Privacy Policy
Last updated: April 2026
1. Data Controller
Nalanda Archives ("we", "us", "our") is the data controller for personal data collected through this Platform, operated from Ahmedabad, Gujarat, India. We are an educational platform for children ages 3–14, operated by Karan Kothari.
We comply with the Digital Personal Data Protection Act 2023 (DPDPA, India), the Children's Online Privacy Protection Act (COPPA, United States), and the General Data Protection Regulation (GDPR, European Union) to the extent applicable.
2. Data We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email, name (parent/guardian) | Authentication, communications |
| Child profile | First name/nickname, age group, tradition, interests | Story personalisation |
| Usage | Stories read, reading progress, features used | Product improvement, personalisation |
| Payment | Processed by Stripe — card data never stored on our servers | Billing |
| Shipping | Name and delivery address (physical book orders only) | Order fulfillment via Lulu Press |
| Technical | IP address, browser type, device info | Security, service operation |
| Consent | Parental consent timestamp | COPPA / DPDPA compliance record |
3. How We Use Data
- Personalise stories to the child's age group and interests
- Track and display reading progress
- Improve story quality and content safety
- Send transactional emails (welcome, receipts, subscription reminders)
- Process payments and fulfil book orders
- Ensure platform security and prevent abuse
- Maintain parental consent records as required by law
We do not use data for advertising, behavioural tracking, or profiling of children. We do not sell or share personal data with third parties for marketing purposes.
4. Children's Privacy (COPPA)
We do not collect personal information directly from children. All accounts are created by parents or legal guardians who are at least 18 years old. Child profiles contain only a first name (or nickname), age group, and content preferences — no email, phone number, location, photos, or other personal identifiers are collected from children.
By creating an account and adding a child profile, you provide verifiable parental consent for the collection and processing of your child's data as described in this policy. The timestamp of your consent is recorded in your account.
We do not serve advertising to children. We do not engage in behavioural tracking or targeted advertising directed at children. We do not process children's data in any manner likely to cause detrimental effect on a child's well-being.
Parents may review, correct, or delete their child's data at any time through account settings or by contacting privacy@nalandaarchives.com. If you believe we have collected information from a child without proper parental consent, contact us immediately and we will delete such information without delay.
5. GDPR — Lawful Bases & Your Rights
For users in the European Economic Area (EEA), we process personal data on the following lawful bases:
| Processing activity | Lawful basis |
|---|---|
| Account creation & authentication | Contract performance |
| Story personalisation | Contract performance |
| Child profile data | Parental consent (COPPA/GDPR Art. 8) |
| Payment processing | Contract performance |
| Transactional emails | Contract performance / legitimate interest |
| Security & fraud prevention | Legitimate interest |
| Legal obligations (tax records, consent logs) | Legal obligation |
EEA residents have the right to: access, rectify, erase, restrict processing of, and port their personal data; object to processing based on legitimate interest; and lodge a complaint with their national data protection authority. Contact privacy@nalandaarchives.com to exercise these rights. We respond within 30 days.
6. India DPDPA
For users in India, we operate under the Digital Personal Data Protection Act, 2023. We process personal data only for the purposes described in this policy, with your consent. You have the right to access, correct, and erase your personal data.
Our Grievance Officer for DPDPA purposes is Karan Kothari (details in Section 18).
7. AI-Generated Content & Data
Stories are generated using Anthropic's Claude AI and image generation models. We send the child's age group, selected tradition, and story preferences to the AI service. We do not send the child's name, email, or any personally identifiable information to AI services. All inputs to AI services are anonymised or non-personal.
Anthropic's API usage policy prohibits using our API inputs to train their general models. We rely on this contractual protection. We do not use your child's data to train any AI model.
8. Security
Data is stored on encrypted databases hosted on Fly.io (Mumbai region for Indian users). Authentication is handled by Clerk with industry-standard encryption. Images are served via Cloudflare R2 CDN. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, or destruction.
Despite our best efforts, no internet transmission or storage system is 100% secure. If you suspect any unauthorised access, please notify us immediately.
9. Cross-Border Data Transfers
Your personal data may be transferred to and processed in countries outside India, including the United States, where our service providers operate. We ensure appropriate safeguards are in place, including contractual data protection obligations (standard contractual clauses or equivalent) with all service providers.
10. Data Sharing
We share personal data only with:
- Clerk — Authentication and user management
- Stripe — Payment processing
- Anthropic (Claude) — AI story generation (anonymised data only)
- Fal.ai — AI image generation (no personal data)
- Cloudflare — CDN, security, and DNS
- Vercel — Frontend hosting
- Fly.io — Backend hosting
- Resend — Transactional email
- Lulu Press — Book printing and shipping (name and address only, for physical orders)
- Law enforcement / courts — When required by applicable law or valid legal process
We do not sell personal data. We do not share personal data with advertisers, data brokers, or analytics companies.
11. Cookies
We use strictly necessary cookies for authentication (Clerk session cookies) and security (Cloudflare challenge cookies). We do not use cookies for advertising, behavioural tracking, or analytics profiling of children. You can manage cookie preferences through your browser settings; disabling necessary cookies may affect your ability to log in.
12. Communications Consent
By creating an account, you consent to receive transactional emails (account confirmations, receipts, subscription renewal notices, shipping updates). You may not opt out of strictly transactional messages while your account is active.
We may also send optional product updates, new story announcements, and educational newsletters. You can opt out of these at any time via the unsubscribe link in each email or through account settings.
13. Your Rights
Under applicable data protection laws, you have the right to:
- Access the personal data we hold about you and your child
- Correct inaccurate or incomplete data
- Delete your account and all associated personal data
- Export your data in a portable format
- Withdraw consent for data processing at any time
- Object to processing of your personal data based on legitimate interest
- Lodge a complaint with a data protection authority
To exercise these rights, email privacy@nalandaarchives.com. We respond within 30 days (or 72 hours for urgent child-safety matters).
14. Data Retention Schedule
| Data type | Retention period |
|---|---|
| Account & child profile | Until account deletion; deleted within 30 days |
| Parental consent records | 7 years (legal compliance) |
| Payment records | 7 years (tax and accounting law) |
| Server logs (security) | 90 days |
| Anonymised usage statistics | Indefinite (no personal data) |
| Shipping address | 90 days after order delivery |
15. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights, we will notify you via email and/or a prominent notice on the Platform without unreasonable delay and in any case within 72 hours of becoming aware. We will also notify the relevant data protection authority (including the Data Protection Board of India) as required by applicable law.
16. Cultural Content Disclaimer
Nalanda Archives retells stories drawn from Indian mythological traditions including Hindu, Jain, Buddhist, and Sikh texts. These stories are creative educational retellings and are not authoritative religious texts. We respect the sanctity of these traditions and do not intend to offend any religious community. If you believe any content is culturally inappropriate or disrespectful, please contact content@nalandaarchives.com.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days in advance. The "Last updated" date at the top indicates the most recent revision. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy.
18. Grievance Officer
In accordance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (India), we have appointed a Grievance Officer:
Name: Karan Kothari
Email: grievance@nalandaarchives.com
Platform: nalandaarchives.com
All complaints will be acknowledged within 48 hours and resolved within one month from the date of receipt.
19. Contact
For privacy questions or data requests: privacy@nalandaarchives.com
For general enquiries: hello@nalandaarchives.com