Privacy Policy

This Policy covers how we treat both Personal Data and Operational Data collected when you install, access, or use Square1 Ai.

• Personal Data — Information that identifies or can be used to identify you, such as your name, email address, phone number, date of birth, school or institution name, and role (student, teacher, or parent).
• Operational Data — Technical information generated through your use of the platform, such as device type, browser version, IP address, session duration, and usage patterns.

We use the data we collect to:

• Provide, operate, and maintain our AI-enhanced learning platform.
• Personalise your learning experience, including adaptive content recommendations.
• Process transactions and manage your account.
• Communicate with you about updates, security alerts, and support.
• Analyse usage trends to improve our services and develop new features.
• Comply with legal obligations and enforce our Terms of Use.
• Detect, prevent, and address fraud, abuse, or security incidents.
• Manage waitlist registrations and send related notifications.

Where the GDPR applies, we rely on the following legal bases. Where India’s Digital Personal Data Protection Act, 2023 (DPDP Act) applies, consent is required for processing of Indian users, and we do not rely on “legitimate interest” as a legal basis under the DPDP Act.

• Consent — Marketing communications, non-essential cookies, and waitlist sign-ups.
• Contract — Account creation, service delivery, and payment processing.
• Legitimate Interest — Analytics, product improvement, fraud prevention, and security (not relied upon for Indian users under the DPDP Act).
• Legal Obligation — Tax compliance, responding to lawful requests, and regulatory reporting.

We do not sell your personal data. We may share information with the following categories of recipients:

• Service Providers: Hosting, analytics, payment processing, email delivery, and customer support vendors operating under data processing agreements.
• Educational Institutions: Progress reports and usage data shared with schools or districts under FERPA-compliant agreements.
• Legal & Safety: When required by law, regulation, or legal process, or to protect the rights, safety, or property of Square1 Ai, our users, or the public.
• Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality obligations.

We retain personal data only as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

• Active Accounts: Data is retained for the duration of the account’s active use, plus a reasonable wind-down period.
• Inactive Accounts: Accounts inactive for 24 months may be anonymised or deleted after notice.
• Legal Holds: Certain data may be retained longer when required for legal proceedings or regulatory audits.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

To exercise any of these rights, please contact us at privacy@square1ai.com. We will respond within 30 days (or within other timeframes required by applicable law).

We take children’s privacy seriously. In compliance with COPPA, we do not knowingly collect personal information from children under the age of 13 without verifiable parental consent.

• Where a child’s school has consented on behalf of a parent as a COPPA-permitted “school official,” data will be used solely for educational purposes.
• Parents or guardians may review, request deletion of, or refuse further collection of their child’s data by contacting us.
• We do not serve targeted advertising to children under 13.

When we process student education records on behalf of an educational institution, we act as a “school official” under FERPA. In this capacity:

• We use student education records solely for the educational purposes defined in our agreement with the institution.
• We do not disclose student education records to third parties except as permitted under FERPA or directed by the institution.
• We maintain reasonable security measures to protect student records from unauthorised access.
• Parents and eligible students may direct rights requests to their educational institution.

Square1 Ai is based in Sri Lanka and our servers may be located in different jurisdictions. When we transfer personal data across borders, we ensure adequate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Binding corporate rules or equivalent protections under the Sri Lanka PDPA.
• Where India’s DPDP Act applies, international transfers are made only where permitted under the DPDP Act and supported by appropriate safeguards, including using the DPDP “blacklist model” (i.e., transfers are made only to jurisdictions not identified as restricted/blacklisted by the Data Protection Board of India). For clarity, Sri Lanka is not treated as a restricted/blacklisted jurisdiction under this model.

We use cookies and similar technologies for the following purposes:

• Essential Cookies: Enable core functionality such as authentication and security.
• Analytics Cookies: Help us understand how visitors interact with our platform (e.g., Google Analytics).
• Preference Cookies: Remember your settings, language, and display preferences.

You can manage your cookie preferences through our consent management tool (powered by Cookiebot) displayed upon your first visit. You may also adjust cookie settings in your browser at any time.

We implement industry-standard technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Regular vulnerability assessments and penetration testing.
• Role-based access controls and multi-factor authentication for internal systems.
• Incident response procedures, including India’s DPDP breach-notification approach: CERT-In notification within 6 hours of detection of a cyber security incident, Data Protection Board of India (DPBI) notification without delay, and a detailed follow-up report within 72 hours. The report includes the nature and extent of the breach, likely impact, root cause analysis, mitigation measures, and a summary of individual notifications. Affected users will be notified without applying a materiality threshold (and for breaches affecting Indian users under 18, parents/guardians will also be notified directly).

While no system is 100% secure, we continuously review and improve our security practices.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

• Posting the revised policy on this page with an updated “Last Updated” date.
• Sending an email notification to registered users when required by law.
• Displaying an in-app notification for significant changes.

Continued use of our platform after any modification constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

For EU/EEA residents, you also have the right to lodge a complaint with your local Data Protection Authority. For Sri Lankan residents, complaints may be directed to the Data Protection Authority of Sri Lanka.

For India’s DPDP Act (2023), you may submit grievances and data requests to our Grievance Officer at grievance.india@square1ai.com. The Grievance Officer will acknowledge and resolve your grievance within 7 working days; if you are unsatisfied with the resolution, you may escalate your complaint to the Data Protection Board of India.

DPDP Act penalty warning: non-compliance may lead to penalties under the DPDP Act, including up to ₹200 crore for breach-notification failures and children’s data violations, and up to ₹250 crore for security failures. Repeated penalty instances may result in the Data Protection Board of India directing blocking of access to our services in India.