Privacy Policy
EFFECTIVE JUNE 16, 2026
Gradis is a service for children, and we take that responsibility seriously. This policy explains what we collect, why, who we share it with, and the rights you have over it. It is written to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable Indian law.
1. Who we are
Gradis Private Limited is the data fiduciary for the personal data described here. Our registered office is at Tower 5, 2301, Lodha Woods, Kandivali East, Mumbai 400101. Contact for privacy questions: founder@gradis.ai.
2. Parental consent for children's data
Gradis is used by children aged 10 to 15. The account is created and held by a parent or legal guardian, who provides consent at signup for their child's use of the service. The child cannot create an account directly. The parent is identified by the email address and phone number captured at signup, both of which we use for billing and for direct communication about the child's use of the service. We do not process a child's data for any purpose other than running the service the parent has signed them up for.
You can withdraw consent at any time by cancelling your subscription and writing to founder@gradis.ai to request deletion of your child's data.
3. What we collect
From parents
- Name, email address, phone number.
- Payment details handled by PhonePe Payment Gateway (we do not store card or UPI numbers ourselves).
- Any messages you send to our support email or WhatsApp.
From children
- First name and age (as provided by you at signup).
- The conversations they have with the AI coach.
- The artifacts they create on the platform (writing, drawings, code, audio recordings if they choose to record).
- Activity data: when they log in, how long they spend, which sections they use.
4. Why we collect it
- To run the service: personalise the AI coach, generate reports for parents, save the child's work.
- To bill parents and prevent fraud.
- To send parents updates about their child's activity on Gradis (WhatsApp, email).
- To improve the product. We use aggregated, de-identified data to study what works and what doesn't.
- To meet legal obligations (tax records, audit, response to lawful requests).
5. What we never do
- We do not sell your data or your child's data to anyone.
- We do not share an identifiable child's conversations or artifacts with advertisers, brokers, or any third party for marketing.
- We do not use your child's content to train AI models, our own or anyone else's.
- We do not show your child advertising.
- We do not add you to mailing lists you did not sign up for.
6. Who we share data with (and why)
We use a small number of trusted service providers (sub-processors) to run Gradis. They process data on our instruction only.
- Supabase (database, authentication, storage). Data stored in Supabase's infrastructure in Asia Pacific.
- Anthropic (Claude language model, used by the AI coaches). Conversations with the AI are sent to Anthropic's API for processing. Anthropic does not use API inputs to train its models. Inputs may be retained for up to 30 days for abuse monitoring and are then deleted.
- OpenAI — used for two narrow purposes: (a) content-safety moderation of text a child types, to catch unsafe content before it reaches the AI coach; and (b) transcribing audio when a child or parent uses the voice-record option (via OpenAI's gpt-4o-mini-transcribe model). OpenAI does not use API inputs to train models. Audio is processed for transcription and not retained by OpenAI past the API call. Not used for the coaching conversation itself.
- PhonePe Payment Gateway (RBI-authorised payment aggregator — payment processing). When you subscribe, payment details are handled by PhonePe Payment Gateway directly. PhonePe is a sub-processor of card and UPI data.
- AiSensy (WhatsApp Business message delivery). Parent phone numbers and the message body are shared so Gradis can send updates over WhatsApp.
- Vercel (application hosting). Standard request logs.
- Resend or equivalent (transactional email). Parent email addresses and email contents.
Some of these providers are located outside India (Anthropic, OpenAI, Vercel, Resend are based in the United States). Your account creation and use of Gradis is your consent to these transfers, which we make for the limited purposes of running the service. This list of sub-processors is current and complete as of the effective date of this policy. If we add a new sub-processor that touches your data or your child's data, we will update this policy first.
7. How long we keep data
We keep your account data for as long as your subscription is active, plus the period required for tax, audit, and legal compliance (currently 8 years for financial records under Indian law). When you cancel and request deletion, we delete your child's conversational content and artifacts within 30 days, and retain only the minimum financial records required by law.
Children's conversational data and artifacts are stored separately from parent payment data. Payment information is held only by PhonePe Payment Gateway; we never see or store card or UPI numbers.
8. Security
We use encryption in transit (TLS) and at rest. Access to production data is restricted to a small number of personnel with a business need. We do not store credit card or UPI numbers ourselves.
9. Your rights
Under the DPDP Act, you have the right to:
- Access the personal data we hold about you and your child.
- Ask us to correct inaccurate or outdated data.
- Withdraw consent and ask us to erase data we no longer need.
- Lodge a grievance with our Grievance Officer (see below) or the Data Protection Board of India.
10. Grievance Officer
Under the DPDP Act, our Grievance Officer is the founder, Prakhar Bhandari, reachable at founder@gradis.ai. We will acknowledge any grievance within 7 working days and respond within 30 days.
11. Cookies and analytics
Gradis uses two narrow categories of cookies. We do not use advertising cookies, social-media trackers, or third-party marketing pixels.
Strictly necessary cookies
- Authentication session (`sb-*` cookies set by Supabase Auth): stores your signed-in session so you don't have to re-enter your password on every page. Expires when you sign out or after a period of inactivity. Without this cookie the service cannot function. You cannot opt out without losing the ability to sign in.
- CSRF / security tokens: short-lived cookies set by our framework to prevent cross-site request forgery on sensitive actions like cancelling a subscription. Cleared at the end of each browser session.
Analytics cookies (aggregated, privacy-preserving)
If and when we enable product analytics, we use privacy-preserving analytics (we do not use Google Analytics, Facebook Pixel, or similar third-party advertising trackers). Aggregate data only — we never track an individual child's behaviour across the web. We will update this section if our analytics provider changes.
How to disable cookies
You can clear or block cookies through your browser settings. Blocking strictly-necessary cookies will sign you out and prevent you from using Gradis. Blocking analytics cookies has no effect on functionality.
12. Changes to this policy
We will update this policy as the service evolves. Material changes are communicated by email and posted here with a new effective date.