Privacy Policy
Last updated 2026-05-18 · Version 2.0
1. Who we are
DigiSurf Academy is operated by DigiSurf Australia Pty Ltd (the international operator) and DIGIROX Edu Pvt Ltd (the Indian operator and Data Fiduciary for Indian users under the DPDP Act 2023). We provide AI-powered IELTS preparation tools at app.digisurfacademy.com. DigiSurf Academy is an independent platform and is not affiliated with the British Council, IDP, or Cambridge Assessment English.
This notice is available in English. For Hindi, Tamil, Telugu, Bengali, Marathi, Gujarati, Kannada, Malayalam, Punjabi, or Odia versions, email languages@digisurfacademy.com (DPDP §5(3)).
2. Data we collect, purpose, and lawful basis
Under DPDP §5(1)(a) we map each category to a specific purpose and basis:
| Data category | Purpose | Lawful basis |
|---|---|---|
| Email, password (hashed), display name | Account creation, login, receipts | Contract |
| Test answers, band scores, timing, attempt history | Service delivery, progress tracking | Contract |
| Writing essays + AI feedback | AI scoring; band > 7.0 + your opt-in → community display | Contract + separate consent for community |
| Speaking audio + transcript + speech metrics | AI scoring; band > 6.0 + your opt-in → community display | Contract + separate consent for community |
| Razorpay payment ID, plan, expiry, payment metadata | Process payments; issue tax invoices | Contract + legal obligation (GST) |
| Device fingerprint, IP, audit logs | Fraud prevention, rate-limiting, security | Legitimate use (DPDP §7(a)) |
| Essential session cookies (Supabase auth, Turnstile) | Keep you signed in; block bots | Strictly necessary |
| Analytics cookies | Anonymised usage analytics | Consent — off by default |
3. How AI scoring works (and what we don't do)
When you submit a Writing or Speaking task, the text or audio is sent to AI sub-processors (see §5) to produce a band score, criterion breakdown, quoted-evidence feedback, and a model answer. Speaking audio is also transcribed by a speech-to-text service so the AI grader can analyse fluency, lexical range, grammar, and pronunciation indicators (WPM, filler-word count, pause length, low-confidence words).
We do not use your recordings, transcripts, or essays to train AI models. Our AI sub-processors operate under zero-retention or 30-day-retention API terms with no training rights; copies of those Data Processing Addenda are available on request.
4. Community display — opt-in only
Community Top Performers is a peer-learning feature visible to logged-in DigiSurf users. After scoring:
- If your Speaking band is ≥ 6.0, you'll be asked on the score page whether to publish the recording and your display name. Default is OFF.
- If your Academic Writing task band is ≥ 7.0, you'll be asked whether to publish an essay excerpt and your display name. Full essay text is visible only to other registered users who themselves scored ≥ 6.0 on the same task; copying / downloading is disabled by UI and prohibited by Terms §5.
You can revoke at any time from the score page (Delete attempt); community removal completes within ~60 seconds and platform deletion is immediate.
5. Sub-processors & cross-border transfers (DPDP §16)
Some of your data is processed outside India by the following sub-processors:
| Sub-processor | Purpose | Country | Safeguard |
|---|---|---|---|
| Supabase | Authentication + Postgres database | EU / US (project region) | DPA, encryption at rest |
| Cloudflare R2 | Audio + image object storage | Global edge | DPA, encryption in transit + at rest |
| Cloudflare Turnstile | Bot / captcha protection | Global edge | DPA |
| Razorpay | UPI, cards & net banking payments | India | RBI-authorised PA-PG, PCI-DSS Level 1 |
| Resend | Transactional email (verification, receipts, password reset) | USA | DPA, no marketing reuse |
| AI scoring providers | Grade essays + transcripts | USA | Zero-retention API terms; no training; DPA |
| Speech-to-text + text-to-speech providers | Transcribe speaking audio; native model-answer TTS | USA | DPA, no training |
| Vercel | Web hosting + edge functions | USA / Global | DPA, SOC 2 |
| Meta Platforms (Pixel + Conversions API) | Ad measurement on public marketing pages (hashed email/phone only; no test content) | USA / Global | Business Tools Terms; hashed PII |
India's Ministry of Electronics & Information Technology has not currently restricted any of these jurisdictions under DPDP §16. We use contractual safeguards (DPAs, SCCs where applicable) for every cross-border flow.
6. Your rights as a Data Principal (DPDP §11-§14)
- Access & export. Account → Export — download all your data as JSON.
- Correction & updating. Account → Profile — fix any inaccurate or outdated personal data.
- Erasure. Account → Delete — permanent removal of your account and all User Content within 30 days (audit logs retained per §7).
- Withdraw consent. Account → Privacy → Withdraw AI consent. Consequence: you lose AI scoring + community features. Past processed data is deleted within 30 days of withdrawal.
- Nominate a representative (DPDP §14). Account → Nominee — appoint another individual to exercise your rights on your behalf in the event of death or incapacity.
- Grievance. File via §10 below; escalate to the Data Protection Board of India if unresolved within 30 days.
7. Retention
- Audio recordings + essays + transcripts: 18 months from creation, or until you delete the attempt — whichever is sooner.
- Band scores, answers, attempt history: while your account is active for progress tracking; deleted on account deletion.
- Audit + security logs: 24 months for fraud prevention and DPDP §8(7) compliance.
- Razorpay payment metadata + tax invoices: 8 years (Indian Income Tax Act and CGST Act retention).
- Inactive accounts: auto-purged after 36 months of no login, with a 30-day email warning before deletion.
8. Children (DPDP §9)
The DPDP Act defines "child" as anyone under 18. Users under 18 require verifiable parental consent:
- 16-17 year-olds must provide a parent / guardian email at signup; the parent receives a unique confirmation link before the account is activated. Pro purchases require an additional parent confirmation at checkout.
- Users under 16 are not permitted.
- We do not profile, behaviourally track, or run targeted advertising on accounts flagged as belonging to a child.
9. Cookies & tracking
Essential cookies (cannot be disabled while signed in): Supabase auth (`sb-*`), Cloudflare Turnstile, session CSRF.
Advertising measurement (Meta Pixel): on our public marketing pages we use the Meta (Facebook) Pixel and Conversions API to measure ad performance. Meta receives the page viewed, the action taken (sign-up, purchase), your IP and browser user-agent, and — for sign-ups and purchases only — your email and phone in irreversibly hashed form. We never send Meta your test content, essays, recordings or scores. Full detail and opt-out in the Cookie Policy.
Optional analytics: off by default. We do not currently run a separate analytics vendor; if we add one (e.g. Vercel Analytics) the cookie banner will list it and require fresh opt-in.
Manage your preferences any time via the Cookie preferences link in the page footer. See the full Cookie Policy.
10. Grievance Officer (India)
For DPDP, IT Rules 2021, and CP-E-Commerce Rules 2020 grievances:
- Email: grievance@digisurfacademy.com
- Acknowledgement: within 48 hours · Resolution: within 30 days as required by DPDP §13 and IT Rules 2021.
Unresolved complaints may be escalated to the Data Protection Board of India (DPDP §27).
11. Personal data breaches (DPDP §8(6))
If we become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India without undue delay, and in any case within 72 hours of discovery, with: nature of the breach, categories and approximate number of users affected, likely consequences, and mitigation steps.
12. Significant Data Fiduciary readiness
If we are notified as a Significant Data Fiduciary under DPDP §10, we will appoint an India-resident Data Protection Officer, conduct annual DPIAs and independent audits, and publish the DPO's contact here.
13. International users (GDPR parity)
Users in the EU / UK retain GDPR / UK GDPR rights: access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and the right to complain to your supervisory authority. The Grievance Officer (§10) is the primary point of contact; we will respond within one month.
14. Contact
Privacy queries: privacy@digisurfacademy.com (or the Grievance Officer above). General: info@digisurfaustralia.com.au.