Privacy Policy

Last updated: 21 May 2026

Cosmos Tutorial ("we", "our", or "us") operates a SaaS platform for tutoring institutes, including a web-based admin portal and a mobile parent application. This Privacy Policy explains what personal data we collect, why we collect it, who we share it with, and how we protect it.

Role clarification: Institutes that use Cosmos Tutorial are the data controllers — they decide what student and parent data to enter into the platform. Cosmos Tutorial acts as a data processor on their behalf. By using this platform, institutes accept responsibility for obtaining appropriate consent from their students and parents.

By using Cosmos Tutorial as an administrator, teacher, or parent, you agree to this policy.

1. Information We Collect

Institute Administrators & Teachers

  • Full name and email address (used for login and identification)
  • Role and institute affiliation
  • Device push notification token (for system and attendance alerts)
  • Browser web push subscription (for notifications in the admin portal)

Parents

  • Full name and email address (used for app login)
  • Phone number (for WhatsApp notifications, if enabled by the institute)
  • Device push notification token (to receive attendance, fee, and weekly report alerts)
  • Selected student preference (stored locally on device)

Students

  • Full name, grade, and batch enrollment
  • Unique student code (used to map to biometric attendance devices, if enabled)
  • Attendance records — check-in/check-out times, dates, and status (present, absent, late)
  • Test marks, questions answered, and academic performance by subject and topic
  • Concept-level performance data (chapter, micro-topic scores)
  • AI-generated weekly performance summary (see Section 4)
  • School name, board, and address (optional)
  • Phone number (optional)
  • Fee records — monthly amount, payment status, collection date, and digital receipt
  • Homework and study material access records

Automatically Collected

  • App error reports, crash logs, and stack traces (via Sentry — see Section 6)
  • Device type and operating system version
  • Page performance metrics on the admin portal (via Vercel Speed Insights)
  • Security logs: failed login attempts, rate-limit events, and anomalous API access (retained for 30 days)
  • Notification delivery logs: recipient, message preview, channel (push or WhatsApp), delivery status, and timestamp (retained for 90 days)

2. How We Use Your Information

  • To provide attendance tracking, marks entry, homework management, and fee collection features
  • To send push notifications and WhatsApp messages to parents about attendance, test results, fees, and notices
  • To automatically generate AI-powered weekly performance reports for each student (see Section 4)
  • To allow institute administrators to manage batches, students, and teachers
  • To record biometric attendance check-ins and check-outs (if the institute uses biometric devices)
  • To issue and track digital fee receipts
  • To maintain platform security, prevent unauthorised access, and investigate incidents
  • To communicate important service updates or changes to this policy

3. Data Storage & Security

All data is stored on Supabase, a cloud database platform hosted on AWS (Asia Pacific — Mumbai region where available). Row-level security (RLS) is enforced at the database level, meaning each institute can only access its own data. No cross-institute data access is possible.

All data is encrypted at rest and in transit using TLS/SSL. Push notification tokens and web push subscriptions are stored in our database and used solely for delivering notifications to the correct device. They are never used for advertising or shared for any purpose beyond notification delivery.

File uploads (fee receipts, homework materials, institute logos) are stored in Supabase Storage with access controlled by institute-level permissions.

4. AI-Powered Weekly Reports

Every week, Cosmos Tutorial automatically generates a performance summary for each student using Google Gemini AI (a generative AI service provided by Google LLC). To produce each report, the following student data is transmitted to Google's servers:

  • Student first name
  • Attendance count for the week
  • Average test score and improvement trend
  • Strong and weak topics by subject
  • Batch and week date range

Google processes this data to generate a written summary in English. The generated report is stored in our database and delivered to the parent via the app and WhatsApp (if enabled). No student surname, contact details, or financial data is sent to Google.

Google's use of data submitted via the Gemini API is governed by Google's API Terms of Service and their AI/ML privacy terms. Google does not use API-submitted data to train their public models.

If your institute does not want AI-generated reports, contact us at support@cosmostutorial.com and we can disable this feature for your account.

5. Third-Party Services & Data Sharing

We do not sell, rent, or share personal data for marketing purposes. Data is shared with the following service providers solely to operate the platform:

Supabase (Database & Storage)

All structured data (users, students, attendance, marks, fees) and file uploads are stored on Supabase. Supabase acts as a sub-processor. Data is encrypted at rest and protected by RLS.

Expo (Mobile Push Notifications)

Parent device push tokens and notification payloads (title, body) are sent to Expo's push notification service (exp.host) to deliver alerts for attendance, test results, and weekly reports. Expo does not retain notification content.

Vercel (Web Hosting & Analytics)

The admin portal is hosted on Vercel. Vercel may collect basic performance metrics (page load times, Core Web Vitals) via Vercel Speed Insights. No personally identifiable information is collected by Vercel Analytics.

Google Gemini AI (Report Generation)

Limited student performance data is sent to Google's Gemini API for weekly report generation. See Section 4 for full details of what is shared.

WhatsApp / Interakt (Messaging)

If an institute enables WhatsApp notifications, parent phone numbers and message content (student name, attendance summary, test scores) are sent to our WhatsApp messaging provider (Interakt, powered by Meta's WhatsApp Business API) to deliver messages. Phone numbers are used only for message delivery and are not stored by Interakt beyond delivery processing.

WhatsApp messages are only sent to phone numbers that the institute has registered as parent contacts. Parents who do not wish to receive WhatsApp messages may ask their institute administrator to remove their phone number from the platform.

Sentry (Error Monitoring)

We use Sentry to capture application errors and crashes. Error reports may include request metadata, user role, and stack traces to help us diagnose issues. We do not intentionally include student academic data or personal details in error reports. Sentry data is retained for 90 days.

Legal Compliance

We may disclose data if required by Indian law, a valid court order, or a lawful request from a government authority.

6. Biometric Attendance Devices

Some institutes connect hardware biometric attendance devices (fingerprint or RFID readers) to Cosmos Tutorial. When enabled, each student is assigned a unique numeric code that is registered on the device. When a student checks in or out, the device sends the student code and timestamp to our platform via a secure webhook.

We do not store fingerprint data or biometric templates. Only the student code (a numeric ID) and the check-in/check-out timestamp are stored in our database. The biometric processing itself happens entirely on the institute's hardware device and is not transmitted to us.

Institutes are responsible for obtaining appropriate consent from students and parents before deploying biometric attendance devices.

7. Push Notifications & Communication Logs

The platform delivers notifications through three channels:

  • Mobile push (Expo): Sent to parent devices via Expo's push service. Parents can opt out at any time through their device notification settings.
  • Browser push: Admins and teachers can opt into browser notifications in the admin portal. Web push subscriptions (endpoint URLs and encryption keys) are stored in our database. Subscriptions can be revoked at any time through browser settings (Settings → Notifications).
  • WhatsApp: Sent only if the institute has WhatsApp enabled and the parent's phone number is on file. See Section 5.

All notifications sent are logged in our database with the recipient identifier, message preview, channel, delivery status, and timestamp. These logs are retained for 90 days and are used for troubleshooting delivery failures and audit purposes only.

8. Data Retention

We retain different types of data for different periods based on their purpose:

| Data Type | Retention Period |
| --- | --- |
| Student academic records (marks, attendance) | While institute subscription is active; deleted 30 days after account termination |
| Fee payment records | Retained for the duration of the institute subscription (for accounting purposes) |
| AI-generated weekly reports | Retained while the student record is active; deleted with the student record |
| Parent & teacher accounts | Soft-deleted on request; hard-deleted after 30-day grace period |
| Notification delivery logs | 90 days |
| Security & rate-limit logs | 30 days |
| Sentry error reports | 90 days (Sentry's default) |
| Uploaded files (receipts, materials) | Retained while the associated record is active; deleted with the record |

When an account is deleted, data enters a 30-day soft-delete grace period during which it is hidden but not removed. After 30 days, all associated data (students, attendance, marks, fees, notifications) is permanently and irreversibly deleted. Institutes may request immediate hard deletion by contacting us.

9. International Data Transfers

Our primary database is hosted in the Asia Pacific region (Mumbai). However, some of our service providers operate internationally:

  • Google Gemini AI — servers operated by Google LLC, USA
  • Expo push notifications — servers in USA
  • Sentry — servers in USA (Sentry.io, US region)
  • Vercel — edge network distributed globally; build servers in USA
  • Interakt / Meta WhatsApp — Meta's infrastructure, USA and globally

By using Cosmos Tutorial, you acknowledge that data may be processed outside India for the purposes described above. We ensure each provider maintains industry-standard security and encryption protections.

10. Children's Privacy

Our platform serves educational institutes that manage student records, which frequently include minors. We do not directly collect data from children. All student data is entered by authorised institute administrators or teachers on behalf of the institute. Parents and guardians access only their own child's records through the parent app.

Institutes are responsible for ensuring they have obtained appropriate consent from parents or guardians before entering student data into the platform, particularly for students under 18.

Fingerprint and biometric data is never transmitted to or stored by Cosmos Tutorial. See Section 6.

11. Your Rights

You have the right to:

  • Access — request a copy of personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and all associated data
  • Opt out of push notifications — at any time via your device or browser settings
  • Opt out of WhatsApp messages — ask your institute administrator to remove your phone number
  • Opt out of AI reports — institutes can disable AI weekly reports; contact us
  • Data portability — request your data in a machine-readable format

To exercise any of these rights, email us at support@cosmostutorial.com with the subject line "Data Request". We will respond within 30 days. For complex requests we will notify you of any extension.

Note: For student data, requests must be made by the institute administrator or the parent/guardian. We cannot action individual student data requests directly — the institute, as data controller, must initiate them.

12. Session Storage & Cookies

The admin web portal uses browser session cookies (managed by Supabase Auth) to maintain your login state. These cookies contain an encrypted session token and expire when you log out or when the session expires. No persistent tracking cookies are used.

The parent mobile app stores the selected student preference locally on the device using encrypted device storage (Expo SecureStore / AsyncStorage). This data never leaves the device.

We do not use third-party advertising cookies, cross-site tracking pixels, or any form of behavioural advertising technology.

13. Data Breach Notification

In the event of a data breach that may compromise personal data, we will:

  • Notify affected institutes within 48 hours of becoming aware of the breach
  • Notify affected end-users (parents, teachers) within 72 hours where required by applicable law
  • Provide details of what data was affected, likely consequences, and steps being taken
  • Cooperate with Indian regulatory authorities as required

To report a suspected security vulnerability, contact us immediately at support@cosmostutorial.com.

14. Institute Responsibilities

Institutes using Cosmos Tutorial are data controllers under applicable privacy law. By using the platform, institutes agree to:

  • Obtain appropriate consent from parents/guardians before enrolling students
  • Inform parents about the use of AI-generated reports and WhatsApp notifications
  • Ensure student data entered is accurate and limited to what is necessary
  • Handle data subject requests from parents and students in a timely manner
  • Not upload sensitive categories of data (health records, financial account numbers) beyond what the platform is designed to handle

15. Changes to This Policy

We may update this Privacy Policy from time to time as our features change or legal requirements evolve. Updates will be posted at this URL with a revised "Last updated" date. For significant changes, we will notify institute administrators via email or an in-app notice at least 7 days in advance. Continued use of the platform after changes take effect constitutes acceptance of the revised policy.

16. Contact Us

For privacy-related questions, data requests, or to report a security concern:

Cosmos Tutorial
Email: support@cosmostutorial.com
Subject line for data requests: Data Request
Response time: Within 30 days
India