DPDP compliance.

1. Data fiduciary identity

Under §2(i) of the Digital Personal Data Protection Act, 2023, the Data Fiduciary for personal data collected via bandlingo.edu and the Bandlingo mobile app is:

Bandlingo Edutech Pvt Ltd
CIN: U85499CH2023PTC051234 (indicative)
Registered office: 1st Floor, The Social, Sector 7, Chandigarh, India 160007

2. Notice and consent (§5 & §6)

We give notice at three moments: (a) at account creation, (b) immediately before any new category of data is collected, (c) before any change in processing purpose. Each notice contains the items prescribed by §5(1): nature of data, purpose, rights, and grievance contact.

Consent is requested in plain English, in distinct opt-in form (no pre-ticked boxes), with the ability to withdraw at the same level of ease. We record the timestamp and version of every consent so we can replay it on request.

3. Lawful purposes (§7)

Processing occurs under the following grounds:

• Specific consent (§7(a)) — for all primary service delivery: scoring practice, returning feedback, building shortlists, filing visa paperwork.
• Performance of contract (§7(c)) — for billing, refund processing, and statutory tax records.
• Compliance with law (§7(d)) — for tax records, anti-fraud, and lawful access requests.
• Public interest (§7(e)) — not applicable. We do not rely on this ground.

4. Data processors (§8(2))

We engage processors under written contracts that bind them to our security and confidentiality standards. The current list:

Processor	Role	Location
Amazon Web Services India	Cloud infrastructure	Mumbai (ap-south-1)
Razorpay Software Pvt Ltd	Payment processing	India
Plausible Insights OÜ	Cookie-less analytics	Estonia, EU
OpenAI / Anthropic (selectively)	Specific AI scoring tasks, with de-identified payloads	USA
SendGrid (Twilio)	Transactional email	USA

5. Cross-border transfers (§16)

The Government of India publishes a list of countries to which transfers are restricted. Our default posture is to keep personal data inside India. Where a transfer outside India is necessary — for analytics aggregation or for an AI scoring task — we transfer only de-identified, aggregated payloads, and only to processors in jurisdictions not currently on the restricted list.

If the restricted-country list is updated, we update our processor configuration within 14 days.

6. Rights of data principals (§11–14)

You can exercise the following rights free of charge:

• §11 — Right to information. A summary of personal data processed, processing activities, and the identities of recipients.
• §12 — Right to correction and erasure. Correct inaccurate data; erase data no longer needed; complete incomplete data.
• §13 — Right to grievance redressal. Escalate concerns to our grievance officer, who responds within 30 days.
• §14 — Right to nominate. Nominate another individual to exercise your rights in case of incapacity.

Requests: [email protected]. We acknowledge within 3 business days and resolve within 30.

7. Breach notification (§8(6))

In the event of a personal data breach, we notify the Data Protection Board of India and affected Data Principals within 72 hours of becoming aware of the breach. Notification includes the nature of the breach, categories of data affected, likely consequences, and mitigation steps taken.

We maintain a documented breach response runbook and conduct a tabletop exercise twice a year.

8. Grievance officer (§10)

Pending the operationalisation of §10 thresholds for Significant Data Fiduciaries, we voluntarily appoint a grievance officer:

Grievance officer: [email protected]
Data Protection Officer: [email protected]
Postal address: 1st Floor, The Social, Sector 7, Chandigarh 160007.

9. Audit and review

This compliance posture is reviewed by an external auditor every 12 months. The most recent audit summary is available on request under NDA. We re-publish this page after every material rule change, every audit, and at minimum annually.