Legal Basis: This notice is issued in compliance with Rule 3 of the Digital Personal Data Protection Rules, 2025, which requires a Data Fiduciary to provide a clear notice to Data Principals regarding the processing of their data.
As a leading provider of assessment systems, the privacy and security of individuals whose personal data we process is critical to us. This Privacy Notice explains how we manage and protect your personal data ("data") in accordance with the Digital Personal Data Protection Act, 2023 ("DPDPA") and the Digital Personal Data Protection Rules, 2025.
This notice applies when you:
Visit our website (a "Visitor"),
Use our services as a school representative (a "School User"), or
Use our services as a student or parent (a "Service User").
Our Role: Data Processor vs. Data Fiduciary
For Service Users (Students/Parents via School): For the majority of personal data we process, AssessPrep acts as a Data Processor. Your School is the Data Fiduciary. We process your data strictly under the instructions of your School.
For Direct Users & Visitors: When you sign up directly or browse our website, AssessPrep acts as the Data Fiduciary.
1. What data do we collect? (Itemized Notice)
Legal Basis: As per Rule 3(b)(i) of the DPDPA Rules, AssessPrep is required to share an "itemised description" of the personal data that we collect.
We collect the following specific categories of personal data:
A. Visitors
We collect the following to improve our website and communicate with you:
B. School Users
C. Service Users (Students and Parents)
Note on Special Category Data: We do not process special category data (e.g., race, ethnicity) for our own purposes. Your school may instruct us to process it on their behalf; we do not use it for any other purpose.
2. Minors and Parental Consent
Legal Basis: This section ensures compliance with Rule 10 (Verifiable Consent) and utilizes the exemptions under Rule 12 / Schedule 4 for Educational Institutions.
AssessPrep facilitates assessments for students who may be under the age of 18 ("Minors").
For School-Based Accounts:
Role of the School: As the Data Fiduciary, your School is responsible for obtaining Verifiable Parental Consent before providing us with your data.
Age Verification: The School is responsible for conducting due diligence to confirm that the individual consenting (the parent/guardian) is an adult. AssessPrep relies on the School’s verification as a permitted pathway under the Rules.
Our Role: We process this data solely on the assurance that the School has obtained the necessary valid consents.
3. Cross-Border Data Transfers
Legal Basis: This section outlines compliance with Rule 15, which governs the transfer of personal data outside the territory of India.
AssessPrep is a global platform serving schools in 85+ countries.
Transfer Authorization: Your personal data may be transferred outside the territory of India for processing (e.g., to cloud servers in secure jurisdictions).
Compliance: Any such transfer is subject to compliance with Rule 15 of the DPDPA Rules. We ensure that we meet any conditions imposed by the Central Government, particularly regarding requests to make such data available to foreign States or their agencies.
Purposes of Processing
Legal Basis: This specifies the purpose of processing as required by Rule 3(b)(ii) and claims the exemption for educational tracking under Schedule 4, Part A, Item 3.
We process your data for the following purposes:
Service Delivery: Creating accounts, delivering assessments, and generating analytics.
Assessment Integrity (Proctoring): Preventing fraud/cheating via gaze tracking or screen monitoring.
Note: This tracking is exempt from restrictions on monitoring children as it qualifies as processing for "Educational Activities" under Schedule 4 of the DPDPA Rules.
Data Retention: Retaining logs of processing for a minimum of one year as required by Rule 8(3) for audit and fraud detection purposes.
Data Retention (The "1-Year Rule")
Legal Basis: This policy implements the mandatory retention of logs under Rule 8(3) and the user notification requirement under Rule 8(2).
We retain your personal data only for as long as it is necessary to fulfill the purpose for which it was collected (e.g., until the exam cycle is complete). However, under Indian law, we are required to follow specific retention rules:
Mandatory 1-Year Retention for Logs: To comply with Rule 8(3), even after your exam or service is complete, we are legally required to retain logs of the processing, associated traffic data, and basic personal data for a minimum of one year. We cannot delete this specific data earlier because it is required for security audits, fraud investigations, and compliance checks by the government.
Deletion Due to Inactivity: If you do not use our service for an extended period, we may schedule your data for deletion. In such cases, we will send you a notification at least 48 hours before deletion. If you log in or contact us within that time, your data will be retained; otherwise, it will be permanently erased.
General Deletion: Once the retention period expires and the legal 1-year mandate is met, your personal data will be permanently deleted from our systems unless a longer retention period is required by another applicable law.
Exercising Your Rights (Procedure)
Legal Basis: This outlines the procedure for exercising rights and the grievance redressal mechanism as mandated by Rule 14.
Under the DPDPA 2023, you have rights to Access, Correct, Erase, and Nominate. Here is how you can exercise them:
A. Procedure for Submitting Requests
School Users: Since we are a Data Processor, please submit your request directly to your School. We will assist your School in fulfilling the request.
Direct Users: You may submit a request directly to our Data Protection Officer via email at info@assessprep.com.
B. Identification Requirements
To protect your privacy, we must verify your identity before processing a request. Please include the following in your request:
Full Name and Registered Email Address.
School Name (if applicable).
Customer/Student ID (if available).
A copy of your School ID or other identification may be requested if we cannot verify you through your account credentials.
C. Grievance Redressal & Timelines
If you have a complaint regarding our processing of your data:
Contact: Email our Data Protection Officer (DPO) at info@assessprep.com.
Timeline: We will acknowledge your complaint within 24 hours and resolve it within a reasonable period, not exceeding 90 days from the date of receipt (as per Rule 14).
Escalation: If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India.
Security & Breach Notification
Legal Basis: This details the "Reasonable Security Safeguards" required by Rule 6 and the breach notification protocols mandated by Rule 7.
We are committed to protecting your personal data using "Reasonable Security Safeguards" as required by Indian law. Our security measures include:
Data Protection: We secure your personal data using encryption, obfuscation, masking, or by replacing actual data with virtual tokens to prevent unauthorized reading.
Access Control: We have strict controls in place to limit who can access the computer resources and systems where your data is stored.
Monitoring & Logs: We maintain detailed logs and monitoring systems to track who accesses your data. This allows us to detect unauthorized access, investigate incidents, and prevent them from happening again.
Business Continuity (Backups): We perform regular data backups to ensure that if data is lost or destroyed (e.g., due to a technical failure), we can restore it and continue our services without interruption.
Retention for Security: To help us investigate security incidents, we are legally required to keep these security logs and relevant personal data for a minimum of one year.
Vendor Security: When we use third-party service providers (Data Processors), our contracts legally bind them to use these same security safeguards.
Breach Notification Protocol
In the unlikely event of a Personal Data Breach, we will strictly follow this notification process:
A. Notification to the School/User
We will notify the affected school/user without delay through your user account or registered email/phone. This notice will be concise and clear, providing you with:
Description: The nature, extent, and timing of the breach.
Consequences: How this breach is likely to impact you specifically.
Mitigation: The measures we have implemented (or are implementing) to reduce the risk.
Safety Advice: Steps you can take to protect your own interests (e.g., changing passwords).
Support Contact: The business contact information of a specific person at AssessPrep who can answer your questions.
B. Notification to the Data Protection Board of India
We are also required to notify the Board:
Immediate Intimation: Providing an initial description of the breach, including its nature, extent, location, and timing.
Within 72 Hours: We will submit a detailed report covering the facts/reasons for the breach, mitigation steps taken, findings regarding the person responsible, remedial measures to prevent recurrence, and confirmation that we have notified the affected users.
Contact Information
Legal Basis: This provides contact details for the person able to answer questions about processing, as required by Rule 9.
For any privacy-related questions or to exercise your rights, contact our DPO, Abhimanyu Jhajharia, at info@assessprep.com.
(Please note: communications with our DPO should be in English.)


