Privacy Policy

1. Introduction

Welcome to into3.ai ("into3," "we," "us," or "our"). into3.ai is an AI-powered adaptive learning platform designed for children in classes 6 through 12 in India. Our platform uses real-time adaptive engine (RTAE) technology to personalize the learning experience by monitoring engagement signals and cognitive markers during each session.

We are deeply committed to protecting the privacy and security of all our users, especially children. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you or your child uses our platform, website (into3.ai), and related services (collectively, the "Services").

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you are a parent or legal guardian registering a child under the age of 18, you consent to this policy on behalf of your child.

into3.ai is operated by into3, located at A-116, Urbtech Trade Centre, Sec-132, Gautam Buddha Nagar-201304, Uttar Pradesh, India. For any privacy-related inquiries, please contact us at info@into3.ai.

2. Information We Collect

We collect the following categories of information to deliver and improve our adaptive learning Services:

a) Parent/Guardian Information

• Full name, email address, phone number, and mailing address
• Account credentials (encrypted passwords and authentication tokens)
• Payment and billing information (processed through secure third-party payment processors; we do not store full payment card numbers)
• Communication preferences and correspondence history

b) Child Learning Data

• Name, age, grade/class (6–12), and school name
• Subject preferences, curriculum selections, and learning goals
• Assessment scores, quiz results, assignment completion records, and progress metrics
• Learning pace, knowledge retention patterns, and mastery levels across topics
• 27 cognitive markers including attention span, comprehension depth, problem-solving approach, response accuracy, conceptual linking ability, working memory utilization, critical thinking patterns, analytical reasoning, error pattern recognition, learning velocity, knowledge transfer capability, metacognitive awareness, spatial reasoning, verbal processing, numerical fluency, sequential logic, abstract reasoning, creative problem solving, information synthesis, decision-making speed, recall precision, contextual understanding, adaptive flexibility, focus endurance, task-switching efficiency, collaborative learning readiness, and self-correction frequency

c) Engagement Signals

• Our platform monitors 14 engagement signals per second during active learning sessions. These include: click/tap frequency, scroll behavior, time-on-task per question, response latency, pause duration, navigation patterns, hint usage frequency, re-read patterns, answer revision behavior, interactive element engagement, session duration, idle time detection, content interaction depth, and voluntary exploration rate
• These signals are processed in real time by our RTAE to dynamically adjust content difficulty, pacing, and presentation style

d) Device and Technical Information

• Device type, model, operating system, and browser version
• Screen resolution and display settings
• IP address (anonymized for analytics), general geolocation (city/state level only)
• Network connection type and stability metrics
• Unique device identifiers (used solely for session management and security)
• App version, crash logs, and performance diagnostics

3. How We Collect Data

a) Registration and Account Setup

When a parent or guardian creates an account and registers a child on into3.ai, we collect the personal information provided during the registration process. Parents provide their own contact details and their child's academic information necessary to configure the adaptive learning environment.

b) Real-Time Adaptive Engine (RTAE) Monitoring

During active learning sessions, our proprietary RTAE continuously monitors 14 engagement signals per second to build a dynamic learner profile. This data is collected passively through the child's interaction with the platform — no cameras, microphones, or biometric sensors are used. All engagement data is processed on-device where possible and transmitted to our servers using end-to-end encryption. The RTAE uses this data solely to adapt lesson content, difficulty, and pacing in real time.

c) Cookies and Similar Technologies

We use strictly necessary cookies and local storage to maintain session state, remember user preferences, and ensure platform security. We also use limited analytics cookies to understand aggregate usage patterns and improve platform performance. We do not use advertising cookies or tracking pixels. No third-party advertising networks have access to data collected through our platform. For more details, see Section 10 (Cookies & Tracking).

4. How We Use Data

We use the information we collect for the following purposes:

a) Personalization and Adaptive Learning

• To build and maintain individualized learner profiles based on cognitive markers and engagement signals
• To dynamically adjust content difficulty, pacing, question types, and instructional approaches in real time
• To identify knowledge gaps and recommend targeted remediation pathways
• To recognize learning strengths and provide enrichment opportunities

b) Platform Analytics and Improvement

• To analyze aggregate, de-identified usage patterns to improve our algorithms, content quality, and pedagogical effectiveness
• To conduct internal research on learning science and adaptive education methodologies
• To monitor platform performance, diagnose technical issues, and optimize system reliability

c) Communication

• To send parents and guardians progress reports, learning milestones, and performance summaries for their children
• To notify users of important account or service updates, security alerts, and policy changes
• To respond to support requests and feedback submitted through our contact channels

d) Safety and Legal Compliance

• To verify parental consent and authenticate user identities
• To detect and prevent fraud, abuse, or unauthorized access to the platform
• To comply with applicable legal obligations, including COPPA, GDPR-K, and the India DPDP Act

5. Children's Privacy

Protecting the privacy of children is of paramount importance to into3.ai. Our platform is designed specifically for children in classes 6–12, and we implement the following safeguards:

a) COPPA Compliance

Although into3.ai is primarily operated in India, we voluntarily comply with the U.S. Children's Online Privacy Protection Act (COPPA) as a matter of best practice. We obtain verifiable parental consent before collecting any personal information from children under the age of 13. Our consent mechanism requires a parent or guardian to create the account, verify their identity, and explicitly authorize their child's use of the platform.

b) Parental Consent

No child account can be created without the direct involvement and verified consent of a parent or legal guardian. Parents must provide their own identification and consent before any child data is collected or processed. Consent can be withdrawn at any time by contacting us at info@into3.ai or through the parental dashboard.

c) No Advertising to Children

into3.ai does not display any advertisements — behavioral, contextual, or otherwise — to children on our platform. We do not serve ads, we do not permit third-party ad networks, and we do not use children's data for any advertising or marketing purpose whatsoever.

d) Parental Rights

• Parents have the right to review all personal information collected from their child
• Parents may request correction of inaccurate data
• Parents may request deletion of their child's personal information at any time
• Parents may refuse further collection or use of their child's data, which may result in the inability to use certain platform features
• Parents may download a copy of their child's data in a machine-readable format

6. Data Sharing and Disclosure

We do not sell, rent, lease, or trade personal information of any user — adult or child — to any third party, under any circumstances.

We may share limited information only in the following circumstances:

a) Service Providers

We engage a limited number of trusted third-party service providers who assist us in operating the platform (e.g., cloud hosting, payment processing, email delivery, customer support tools). These providers are contractually bound to use personal information solely to perform services on our behalf, are prohibited from using it for their own purposes, and are required to maintain equivalent or greater security standards.

b) Legal Requirements

We may disclose personal information if required to do so by law, regulation, legal process, or enforceable governmental request. We may also disclose information to protect the rights, safety, or property of into3.ai, our users, or the public, or to detect, prevent, or address fraud, security, or technical issues.

c) Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, user data may be transferred as part of the transaction. In such cases, we will ensure the acquiring entity is bound by this Privacy Policy or provide users notice and the opportunity to opt out before any changes to data handling practices take effect.

d) Aggregated and De-identified Data

We may share aggregated, de-identified data that cannot reasonably be used to identify any individual for research publications, academic partnerships, and platform improvement purposes.

7. Data Security

We implement robust technical and organizational measures to protect the personal information we collect:

a) Encryption

• In Transit: All data transmitted between users' devices and our servers is encrypted using TLS 1.3 (Transport Layer Security). All API communications use HTTPS exclusively.
• At Rest: All personal data stored on our servers is encrypted using AES-256 encryption. Database backups are similarly encrypted and stored in secure, access-controlled environments.

b) Access Controls

• Access to personal data is restricted to authorized personnel on a strict need-to-know basis
• Multi-factor authentication is required for all administrative access to systems containing user data
• Role-based access control (RBAC) ensures employees can only access data necessary for their specific job functions
• All access to personal data is logged and audited regularly

c) India-Based Data Centers

All primary data storage and processing occurs in data centers located within India, in compliance with the Digital Personal Data Protection Act, 2023. Our data centers maintain ISO 27001 certification, SOC 2 Type II compliance, and physical security controls including biometric access, 24/7 surveillance, and environmental monitoring.

d) Incident Response

We maintain a documented incident response plan. In the event of a data breach that poses a risk to users' rights and freedoms, we will notify affected users and relevant regulatory authorities within 72 hours of becoming aware of the breach, as required by applicable law.

8. GDPR-K Compliance

For users located in the European Union (EU) or European Economic Area (EEA), into3.ai processes personal data in compliance with the General Data Protection Regulation (GDPR), including its enhanced protections for children's data (commonly referred to as GDPR-K).

a) Lawful Basis for Processing

We process personal data on the following lawful bases: (i) consent of the parent or guardian, (ii) performance of a contract (the provision of our learning services), and (iii) legitimate interests (platform security and improvement), provided such interests do not override the fundamental rights and freedoms of the data subject, particularly where the data subject is a child.

b) Data Subject Rights

EU/EEA users (and parents acting on behalf of their children) have the following rights under GDPR:

• Right of Access: The right to obtain confirmation of whether personal data is being processed and to access that data
• Right to Rectification: The right to have inaccurate personal data corrected without undue delay
• Right to Erasure: The right to have personal data deleted ("right to be forgotten") when the data is no longer necessary for its original purpose or when consent is withdrawn
• Right to Restriction: The right to restrict processing of personal data in certain circumstances
• Right to Data Portability: The right to receive personal data in a structured, commonly used, machine-readable format
• Right to Object: The right to object to processing based on legitimate interests
• Right to Lodge a Complaint: The right to lodge a complaint with a supervisory authority in the EU/EEA

To exercise any of these rights, please contact our Data Protection team at info@into3.ai. We will respond to all valid requests within 30 days.

c) International Data Transfers

If personal data of EU/EEA users is transferred outside the EEA (e.g., to our servers in India), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and that the transfer complies with Chapter V of the GDPR.

9. India DPDP Act Compliance

into3.ai is fully committed to compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, which governs the processing of digital personal data within India.

a) Data Principal Rights

Under the DPDP Act, users ("Data Principals") have the following rights:

• Right to Information: The right to obtain a summary of personal data being processed, the purpose of processing, and the categories of third parties with whom data has been shared
• Right to Correction and Erasure: The right to request correction of inaccurate or misleading personal data and erasure of data that is no longer necessary for its stated purpose
• Right to Grievance Redressal: The right to register a grievance with into3.ai regarding the processing of personal data. We have appointed a Grievance Officer who can be reached at info@into3.ai
• Right to Nominate: The right to nominate another individual to exercise rights on behalf of the Data Principal in the event of death or incapacity

b) Consent

We obtain free, specific, informed, unconditional, and unambiguous consent from parents or guardians before processing any personal data of their children. Consent is obtained through a clear affirmative action during the registration process. Parents may withdraw consent at any time through the parental dashboard or by writing to info@into3.ai. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal.

c) Data Fiduciary Obligations

As a Data Fiduciary under the DPDP Act, into3.ai maintains reasonable security safeguards, processes data only for lawful purposes for which consent was obtained, ensures data accuracy, and deletes personal data upon withdrawal of consent or when it is no longer needed for its stated purpose.

10. Cookies & Tracking Technologies

into3.ai uses a minimal set of cookies and similar technologies strictly for platform functionality and performance:

a) Strictly Necessary Cookies

These cookies are essential for the operation of our platform. They include session cookies that maintain your login state, security tokens that protect against cross-site request forgery, and preference cookies that remember your language and accessibility settings. These cookies cannot be disabled without impairing platform functionality.

b) Analytics Cookies

We use first-party analytics to understand aggregate usage patterns such as page views, session durations, and feature adoption rates. This data is collected in aggregate form and cannot be used to identify individual users. We do not use Google Analytics or any third-party analytics service that independently tracks users across websites.

c) What We Do Not Use

• We do not use advertising or retargeting cookies
• We do not use third-party tracking pixels or beacons
• We do not participate in cross-site tracking or behavioral advertising networks
• We do not use fingerprinting techniques to identify devices across sessions
• We do not share cookie data with any third party for advertising purposes

d) Managing Cookies

You can manage or delete cookies through your browser settings. Please note that disabling strictly necessary cookies may prevent certain features of the platform from functioning properly. For detailed instructions on managing cookies, consult your browser's help documentation.

11. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

a) Active Accounts

While a user account remains active, we retain all associated personal data, learning records, and engagement data necessary to provide our adaptive learning services and maintain the continuity of the child's learning profile.

b) Account Deletion

Upon receiving a verified request to delete an account, we will delete or anonymize all personal data associated with that account within 30 days. Certain data may be retained in encrypted backup systems for up to 90 days before permanent deletion, and limited data may be retained as required by applicable law (e.g., financial transaction records).

c) Inactive Accounts

If an account remains inactive for a continuous period of 24 months, we will notify the registered parent or guardian by email and provide 60 days to reactivate the account before initiating the data deletion process.

d) De-identified Data

Aggregated, de-identified data that cannot be used to identify any individual may be retained indefinitely for research, analytics, and platform improvement purposes.

12. Parental Controls & Rights

into3.ai provides parents and legal guardians with comprehensive controls over their children's data and platform experience:

a) Parental Dashboard

• View all personal information collected about your child
• Access detailed learning progress reports, cognitive marker summaries, and engagement analytics
• Set session time limits and schedule permitted usage windows
• Control which subjects and content categories are accessible to your child
• Enable or disable specific platform features

b) Data Access and Export

• Request a complete copy of all data associated with your child's account in a machine-readable format (JSON or CSV)
• Download progress reports and assessment records at any time

c) Data Correction and Deletion

• Request correction of any inaccurate personal information
• Request partial deletion of specific data categories (e.g., engagement signal history) while retaining the account
• Request complete account and data deletion

d) Consent Management

• Withdraw consent for data collection at any time
• Modify the scope of consent (e.g., permit basic learning data collection but opt out of engagement signal monitoring, which may limit adaptive features)

To exercise any of these rights, log into your parental dashboard or contact us at info@into3.ai. We will process all requests within 15 business days.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons.

a) Notification of Changes

For material changes to this Privacy Policy — particularly those affecting the collection, use, or sharing of children's personal data — we will provide prominent notice through one or more of the following methods: (i) email notification to all registered parents and guardians at least 30 days before the changes take effect, (ii) a prominent banner on our platform, and (iii) an in-app notification upon the parent's next login.

b) Consent for Material Changes

If we make material changes to how we collect or use children's personal data, we will obtain renewed parental consent before applying those changes to existing users. Continued use of the platform after the effective date of non-material changes constitutes acceptance of the updated policy.

c) Version History

We maintain a version history of this Privacy Policy. Previous versions can be requested by contacting info@into3.ai.

14. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Company: into3
• Address: A-116, Urbtech Trade Centre, Sec-132, Gautam Buddha Nagar-201304, Uttar Pradesh, India
• Email: info@into3.ai

For GDPR-related inquiries, you may also contact our Data Protection team at the same email address. We aim to respond to all privacy-related inquiries within 10 business days.

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction, including the Data Protection Board of India under the DPDP Act, or your local supervisory authority under the GDPR.

15. Effective Date

This Privacy Policy is effective as of March 26, 2026. This is the first published version of the into3.ai Privacy Policy.

By using into3.ai, you confirm that you have read and understood this Privacy Policy and agree to the collection, use, and processing of information as described herein.