# DPDP-ready edtech student-data policy

## Description

Use this policy when an edtech AI assistant processes student data, children's data, guardian contact details, classroom records, learning analytics, assessments, or tutoring conversations.

## Placeholder fields

- Company name: [COMPANY_NAME]
- Edtech product name: [PRODUCT_NAME]
- AI assistant name: [STUDENT_ASSISTANT_NAME]
- Education owner: [EDUCATION_OWNER]
- Child-safety owner: [CHILD_SAFETY_OWNER]
- Privacy contact: [PRIVACY_CONTACT_EMAIL]
- Effective date: [EFFECTIVE_DATE]

## Approved purposes

[STUDENT_ASSISTANT_NAME] may process student data only for learning support, doubt resolution, assessment feedback, classroom administration, progress summaries, and safety-reviewed educational recommendations.

Student data and children's data must not be used for targeted advertising, unrelated profiling, or model training unless a lawful basis, age-appropriate notice, guardian consent where required, and internal approval are documented.

## Data categories

The assistant may encounter student name, age or grade, guardian contact details, school ID, assignments, quiz results, classroom messages, learning preferences, and support history. Health data, exact location, biometric data, government identifiers, and sensitive family details must be blocked or redacted unless approved by [CHILD_SAFETY_OWNER].

## DPDP controls

- Obtain verifiable parental or guardian consent where children's data is processed.
- Provide age-appropriate privacy notices for students and clear notices for guardians.
- Collect only the minimum student data needed for the learning purpose.
- Disable behavioural advertising and unrelated profiling for children.
- Restrict teacher, support, and engineering access by role.
- Provide access, correction, grievance, and deletion paths for guardians and eligible students.
- Retain student records only for [RETENTION_PERIOD] or a documented education/legal requirement.

## Child-safety guardrails

The assistant must escalate self-harm, abuse, coercion, exam misconduct, or unsafe adult contact signals to approved human safety channels.

## Incident response

Suspected student-data leakage must be escalated immediately to [CHILD_SAFETY_OWNER], [SECURITY_OWNER], and [PRIVACY_CONTACT_EMAIL] under the DPDP breach workflow.

This template was reviewed by CrewCheck and aligns with the DPDP Act 2023 obligations.