1. Overview & Scope
This Privacy Policy ("Policy") governs the collection, processing, storage, transfer, and protection of Personal Data by Devithor AI Space Private Limited (hereinafter "Devithor," "we," "us," or "our"), a company incorporated under the Companies Act, 2013, bearing CIN U68200TS2025PTC207956, with its registered office at Jadcherla, Mahbubnagar District, Telangana – 509301, India.
This Policy applies to all individuals who access or interact with Devithor AI Space through our website (devithoraispace.com), our digital platforms (including the SK Challenge EdTech Portal, Partner Command Dashboard, and Business SaaS Automation Suite), mobile applications, and any other service offered by Devithor AI Space Private Limited (collectively, the "Services").
This Policy has been prepared in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) of India, and where applicable, the General Data Protection Regulation (GDPR) of the European Union, the Personal Data Protection Act (PDPA) of Singapore, the UAE Federal Decree-Law No. 45/2021 on Personal Data Protection, the Australian Privacy Act 1988, and the UK Data Protection Act 2018.
Applicable User Categories
By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree to this Policy, you must immediately discontinue use of our Services.
2. Data We Collect
We collect personal data only to the extent necessary to provide our Services, fulfil contractual obligations, comply with legal requirements, and operate our business responsibly.
3. Legal Basis for Processing
We rely on the following legal grounds to process your personal data, in accordance with applicable data protection legislation:
Where you have provided explicit, freely-given, informed, and unambiguous consent — particularly for AI profiling, marketing communications, and optional data processing. Consent may be withdrawn at any time without affecting prior lawful processing.
Processing required to fulfil our contractual obligations to you — including exam delivery, partner dashboard operations, commission settlement, territory assignment, and SaaS service delivery.
Processing necessary to comply with applicable laws — including KYC obligations under PMLA, tax reporting requirements, court orders, regulatory audits, and law enforcement requests under proper legal process.
Processing necessary for our legitimate business interests where those interests are not overridden by your rights — including platform security, fraud prevention, product improvement analytics, and internal research, subject to a documented balancing test.
In exceptional circumstances where processing is necessary to protect the life or safety of a person — including emergency situations involving minor students using our EdTech platform.
4. How We Use Your Data
We process your personal data strictly for specified, explicit, and legitimate purposes. We do not process personal data in ways incompatible with the purpose for which it was originally collected.
What We Never Do: We do not sell your personal data to third parties. We do not use your data for targeted advertising through third-party ad networks. We do not process sensitive personal data (biometrics, religion, political views) without explicit consent and regulatory compliance.
5. AI & Automated Decision-Making
Devithor AI Space operates advanced AI systems — collectively known as Devithor Intelligence — comprising autonomous AI agents for examination delivery, talent assessment, partner performance optimisation, and business workflow automation. We are committed to responsible, transparent, and explainable AI.
Automated Decision-Making Disclosure
Certain AI-driven outputs — including exam scores, talent tier classifications, career pathway recommendations, partner tier determinations, and fraud risk assessments — constitute automated decisions that may have significant effects on data subjects. In compliance with GDPR Article 22 and DPDPA Section 7, you have the right to:
- Request a human review of any automated decision that materially affects you
- Receive a meaningful explanation of the logic, significance, and likely consequences of any AI-generated output concerning you
- Contest or correct any AI-generated profile, score, or recommendation
- Opt out of profiling used for purposes other than core service delivery
Our AI systems process examination response patterns, spatial reasoning indicators, engagement metrics, and partner performance history. We implement algorithmic impact assessments (AIAs) for all high-risk AI use cases and conduct regular bias audits to ensure fairness across demographic groups.
Proctoring AI: Our computer vision-based exam proctoring system analyses video feeds in real time to detect examination violations. This data is processed locally during the exam session and is not permanently stored, transmitted to third parties, or used for purposes beyond examination integrity verification.
7. International Data Transfers
Devithor AI Space operates across 7 global markets. Personal data may be processed in India, Singapore, the UAE, Malaysia, the United Kingdom, the United States, and Australia, as well as through cloud infrastructure providers whose servers may be located in multiple jurisdictions.
For transfers of personal data outside India, we implement the following safeguards as required under the DPDPA and applicable international frameworks:
- Standard Contractual Clauses (SCCs) approved by competent regulatory authorities for EU/UK data subjects
- Adequacy decisions or equivalent transfer mechanisms under Singapore PDPA
- Data localisation measures for categories of sensitive data specified by Indian regulatory authorities
- Binding Corporate Rules (BCRs) under development for intra-group transfers at scale
- Contractual obligations requiring overseas recipients to provide equivalent protection to Indian data principals
AI model inference (processing of your data by our AI systems) may occur on servers hosted by our AI API providers. All such providers are bound by Data Processing Agreements specifying prohibited uses, security obligations, and deletion timelines.
India-First Data Principle: Personal data of Indian citizens is primarily stored and processed within India. Cross-border transfers occur only where operationally necessary and subject to the safeguards described above.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods are determined based on data category, regulatory requirements, and business necessity.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account & Identity Data | 5 years post account closure | Legal obligation (PMLA, IT Act) |
| Examination Records & Scores | 7 years from exam date | Educational integrity & disputes |
| AI-Generated Talent Profiles | 3 years or until consent withdrawn | Consent-based |
| Partner KYC Documents | 10 years post partnership end | PMLA compliance |
| Commission & Financial Records | 8 years | Income Tax Act, Companies Act |
| Proctoring Session Data | Deleted within 24 hours post-exam | Minimal retention principle |
| Technical & Usage Logs | 12 months rolling | Security & fraud prevention |
| Marketing Communications | Until consent withdrawn | Consent-based |
| Legal Correspondence | Duration of legal proceedings + 3 years | Legal obligation |
Upon expiry of the applicable retention period, personal data is securely deleted, anonymised, or pseudonymised in accordance with our Data Destruction Policy. Anonymised or aggregated data that cannot be re-linked to an individual is not subject to retention limits.
9. Your Rights as a Data Principal
You have the following rights with respect to your personal data. These rights may be subject to limitations under applicable law. We respond to all valid requests within 30 days (extendable to 60 days for complex requests, with notice).
Obtain confirmation of whether we process your data, access a copy of your personal data, and receive information about how it is used.
Request correction of inaccurate, incomplete, or outdated personal data. We will update records or provide reasons for declining within the statutory timeline.
Request deletion of your personal data where the processing purpose has been fulfilled, consent withdrawn, or processing is unlawful — subject to legal retention obligations.
Receive your personal data in a structured, commonly-used, machine-readable format and transmit it to another controller where technically feasible.
Object to processing based on legitimate interest, restrict processing during a dispute, and withdraw consent for profiling and automated decision-making.
Not be subject to solely automated decisions with significant effects. Request human review and a meaningful explanation of any AI-generated output affecting you.
Nominate an individual to exercise your data rights in the event of your incapacity or death — specific to Indian DPDPA framework.
Lodge a complaint with our Grievance Officer. If unresolved within 30 days, escalate to the Data Protection Board of India under DPDPA or the relevant supervisory authority under GDPR.
How to Exercise Your Rights
Submit a written request to privacy@devithoraispace.com with: (1) your full name and registered email, (2) the specific right you wish to exercise, (3) sufficient information to verify your identity. We do not charge a fee for valid requests unless repetitive or manifestly unfounded.
10. Children's Privacy
⚠️ Special Protections for Minors
The SK Challenge EdTech platform is designed for students including those under 18 years of age. We apply heightened privacy protections to all data subjects under 18 in compliance with DPDPA Section 9 and international best practices for children's data.
- Parental or guardian consent is obtained before processing personal data of users under 18, in accordance with DPDPA Section 9(1)
- We do not behaviorally track, profile for commercial purposes, or display targeted advertising to any user identified as a minor
- Examination and performance data of minors is accessible only to the student and their registered parent/guardian
- AI-generated career recommendations for minors are advisory only and are clearly communicated as non-deterministic
- We implement age verification at registration for our student portal. False age declarations by guardians do not negate the minor protections applied by our system
- Proctoring video data for minor examinees is processed in-device and deleted within 24 hours without human review unless a violation is flagged, at which point only the relevant segment is retained
- Data of minors is not transferred internationally except where necessary for AI inference processing, with equivalent protection guaranteed under DPAs
- Upon request by a parent or guardian, we will delete all data of a minor user except where retention is legally mandated
11. Security Measures
We implement industry-leading technical, administrative, and physical safeguards to protect your personal data against unauthorised access, disclosure, alteration, and destruction.
AES-256 encryption at rest; TLS 1.3 in transit for all data communications
Every access request is verified regardless of network origin; no implicit trust
Complete logical separation between student, partner, and admin data environments
RBAC with least-privilege principle; access logs maintained for all privileged operations
Periodic third-party security assessments and vulnerability disclosure program
72-hour breach notification protocol to supervisory authorities; affected users notified within 7 days
Data Breach Protocol: In the event of a personal data breach, we will notify the Data Protection Board of India within 72 hours and affected data subjects within 7 business days where the breach is likely to result in high risk to rights and freedoms. Notification will include: nature of breach, data categories affected, likely consequences, and remedial measures taken.
13. Student-Specific Privacy Policy
Given the sensitivity of student data — particularly for minor users — this section sets out additional commitments applicable to all SK Challenge platform users:
- Student examination data is owned by the student (or guardian if minor) and licensed to Devithor solely for the purpose of service delivery and product improvement in anonymised form
- Exam results and talent profiles are never shared with employers, colleges, or third parties without explicit written consent from the student (and guardian if minor)
- Career pathway recommendations are generated by AI and are explicitly advisory — they do not constitute professional career counselling and should not be relied upon as sole career guidance
- Students may request deletion of all assessment data upon account closure, subject to the 7-year statutory record-keeping requirement for examination integrity
- Parents or guardians of minor students may request a complete data report, correction of inaccurate records, or full deletion (subject to statutory minimums) via our Grievance Officer
- We do not share student performance data with territorial partners — partners see only aggregate regional metrics without individual student identification
- Photographs and video collected during proctoring are processed solely for examination integrity and are never used for facial recognition databases or biometric profiling
14. Partner-Specific Privacy Policy
Territorial Partners are both data subjects and data controllers-in-fact for the operational data they generate. This section governs Devithor's obligations to partners and partners' obligations regarding end-user data within their territories:
- Partner KYC data (identity documents, bank details) is processed under PMLA obligations and retained for the statutory period. This data is accessible only to authorised compliance personnel
- Commission and revenue data is confidential and not disclosed to other partners or third parties except as required by law or with your consent
- Partners are contractually prohibited from independently collecting, storing, or processing personal data of students, schools, or businesses through Devithor's platform
- Territory performance data — student counts, enrollment metrics, revenue figures — is processed under the legitimate interest basis to deliver the Partner Command Dashboard and is scoped strictly to your assigned territories
- Partner data processing activities that constitute independent controllership (e.g., partners maintaining their own CRM records) are governed by the Partner Agreement and applicable law
- Upon partnership termination, access to the Partner Command Dashboard is immediately revoked and partner data is retained only for the statutory period before secure deletion
- Platinum-tier partners with board-level access are subject to additional confidentiality and data access agreements (NDA) with specific obligations regarding Devithor's proprietary AI systems and R&D data
15. Grievance Officer & Contact
In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer.
Response Timeline: Grievances will be acknowledged within 48 hours and resolved within 30 days. Complex matters may require up to 60 days with notice. If unresolved within 30 days, you may escalate to the Data Protection Board of India (once constituted under DPDPA) or the relevant supervisory authority in your jurisdiction (e.g., ICO for UK; CNIL for France; PDPC for Singapore).
16. Changes to This Policy
We review and update this Privacy Policy periodically to reflect changes in our data processing practices, legal requirements, and business operations. Material changes will be communicated to registered users via email at least 15 days before taking effect.
The version history of this Policy is maintained and available upon request. Continued use of our Services after the effective date of any amendment constitutes acceptance of the revised Policy. Where changes require renewed consent, we will seek it explicitly before processing.