Skip to content

Privacy Policy

Last updated: April 2026

1. Data Controller

Nalanda Archives ("we", "us", "our") is the data controller for personal data collected through this Platform, operated from Ahmedabad, Gujarat, India. We are an educational platform for children ages 3–14, operated by Karan Kothari.

We comply with the Digital Personal Data Protection Act 2023 (DPDPA, India), the Children's Online Privacy Protection Act (COPPA, United States), and the General Data Protection Regulation (GDPR, European Union) to the extent applicable.

2. Data We Collect

CategoryDataPurpose
AccountEmail, name (parent/guardian)Authentication, communications
Child profileFirst name/nickname, age group, tradition, interestsStory personalisation
UsageStories read, reading progress, features usedProduct improvement, personalisation
PaymentProcessed by Stripe — card data never stored on our serversBilling
ShippingName and delivery address (physical book orders only)Order fulfillment via Lulu Press
TechnicalIP address, browser type, device infoSecurity, service operation
ConsentParental consent timestampCOPPA / DPDPA compliance record

3. How We Use Data

  • Personalise stories to the child's age group and interests
  • Track and display reading progress
  • Improve story quality and content safety
  • Send transactional emails (welcome, receipts, subscription reminders)
  • Process payments and fulfil book orders
  • Ensure platform security and prevent abuse
  • Maintain parental consent records as required by law

We do not use data for advertising, behavioural tracking, or profiling of children. We do not sell or share personal data with third parties for marketing purposes.

4. Children's Privacy (COPPA)

We do not collect personal information directly from children. All accounts are created by parents or legal guardians who are at least 18 years old. Child profiles contain only a first name (or nickname), age group, and content preferences — no email, phone number, location, photos, or other personal identifiers are collected from children.

By creating an account and adding a child profile, you provide verifiable parental consent for the collection and processing of your child's data as described in this policy. The timestamp of your consent is recorded in your account.

We do not serve advertising to children. We do not engage in behavioural tracking or targeted advertising directed at children. We do not process children's data in any manner likely to cause detrimental effect on a child's well-being.

Parents may review, correct, or delete their child's data at any time through account settings or by contacting privacy@nalandaarchives.com. If you believe we have collected information from a child without proper parental consent, contact us immediately and we will delete such information without delay.

5. GDPR — Lawful Bases & Your Rights

For users in the European Economic Area (EEA), we process personal data on the following lawful bases:

Processing activityLawful basis
Account creation & authenticationContract performance
Story personalisationContract performance
Child profile dataParental consent (COPPA/GDPR Art. 8)
Payment processingContract performance
Transactional emailsContract performance / legitimate interest
Security & fraud preventionLegitimate interest
Legal obligations (tax records, consent logs)Legal obligation

EEA residents have the right to: access, rectify, erase, restrict processing of, and port their personal data; object to processing based on legitimate interest; and lodge a complaint with their national data protection authority. Contact privacy@nalandaarchives.com to exercise these rights. We respond within 30 days.

6. India DPDPA

For users in India, we operate under the Digital Personal Data Protection Act, 2023. We process personal data only for the purposes described in this policy, with your consent. You have the right to access, correct, port, and erase your personal data.

Data localisation. Personal data of users we identify as India-resident is primarily processed and stored in India — our backend runs on Fly.io Mumbai, and our Postgres user tables (Supabase) are provisioned in the nearest supported region. Transactional processing that MUST leave India (Anthropic / OpenAI in the United States, Stripe for card-network settlement, Clerk for authentication) is authorised under DPDPA §16 as necessary for the service, is bound by contractual data-protection obligations with each processor, and is described in Section 10 (Sub-Processors) below.

Data-principal rights. Under DPDPA §11-15 you may request access, correction, updating, erasure, and grievance redressal at any time by writing to our Grievance Officer or through your Account page. We will acknowledge within 7 days and resolve within 30 days.

Our Grievance Officer for DPDPA purposes is Karan Kothari (details in Section 18).

7. AI-Generated Content & Data

Stories and illustrations are generated by third-party AI services. We use Anthropic (Claude) for story text and OpenAI (gpt-image-2) for illustrations. To personalise a story, the following child inputs are sent to these services:

  • First name — sent to Anthropic so the story addresses the child directly (participatory pipeline only; retelling pipeline uses neutral pronouns).
  • Age group (e.g., 6-8) — sent to both providers to calibrate reading level and content depth.
  • Chosen tradition, deity, and theme — sent to both providers to select scriptural source and visual style.
  • Child's photograph — only if you have explicitly opted in to Priest Personalisation. When opted in, the photo is sent to OpenAI to render the child as a witness inside illustrations. Photos are not stored on our servers longer than the render lifetime, and are transmitted over TLS with signed URLs.
  • Prior chat history (up to 20 turns) — sent to Anthropic so the character remembers the current conversation.

We do not send email addresses, payment details, or last names to AI services. All child inputs are sanitised for prompt-injection risk before transmission.

Both Anthropic and OpenAI's API usage policies prohibit using our API inputs to train their general models. We rely on these contractual protections and confirm the setting in each provider's enterprise dashboard. We do not use your child's data to train any AI model ourselves.

8. Security

Data is stored on encrypted databases hosted on Fly.io (Mumbai region for Indian users). Authentication is handled by Clerk with industry-standard encryption. Images are served via Cloudflare R2 CDN. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, or destruction.

Despite our best efforts, no internet transmission or storage system is 100% secure. If you suspect any unauthorised access, please notify us immediately.

9. Cross-Border Data Transfers

Your personal data may be transferred to and processed in countries outside India, including the United States, where our service providers operate. We ensure appropriate safeguards are in place, including contractual data protection obligations (standard contractual clauses or equivalent) with all service providers.

10. Sub-Processors

We use the following sub-processors to run the service. Each has a Data Processing Agreement (DPA) with us that limits their use of your data to the purpose stated below.

  • Clerk — Authentication, session management, and user profile storage (US-based).
  • Stripe — Payment processing, subscription management, and billing (US-based).
  • Anthropic — Claude LLM for story generation, chat characters, and safety review. Receives first name, age, tradition, theme, and up to 20 chat turns (US-based).
  • OpenAI — gpt-image-2 for story illustrations and embeddings. Receives age, tradition, theme, and (opt-in only) the child's photograph (US-based).
  • Cloudflare (R2 + CDN) — Object storage for generated images and CDN delivery (regional CDN, EU/APAC edge).
  • Vercel — Frontend hosting and edge middleware (US-based).
  • Fly.io (Mumbai) — Backend API and Celery worker hosting; primary data residency for Indian users (India-based).
  • Supabase — Postgres database for user profiles, subscriptions, and consent audit trail (US/EU multi-region).
  • Resend — Transactional email (sign-in, subscription receipts, child-safety alerts to parents) (US-based).
  • Lulu Press — Book printing and shipping. Receives name and shipping address only, for physical orders you place.
  • Law enforcement / courts — When required by applicable law or a valid legal process.

We do not sell personal data. We do not share personal data with advertisers, data brokers, or analytics companies. We do not use tracking pixels or cross-site cookies.

Our current sub-processor list is versioned at privacy_policy_version: 2026-07-11. We give at least 14 days' notice before adding a new sub-processor, via email to the account holder.

11. Cookies

We use strictly necessary cookies for authentication (Clerk session cookies) and security (Cloudflare challenge cookies). We do not use cookies for advertising, behavioural tracking, or analytics profiling of children. You can manage cookie preferences through your browser settings; disabling necessary cookies may affect your ability to log in.

12. Communications Consent

By creating an account, you consent to receive transactional emails (account confirmations, receipts, subscription renewal notices, shipping updates). You may not opt out of strictly transactional messages while your account is active.

We may also send optional product updates, new story announcements, and educational newsletters. You can opt out of these at any time via the unsubscribe link in each email or through account settings.

13. Your Rights

Under applicable data protection laws, you have the right to:

  • Access the personal data we hold about you and your child
  • Correct inaccurate or incomplete data
  • Delete your account and all associated personal data
  • Export your data in a portable format
  • Withdraw consent for data processing at any time
  • Object to processing of your personal data based on legitimate interest
  • Lodge a complaint with a data protection authority

To exercise these rights, email privacy@nalandaarchives.com. We respond within 30 days (or 72 hours for urgent child-safety matters).

14. Data Retention Schedule

Data typeRetention period
Account & child profileUntil account deletion; deleted within 30 days
Parental consent records7 years (legal compliance)
Payment records7 years (tax and accounting law)
Server logs (security)90 days
Anonymised usage statisticsIndefinite (no personal data)
Shipping address90 days after order delivery

15. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights, we will notify you via email and/or a prominent notice on the Platform without unreasonable delay and in any case within 72 hours of becoming aware. We will also notify the relevant data protection authority (including the Data Protection Board of India) as required by applicable law.

16. Cultural Content Disclaimer

Nalanda Archives retells stories drawn from Indian mythological traditions including Hindu, Jain, Buddhist, and Sikh texts. These stories are creative educational retellings and are not authoritative religious texts. We respect the sanctity of these traditions and do not intend to offend any religious community. If you believe any content is culturally inappropriate or disrespectful, please contact content@nalandaarchives.com.

17. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days in advance. The "Last updated" date at the top indicates the most recent revision. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

18. Grievance Officer

In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (India), we have appointed a Grievance Officer:

Name: Karan Kothari
Email: grievance@nalandaarchives.com
Platform: nalandaarchives.com

All complaints will be acknowledged within 48 hours and resolved within one month from the date of receipt.

19. Contact

For privacy questions or data requests: privacy@nalandaarchives.com

For general enquiries: hello@nalandaarchives.com