DPDP Consulting for EdTech
Get DPDP help for EdTech children's data, parental consent, academic records and vendor risk.
Discuss this page with an LLM
Now replace the sandwich shop with your EdTech company. Where does personal data enter? Where does it sit? Who else touches it?
EdTech DPDP Self-Check
Start here to understand why DPDP is relevant to EdTech. Before any other task, first understand how personal data moves through the business.
What is EdTech?
In this context, EdTech means education platforms, online courses, learning apps, coaching systems, school software, LMS tools and student-support workflows that collect or use student, parent, teacher, payment, attendance, performance or learning-progress data.
Children's data
- Do you collect age, class, school, parent details or learning progress?
- Can you separate child, parent and guardian data?
- Do you know which users are under 18?
Consent
- Can you prove where consent came from?
- Is consent collected before data is used for the stated purpose?
- Can consent be withdrawn without breaking the entire account flow?
Tracking and profiling
- Do you track usage, performance, attention, behavior or drop-offs?
- Is any of this used for ads, recommendations or nudges?
- Are analytics tools collecting user identifiers?
Vendors and SDKs
- Which CRMs, email tools, payment tools, analytics tools and support tools receive personal data?
- Do contracts say they process data only on your instructions?
- Can you delete or export data from each vendor?
Retention
- What happens when the service ends?
- What happens when a user leaves?
- What data is kept for certificates, invoices, disputes or regulatory records?
First action
- Map one user journey from sign-up to completion.
- Mark where data is collected, stored, shared, used for communication and deleted.
If this self-check exposed more than three unclear answers, the next useful step is a DPDP data journey map.
Book a DPDP clarity callEdTech Company Analyses
Great Learning
Great Learning’s policy is a classic example of an EdTech firm clinging to 'implied consent' and vague retention timelines—both of which are now illegal under India's DPDP Act. While they are transparent about what they collect, the lack of granular control for the user creates a massive compliance gap.
Unacademy
Unacademy tracks learning behaviors, exam preparation patterns, and live class participation for millions of aspirants — many minors. At 42/100, the absence of DPDP Section 9 child protections and indefinite retention of learning data that reveals career ambitions creates significant compliance gaps.
Classplus
Classplus handles sensitive student data but its policy is stuck in the pre-2023 legal era. While its security tech is solid, the lack of verifiable parental consent and granular user controls creates significant legal risk under the new DPDP Act.
Frequently asked questions
Do we need parental consent if a school buys our platform for their students?
Yes, if your platform processes student data directly, you are a Data Fiduciary. You must ensure the school’s contract includes a mechanism for verifiable parental consent that satisfies DPDP standards.
Can we use student performance data to market advanced courses to parents?
You cannot bundle marketing consent with the main service agreement. You must provide a separate opt-in for parents to receive promotional offers based on their child’s learning progress.
How do we handle "Right to Erasure" for permanent academic records?
If a law requires you to keep records for a specific period, that law overrides the DPDP deletion request. However, you must still delete non-essential data like login IP logs or marketing preferences.