Privacy Policy

Effective Date: October 21, 2025

1. Introduction and Commitment to Privacy

1.1 Our Commitment

Welcome to Lumsas ("Lumsas," "we," "us," or "our"). We are committed to protecting your privacy and handling your personal data in an open and transparent manner. This Privacy Policy ("Policy") describes how we collect, use, process, share, and safeguard your Personal Data when you ("you," "User," "Data Principal") access or use our platform, website, and associated services (collectively, the "Service").

Our platform is built on trust. For Learners, this means trusting the validity of our Certificates. For Creators, this means trusting us with your intellectual property and channel data. This Policy is designed to be comprehensive and clear, ensuring you understand your rights and our obligations.

1.2 Scope of this Policy

This Policy applies to all Personal Data processed by Lumsas, whether you are a:

• Creator: A User who verifies their YouTube channel ownership to create and sell Exams.
• Learner: A User who registers to purchase and take Exams.
• Visitor: An individual browsing the public-facing areas of our Service.

By accessing or using our Service, you signify that you have read, understood, and agree to our collection, storage, use, and disclosure of your Personal Data as described in this Policy and our Terms of Service.

1.3 Data Fiduciary and Legal Basis

For the purposes of applicable data protection laws, Lumsas is the "Data Fiduciary" of your Personal Data. We are a company registered in India, and our data processing activities are governed by:

• The Digital Personal Data Protection (DPDP) Act, 2023
• The Information Technology (IT) Act, 2000
• The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("IT Rules")

We will only process your Personal Data when we have a lawful basis to do so, as detailed in Section 4 of this Policy.

1.4 Key Definitions

• "Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
• "Processing" means any operation performed on Personal Data, such as collection, storage, use, sharing, alteration, or deletion.
• "Data Fiduciary" means the entity that, alone or in conjunction with others, determines the purposes and means of the Processing of Personal Data (in this case, Lumsas).
• "Data Principal" means the individual to whom the Personal Data relates (in this case, you).

---

2. Information We Collect (Our Data Collection)

We collect Personal Data in three primary ways: data you provide to us directly, data we collect automatically through your use of the Service, and data we receive from third parties (like Google).

2.1 Data You Provide Directly to Us

2.1.1 For All Registered Users (Learners and Creators)

• Account Registration Data: When you create an account (e.g., via Google OAuth or email), we collect your name, email address, and a unique user ID. We may also ask for a password if you don't use a third-party login.
• Profile Information: You may voluntarily add more information to your profile, such as a profile picture, a short bio, or links to your social media profiles.
• Communications Data: When you contact our support team, report an issue, or communicate with us in any way, we collect the content of those communications and any associated metadata.

2.1.2 Specifically for Learners

• Payment Information: When you purchase an Exam, our third-party payment processors (e.g., Razorpay, Stripe) collect your payment details (such as credit/debit card number, UPI ID, or net-banking details). Lumsas does not store your full payment card number or financial account details on our servers. We only receive a transaction token, the last four digits of your card, and confirmation of payment.
• Exam and Performance Data: We collect your answers to Exam questions, your scores, the time taken, and your completion status. This is necessary to issue your Certificate.

2.1.3 Specifically for Creators

• Payout Information: To pay you your Creator Revenue, we collect necessary financial information, such as your bank account number, IFSC code, account holder name, and billing address.
• Tax Information: As required by Indian law, we must collect your Permanent Account Number (PAN) and, if applicable, your Goods and Services Tax Identification Number (GSTIN) for tax reporting and compliance purposes.
• Exam Content Data: We collect the information you add to your Exam, such as custom instructions, pricing details, and any edits you make to the AI-Generated Content.

2.2 Data We Receive from Third Parties

2.2.1 Google / YouTube API Services

This is a critical part of our Service for Creators. To verify your identity and access your content, we use the YouTube API Services.

• Creator Channel Verification Data: When you link your YouTube channel, you will be prompted to authenticate via Google's OAuth screen. By granting permission, you authorize us to securely access specific data from your Google Account. This data is used *exclusively* for the purposes stated. We collect:
  • Basic Profile Info: Your name and email address (to link to your Lumsas account).
  • Channel Ownership Confirmation: We request permissions (e.g., `youtube.readonly`) to confirm that your authenticated account is the owner or manager of the YouTube channel you claim to represent. We receive a secure OAuth token to verify this.
  • Channel Information: We may collect your public channel ID, channel name, and channel icon to display on your Creator profile and Exam pages.
• Creator Content Data: Once you are verified, we use the YouTube API to access the data for the *specific video URLs you submit* to our Service. This includes:
  • The video's public title and description.
  • The video's caption/transcript file.

Our Promise on Google Data:
1. We *only* use this data to provide the Service (i.e., verify you and process your videos).
2. We *never* share this data with any other third party, except as required by law.
3. Our use of this data is subject to the Google Privacy Policy and the YouTube API Services Terms of Service.

2.3 Data We Collect Automatically

• Log and Usage Data: Like most web services, our servers automatically record information ("Log Data") when you use the Service. This Log Data may include your Internet Protocol (IP) address, browser type and settings, device information (e.g., operating system), the date and time of your request, and how you interacted with the Service (e.g., links clicked, pages viewed).
• Cookie Data: We use cookies and similar tracking technologies (like local storage) to operate and improve the Service. Cookies are small data files stored on your device. We use:
  • Essential Cookies: For security and to keep you logged in (session cookies).
  • Analytics Cookies: To help us understand how Users interact with our Service (e.g., Google Analytics).
  • Preference Cookies: To remember your settings (e.g., language).

  You can control or reset your cookies through your web browser settings. Please see our Cookie Policy

2.4 Data We Generate (AI Content and Confidentiality)

2.4.1 Generated Content

Our AI models process the Creator's transcript to create "Generated Content" (summaries and questions). This Generated Content is then stored as part of the Exam on our platform.

2.4.2 Our Core Promise: Transcript Confidentiality

This is a cornerstone of our trust with Creators.

• We treat your raw video transcripts and captions as your Confidential Information.
• Transcripts are fed into our secure, proprietary AI processing pipeline. They are used *only* for the purpose of generating your Exam content.
• **We will never share, sell, rent, or make your raw transcripts visible to any other User (including Learners) or any third party.**
• Access to these raw transcripts is restricted to a very limited number of authorized Lumsas personnel (e.g., senior engineers for debugging) and to the automated AI system itself. All such access is logged and audited.
• Once the Generated Content is created and approved by you, the raw transcript may be deleted or securely archived in an encrypted format, separate from the main production database, for model-retraining purposes (only in an aggregated, anonymized form) or as required for legal compliance.

---

3. How We Use Your Personal Data (Purpose of Processing)

We use your Personal Data for specific, limited purposes, and we only process data that is necessary for those purposes.

3.1 To Provide and Maintain the Service

• To create and manage your user account.
• To process your transactions (both Learner payments and Creator payouts).
• To enable you to create, manage, publish, and take Exams.
• To issue Certificates to Learners who pass Exams.
• To display your Creator profile and your available Exams to Learners.

3.2 To Verify and Secure Your Account

This is a critical function for protecting our community and your intellectual property.

• To Verify Creator Channel Ownership: We use the data from the YouTube API (as described in 2.2.1) to confirm that you are the legitimate owner of the channel you are linking. This is a security measure to prevent impersonation and fraud.
• To Secure Your Account: To protect your account from unauthorized access, to detect and prevent fraud, and to enforce our Terms of Service.

3.3 To Process Your Content (The AI Pipeline)

• To securely access the specific video transcripts you submit (as per Section 2.4.2).
• To feed these confidential transcripts into our proprietary AI models.
• To generate the summaries and questions that form your Exam.
• To store the final Generated Content (which you review and approve) as part of your published Exam.

3.4 To Communicate With You

• Transactional Communications: To send you necessary communications, such as payment confirmations, payout notifications, Certificate issuance, password resets, and important notices about the Service or changes to our Terms or this Policy.
• Customer Support: To respond to your comments, questions, and requests, and to provide customer service.
• Marketing Communications (with your consent): To send you marketing emails about new features, promotions, or new Exams you might be interested in. You can opt out of these at any time, as described in Section 7.

3.5 For Analytics, Research, and Improvement

• To monitor and analyze trends, usage, and activities in connection with our Service.
• To understand what features are popular and how to improve the User experience.
• To improve our AI models (only using anonymized or aggregated data, never your raw, identifiable transcripts for public-facing models).
• To debug and fix errors in the Service.

3.6 To Comply with Legal Obligations

• To comply with our legal and regulatory requirements under Indian law (e.g., tax laws like GST, corporate laws, IT Act, DPDP Act).
• To respond to valid legal requests, such as summons, court orders, or government investigations.
• To enforce our Terms of Service and protect our rights, property, and safety, and that of our Users.

---

4. Our Lawful Bases for Processing (DPDP Act Compliance)

Under India's DPDP Act, 2023, we must have a "lawful basis" (referred to as "legitimate uses") for processing your Personal Data. Our bases are:

• Example 1 (Creator): When you provide your bank details for payouts, you give Deemed Consent for us to process those details to send you money.
• Example 2 (Creator): When you link your YouTube channel, you give Deemed Consent for us to process the necessary channel data to verify your ownership.
• Example 3 (Learner): When you provide your payment details, you give Deemed Consent for us to process that payment.
• Example 4 (All Users): When you create an account, you give Deemed Consent for us to process your login details to operate and secure your account.

We also rely on other lawful bases:

• Explicit Consent: For activities that are not covered by Deemed Consent, such as sending you non-essential marketing emails, we will ask for your explicit, opt-in consent.
• Performance of a Contract: Much of our processing is necessary to perform our contractual obligations to you as set out in our Terms of Service.
• Compliance with Law: We process certain data (like PAN/GST information) because we are legally obligated to do so under Indian tax law and other statutes.

You have the right to withdraw your consent at any time, as detailed in Section 7.

---

5. How We Share and Disclose Your Information

We are not in the business of selling your Personal Data. We share it only in the limited circumstances described below, and always with appropriate safeguards.

5.1 With Third-Party Service Providers

We engage trusted third-party companies ("Data Processors") to help us operate, secure, and improve our Service. These processors are contractually bound to only use the data to perform services for us and to maintain its confidentiality and security. They include:

• Payment Processors (e.g., Razorpay, Stripe): To securely process Learner payments and Creator payouts.
• Cloud Hosting Providers (e.g., AWS, Google Cloud): To host our servers, databases, and infrastructure.
• Analytics Providers (e.g., Google Analytics): To help us understand Service usage.
• Email Service Providers: To send you transactional and marketing emails.

5.2 With Other Users (Limited Sharing)

Some of your information is public or semi-public by nature.

• For Creators: Your public YouTube channel name, channel icon, and any other profile information you add are visible to Learners to help them identify your Exams.
• For Learners: Your name and completion status are shared with the Creator of the Exam you took, so they can track their audience's performance. Your detailed answers or scores on specific questions are generally not shared, only your final pass/fail status and overall score. Your profile is not public to other Learners.

5.3 With Third-Party Services (Google/YouTube)

As described in Section 2.2.1, our Service interacts with the YouTube API. Our use of information received from YouTube API Services will adhere to the YouTube API Services Terms of Service, including the Limited Use requirements. We do not share your data *back* to Google, other than what is necessary to use the API (e.g., making an API request for your video's transcript).

5.4 What We **NEVER** Share

5.5 For Legal Compliance and Protection

We may disclose your Personal Data if we believe in good faith that it is necessary to:

• Comply with a legal obligation, court order, or valid request from law enforcement or government authorities (in accordance with the law).
• Enforce our Terms of Service and other agreements.
• Detect, prevent, or address fraud, security, or technical issues.
• Protect the rights, property, or safety of Lumsas, our Users, or the public.

5.6 In a Business Transfer

If Lumsas is involved in a merger, acquisition, sale of assets, or bankruptcy, your Personal Data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service before your data is transferred and becomes subject to a different privacy policy. We will ensure the new entity is bound by privacy obligations at least as strict as this one.

---

6. Your Rights as a Data Principal (DPDP Act)

Under India's DPDP Act, 2023, you (as the "Data Principal") have specific rights over your Personal Data. We are committed to upholding these rights.

6.1 Right to Access Information

You have the right to request a summary of the Personal Data we hold about you and information on our processing activities related to that data. We will provide this in a clear and understandable format.

6.2 Right to Correction and Erasure

• Correction: You have the right to request the correction of any inaccurate or misleading Personal Data we hold about you. You can update most of your profile information directly in your account settings.
• Erasure: You have the right to request the erasure (deletion) of your Personal Data. Upon receiving a valid request, we will delete your data, *except* for any information we are legally obligated to retain (e.g., tax and transaction records) or that is necessary for our legitimate business purposes (e.g., to defend against legal claims).

6.3 Right to Withdraw Consent

You have the right to withdraw your consent for any processing that is based on your explicit consent (like marketing emails) at any time. You can do this via the "unsubscribe" link in the email or in your account settings.
For processing based on "Deemed Consent" (which is necessary to provide the Service), withdrawing consent would require you to stop using the feature or to delete your account (see Right to Erasure). For example, you cannot withdraw consent for us to process your payment for an Exam and still receive access to that Exam.

6.4 Right to Grievance Redressal

You have the right to have your grievances addressed in a timely manner. We have appointed a Grievance Officer as required by law. Please see Section 12 for their contact details and our redressal process.

6.5 How to Exercise Your Rights

To exercise any of these rights, please submit a written request to our Data Protection Officer at copyright@lumsas.com.
For your protection, we will need to verify your identity before processing your request. We will respond to your request within the timeframes mandated by law (typically within 30 days).

---

7. Marketing and Communications

7.1 Transactional Communications

We will send you transactional emails that are necessary to provide the Service. These are not marketing and you cannot opt-out of them. This includes:

• Account verification emails.
• Payment receipts and payout notifications.
• Exam completion and Certificate delivery.
• Critical security alerts.
• Notices of changes to our Terms or this Policy.

7.2 Marketing Communications (Opt-In)

We will only send you promotional or marketing emails (e.g., new Exam announcements, platform new features) if you have given us your explicit, opt-in consent to do so.

7.3 How to Opt-Out

You can withdraw your consent and opt-out of marketing emails at any time by:

• Clicking the "unsubscribe" link at the bottom of any marketing email.
• Updating your communication preferences in your account settings.

---

8. Data Security

8.1 Our Security Commitment

We take the security of your Personal Data very seriously and have implemented "reasonable security practices and procedures" as required by the IT Rules, 2011, and the DPDP Act. We use a combination of technical, administrative, and physical safeguards to protect your data from loss, theft, misuse, and unauthorized access.

8.2 Technical Safeguards

• Encryption: We use industry-standard TLS encryption for all data in transit (when you use our website). Sensitive data at rest (like database backups) is encrypted using AES-256.
• Access Controls: We enforce strict role-based access controls. Our employees and contractors can only access the data they absolutely need to perform their jobs.
• Secure Infrastructure: We host our Service with reputable, secure cloud providers who offer robust physical and network security.
• Payment Security: We do not store your full payment card data. All payments are processed by our PCI-DSS compliant payment processors.

8.3 Special Security for Creator Data

• OAuth Security: We use secure, standard OAuth 2.0 protocols to link your YouTube channel. We only request the minimum permissions necessary. We store access tokens in an encrypted, secure manner.
• Transcript Security: As stated in Section 2.4.2, raw transcripts are treated as highly confidential, with strict access controls and a separate, secured processing pipeline.

8.4 Data Breach Notification

In the event of a Personal Data breach that is likely to affect you, we will notify you and the Data Protection Board of India in accordance with the DPDP Act. We will inform you of the nature of the breach, the data affected, and the steps we are taking to mitigate it.

8.5 No Absolute Guarantee

While we do our utmost to protect your data, no system is 100% secure. We cannot guarantee or warrant the absolute security of any information you transmit to us. You use the Service and provide us with your information at your own risk.

---

9. Data Retention

9.1 Our Retention Policy

We retain your Personal Data for no longer than is necessary for the purposes for which it was collected, as described in this Policy, and to comply with our legal obligations.

9.2 Specific Retention Periods

• Account Data: We retain your account and profile data for as long as your account is active. If you delete your account, we will permanently delete this data within a reasonable period (e.g., 90 days), except for data we must keep for legal reasons.
• Creator Payout & Tax Data: We are required by Indian tax law to retain financial records (including your PAN, GSTIN, and payout history) for a period of up to eight (8) years after the end of the financial year.
• Learner Transaction Data: We retain records of your payments for a similar period as required by law.
• Exam & Certificate Data: We retain your Exam results and Certificates for as long as your account is active, so you can access them.
• Log Data: Server logs are typically rotated and deleted within 90-180 days, unless required for a security investigation.

9.3 Account Deletion

When you request to delete your account, we will initiate a process to permanently delete your Personal Data. This process is irreversible. We will anonymize or delete your data, retaining only what is legally required (as mentioned above).

---

10. Cookies and Tracking Technologies

10.1 What are Cookies?

Cookies are small text files placed on your device when you visit a website. We use them to make our Service work, or work more efficiently, as well as to provide reporting information.

10.2 Types of Cookies We Use

• Strictly Necessary Cookies: These are essential for you to move around the Service and use its features, such as accessing secure areas and maintaining your login session. You cannot opt-out of these.
• Performance and Analytics Cookies: These cookies (e.g., from Google Analytics) help us understand how visitors interact with our Service by collecting and reporting information anonymously. This helps us improve our platform.
• Functionality Cookies: These are used to recognize you when you return to our Service and remember your preferences (e.g., your choice of language).
• Marketing Cookies: We may use these (with your consent) to track your activity and show you relevant ads for Lumsas on other websites.

10.3 Your Choices

When you first visit our Service, we will show you a cookie banner asking for your consent to use non-essential cookies. You can manage your preferences at any time through our cookie settings panel or by changing your browser settings. Please note that blocking essential cookies may make parts of the Service unusable.

---

11. International Data Transfers

11.1 Our Primary Location

Lumsas is an Indian company, and our primary servers and operations are located in India. Your Personal Data will be primarily stored and processed in India, subject to Indian data protection laws.

11.2 Use of Global Service Providers

However, some of our third-party service providers (e.g., cloud hosting, payment processors) may be based in other countries. This means that your Personal Data may be transferred to, and processed in, countries outside of India.

When we do this, we take steps to ensure your data receives an adequate level of protection. We do this by:

• Ensuring the country has been deemed to provide an adequate level of protection by the Government of India.
• Using Standard Contractual Clauses or other legal mechanisms approved under the DPDP Act.
• Entering into robust Data Processing Agreements with these providers.

By using the Service, you consent to the transfer of your Personal Data to other countries, including those that may have different data protection laws than your own, for the purposes described in this Policy.

---

12. Children's Privacy

Our Service is not directed to children under the age of 13. We do not knowingly collect Personal Data from children under 13.

As stated in our Terms of Service, individuals between the ages of 13 and 18 may only use the Service with the consent and supervision of a parent or legal guardian. If we become aware that we have collected Personal Data from a child under 13 without verification of parental consent, we will take steps to delete that information. If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us at copyright@lumsas.com.

---

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, regulatory, or operational reasons. If we make material changes, we will provide you with reasonable notice, such as by:

• Sending an email to the address associated with your account.
• Posting a prominent notice on our Service.
• Requesting your consent to the new policy, if required by law.

We will also update the "Last Updated" date at the top of this Policy. We encourage you to review this Policy periodically to stay informed about how we are protecting your data.

---

14. Grievance Redressal (DPDP Act & IT Rules, 2021)

14.1 Your Right to Redressal

You have the right to an easily accessible and effective grievance redressal mechanism. We have appointed a Grievance Officer to handle your complaints and concerns regarding our processing of your Personal Data.

14.2 Grievance Officer Contact

In accordance with the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the name and contact details of the Grievance Officer are provided below:

14.3 How to File a Grievance

To file a grievance, please send a written communication to our Grievance Officer with the following details:

• Your full name and account email.
• A clear description of your grievance.
• Any supporting documents or evidence.
• The specific relief you are seeking.

14.4 Our Process

1. We will acknowledge receipt of your grievance within 24 hours.
2. We will work to resolve your grievance and provide a final response within 15 days from the date of its receipt.
3. If your grievance is complex, we may require additional time, but we will keep you informed of the progress.

---