1. Who we are and how to reach us
Ostrya operates this Platform. For any privacy question, to exercise a right, or to raise a concern, contact our Grievance Officer through Ostrya support (see the Support page). We will acknowledge your request and respond within the timelines required by the DPDP Act. If you are not satisfied with our response, the DPDP Act gives you the right to escalate to the Data Protection Board of India.
2. The personal data we collect
Account and identity data: for creators, your name, email, and account identifiers received from our authentication provider; for learners, the email address you use to receive a one-time magic-link sign-in.
Product and usage data: the courses, websites, codesites, enrolments, and content you create or interact with, plus audit and security events (such as sign-in events and privileged actions) needed to operate the Platform safely.
Transaction data: records of payments, subscriptions, plan, credits, and invoices. We do NOT store your card number, UPI handle, or bank credentials — those are collected and stored by our payment provider (Razorpay) under its own terms; we receive only the result of a transaction and a provider reference.
Communications and support data: messages you send us and the metadata of transactional emails we send you (such as sign-in links and receipts).
Device and analytics data (only with your consent): if you accept analytics, a small set of product-usage events and a non-identifying anonymous identifier. We do not run session recording, we do not capture form values, and we never sell your data. See section 4 (Purpose 8).
Sensitive contact fields are masked in list views and revealed only with audit coverage. We do not seek to collect special-category data. We do not knowingly process the personal data of children (persons under 18) without verifiable consent of a parent or lawful guardian; creators must not upload children's data or special-category data to the Platform without a valid lawful basis.
3. How we obtain consent, and how to withdraw it
Where we rely on your consent (see the itemized list below), we ask for it through a clear, specific, and unbundled request, and we process only the data needed for the purpose you agreed to. You can withdraw any consent at any time — it is as easy to withdraw as it was to give. Withdrawing consent does not affect processing already carried out, and may mean we can no longer provide a feature that depends on it (for example, declining analytics simply turns analytics off).
Some processing does not rely on consent because the DPDP Act recognises it as a “legitimate use” (for example, providing a service you have signed up for, or complying with a legal obligation). The itemized list below states, for each purpose, whether we rely on your consent or on a legitimate use.
4. Why we process your data — itemized by purpose
Purpose 1 — Authenticating sign-in (creator session via our auth provider; learner magic-link). Data: identity and email. Basis: legitimate use — providing the service you requested. Consent: not required.
Purpose 2 — Operating the Platform and its tools (building and serving courses, websites, codesites, enrolments). Data: account, product, and usage data. Basis: legitimate use — performance of the service. Consent: not required.
Purpose 3 — Processing payments, subscriptions, credits, and invoices. Data: transaction data and identity. Basis: legitimate use — performance of the service and compliance with financial-record law. Consent: not required.
Purpose 4 — Sending transactional email (sign-in links, receipts, enrolment and live-session notices). Data: email and the related transaction/enrolment record. Basis: legitimate use — these are service messages, not marketing. Consent: not required.
Purpose 5 — Security, fraud prevention, abuse prevention, and rate limiting. Data: audit and security events, IP address, and account identifiers. Basis: legitimate use. Consent: not required.
Purpose 6 — Meeting legal, tax, and regulatory obligations and resolving disputes. Data: transaction and account records. Basis: legitimate use — legal obligation. Consent: not required.
Purpose 7 — Responding to your support and privacy requests. Data: your messages and the records needed to act on them. Basis: legitimate use — responding to the request you made. Consent: not required.
Purpose 8 — Product analytics to understand and improve how the Platform is used. Data: a small set of product-usage events and a non-identifying anonymous identifier; PII-looking fields are stripped before any event leaves your browser and again on our server. Basis: YOUR CONSENT. Consent: REQUIRED — analytics is off until you accept the analytics banner, and you can withdraw at any time. Analytics is EU-hosted (PostHog EU), events-only, with no session recording.
5. Who we share data with (processors and recipients)
We share personal data only as needed, with vetted processors who act on our documented instructions: our authentication provider (creator sign-in), Razorpay (payments, subscriptions, and creator payouts), our transactional email provider, our analytics provider (PostHog EU, only if you consent to analytics), and our cloud hosting and object-storage providers. Each processor is bound by contract to process data only for these purposes and to keep it secure.
We do not sell your personal data and we do not use it for third-party advertising. We may disclose data where required by law or to protect the rights, safety, and security of users and the Platform. A current list of processors is available on request through Ostrya support.
6. Where your data is processed
We host the Platform and process data with reputable cloud providers. Analytics, when you consent to it, is processed in the European Union (EU data residency). Where data is processed outside India, we do so consistent with the DPDP Act and only with processors bound to protect it. We do not transfer personal data to any jurisdiction restricted by the Government of India under the DPDP Act.
7. How long we keep it (retention and erasure)
We keep personal data only as long as needed for the purpose it was collected for, or as required by law — for example, financial and tax records are retained for the statutory period. When data is no longer needed, automated retention sweeps and an erasure registry delete or anonymise it. When you exercise a valid right to erasure, we remove or anonymise your personal data except where we are legally required to retain specific records.
8. Your rights as a data principal
Right to access: obtain a summary of the personal data we process about you and the processing activities.
Right to correction and completion: have inaccurate or incomplete data corrected or updated.
Right to erasure: have your personal data deleted where it is no longer needed and no legal obligation requires us to keep it.
Right to withdraw consent: turn off any consent-based processing (such as analytics) at any time, as easily as you gave it.
Right to grievance redressal: raise a concern with our Grievance Officer and receive a timely response.
Right of nomination: nominate another individual to exercise your rights in the event of your death or incapacity.
To exercise any right, contact us through Ostrya support; we use a verified privacy-request workflow and respond within the timelines the DPDP Act requires. We may need to verify your identity before acting, to protect your data from unauthorised requests.
9. How we protect your data
We apply role-based access controls, strict tenant isolation, encryption in transit, signed and verified payment callbacks, audit logging of privileged actions, secret management without plaintext credentials, and least-privilege practices throughout. We design new features to fail closed and to derive identity, amounts, and tenancy from authoritative server state rather than from the browser. No system is perfectly secure, but we work continuously to protect your data and to detect, contain, and respond to incidents.
If a personal-data breach occurs that is likely to affect you, we will notify the affected data principals and the Data Protection Board of India as required by the DPDP Act.
10. Your responsibilities as a creator
If you are a creator, you are the data fiduciary for the learner data you collect through your courses and websites; Ostrya is your processor for that data. You are responsible for having a lawful basis and your own privacy notice for your learners, for honouring their rights, and for not uploading children's or special-category data without a valid basis. We provide the tools (masking, retention, erasure, audit) to help you meet these duties.
11. Changes to this policy
We may update this policy as the Platform and the law evolve. We will post the updated version here and change the “Last updated” date above; where a change materially affects you or relies on your consent, we will seek fresh consent or give you notice as the DPDP Act requires.
Questions? Visit Ostrya support. Creator-published legal pages live on each tenant’s own website and are separate from these platform policies.
