Privacy Policy

COMPANY: APEX24 TECHSYS AND BRAND: BUCKLEUP - ENTERPRISE PRIVACY POLICY

(Structured in Alignment with the Digital Personal Data Protection Act, 2023 – India)

Effective Date: 1 FEBRUARY 2026

1. INTRODUCTION

This Privacy Policy (“Policy”) describes how Apex24 Techsys, operating under the brand name BuckleUp (“Company,” “we,” “us,” or “our”), collects, uses, processes, stores, shares, transfers, and protects Personal Data in connection with the BuckleUp AI Photo Product (“AI Photo Service” or “Service”).

This Policy applies to:

• Schools and Educational Institutions
• School Owners and Administrators
• Teachers and Staff
• Parents and Legal Guardians
• Students (including Minors)
• Website visitors and app users

This Policy is structured in alignment with the Digital Personal Data Protection Act, 2023 (DPDP Act) and relevant Indian Information Technology laws.

By accessing, logging into, or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. ROLE UNDER THE DPDP ACT

The Company’s role varies depending on the type of account:

2.1 Institutional Accounts

Where a School or Institution subscribes to the Service:

• The Institution acts as the Data Fiduciary.
• The Company acts as a Data Processor, processing Personal Data on documented instructions of the Institution.

2.2 Direct Parent Accounts

Where Parents use the Service directly without an Institution:

• The Company acts as a Data Fiduciary for Personal Data processed in connection with such accounts.

3. DEFINITIONS

For the purpose of this Policy:

• Personal Data means any data about an individual who is identifiable.
• Minor means any individual under eighteen (18) years of age.
• Data Principal means the individual to whom Personal Data relates.
• Processing includes collection, recording, storage, use, analysis, modification, disclosure, or deletion.
• Biometric Data includes facial geometry, derived facial attributes, or template-based facial data.
• Uploaded Content means photographs or images submitted by Users.
• Generated Content means AI-processed or AI-generated images derived from Uploaded Content.

4. CATEGORIES OF PERSONAL DATA COLLECTED

We may collect the following categories of data:

4.1 Identity Information

• Name of Student
• Parent/Guardian name
• Teacher name
• School name
• Class/grade information

4.2 Contact Information

• Email address
• Phone number
• Institutional contact details

4.3 Image Data

• Uploaded photographs
• Group photos
• Event photographs
• AI-generated images

4.4 Technical Data

• IP address
• Device information
• Browser type
• Operating system
• Session timestamps

4.5 Usage Data

• Feature usage logs
• Interaction patterns
• Platform engagement metrics

4.6 Consent Records

• Timestamp of consent
• Parent acknowledgment logs
• Institutional consent confirmation records

5. PURPOSES OF PROCESSING

We process Personal Data for the following lawful purposes:

1. Providing AI-based image enhancement and generation services
2. Delivering photo transformation features
3. Managing institutional accounts
4. Enabling school event photo workflows
5. Maintaining platform security
6. Preventing misuse or harmful conduct
7. Complying with legal obligations
8. Conducting internal analytics in aggregated or anonymized form
9. Providing customer support

We do not process Personal Data for unrelated commercial exploitation.

6. LAWFUL BASIS FOR PROCESSING

Processing is carried out on one or more of the following lawful bases:

• Explicit consent
• Performance of a contract
• Compliance with legal obligations
• Legitimate institutional instructions (for Data Processor role)

Where required under the DPDP Act, consent is obtained through:

• Explicit checkbox acceptance
• Parent login acknowledgment
• Institutional representation
• Written consent forms

Login to the Platform constitutes acknowledgment of processing activities described in this Policy.

7. PROCESSING OF MINOR DATA

We recognize that the Service frequently involves processing data of Minors.

7.1 Parental Consent

• Institutions must obtain verifiable parental consent prior to uploading Minor photographs.
• Parents using direct accounts must provide explicit consent before enabling AI processing.

7.2 No Tracking or Profiling

The Company does not:

• Track Minors for behavioral advertising
• Conduct profiling that significantly affects the child
• Use AI to evaluate academic or psychological traits

7.3 Consent Withdrawal

Parents may withdraw consent by contacting the Institution or the Company directly.

Withdrawal may result in:

• Deletion of stored images
• Disabling of certain features

8. AI PROCESSING & BIOMETRIC DISCLOSURE

The AI Photo Service may use automated systems that analyze visual attributes within images.

8.1 Nature of AI Processing

AI systems may:

• Detect faces
• Adjust lighting
• Modify backgrounds
• Apply artistic transformations
• Enhance clarity

8.2 Biometric Data Handling

We may temporarily process facial geometry data for editing purposes. However:

• We do NOT sell biometric data.
• We do NOT create persistent biometric databases.
• We do NOT perform facial recognition for identity tracking.
• We do NOT use images for surveillance.

8.3 AI Model Training

Uploaded images are not used to train public AI models unless explicitly disclosed and consented to.

9. DATA RETENTION POLICY

Personal Data is retained only for as long as necessary to:

• Provide the Service
• Fulfill contractual obligations
• Comply with statutory requirements
• Resolve disputes

Institutions may request deletion of stored images. Deletion requests will be processed subject to legal retention requirements.

Backups may persist for a limited duration in secure storage.

10. DATA SECURITY MEASURES

We implement commercially reasonable security safeguards, including:

• Encryption in transit (TLS)
• Encryption at rest
• Access controls
• Role-based permissions
• Audit logging
• Intrusion monitoring
• Periodic security reviews

No system can guarantee absolute security. However, we apply industry-standard SaaS security practices.

11. DATA SHARING & DISCLOSURE

We do not sell Personal Data.

We may share data with:

11.1 Subprocessors

• Cloud hosting providers
• AI infrastructure providers
• Storage providers

All subprocessors are contractually bound to maintain confidentiality and security standards.

11.2 Legal Authorities

Where required by law, regulation, or court order.

11.3 Institutional Administrators

Teachers and authorized staff may access relevant student data under institutional controls.

12. CROSS-BORDER TRANSFERS

Where data is processed outside India:

• Transfers occur only to jurisdictions permitted under Indian law.
• Appropriate contractual safeguards are implemented.
• Security controls equivalent to Indian standards are applied.

13. DATA PRINCIPAL RIGHTS (UNDER DPDP ACT)

Data Principals have the right to:

• Access their Personal Data
• Request correction
• Request erasure
• Withdraw consent
• Nominate a representative
• Seek grievance redressal

Requests may be submitted to the contact details below.

14. AUTOMATED DECISION-MAKING

The AI Photo Service uses automated computational systems for image transformation.

However:

• No legally binding decisions are made solely through automation.
• No academic grading or disciplinary decisions are made through AI.
• Outputs are creative and aesthetic in nature.

15. CHILD SAFETY COMMITMENT

We maintain a zero-tolerance approach toward:

• Exploitation
• Harassment
• Non-consensual image manipulation
• Inappropriate content generation

We may suspend accounts and report unlawful content where necessary.

16. DATA BREACH NOTIFICATION

In the event of a material data breach:

• We will assess impact promptly.
• We will notify affected parties as required by law.
• We will cooperate with regulatory authorities.

17. INSTITUTIONAL RESPONSIBILITIES

Institutions must:

• Obtain parental consent
• Maintain consent documentation
• Restrict teacher access
• Ensure appropriate supervision
• Comply with child protection norms

The Company relies on institutional representations regarding consent.

18. PARENT RESPONSIBILITIES

Parents must:

• Upload only authorized images
• Avoid uploading images of other children without consent
• Supervise student access

19. COOKIES & TRACKING

The Platform may use:

• Essential cookies
• Security cookies
• Performance analytics cookies

We do not engage in behavioral advertising tracking of minors.

20. GRIEVANCE REDRESSAL

In accordance with Indian IT Rules:

Grievance Officer:
Name: Vishal Shah
Email: contact@buckleupnow.in
Address: Rajul Park, Bibwewadi, Pune 411037, Maharashtra.

Complaints will be acknowledged and addressed within legally prescribed timelines.

21. AMENDMENTS

This Policy may be updated periodically.

Material changes will be notified through:

• In-app notifications
• Email communication
• Website update notices

Continued use constitutes acceptance.

22. CONTACT INFORMATION

For privacy-related inquiries:

Email: contact@buckleupnow.in
Registered Address: Rajul Park, Bibwewadi, Pune 411037, Maharashtra.

23. GOVERNING LAW

This Policy is governed by the laws of India. Disputes shall be subject to jurisdiction of courts in Pune, Maharashtra.

24. ENTERPRISE ASSURANCES

This Privacy Policy is designed to align with:

• DPDP Act 2023
• Indian IT Act
• Enterprise SaaS security standards
• School data governance best practices
• Child data protection principles