Data Processing Agreement

Last Updated: May 28, 2026  ·  Effective: May 28, 2026
Between Controller & Processor

Table of Contents

  1. Definitions
  2. Scope and Purpose
  3. Processing Details
  4. Processor Obligations
  5. Controller Obligations
  6. Data Subject Rights
  7. Sub-Processors
  8. Data Breach Notification
  9. Data Retention and Deletion
  10. International Transfers
  11. Audit Rights
  12. Liability
  13. Governing Law
  14. Contact

1. Definitions

"Controller" — The entity (coaching centre, teacher, or individual user) who determines the purposes and means of processing personal data. When a coaching centre uploads student data or a teacher pushes content to students, the centre or teacher acts as Controller. Individual students acting on their own behalf are also Controllers of their own data.

"Processor" — Study Cabinet / Snippetz, operated by Pulakit Bararia, which processes personal data on behalf of the Controller.

"Data Subject" — The individual whose personal data is processed (students, teachers, parents, and other users).

"Personal Data" — Any information relating to an identified or identifiable natural person as defined under applicable data protection law including India's DPDPA 2023, the EU GDPR, the UK GDPR, and other applicable laws.

"Processing" — Any operation performed on personal data including collection, storage, use, transmission, disclosure, and deletion.

"GDPR" — The EU General Data Protection Regulation (2016/679) and the UK GDPR as applicable.

"DPDPA" — India's Digital Personal Data Protection Act 2023.

"SCCs" — Standard Contractual Clauses as adopted by the European Commission for international data transfers.

2. Scope and Purpose

This Data Processing Agreement ("DPA") sets out the obligations of the Processor when processing Personal Data on behalf of the Controller through the Study Cabinet application. The Processor provides an AI-powered study management platform including course management, topic tracking, exam scheduling, attendance tracking, grade management, AI-assisted study tools (EDITH), coaching centre operations, teacher-student communication, fee and salary management, and file storage.

This DPA applies automatically when the Controller uses the App to process Personal Data of Data Subjects. By using the App to process others' data, the Controller agrees to be bound by this DPA. A separate signed copy is available upon request at snippetzlabs@gmail.com.

3. Processing Details

Nature and Purpose of Processing: Providing an AI-powered study management platform as described in the Terms of Service and Privacy Policy.

Categories of Data Subjects: Students, teachers, tutors, coaching centre administrators, parents, and guardians.

Types of Personal Data Processed: Identity data (name, email, hashed password, avatar, role); academic data (courses, topics, notes, assignments, grades, exam records, timetable, attendance); financial data (fee records, salary records, payment status); centre data (centre name, class names, member roles, invite codes, permissions); communication data (push notifications, teacher pushes, chat messages, in-app notifications); AI interaction data (prompts, AI-generated content, cached AI outputs); file data (uploaded documents, attachments, course materials); preference data (theme, Pomodoro settings, sound preferences); and usage data (page views, feature usage, session duration if analytics enabled).

Special Categories of Data (Sensitive Data): None intentionally collected. Controllers are prohibited from uploading sensitive data (health information, biometric data, genetic data, political opinions, religious beliefs, sexual orientation, etc.). If such data is inadvertently uploaded, the Controller bears full responsibility and must notify the Processor immediately.

4. Processor Obligations

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do otherwise by law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

The Processor shall ensure that all persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (HTTPS/TLS 1.3) and at rest (AES-256), access controls through Row-Level Security (RLS) policies ensuring users can only access their own data, authentication via Supabase Auth with bcrypt password hashing, regular security updates, and automated daily backups with point-in-time recovery.

The Processor shall only engage sub-processors in accordance with Section 7 of this DPA.

The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to data subject rights requests.

The Processor shall assist the Controller in ensuring compliance with obligations regarding security of processing, breach notification, and data protection impact assessments.

At the Controller's election, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by law.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.

5. Controller Obligations

The Controller shall ensure that the processing of Personal Data through the App is lawful, fair, and transparent to Data Subjects. This includes obtaining all necessary consents from Data Subjects, including parental consent for Data Subjects under 18 (or the applicable age of digital consent).

The Controller shall provide Data Subjects with a privacy notice that covers the processing described in this DPA. The Controller may use our Privacy Policy for this purpose or provide their own.

The Controller is responsible for the accuracy, quality, and legality of the Personal Data uploaded or entered into the App. The Controller shall not upload or process special category data (sensitive data) through the App.

The Controller shall not use the App for processing that violates applicable data protection laws.

The Controller shall respond to data subject rights requests in a timely manner and cooperate with the Processor when such requests require Processor action.

The Controller shall ensure that any third parties (including teachers, staff, or other centre personnel) who access Personal Data through the App are bound by equivalent confidentiality and data protection obligations.

India (DPDPA 2023): The Controller confirms they have obtained verifiable parental consent for any Data Subjects under 18 before uploading or processing their data through the App.

EU/UK (GDPR): The Controller confirms they have a lawful basis for processing as required under Article 6 of the GDPR and have obtained parental consent under Article 8 for children under 16 (or the applicable lower age).

US (COPPA): The Controller confirms they have obtained parental consent for children under 13 before uploading or processing their data.

6. Data Subject Rights

The Processor shall, to the extent technically feasible and within its control: enable Data Subjects to access, correct, and delete their data through App settings; forward any data subject request received directly to the Controller within 5 business days; provide reasonable assistance to the Controller in fulfilling data subject rights requests; and make available data portability exports in JSON format upon Controller request.

The Controller is primarily responsible for responding to data subject rights requests. The Processor will assist as described above. The Processor shall not respond to a data subject request on behalf of the Controller without prior authorisation, except where required by law.

7. Sub-Processors

The Controller authorises the Processor to engage the following sub-processors:

Supabase Inc. — Provides database, authentication, file storage, and realtime services. Located in the United States / multi-region. Accessed data: all Personal Data stored in the App. Safeguards: SOC 2 compliant, encryption at rest and in transit, DPA in place.

Groq Inc. — Provides AI inference processing for the EDITH assistant. Located in the United States. Accessed data: AI prompts, academic context, IP address, request metadata. Safeguards: Groq does not train on API data, enterprise-grade security.

Tavily (via Groq) — Provides web search capability. Only accessed when the user explicitly triggers a web search within EDITH. Accessed data: AI-generated search queries.

Google LLC — Provides analytics processing if enabled, font delivery, and CDN services. Located in the United States / Global. Accessed data: usage data, IP address, user-agent. Safeguards: data anonymised, Google's applicable terms and safeguards apply.

Notification of New Sub-Processors: The Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance. The Controller may object to such changes within 14 days of notice. If the objection is reasonable and cannot be resolved, the Controller may terminate the service.

8. Data Breach Notification

In the event of a data breach involving Personal Data processed under this DPA, the Processor shall notify the Controller without undue delay and within 48 hours of becoming aware of the breach. The notification shall include a description of the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences of the breach, measures taken or proposed to address the breach, and a contact point for further information.

The Processor shall cooperate fully with the Controller in investigating and remediating the breach. The Controller is responsible for notifying supervisory authorities and affected Data Subjects as required by applicable law. The Processor will assist the Controller in making such notifications where required.

9. Data Retention and Deletion

The Processor shall retain Personal Data only for the duration of the service agreement or as described in the Privacy Policy, whichever is longer. Upon termination of the service or upon Controller request, account data and academic data shall be deleted within 30 days. Financial records shall be retained for 7 years (or as required by tax law). AI cached outputs shall be deleted within 30 days. Backups containing Personal Data shall be deleted within 90 days. The Processor may retain anonymised or aggregated data that no longer identifies Data Subjects for analytical purposes.

10. International Transfers

Personal Data may be transferred to and processed in the United States and other countries where sub-processors operate. For Data Subjects in the EU/UK/EEA, transfers are safeguarded by Standard Contractual Clauses (SCCs) as adopted by the European Commission, Data Processing Agreements with each sub-processor, and technical controls ensuring data is processed only for specified purposes. Copies of the applicable SCCs are available upon request at snippetzlabs@gmail.com.

India (DPDPA 2023): Transfers from India are made to countries approved by the Indian government as having adequate data protection standards. We will update this DPA as required when the Indian government notifies adequate jurisdictions under Section 16 of the DPDPA.

UK: Transfers from the UK are made under the UK International Data Transfer Agreement (IDTA) or SCCs with UK Addendum, available upon request.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA up to once per calendar year, at the Controller's expense. Audits shall be conducted with reasonable notice (minimum 30 days) and during business hours. The Processor shall provide all information necessary to demonstrate compliance and shall cooperate with the audit.

If the Controller is a coaching centre with limited resources, audits may be satisfied by the Processor providing SOC 2 reports, ISO certifications, or equivalent third-party audit documentation in lieu of an on-site audit. For individual users and small centres, the Processor's published Privacy Policy and security documentation serve as evidence of compliance.

12. Liability

Each party's liability arising out of or related to this DPA shall be subject to the limitations set out in the Terms of Service. Nothing in this DPA shall limit or exclude liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, breaches of confidentiality or data protection obligations, or any liability that cannot be limited or excluded by applicable law.

13. Governing Law

For Controllers in India: This DPA shall be governed by the laws of India, with courts in Mumbai, Maharashtra having exclusive jurisdiction.

For Controllers in the European Union: This DPA shall be governed by the laws of Ireland.

For Controllers in the United Kingdom: This DPA shall be governed by the laws of England and Wales.

For Controllers in other jurisdictions: This DPA shall be governed by the laws of India.

14. Contact

Processor / Data Controller: Pulakit Bararia
Email: snippetzlabs@gmail.com
Application: Study Cabinet (Snippetz)

For questions, requests for a signed copy of this DPA, or to exercise any rights, email the above address. We aim to respond within 24 hours.