top of page

Terms & Conditions

Last updated: February 12, 2026

Controller: Idasara Digital (Pvt) Ltd (“Idasara”, “we”, “us”)

Registered Address: No. 1/A/11, Araliya Uyana, Udammita, Ja-Ela 11350, Sri Lanka

Support & Privacy Requests: support@idasara.org

 

This Privacy Policy explains how we collect, use, disclose, transfer, and protect personal data when you use Idasara Academy (the “Service”), including our websites, mobile apps, AI-enabled learning tools, and AI agents.

 

We process personal data in accordance with Sri Lanka’s Personal Data Protection Act, No. 9 of 2022 (“PDPA”) and applicable laws, and we apply internationally recognized data protection principles, including purpose limitation, data minimization, transparency, storage limitation, integrity/confidentiality, and accountability.

 

Summary (plain language)

  • We collect account details, learning progress, device/cookie data, and AI interaction data to provide, secure, and improve the Service.

  • We use data for personalization, analytics, safety/integrity, billing, and support.

  • We do not sell personal data and we do not permit third parties to buy personal data for behavioral advertising.

  • We share data only with vetted service providers and, where applicable, authorized School/Organization administrators as described below.

  • You can request access, correction, deletion, and other rights subject to applicable law (including the PDPA) and permitted exceptions.

  • The Service may be used by minors; use by users under 18 requires parent/guardian or School/Organization authorization as described below.

 

1) Key Definitions

Account: your registered profile to access the Service.

AI Agents: AI-enabled assistants/tutors that generate outputs based on your inputs and available context.

Controller: the entity that determines the purposes and means of processing Personal Data.

Processor: an entity that processes Personal Data on behalf of a Controller.

Personal Data: information that identifies you or could reasonably identify you (directly or indirectly).

Processing: any operation performed on Personal Data (collection, storage, use, disclosure, transfer, deletion, etc.).

School/Organization: an entity (e.g., a school) that provides accounts to users as a tenant/admin customer.

User Content: content you submit through the Service (including prompts, messages to AI Agents, files, feedback).

Scholarship Program: any discounted/free-access program administered by Idasara, including exam-based eligibility (for example, Grade 5 Scholarship Exam, G.C.E. O/L, G.C.E. A/L, or similar verified criteria).

Calendar Month / Month: A period starting on a specific day of one month and ending on the corresponding day of the next month. For example, December 5 to January 4 constitutes one calendar month.

 

2) Who This Policy Applies To

This policy applies to:

  • Students and individual users

  • Parents/guardians

  • Teachers and School/Organization users

  • Scholarship applicants and scholarship users

 

If you use the Service through a School/Organization, that School/Organization may also have its own policies and rules. Idasara processes Personal Data to provide the Service and, where applicable, acts on a School/Organization’s documented instructions for tenant-managed accounts. A School/Organization may control certain account-administration decisions (for example, enrollment, role assignment, and access management).

 

Rights requests should be directed to Idasara as set out in Section 14, unless the School/Organization instructs users to submit requests through the School/Organization for tenant-controlled data.

 

3) What We Collect

We collect Personal Data in three main ways: (A) what you provide, (B) what the Service generates as you learn, and (C) what is collected automatically.

 

3.1 Data you provide directly

Account & identity data: name, email, phone number, date of birth/age band, password (stored in hashed form), and identifiers such as an Idasara Global ID (e.g., IDPL/YYYYMM/XXXXXXX).Education profile: grade level, curriculum, subjects, targets, and exam dates (if provided).Communications: support requests, feedback, survey responses, and messages to our team.

Scholarship Program data: information submitted to assess eligibility (for example, proof of exam results/achievement or other program-specific verification). We do not require sensitive data for normal use; if verification is needed, we will specify what is required.

 

3.2 Learning and AI interaction data

AI interaction data: prompts/messages exchanged with AI Agents, files or text you submit to the AI, and relevant learning context used to provide the session.

Learning activity: quizzes, scores, progress indicators, time spent, topics attempted, streaks, and learning misconceptions.

Outputs produced for you: study plans, explanations, hints, recommendations, and other generated learning artifacts.

 

3.3 Automatically collected data

Device/technical data: IP address, device model, operating system, app version, browser type, language, timestamps, crash logs, and security events.

Cookies and similar technologies: identifiers and events (see Section 11).

 

3.4 Payment data

Payments are processed by PayHere. We receive limited payment-related data such as transaction ID, amount, currency, and payment status. We do not store full card numbers on our servers.

 

3.5 Sensitive data

We do not request sensitive personal data (e.g., health, biometrics, political opinions) for standard learning use. However, free-text fields and AI chats may contain sensitive information if users enter it.

Please avoid entering sensitive data into AI chats or uploads.

 

4) How We Use Personal Data

We process Personal Data for legitimate educational and operational purposes, including:

  1. Provide and operate the Service (account creation, authentication, delivering lessons/tools).

  2. Personalization (tailored study plans, identifying weak areas, adaptive learning experiences).

  3. Analytics and insights (improving content, measuring usage, feature effectiveness, reliability).

  4. Safety, integrity, and security (preventing abuse, harassment, cheating facilitation, fraud, and protecting accounts).

  5. Support and communications (responding to requests, troubleshooting, service notices).

  6. Billing and administration (subscriptions, invoices/receipts, payment reconciliation).

  7. Scholarship Program administration (eligibility assessment, access provisioning, anti-fraud checks, program reporting).

  8. Legal compliance and enforcement (responding to lawful requests, enforcing our Terms, and maintaining required records).

  9. Product improvement and research (using aggregated or de-identified insights where feasible, and applying safeguards where identifiable data is necessary).

We do not use personal data to enable third parties to deliver behavioral advertising based on your activity across non-Idasara websites or services.

 

5) Legal Basis / Justification 

Depending on the context, we rely on one or more lawful bases consistent with the PDPA and applicable law:

  • Contract necessity: processing needed to provide the Service you request.

  • Consent: where required (for example, certain cookies, optional features, or minor authorization workflows where applicable).

  • Legitimate interests: improving and securing the Service, preventing fraud, performing analytics - balanced against your rights and reasonable expectations.

  • Legal obligation: processing required to comply with applicable laws, lawful requests, or regulatory requirements.

Where a School/Organization provides your account, processing may also be based on the School/Organization’s lawful authority and documented instructions (as applicable).

 

6) AI Agents, Monitoring, and Automated Processing

 

6.1 How AI uses data

AI Agents process your inputs and relevant learning context to generate responses (e.g., explanations, plans, quizzes). We may also use interaction patterns to:

  • improve quality and reliability of AI features;

  • detect misuse (e.g., cheating facilitation, harassment, prompt abuse, fraud);

  • maintain platform safety and integrity.

Where feasible, we use aggregated or de-identified insights for product improvement.

We may use AI interaction data to improve Service features (for example, to fix errors, improve safety controls, and enhance learning quality). Where feasible, we use aggregated or de-identified insights. If identifiable AI interaction data is used beyond providing the user-requested session (for example, for feature improvement requiring identifiable context), we apply access controls, minimization, and legal-basis requirements, and obtain consent where required by applicable law.

We do not provide AI interaction data to third parties for their independent model training for advertising purposes.

 

6.2 Student–AI confidentiality boundary (parent/teacher visibility)

We aim to protect a student’s ability to learn freely while providing appropriate oversight tools.

By default:

  • Parents/guardians and teachers typically see high-level learning insights (e.g., time spent ranges, topic coverage, progress indicators, completion milestones).

  • We do not provide raw, complete, minute-by-minute AI chat transcripts to parents/teachers by default.

Access to more detailed information (which may include relevant portions of AI interaction content, account activity logs, and related metadata) may be provided only where necessary and proportionate, including:

  • to address safety concerns (e.g., self-harm threats, abuse indicators, harassment, serious misconduct);

  • to investigate integrity/security incidents (e.g., account compromise, fraud, cheating facilitation at scale);

  • to comply with legal obligations or lawful requests; or

  • where a School/Organization is lawfully authorized and required to investigate serious misconduct within its tenant.

Where feasible and appropriate, we apply necessity and proportionality controls and limit disclosure to what is needed for the specific purpose.

 

6.3 Logging, monitoring, and human review (necessity-based)

AI chat inputs/outputs and related events may be logged for:

  • session continuity, quality assurance, and debugging;

  • security monitoring and integrity investigations;

  • abuse prevention and enforcement of our Terms.

We may conduct limited human review of content for support, debugging, safety investigations, or legal compliance, under:

  • role-based access controls (RBAC);

  • access logging and internal approvals; and

  • necessity-based review (review only what is needed for the task).

 

6.4 Automated recommendations

The Service may provide automated recommendations (e.g., study plans, weak-area detection). These are intended to support learning and do not constitute decisions producing legal effects. Users remain responsible for how they use recommendations. If you believe a recommendation materially affects your learning experience due to an error, you may contact support for review and clarification.

 

7) How We Share Personal Data

We share Personal Data only as described here.

 

7.1 Service providers (processors)

We use vetted vendors to operate the Service, such as:

  • Cloud hosting/infrastructure: Azure

  • Analytics & performance monitoring: Google Analytics, Firebase

  • Email/support operations: Idasara systems and support channels (support@idasara.org)

  • Payments: PayHere

 

We require service providers to:

  • process Personal Data only on our documented instructions;

  • apply appropriate technical and organizational security measures; and

  • limit onward sharing consistent with applicable law and our contracts.

These providers may process device/technical data, usage events, and performance logs to support Service delivery, analytics, and reliability, subject to our configurations and safeguards.

 

7.2 Schools/Organizations (tenant administration)

If you use the Service through a School/Organization, authorized administrators may access:

  • account administration data (e.g., enrollment, role, access status); and

  • high-level learning insights for users within their own tenant (as described in Section 6.2).

We design for tenant isolation so one School/Organization cannot access another tenant’s user data.

 

7.3 Legal and safety disclosures

We may disclose information when we reasonably believe it is necessary to:

  • comply with law, regulations, court orders, or lawful requests;

  • protect users, the public, or the Service;

  • investigate fraud, security incidents, or policy violations.

 

7.4 Business transfers

If we undergo a merger, acquisition, restructuring, or asset transfer, Personal Data may be transferred as part of that transaction, subject to appropriate safeguards and notices where required.

 

8) We Do Not Sell Personal Data

We do not sell Personal Data. We do not permit third parties to buy your Personal Data for behavioral advertising (for example, ads targeted based on your activity across other companies’ websites/apps).

We use service providers (such as analytics and infrastructure vendors) to process data on our behalf to operate, secure, and improve the Service. We configure and limit analytics to reduce data collection where feasible and require appropriate contractual and security safeguards for processing. Service providers’ processing may also be governed by their own terms and privacy policies, which you should review.

 

9) International Users and Cross-Border Transfers

Because we may use global infrastructure and service providers, Personal Data may be processed outside Sri Lanka (and outside your country).

Where Personal Data is processed outside Sri Lanka, we implement appropriate safeguards as required by applicable law, which may include contractual protections with service providers, access controls, encryption in transit, vendor due diligence, risk-based assessments, and data minimization and purpose limitation for transfers.

 

10) Data Retention

We retain Personal Data only as long as needed for the purposes described in this policy, unless a longer period is required or permitted by law.

Retention periods expressed in “months” are Calendar Months/Months as defined in Section 1.

 

10.1 Retention table (typical)

Data Category

Purpose

Typical Retention Period

Account & identity data

Provide account, authentication, support, security

While account is active; then up to 12 Months after closure unless legal/safety/dispute needs require longer

Education profile

Personalization, learning continuity

While account is active; then up to 12 Months after closure (unless you request deletion and no exception applies)

Learning history (scores, progress, streaks)

Learning continuity, progress tracking, integrity

While account is active; then up to 12 Months after closure (some integrity records may be retained longer if needed for fraud/safety/legal reasons)

AI interaction data (inputs/outputs)

Session continuity, quality, safety/integrity, support

While account is active; then up to 12 Months after closure (flagged/safety-related records may be retained longer under legal/safety need)

Support communications

Respond to requests, service improvement, dispute handling

Up to 24 Months after ticket closure (or longer if dispute/legal hold applies)

Device/technical data, crash logs

Security, reliability, debugging

Up to 12 Months

Security/audit logs (access, admin actions)

Security monitoring, investigations, compliance

Up to 12 Months (or longer if incident/legal hold applies)

Payment records (transaction ID, status)

Billing, reconciliation, compliance

As required to comply with applicable accounting, tax, and audit obligations; typically up to 7 years (or longer if legally required)

Scholarship verification records

Eligibility verification, anti-fraud, audits

Duration of benefit + up to 24 Months after benefit ends (or longer if audit/legal hold applies)

Consent/authorization records (e.g., guardian/school authorization logs, if collected)

Compliance and accountability

While account is active + up to 24 Months after closure

 

10.2 Deletion and de-identification

When you request deletion and deletion is permitted, we will delete or de-identify relevant Personal Data without undue delay and typically within one Month (a Calendar Month/Month as defined in Section 1) after verifying the request, subject to:

  • technical constraints (e.g., backups);

  • legal obligations; and

  • safety, fraud-prevention, or dispute-resolution needs (legal hold).

Backups may persist for limited periods; during that time, we restrict access and use.

 

11) Cookies and Similar Technologies

We use cookies and similar technologies for:

  • Essential functions: login, session management, security

  • Preferences: language and settings

  • Analytics/performance: understand usage and improve reliability

Some cookies/technologies are strictly necessary for the Service to function and cannot be disabled through cookie preference controls.

 

Your choices:

  • You can manage cookies through your browser/device settings.

  • Disabling certain cookies may reduce functionality.

  • Where we provide cookie controls (for example, a cookie banner or in-app settings), you can adjust them there.

  • Where consent is required by applicable law for certain cookies/technologies, we will seek and record consent through available cookie controls, and you may withdraw consent by changing those settings.

 

12) Security

We implement reasonable technical and organizational safeguards appropriate to the risks of processing, such as:

  • encryption in transit (TLS);

  • access controls (RBAC) and least-privilege access;

  • secure configurations and monitoring;

  • logging and audit trails for privileged access; and

  • incident response procedures.

No system is completely secure. We cannot guarantee absolute security of Personal Data.

 

13) Incident and Breach Notification

If we become aware of a personal data breach that is likely to result in significant harm or requires notification under applicable law, we will take reasonable steps to:

  • investigate and contain the incident;

  • mitigate potential harms; and

  • notify affected users and/or relevant authorities where required by applicable law, and where feasible include available information about the nature of the incident, likely impacts, and steps users can take.

Where we notify users, we may do so via email, in-app notice, or other reasonable communication channels linked to the Account.

 

14) Your Rights and Choices

Subject to applicable law (including the PDPA) and permitted exceptions, you may have rights to:

  • access your Personal Data;

  • correct inaccurate or incomplete Personal Data;

  • delete Personal Data (subject to legal/legitimate retention needs);

  • restrict or object to certain processing;

  • withdraw consent where processing is based on consent;

  • receive a copy of certain data in a portable form where required.

 

How to make a request

Email support@idasara.org with subject “Privacy Request” and include:

  • your Account email; and

  • the request type (access/correction/deletion/etc.).

We may verify your identity and authority (especially for parents/guardians and School/Organization admins). We aim to respond without undue delay and typically within one Month (a Calendar Month/Month as defined in Section 1). If a request is complex, we may take additional time where permitted by applicable law and will inform you of the reason.

 

15) Children and Minors (Under 18)

For users under 18, the Service is intended to be used only with authorization by (i) a parent/legal guardian, or (ii) a School/Organization acting within its lawful authority.

We may implement reasonable verification steps (for example, parent/guardian email confirmation, guardian-linked account controls, or School/Organization administrator enablement) and may restrict or suspend access until authorization is verified.

 

Parents/guardians may request access to and/or deletion of a minor’s account data subject to legal constraints and the confidentiality boundary in Section 6.2, and we limit default parent/teacher visibility to high-level insights as described in Section 6.2.

If we reasonably believe a minor is using the Service without required authorization, we may restrict or suspend the Account until authorization is verified.

 

16) Scholarship Program Privacy Notes

If you apply for or use a Scholarship Program:

  • we process eligibility and verification data (including exam-based proof where relevant) to administer the program;

  • we may run reasonable anti-fraud checks;

  • scholarship access may be revoked for misuse or fraud in accordance with our Terms;

  • scholarships are access-based benefits (not monthly cash payments).

 

17) Changes to This Privacy Policy

We may update this Privacy Policy. We will post the updated version and change the “Last Updated” date. For material changes, we will provide additional notice where feasible (e.g., in-app notice or email).

 

18) Contact Us and Complaints

Privacy Contact & Support: support@idasara.org

Address: No. 1/A/11, Araliya Uyana, Udammita, Ja-Ela 11350, Sri Lanka

 

If you have concerns we cannot resolve, you may have a right to complain to the relevant data protection authority in your jurisdiction. For Sri Lanka, you may submit a complaint to the authority designated under the PDPA for data protection matters. You may also seek legal remedies available under applicable law.

bottom of page