Privacy policy

This policy applies to every public-facing CampusOS surface — the marketing site at campusos.app, the authenticated product at app.campusos.app, email we send to users, customer support channels, and any mobile surfaces we release under the CampusOS brand. It does not cover third-party websites we link to, even when the link appears inside our product.

CampusOS operates as the data controller for student accounts created directly on the platform. When an institution rolls out CampusOS under a separate agreement, the institution acts as controller for roster data they upload, and CampusOS acts as processor for that data — the terms of the applicable data processing addendum then govern.

We group the data we handle into five clear categories so you can see exactly what is involved. We collect the minimum needed to operate each category and nothing beyond.

• Operate your account — authentication, password reset, session continuity, and account recovery flows.
• Run product features — generate AI summaries, create flashcards from PDFs, personalise your dashboard, schedule revision, route marketplace messages, and surface events on your campus.
• Keep the service reliable — measure performance, detect crashes, mitigate abuse, and investigate security incidents.
• Handle payments — process subscriptions, issue invoices, apply refunds, and comply with tax and accounting rules.
• Communicate with you — send transactional emails, service-critical notices, and optional product updates you can unsubscribe from at any time.
• Improve CampusOS — analyse aggregated usage patterns to decide what to build, what to remove, and what to invest in next.
• Meet legal and regulatory duties — respond to lawful requests, enforce our terms, and defend CampusOS in any legal claim.

We do not profile students for advertising, we do not run ad networks, and we do not feed account data into third-party behavioural-targeting platforms.

Under GDPR, India’s Digital Personal Data Protection Act 2023, and comparable laws, we rely on the following legal bases:

• Contract — processing needed to deliver the CampusOS service you signed up for (account operation, subscription handling, support).
• Legitimate interest — product reliability, fraud prevention, internal analytics at an aggregate level, and communications about service changes.
• Consent — optional email updates, non-essential cookies, and participation in research studies. Consent can be withdrawn at any time without losing the service.
• Legal obligation — tax records, anti-money-laundering checks, and responses to lawful requests from public authorities.

We do not sell personal data. We share only the minimum needed with named service providers, each bound by a written processing agreement and assessed for security before onboarding.

• Cloud hosting (primary compute, storage, and database) — infrastructure providers running in Indian and EU regions with SOC 2 Type II and ISO 27001 certifications.
• Payments — a PCI-DSS Level 1 processor handles card data; CampusOS only sees masked identifiers and transaction metadata.
• Transactional email — delivery providers that send password resets, invoices, and service notices. They process delivery metadata only.
• Error telemetry — a crash-reporting service that ingests stack traces; personal identifiers are redacted before sending.
• Support tooling — a ticketing platform used by our support team; access is least-privilege and audit-logged.
• Campus institutions — where your account is part of an institutional rollout, your institution's designated admin can see the roster data they uploaded and the aggregate engagement signals defined in their contract.

We will disclose information if compelled by a valid legal order from a competent authority. Where the law allows, we notify the affected user before complying.

Primary production data stays in India and the European Union. Limited categories of data may be transferred to providers located in the United States or the United Kingdom — for example, email delivery and error telemetry. These transfers are covered by Standard Contractual Clauses (for EU data subjects) and contractual safeguards that mirror the protections required under the Indian DPDP Act. We do not transfer data to jurisdictions subject to a negative adequacy decision without equivalent additional safeguards.

• Active account data — kept while your account is active and for up to 30 days after a verified deletion request, to allow recovery in case the request was made in error.
• Backups — encrypted backups rotate out within 90 days of deletion.
• Billing and tax records — retained for up to 7 years, as required by Indian tax law and financial regulations.
• Support tickets — kept for up to 3 years so recurring issues have context; stripped of sensitive fields on closure.
• Security logs — kept for up to 18 months to investigate incidents and preserve forensic trails.
• Marketing lists — deleted within 30 days of unsubscribe.

• Encryption in transit using TLS 1.2+ for every request between browsers, mobile, and our servers, and at rest using AES-256 on cloud-managed volumes and databases.
• Access control on a least-privilege model. Production access is limited to on-call engineers, requires multi-factor authentication, and every action is audit-logged.
• Password hashing using a modern memory-hard algorithm; plain-text passwords are never stored or transmitted to our servers.
• Network isolation with private subnets, WAF rules in front of the public edge, and rate limits on authentication endpoints.
• A bug bounty and responsible disclosure path at security@campusos.app; triaged within 72 hours on business days.
• Regular dependency scanning, secret scanning in our CI pipeline, and external penetration tests at least once per year.

No system is perfectly secure. If we detect a personal data breach that creates a risk to a user, we will notify the affected users and, where required, the relevant supervisory authority within the statutory window (72 hours under GDPR).

Depending on your jurisdiction, you have the right to access, correct, export, restrict, object to, or delete the personal data we hold about you. You may also withdraw consent, lodge a complaint with your supervisory authority, and ask us not to subject you to purely automated decisions.

• Access — request a structured export of your account, uploaded content, and activity log.
• Correction — update inaccurate data yourself through account settings, or email privacy@campusos.app.
• Deletion — request account erasure from within Settings → Account, or by email from the linked address.
• Portability — receive a machine-readable (JSON) copy of data you provided, so you can move it to another service.
• Restriction & objection — ask us to pause processing while a dispute is being resolved.
• Complaint — contact your local supervisory authority if you believe your rights are not being respected.

We respond within 30 days. If we need more time for complex requests, we write back before the 30-day mark to explain why. Where we cannot action a request — for example, because a retention obligation overrides deletion for billing records — we explain the exact legal basis in writing.

CampusOS is intended for students aged 16 and above. We do not knowingly collect data from children under 13. If you believe a child under 13 has created a CampusOS account, email privacy@campusos.app and we will investigate and remove the account within 7 days. For users aged 13 to 15, a parent or guardian must give verifiable consent before the account can be fully activated in jurisdictions that require it.

When we make material changes to this policy, we update the “Last updated” date at the top of the page and notify active users by email at least 14 days before the change takes effect. Minor editorial fixes (typo correction, clearer wording) are applied without notice but never reduce the protections described here.

Write to privacy@campusos.app for anything in this policy, including rights requests, questions about a specific processing activity, or complaints. For urgent security matters — such as a suspected compromised account or a vulnerability disclosure — use security@campusos.app instead.