legitimate). We will respond to your request as soon as we can, typically within 30 days. If we need more time or cannot fulfill your request (due to an applicable legal exception), we will inform you and provide an explanation.

Note for Educational Users: If your data has been provided by a school or teacher (i.e., Student Data under FERPA or similar laws), your rights might be exercised in coordination with your school. For example, a student’s parent who wants to review or delete their child’s information should ideally approach the school, and we will work with the school to honor that request. We may forward requests from students or parents to the relevant institution and coordinate as required by laws like FERPA which give the school primary control over the education record. We will also notify the school of any significant changes a student or parent makes to personal information (if required by law).

We are committed to empowering you with control over your information. There is no charge for exercising your rights (except if a request is manifestly unfounded or excessive, in which case we might charge a reasonable fee or refuse). We will not retaliate or deny you services if you choose to exercise your privacy rights. Our goal is to maintain your trust by handling your requests with respect and care.

8. Children’s Privacy

Protecting the privacy of young users is especially important to Xplainity. Our Service may be used by children under the age of 18 (for instance, as part of a school’s educational program or with parental guidance), and we are committed to complying with applicable laws such as COPPA (Children’s Online Privacy Protection Act) in the U.S., and similar laws around the world that govern the collection of data from minors. Here’s what we do:

  • Parental Consent for Under 13 (COPPA): We do not knowingly collect personal information from children under 13 unless (a) we have obtained verifiable parental consent directly, or (b) the child’s school, district, or teacher has represented to us that they have authority to provide consent for the child’s use of Xplainity for an educational context (the “school consent” mechanism allowed by COPPA). In practice, this means if a child under 13 is using Xplainity at home, we would require a parent to sign them up or provide permission. If the child is using it through a school or teacher, we rely on the school to obtain any necessary parental permission and to act in the best interests of the child’s privacy.
  • Limited Data for Children: We try to limit the data we collect from children to just what is needed for the educational activity. Typically, a child user might only need to provide a username (which could be a pseudonym or code) and a class code to join, rather than an email. We encourage using non-identifiable usernames for young students when possible. Any additional information (like age, grade level, etc.) is primarily to customize the experience and is provided by the school/teacher or optional.
  • No Marketing to Kids: We do not send marketing or promotional communications to users who are identified to us as under 18, and certainly not to those under 13. We do not display third-party ads in the student interface, and we do not sell children’s personal information.
  • Parental Rights: If you are a parent or guardian and you believe your child under 13 (or under the relevant age in your country) has provided us personal information without your consent, please contact us at kshitij.jain@xplainity.com. We will promptly investigate and delete the information if we find that we have collected it in violation of applicable law. If your child is using Xplainity through a school, you can also contact your child’s teacher or school, who can work with us to address any concerns. Under laws like COPPA and FERPA, parents (or eligible students) have the right to review personal information held by the service, request deletion, and refuse further collection or use of the child’s information. We honor these rights and typically coordinate with the school to fulfill such requests in an educational context.
  • Age Restrictions: If a user indicates they are under the age of digital consent in their region (for example, under 16 in some EU countries, or under 13 in the U.S.), certain features may be disabled for them (such as social features or any data sharing not directly related to the educational purpose). We may also restrict account creation for very young users unless through a verified educator or parent. Our Terms of Service also reflect these age-related conditions.
  • Teachers and Schools as Intermediaries: For educational use, we consider teachers and schools to be partners in protecting student privacy. We expect educators to supervise students’ use of Xplainity, ensure that no unnecessary personal data is shared by students on the platform, and to communicate with parents about the use of our Service in the classroom. We provide educators with resources and settings to maintain a safe environment (for example, teachers may have control over what content students can see or share).

If you have any questions about our practices with regard to children’s personal information, please contact us. We strive to make our Privacy Policy clear and understandable for users of all ages, and we are happy to provide additional explanations for young users or their parents as needed.

9. Updates to this Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the “Last Updated” date at the top of this Policy. For significant changes, we will also provide a more prominent notice – for example, by posting a notice on our website’s homepage or dashboard, or by sending an email notification to users (for critical updates, especially those that may require your consent or have a significant impact on your rights).

Your continued use of Xplainity after a Privacy Policy update signifies your acceptance of the revised terms, to the extent permitted by law. If you do not agree to any changes, you should stop using the Service and, if you choose, delete your account. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

For prior versions of this Privacy Policy, you may contact us if you wish to see a historical copy. We maintain an archive of past privacy policies as part of our compliance efforts.

10. Compliance and Data Protection Framework

(See the next section below for details on our broader compliance with international data protection laws and practices. This section outlines the frameworks and principles we adhere to, such as GDPR compliance, Indian data protection law, etc.)

In summary, your trust is extremely important to us. We built Xplainity with privacy and security in mind and we will continue to prioritize the protection of your personal information. If you have any questions or concerns about this Privacy Policy or Xplainity’s data practices, please reach out to us at kshitij.jain@xplainity.com – we are here to help.

Thank you for being part of the Xplainity community and for reviewing our Privacy Policy. Happy learning!

Questions about this policy? Contact us.