Introduction
CRIAA ("CRIAA", "we", "us" or "our") operates the Craqit digital learning platform (the "Platform") and provides educational programmes, activity kits and board games under the CRIAA Education, CRIAA Digital and CRIAA Home brands. We are committed to protecting the privacy and personal data of all individuals who interact with our products and services.
This Privacy Policy ("Policy") explains how we collect, use, disclose, store and protect your personal information when you visit our website, use the Craqit app, purchase our products, enrol in our programmes or otherwise interact with CRIAA. It is intended to comply with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Digital Personal Data Protection Act, 2023 ("DPDP Act").
By accessing our website, downloading or using the Craqit app, purchasing a CRIAA product or providing your personal information to us, you acknowledge that you have read, understood and agree to the practices described in this Policy. If you do not agree, please do not use our services.
Plain language summary: We collect personal data to provide and improve our services, keep students safe, communicate with you and comply with law. We do not sell your personal data. We take the privacy of children especially seriously.
Who We Are
CRIAA is an educational technology and curriculum solutions company incorporated in India. We operate the Craqit digital learning platform, deliver the CRIAA Education programme to schools and institutions, and produce CRIAA Home activity kits and board games, all with the shared mission of integrating 21st century skills development into learning for children across India.
For the purposes of the DPDP Act, 2023, CRIAA acts as the Data Fiduciary in relation to the personal data it collects and processes. Where we process data strictly on behalf of schools or institutional partners, we may also act as a Data Processor in accordance with the terms of our agreements with those institutions.
Registered Address: [CRIAA Registered Address], India.
Contact: info@criaa.in
Scope & Applicability
This Policy applies to:
- Students who use the Craqit app or participate in CRIAA Education programmes, including minors whose data is provided by a parent, guardian or school.
- Parents and guardians who register on behalf of a child, purchase CRIAA Home products or interact with us directly.
- Educators and school staff who use CRIAA Education resources, the Craqit platform or our professional development services.
- School and institutional administrators who enter into partnerships or licensing agreements with CRIAA.
- Website visitors who browse our website or submit enquiry forms without creating an account.
- Any other individual who provides personal information to CRIAA in connection with our products or services.
This Policy does not apply to third-party websites, applications or services that may be linked from our platform. We encourage you to review the privacy policies of those third parties independently.
Information We Collect
We collect personal information in the following categories, depending on how you interact with CRIAA:
| Category | Examples | How Collected |
|---|---|---|
| Identity Data | Full name, username, date of birth, gender, profile photograph | Registration, account creation |
| Contact Data | Email address, mobile number, postal address, city, state, PIN code | Registration, order placement, enquiry forms |
| Institutional Data | School name, class, grade, roll number, institution type | School onboarding, student registration |
| Learning Data | Activities completed, quiz scores, evaluation results, progress reports, time spent on platform, submissions | Platform usage, Craqit app activity |
| Transaction Data | Order history, products purchased, payment reference numbers, delivery address | In-app purchases, CRIAA Home orders |
| Technical Data | IP address, device type, operating system, browser type, app version, session data, crash reports | Automatic collection via app and website |
| Usage Data | Pages visited, features used, click patterns, search queries within the platform | Analytics tools, cookies |
| Communications Data | Enquiry content, support messages, feedback submitted, email correspondence | Contact forms, email, in-app support |
| Parental Consent Data | Parent/guardian name, relationship to child, consent records, verification details | Minor registration process |
Sensitive Personal Data or Information (SPDI): Under the SPDI Rules 2011, certain categories of data are classified as sensitive. Where applicable, we may collect health-related information (e.g. accessibility requirements) or financial information strictly for transaction processing. Such data is handled with enhanced security measures and collected only with explicit consent.
We do not collect Aadhaar numbers, biometric data, caste, religion, political views or any data not reasonably necessary for the purposes set out in this Policy.
How We Use Your Information
We use the personal information we collect for the following purposes:
- Service Delivery: To create and manage accounts, provide access to the Craqit platform and CRIAA Education programmes, and process orders for CRIAA Home products.
- Personalised Learning: To tailor learning pathways, recommend activities, track progress and generate evaluation reports that are meaningful to each student.
- Assessment & Reporting: To assess submitted activities, generate performance data, produce feedback reports and share learning outcomes with students, parents and schools as appropriate.
- Communication: To respond to enquiries, send service-related notifications, share programme updates, deliver order confirmations and provide customer support.
- Safety & Compliance: To verify the age of users, obtain parental consent for minors, detect fraudulent activity, investigate complaints and comply with legal obligations.
- Platform Improvement: To analyse usage patterns, identify technical issues, conduct research into learning effectiveness, and improve the design and content of our products.
- Marketing Communications: To send information about new products, programmes and updates — strictly where you have given consent or where we have a legitimate interest and you have not opted out.
- Legal Obligations: To comply with applicable Indian law, respond to court orders, statutory authorities or law enforcement requests, and enforce our Terms of Use.
We do not sell your personal data. We do not trade, rent or sell your personal information to third parties for commercial or marketing purposes, under any circumstances.
Legal Basis for Processing
Under the Digital Personal Data Protection Act, 2023 ("DPDP Act"), we process personal data on the following lawful bases:
- Consent: Where you or, in the case of a child under 18, your parent or legal guardian, has given clear, free, specific, informed and unambiguous consent to the processing of personal data for a stated purpose. You may withdraw consent at any time, though this may affect your ability to use our services.
- Contractual Necessity: Where processing is necessary to perform a contract with you — for example, delivering the Craqit platform, fulfilling an order or providing CRIAA Education services to a school.
- Legal Obligation: Where processing is required to comply with a legal obligation applicable to CRIAA under Indian law.
- Legitimate Interests: Where processing is necessary for our legitimate interests — such as improving our platform, preventing fraud, or communicating relevant product updates — provided those interests are not overridden by your rights and interests.
- Vital Interests: In exceptional circumstances, where processing is necessary to protect the life or safety of a data principal or another person.
Sharing Your Information
We may share personal information with the following categories of recipients, strictly as necessary and with appropriate safeguards in place:
- Schools & Institutional Partners: Where a student has been registered through a school partnership, we share learning data, progress reports and evaluation outcomes with the relevant institution.
- Parents & Guardians: We share a child's learning progress, activity completions and evaluation results with verified parents or guardians as part of our service.
- Service Providers & Processors: We engage trusted third-party service providers for cloud hosting, payment processing, email communication, analytics and customer support.
- Expert Evaluators: Submitted activities on the Craqit platform are reviewed by CRIAA's trained evaluators.
- Legal & Regulatory Authorities: We may disclose personal data to courts, law enforcement agencies, regulators or other government authorities where required by law.
- Business Transfers: In the event of a merger, acquisition, restructuring or sale of CRIAA's business or assets, personal data may be transferred to the acquiring entity, subject to the same privacy protections described in this Policy.
We do not transfer personal data outside India except where strictly necessary for service delivery, in which case we ensure adequate contractual safeguards are in place consistent with the DPDP Act and applicable rules.
Children's Privacy
Special protection for minors. A significant portion of CRIAA's users are children. We take the protection of children's personal data extremely seriously and have implemented specific safeguards in compliance with the DPDP Act, 2023, which classifies all persons under 18 as children requiring enhanced data protection.
- Verifiable Parental Consent: Before processing the personal data of any child, we obtain verifiable consent from a parent or legal guardian. Where registration is facilitated through a school, the school represents that it has obtained the necessary consents from parents.
- No Behavioural Profiling of Children: We do not engage in behavioural monitoring, targeted advertising or profiling of children in a manner detrimental to their well-being, as required under Section 9 of the DPDP Act.
- No Tracking for Commercial Purposes: We do not use children's data for commercial profiling, advertising targeting or data brokering of any kind.
- Age-Appropriate Design: The Craqit platform is designed with child safety in mind — with moderated content, restricted social features, and privacy-by-default settings for all users identified as minors.
- Parental Access & Control: Parents and guardians may access, review, correct or delete their child's personal data at any time by contacting our Grievance Officer.
- School Responsibility: Where CRIAA Education is deployed through a school, the school acts as the primary point of consent and communication with parents, and is responsible for ensuring appropriate consents are in place under their data processing agreement with CRIAA.
Data Storage & Security
We implement reasonable security practices and procedures as required under the SPDI Rules, 2011 and the DPDP Act, 2023 to protect personal data against unauthorised access, disclosure, alteration, loss or destruction. Our security measures include:
- Encryption: Personal data is encrypted in transit using TLS/SSL protocols and at rest using industry-standard encryption.
- Access Controls: Access to personal data is restricted to authorised personnel on a need-to-know basis, with role-based access controls and audit logging.
- Secure Infrastructure: Our platform is hosted on trusted cloud infrastructure with SOC 2 and ISO 27001 certified providers.
- Regular Security Reviews: We conduct periodic security assessments, vulnerability testing and code reviews to identify and address potential risks.
- Incident Response: We maintain a data breach response procedure. In the event of a personal data breach that poses a risk to data principals, we will notify the Data Protection Board of India and affected users as required by law.
- Employee Training: All CRIAA staff with access to personal data receive training on data protection obligations and security practices.
While we take all reasonable precautions, no system of data transmission or storage can be guaranteed to be 100% secure. We encourage users to use strong passwords, keep login credentials confidential and notify us immediately if they suspect unauthorised access to their account.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our general retention periods are as follows:
| Data Type | Retention Period | Basis |
|---|---|---|
| Account & identity data | Duration of account + 2 years after closure | Service delivery, legal compliance |
| Learning & assessment data | Duration of programme + 3 years | Educational records, dispute resolution |
| Transaction & payment data | 7 years from transaction date | Financial records, tax compliance |
| Communication records | 3 years from last interaction | Support, legal compliance |
| Technical & usage logs | 12 months on a rolling basis | Security monitoring, platform improvement |
| Marketing consent records | Until consent is withdrawn + 1 year | Legal compliance, audit trail |
| Parental consent records | Duration of child's account + 3 years | DPDP Act compliance |
Upon expiry of the applicable retention period, personal data is securely deleted or anonymised so that it can no longer be attributed to an identifiable individual. Data that forms part of aggregated, anonymised analytics is not subject to deletion timelines as it cannot identify any individual.
Cookies & Tracking Technologies
Our website and Craqit platform use cookies and similar tracking technologies to improve your experience, analyse usage and ensure the platform functions correctly. We use the following types of cookies:
- Strictly Necessary Cookies: Essential for the platform to function — including session management, login authentication and security. These cannot be disabled without affecting platform functionality.
- Analytics Cookies: Used to understand how users interact with our platform — including pages visited, time spent and features used. We use this data only to improve our services and not to identify individual users commercially.
- Preference Cookies: Store your settings and preferences (such as language and display options) so you do not have to re-enter them each session.
- Marketing Cookies: Used only where you have explicitly consented, to track the effectiveness of communications and provide relevant information about CRIAA products. We do not use third-party advertising cookies for behavioural targeting of children.
You may manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our website or platform. For the Craqit mobile app, tracking preferences can be managed through your device's privacy settings.
Your Rights
Under the Digital Personal Data Protection Act, 2023 and the SPDI Rules, 2011, you have the following rights in relation to your personal data. To exercise any of these rights, please contact our Grievance Officer using the details in Section 15.
You have the right to obtain a summary of the personal data we hold about you and the purposes for which it is being processed.
You have the right to request correction of inaccurate, incomplete or outdated personal data we hold about you.
You may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements.
Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
You have the right to raise a grievance with our Grievance Officer and receive a response within the timeframe specified by law.
You have the right to nominate another individual who may exercise your data rights on your behalf in the event of death or incapacity.
We will respond to all valid requests within 30 days of receipt. In complex cases, we may extend this period by a further 30 days with prior notice. We do not charge a fee for exercising these rights, except where requests are manifestly unfounded or excessive.
If you are dissatisfied with our response, you have the right to lodge a complaint with the Data Protection Board of India once constituted under the DPDP Act, 2023.
Third-Party Links & Services
Our website and Craqit platform may contain links to or integrations with third-party services — including payment gateways, delivery partners and educational resource providers. These third parties operate independently of CRIAA and have their own privacy policies.
CRIAA is not responsible for the privacy practices of third-party services. We encourage you to review the privacy policy of any third-party website or service you access through our platform before providing any personal information. The inclusion of a link does not imply endorsement of that third party's privacy practices.
Where we engage third-party processors (such as payment gateways compliant with PCI-DSS standards), we ensure appropriate contractual data processing agreements are in place before any personal data is shared.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, applicable law or best practices. All updates will be posted on this page with a revised "Last Updated" date at the top.
Where changes are material — meaning they significantly affect how we collect, use or share your personal data — we will provide prominent notice through the Craqit app, by email to registered users, or by other appropriate means at least 15 days before the changes take effect.
Your continued use of our services after the effective date of a revised Policy constitutes your acceptance of those changes. If you do not agree to the revised Policy, you should discontinue use of our services and may request deletion of your account.
Previous versions of this Policy are available on request from our Grievance Officer.
Grievance Officer
In accordance with the Information Technology Act, 2000, the SPDI Rules, 2011 and the DPDP Act, 2023, CRIAA has appointed a Grievance Officer to address any concerns or complaints relating to the processing of personal data.
If you have any questions about this Policy, wish to exercise your rights, or have a concern about how your personal data has been handled, please contact our Grievance Officer. We are committed to resolving all complaints within 30 days of receipt.
Contact Us
For general queries about this Privacy Policy or about CRIAA's data practices, you may also contact us through the following channels:
- In-App Support: Raise a support ticket directly within the Craqit app under Settings → Help & Support → Privacy Query.
- Email: support@criaa.in for privacy-related queries or info@criaa.in for general support.
- Website: Submit an enquiry through the Contact Us form at criaa.in/contact.
- Post: Write to our Grievance Officer at the registered address stated in Section 15.
Governing Law: This Privacy Policy is governed by and construed in accordance with the laws of India. Any disputes arising in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of [City], India.
This Privacy Policy was last reviewed and approved by the CRIAA leadership team on 1 January 2026. CRIAA reserves the right to modify this Policy at any time in accordance with Section 14 above.