Privacy Policy — EduSpark

1. Introduction

This Privacy Policy explains how Kash Developers (Pvt) Ltd, the company behind EduSpark ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use the EduSpark platform at eduspark.lk.

We are committed to protecting the privacy of all users — including students, teachers, and administrators — in accordance with the Personal Data Protection Act No. 9 of 2022 (PDPA) of Sri Lanka and other applicable laws.

By creating an account or using EduSpark, you agree to the collection and use of your information as described in this policy. If you do not agree, please do not use the platform.

2. Who We Are

Data Controller: Kash Developers (Pvt) Ltd
Platform: EduSpark — eduspark.lk
Contact: privacy@eduspark.lk

3. What Data We Collect

We collect only the data necessary to provide our services. This includes:

3.1 Account & Profile Data

Full name and email address
Password (stored as a one-way cryptographic hash — never in plain text)
Profile photo (optional, uploaded by you)
Role (student, teacher, or administrator)
Preferred language and medium of instruction
Google account ID (only if you sign in with Google)

3.2 Academic Profile Data

Grade level (O/L or A/L year)
School name and district
Bio stream (e.g. Science, Arts, Commerce) and curriculum type (Local, Cambridge, Edexcel)
Teachers only: teaching speciality, institution, biography, and website URL

3.3 Usage & Activity Data

Exam attempts: questions answered, answers submitted, time taken, and scores
Progress metrics: XP points, level, daily study streak
Dates and times of account activity
Classroom membership and assigned papers (where applicable)

3.4 Technical Data

Authentication tokens (used to keep you logged in — stored in your browser)
IP address (collected by our hosting provider for security purposes)

4. How We Use Your Data

We use your personal data for the following purposes:

Providing the service: To operate your account, display your exam results, and personalise your learning experience.
Communication: To send account-related emails such as email verification, password reset, and important service notices.
Progress tracking: To calculate scores, award XP, maintain streaks, and display performance analytics to you.
Classroom features: To allow teachers to assign papers, post announcements, and share resources with enrolled students.
Platform improvement: To monitor performance, fix bugs, and improve the platform. Aggregated and anonymised usage data may be used for this purpose.
Legal compliance: To comply with applicable Sri Lankan laws and to protect the rights and safety of our users.

We do not sell your personal data to any third party. We do not use your data for advertising profiling or behavioural tracking.

5. Third-Party Services

To operate EduSpark, we use the following third-party services. Each has its own privacy policy.

Railway (railway.app) — Our hosting and database provider. Your data is stored on Railway's infrastructure. Railway is SOC 2 compliant. Railway Privacy Policy
Resend (resend.com) — Our email delivery provider. Your name and email address are transmitted through Resend when we send you emails (e.g. verification, password reset). Resend Privacy Policy
Google (accounts.google.com) — If you choose to sign in with Google, your Google account ID and email address are shared with us by Google. We do not receive your Google password. Google Privacy Policy

These providers are used solely to deliver our services. We do not authorise them to use your data for any other purpose.

6. Data Retention

We retain your personal data for as long as your account is active and as necessary to provide our services.

Active accounts: Data is retained for the lifetime of your account.
Account deletion: When you request account deletion, your personal data will be permanently erased within 30 days. During this period your account is deactivated and no longer accessible.
Exam records: Anonymised, non-identifiable aggregate statistics may be retained after deletion for platform analytics (e.g. subject difficulty metrics). These cannot be linked back to you.
Legal holds: In limited circumstances we may retain data longer if required by Sri Lankan law or to resolve a dispute.

7. Children's Privacy

EduSpark is designed for students preparing for Sri Lankan O/L and A/L examinations. The minimum age to register is 13 years. Users under 13 must not create an account.

If a parent or guardian becomes aware that their child under 13 has registered on EduSpark without consent, please contact us at privacy@eduspark.lk and we will promptly delete the account and associated data.

We do not knowingly collect personal data from children under 13.

8. Your Rights Under the PDPA

Under the Personal Data Protection Act No. 9 of 2022, you have the following rights regarding your personal data:

Right to access: Request a copy of the personal data we hold about you.
Right to rectification: Request correction of inaccurate or incomplete data. You can update most profile data directly in your account settings.
Right to erasure: Request deletion of your account and personal data. We will action this within 30 days.
Right to object: Object to processing of your personal data in certain circumstances.
Right to data portability: Request a copy of your personal data in a structured, machine-readable format.
Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@eduspark.lk. We will respond within 30 days.

9. Data Security

We take the security of your data seriously and implement the following measures:

All passwords are hashed using bcrypt (12 rounds) — we cannot see your password.
All data in transit is encrypted using HTTPS/TLS.
Authentication uses short-lived JWT access tokens (24 hours) with rotating refresh tokens.
Our database is hosted on a private, access-controlled cloud environment.
Admin functions require elevated privileges and separate authentication.

No system is 100% secure. In the event of a data breach that affects your personal data, we will notify affected users and the relevant Sri Lankan authorities as required by law.

10. Cookies & Local Storage

EduSpark uses browser localStorage (not cookies) to store your authentication token and preferences (such as language and theme). This data is stored on your device only and is not transmitted to third parties.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will update the "Effective" date at the top of this page and, where appropriate, notify registered users by email. Your continued use of EduSpark after changes are posted constitutes your acceptance of the revised policy.

12. Contact Us

For any privacy-related questions, requests, or concerns, please contact us:

Email: privacy@eduspark.lk
Website: eduspark.lk
Company: Kash Developers (Pvt) Ltd

We aim to respond to all privacy requests within 30 days of receipt.