Privacy Policy

    Last updated: 19 April 2026

    CrazyGoldFish Technologies Private Limited ("CrazyGoldFish", "we", "our", "us") provides AI-powered infrastructure services for education—primarily assessment/evaluation workflows via APIs and embeddable modules. This Privacy Policy explains how we collect, use, disclose, store, and protect Personal Data when you visit our website, request a demo, access our sandbox, or use our services through an institutional deployment.

    1) Scope

    This Policy applies to:

    • Visitors to our website and marketing pages ("Website");
    • Prospective customers who request demos or sandbox access;
    • Institutional customers and their authorized users (administrators, teachers, staff) who access our services ("Services");
    • Student data processed within institutional deployments where CrazyGoldFish acts as a processor.

    If you are a student or parent, note that student data is generally processed under your school/institution's authority. Your institution's privacy notice may also apply.

    2) Key Definitions

    • "Personal Data" means any data relating to an identified or identifiable individual.
    • "Client" / "Institution" means an educational organization or platform contracting with CrazyGoldFish.
    • "Client Data" means data uploaded or provided by the Client/authorized users in connection with the Services.
    • "Controller" determines the purposes and means of processing Personal Data.
    • "Processor" processes Personal Data on behalf of the Controller.

    3) Our Role: Controller vs Processor

    A. Website & Sales Operations (Controller)

    For Website interactions, demo requests, sandbox onboarding, and customer communications, CrazyGoldFish acts as a data controller for the Personal Data we collect directly.

    B. Institutional Deployments (Processor)

    For student assessment data and related evaluation workflows processed under an institutional contract, CrazyGoldFish acts as a data processor and processes Personal Data only on the documented instructions of the Client/Institution (the Controller).

    4) Personal Data We Collect / Process

    Depending on how you engage with us, we may collect/process:

    A) Website & Business Contact Data

    • Name, email, phone number;
    • Organization name, designation, and business details;
    • Messages and support requests;
    • Marketing preferences;
    • Website usage data (e.g., pages visited, device/browser info, approximate location, cookies).

    B) Account & Usage Data (Institutional Users)

    • Account credentials and identifiers (admin/teacher/staff);
    • Role and permissions (RBAC);
    • API keys/tokens and logs (request metadata, timestamps, error logs, rate-limit events);
    • Support tickets and communications.

    C) Student Assessment Data (Institution-Authorized)

    Where enabled by the Institution, we may process:

    • Student submissions (handwritten scans, images, PDFs, typed answers);
    • Question-level responses and mapping metadata;
    • Scores, rubric/marking-scheme signals, and feedback outputs;
    • Teacher overrides/edits, review flags, and audit trail entries;
    • Workflow events (provisional publish, re-evaluation requests, query/closure states).

    Important: We do not seek to collect Personal Data from children directly outside institution-authorized workflows.

    5) How We Use Personal Data

    We use Personal Data to:

    • Provide, operate, maintain, and improve the Website and Services;
    • Authenticate users, manage access controls, and prevent fraud/abuse;
    • Process assessment workflows, generate evaluation outputs and structured feedback;
    • Provide support, troubleshooting, and account administration;
    • Monitor performance, reliability, and security (including audit logs);
    • Comply with legal obligations and enforce our contracts.

    6) Children's Data and Safeguards

    Our Services may be used in school settings and can involve children's data. In such cases:

    • Processing occurs under institutional authorization and contractual agreements;
    • Access is limited using role-based access controls and least-privilege permissions;
    • We do not use children's data for marketing, advertising, or profiling.

    7) Advertising, Profiling, and Sale of Student Data

    We do not use, sell, license, or share student data for:

    • Advertising directed at students;
    • Commercial profiling of students;
    • Behavioral marketing.

    8) AI Governance and Model Use

    CrazyGoldFish provides decision-support outputs in governed workflows. Where teacher review is enabled by the institution:

    • AI outputs may be provisional and subject to educator review/override;
    • Overrides may be logged as audit artifacts.

    Training and improvement:

    • Student/Client Data is used to provide the Services and improve system reliability/quality only as permitted by the Client contract and applicable law.
    • We do not allow third parties to use student data for advertising or profiling.

    9) Legal Bases for Processing

    Depending on context, processing may be based on:

    • Contractual necessity (to provide Services requested by the Client);
    • Legitimate interests (service security, fraud prevention, product improvement, B2B communications);
    • Consent (where required for cookies/marketing);
    • Compliance with law.

    For student data in institutional deployments, the Institution determines the legal basis as Controller; CrazyGoldFish processes data on their instructions as Processor.

    10) How We Share Personal Data

    We may share Personal Data with:

    • Service providers/sub-processors (e.g., hosting, storage, monitoring) that support service delivery;
    • Clients/Institutions (Controllers) and their authorized administrators as per workflow permissions;
    • Legal/Regulatory authorities when required by law;
    • Professional advisors (legal, auditors) under confidentiality obligations.

    We do not sell Personal Data.

    11) Sub-Processors

    We may engage sub-processors to support infrastructure and service operations. Where we act as a Processor for Client Data:

    • We impose data protection obligations on sub-processors consistent with our contractual commitments.
    • Where contractually required, we obtain Client authorization before onboarding sub-processors.

    12) International Data Transfers

    Where Client Data includes Personal Data:

    • We do not transfer Personal Data outside India without appropriate safeguards and required authorizations (as per contract and applicable law).

    13) Data Retention and Deletion

    We retain Personal Data only as long as necessary for the purposes described in this Policy, including:

    • Website/contact data: retained for business relationship management and compliance;
    • Sandbox data: retained per sandbox policy and may be temporary;
    • Client Data in institutional deployments: retained per contract and Controller instructions.

    Deletion/Return: Upon contract termination or written request, we delete or return Client Data in accordance with our contractual terms and legal obligations.

    14) Security Measures

    We maintain appropriate technical and organizational security measures, which may include:

    • Encryption in transit and at rest (where applicable);
    • Role-based access controls (RBAC) and least-privilege access;
    • Authentication controls for APIs;
    • Logging and monitoring;
    • Regular security reviews and incident response processes.

    No system is 100% secure; however, we continuously improve safeguards appropriate to risk.

    15) Data Breach Notification

    If we become aware of a Personal Data breach involving Client Data:

    • We will notify the Client without undue delay and within applicable contractual timelines;
    • We will cooperate in investigation, mitigation, and remediation.

    16) Your Rights

    Subject to applicable law, you may have rights to:

    • Access, correction, deletion;
    • Restriction or objection to processing;
    • Data portability;
    • Withdraw consent (where processing is based on consent).

    Institutional student data: Requests should generally be routed via the Institution (Controller). We will assist Controllers as contractually required.

    17) Cookies and Analytics (Website)

    We use cookies and similar technologies to:

    • Operate and improve our Website;
    • Analyze traffic and usage trends;
    • Maintain session/security functionality.

    You can manage cookies through your browser settings and any cookie consent controls we provide.

    18) Third-Party Links

    Our Website may contain links to third-party sites. We are not responsible for their privacy practices.

    19) Changes to This Policy

    We may update this Policy periodically. The "Last Updated" date indicates the latest revision. Material changes will be communicated through the Website or directly to Clients where appropriate.

    20) Contact Us

    CrazyGoldFish Technologies Private Limited

    HD-560, WeWork, DLF Two Horizon Centre, DLF QE, Gurgaon-122002, New Delhi, India

    Email: rahul@crazygoldfish.com