Digital Personal Data Protection Act Compliance

1. Our Commitment

StudAI Technologies Pvt. Ltd. is committed to full compliance with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) enacted by the Parliament of India. This document outlines how the StudAI BOS platform aligns with the requirements of the DPDP Act and the measures we have implemented to protect the digital personal data of our users and their organizations.

We continuously monitor regulatory developments and update our practices, policies, and technical controls to maintain compliance as rules and regulations under the DPDP Act are notified.

2. StudAI as Data Fiduciary

Under the DPDP Act, StudAI Technologies Pvt. Ltd. acts as a Data Fiduciary for the personal data it collects directly from users (such as account registration data, contact information, and usage data).

As a Data Fiduciary, we bear the following responsibilities:

• Collecting personal data only for lawful purposes with valid consent.
• Processing data only for the purposes communicated at the time of consent.
• Implementing appropriate technical and organizational security safeguards.
• Ensuring the accuracy and completeness of personal data.
• Deleting personal data once the purpose of processing has been fulfilled, unless retention is required by law.
• Appointing a Grievance Officer to address Data Principal requests.

Where StudAI processes personal data on behalf of a subscribing organization, the organization acts as the Data Fiduciary and StudAI acts as a Data Processor, governed by our Data Processing Addendum.

3. Data Principal Rights

The DPDP Act grants individuals (“Data Principals”) certain rights over their personal data. StudAI supports and facilitates the exercise of these rights:

• Right to Access: You may request a summary of your personal data being processed by StudAI, including the categories of data, the purposes of processing, and the identities of any entities with whom data has been shared.
• Right to Correction: You may request the correction or completion of inaccurate or incomplete personal data. Corrections will be reflected across our systems within a reasonable timeframe.
• Right to Erasure: You may request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, or when you withdraw consent. Deletion will be completed within 30 days, subject to any legal retention obligations.
• Right to Grievance Redressal: You may raise a grievance with our designated Grievance Officer regarding any aspect of our data processing practices. We will acknowledge your grievance within 48 hours and provide a resolution within 30 days.
• Right to Nominate: You may nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity, in accordance with the provisions of the Act.

Submit requests to privacy@studai.in or through the in-app privacy settings dashboard.

4. Consent

We collect and process personal data only with explicit, informed, and freely given consent from the Data Principal, except where processing is necessary to comply with legal obligations or for legitimate purposes as permitted under the DPDP Act.

Our consent practices include:

• Clear, plain-language descriptions of data collection purposes presented at the time of consent.
• Granular consent options allowing you to choose which types of data processing you authorize.
• Easy-to-use consent withdrawal mechanisms available through account settings at any time.
• Maintaining records of consent, including the date, scope, and method through which consent was obtained.

Withdrawal of consent does not affect the lawfulness of processing performed prior to withdrawal. Upon withdrawal, we will cease processing your personal data and delete it within 30 days, unless retention is required by law.

5. Purpose Limitation

Personal data collected by StudAI is used only for the specific purposes communicated to you at the time of collection. These purposes include:

• Providing and operating the StudAI BOS platform and its features.
• Account management, authentication, and authorization.
• Processing AI-powered features within your organization’s workspace.
• Sending transactional communications (account notifications, billing, security alerts).
• Ensuring platform security and preventing fraud or abuse.
• Complying with applicable legal and regulatory requirements.

We will not process your data for purposes beyond those stated without obtaining fresh consent.

6. Data Localization

All personal data and organization data processed by StudAI BOS is stored exclusively within India on Microsoft Azure India infrastructure:

• Primary Region: Azure Central India (Pune)
• Disaster Recovery Region: Azure South India (Chennai)

No personal data is transferred, mirrored, or replicated to servers outside of India unless explicitly authorized by the Data Principal or required by a competent authority under the DPDP Act. Should the Government of India notify specific countries as approved jurisdictions for data transfer, we will update our practices accordingly.

7. Breach Notification

In the event of a personal data breach, StudAI is committed to the following notification timeline:

• Within 72 hours: Notify the Data Protection Board of India as required under the DPDP Act.
• Within 72 hours: Notify affected Data Principals with details of the breach, potential impact, and remedial measures taken.
• Within 72 hours: Notify subscribing organizations (Data Fiduciaries) where we act as Data Processor, enabling them to fulfill their own notification obligations.

Our incident response procedures include immediate containment, forensic investigation, impact assessment, and implementation of corrective measures. Full details are available in our Security Policy.

8. Children’s Data

StudAI BOS is an enterprise platform designed exclusively for business use. We do not knowingly collect or process personal data of children (individuals under the age of 18 years). Our platform requires users to be at least 18 years of age to create an account.

If we become aware that a child’s personal data has been collected without verifiable parental consent, we will promptly delete such data and take appropriate measures to prevent recurrence.

9. Grievance Officer

In accordance with Section 8(10) of the DPDP Act, we have appointed a Grievance Officer to address your queries and complaints regarding data protection:

If you are not satisfied with the resolution provided by our Grievance Officer, you have the right to file a complaint with the Data Protection Board of India.

10. Contact

For questions regarding DPDP compliance or our data protection practices: