Privacy Policy

Last updated: 24 March 2026

1. Introduction

Skilfo ("we", "us", "our") is a learner portfolio platform designed for children aged 6–18 in India. We are committed to protecting the privacy of all users, especially children, in compliance with the Digital Personal Data Protection (DPDP) Act, 2023 and its Rules, 2025. This policy explains how we collect, use, store, and protect personal data.

2. Data Fiduciary

Skilfo operates as a Data Fiduciary under the DPDP Act. Our Grievance Officer can be reached at the contact information provided on our Grievance Portal.

3. Data We Collect

  • Account data: Email address, hashed password, user role (parent/student/coach/teacher/school admin)
  • Profile data: Display name, avatar, date of birth, grade, city, state (city/state are never shown publicly)
  • Portfolio content: Achievements, certificates, projects, artwork, media files uploaded by users
  • Activity data: Badges earned, academy memberships, event participation, skill tags
  • Technical data: IP address, browser type, access timestamps (for security and compliance)

4. Children's Data — Special Protections

Under Section 9 of the DPDP Act, processing children's data requires verifiable parental consent. We implement the following safeguards:

  • Child accounts can only be created by a registered parent
  • All child content defaults to PRIVATE visibility
  • Parents control privacy settings (Family / Link Only / Public)
  • No behavioral tracking or targeted advertising for children
  • No data is sold or shared with third-party advertisers
  • AI features process only the data necessary and do not retain child data beyond the session
  • EXIF metadata is stripped from uploaded images

5. Purpose of Processing

We process personal data solely for:

  • Creating and managing learner portfolios
  • Issuing and verifying digital badges
  • Generating AI-assisted skill mapping and progress reports (HPC)
  • Enabling data sharing between academies and schools (with explicit parental consent)
  • Sending notifications about account activity, approvals, and events
  • Content moderation for child safety

6. Data Sharing

We share data only in the following circumstances:

  • Academy → School: Only with explicit parental consent via our Data Sharing Consent system
  • Public portfolios: Only items explicitly made public by the parent/student
  • Badge verification: Badge verify pages show badge name, issuer, and recipient handle
  • Legal obligations: When required by law, court order, or regulatory authority

We do not sell, rent, or trade personal data to any third party.

7. Data Storage & Security

  • All data is stored on servers located in India
  • Passwords are hashed using bcrypt (never stored in plaintext)
  • OTP codes are bcrypt-hashed with automatic expiry and attempt lockout
  • HTTPS encryption for all data in transit
  • Helmet.js security headers enabled
  • JWT tokens with short expiry and refresh rotation
  • Application logs retained for 180 days per CERT-In requirements

8. Your Rights Under DPDP Act

As a Data Principal, you have the right to:

  • Access: Request a copy of all your personal data
  • Correction: Update or correct your personal data through your profile settings
  • Erasure: Request deletion of your account and all associated data
  • Withdraw Consent: Revoke data sharing consents at any time
  • Grievance Redressal: File a complaint through our Grievance Portal
  • Nominate: Nominate another person to exercise your rights in case of death or incapacity

To exercise these rights, visit your account settings or contact our Grievance Officer.

9. Data Retention

  • Active accounts: data retained while account is active
  • Deleted accounts: all personal data erased within 30 days, except where legally required
  • Expired OTPs: automatically purged
  • Application logs: retained for 180 days per CERT-In Directions 2022
  • Consent records: retained for audit purposes even after revocation

10. Data Breach Notification

In the event of a personal data breach, we will:

  • Report to CERT-In within 6 hours as required by CERT-In Directions 2022
  • Notify the Data Protection Board of India as required under the DPDP Act
  • Inform affected users via email and in-app notification
  • Document the breach, impact, and remedial actions taken

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email and in-app notification at least 30 days before taking effect. Continued use of Skilfo after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related queries, contact our Grievance Officer through the Grievance Portal or email us at privacy@skilfo.com.