DPDP Compliance

Our compliance posture, plainly.

Digital Personal Data Protection Act, 2023

Last reviewed: May 12, 2026

India's Digital Personal Data Protection Act ("DPDP Act") sets out how companies must handle the personal data of people in India, especially the data of children. As a service used by parents and children, we treat DPDP not as a checklist but as the floor.

This page is a one-page summary of where we stand. It is a companion to our full Privacy Policy, which remains the authoritative document.

§ 4 · Lawful processing

Consent-based, narrow purpose.

We collect only what's needed to analyse a child's schoolwork for their parent. No data is processed for an unrelated purpose without fresh consent.

✓ In place

§ 6 · Notice & consent

Plain-language consent at sign-up.

The Graddly app shows a short, readable consent screen before any account creation, explaining what we collect and why. Consent can be withdrawn from Profile at any time.

✓ In place

§ 9 · Children's data

Parental consent, no profiling.

Accounts are held by parents or guardians aged 18 or older. By adding a child profile, the parent provides verifiable consent on the child's behalf. We do not profile children for advertising, and we show no ads.

✓ In place

§ 8(7) · Data retention

Photos auto-delete after 90 days.

Original photos are deleted within 90 days of upload. Only the text analysis is retained, so you can look back at past weeks. You can delete everything via Profile → Delete account.

✓ In place

§ 8(4) · Security safeguards

Encryption at rest & in transit.

Photos live in Cloudflare R2 with short-lived signed URLs (15-min expiry). Data in transit is TLS 1.3. Database access is restricted by least-privilege roles.

✓ In place

§ 11 · Rights of data principals

Access, correction, erasure.

Email hello@graddly.com to access, correct, or erase data; we respond within 7 working days. Most actions are also self-serve in the app.

✓ In place

§ 8(6) · Breach notification

Notification within 72 hours.

In the unlikely event of a personal data breach, we will notify affected users and the Data Protection Board of India within 72 hours of discovery.

✓ Policy in place

§ 13 · Data Protection Officer

Reachable, named contact.

Our Data Protection Officer is reachable at hello@graddly.com. For the registered postal address, see our Contact page.

✓ In place

Questions or complaints?

Write to hello@graddly.com. If you're not satisfied with our response, you may also contact the Data Protection Board of India.