Privacy Policy

Welcome to Gyanis AI (“we,” “our,” or “us”).Gyanis AI is operated by Gyanis (FZC), a Free Zone Company registered under License No. 10506, incorporated at the Sharjah Research Technology and Innovation Park (SRTIP), Sharjah, United Arab Emirates, pursuant to Sharjah Emiri Decree No. 38 of 2016.

This Privacy Policy describes how we collect, use, store, share, and protect personal data when you access or use the Gyanis AI Platform, including our website at platform.gyanis.ai, our APIs, dashboards, and related services (collectively, the “Platform”).

By using the Platform, you agree to the practices described in this Privacy Policy. If you do not agree, please discontinue use of the Platform.

• “Tenant” means an organization or individual that registers for and maintains an account on the Platform.
• “Entity” means any person or object managed through the Platform, including students, teachers, institutions, classes, and curricula, as created by a Tenant.
• “End User” means any individual who interacts with AI-powered features provided by a Tenant through the Platform API.
• “Personal Data” means any information that relates to an identified or identifiable natural person.

3.1 Tenant Account Data

When you register or manage an account, we collect:

• Company name and website
• Contact name, email address, and phone number
• Country of operation
• Intended use case and expected usage volume
• Billing and payment information (processed securely via Stripe)

3.2 Entity Data

Tenants create and manage entities on the Platform. Entity data may include:

• Name and external identifier
• Email address
• Entity type (student, teacher, institution, class, curriculum)
• Grade level, subjects, curriculum board, and country
• Parent entity relationships
• Custom metadata defined by the Tenant

3.3 Conversation and Usage Data

When the Platform API is used, we collect:

• Messages sent to and received from AI models
• Token usage metrics (input tokens, output tokens, cached tokens)
• Model identifiers and request latency data
• Content moderation decisions and flags
• API key identifiers and request timestamps

3.4 Technical Data

We automatically collect:

• IP addresses and API request metadata
• Browser type and operating system (for dashboard access)
• Session cookies and authentication tokens
• Error logs and diagnostic data

We process personal data for the following purposes:

• Service Delivery: To operate the Platform, process API requests, manage entities, and deliver AI-powered educational features.
• Account Management: To create and maintain Tenant accounts, authenticate users, and manage API keys.
• Billing and Payments: To process credit purchases, generate invoices, and manage billing status via our payment processor (Stripe).
• Safety and Moderation: To screen AI-generated content through our multi-layer content safety pipeline and protect end users.
• Analytics and Improvements: To provide usage dashboards, latency metrics, cost projections, and to improve Platform performance.
• Security: To detect and prevent fraud, unauthorized access, and abuse of the Platform.
• Communications: To send service-related notifications, webhook event deliveries, credit alerts, and system updates.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

We process personal data based on the following legal grounds:

• Contract Performance: Processing necessary to deliver the Platform services under our Terms of Service.
• Legitimate Interest: Processing for security, fraud prevention, service improvement, and analytics, where such interests are not overridden by your rights.
• Legal Obligation: Processing required to comply with applicable laws and regulations.
• Consent: Where required by law, we obtain consent before processing personal data, particularly for marketing communications.

We do not sell personal data. We share data only as follows:

• Payment Processor: Stripe, Inc. processes payment transactions on our behalf. Their privacy policy governs payment data handling.
• AI Model Providers: API requests are forwarded to underlying AI model providers for processing. We select providers that maintain appropriate data handling standards.
• Infrastructure Providers: Cloud hosting and infrastructure services that store and process data under our direction and contractual safeguards.
• Legal Requirements: We may disclose data when required by law, court order, or governmental authority, or to protect the rights, safety, or property of Gyanis, our users, or the public.

We implement industry-standard security measures to protect your data:

• Encryption at Rest: All stored data is encrypted using AES-256 encryption.
• Encryption in Transit: All data transmitted between clients and our servers is protected by TLS 1.3 encryption.
• Access Control: API keys support 9 granular permission scopes with separate live and test modes.
• Rate Limiting: Configurable per-key rate limits protect against abuse and unauthorized access.
• Webhook Security: All webhook deliveries are HMAC-SHA256 signed for integrity verification.
• Session Security: Dashboard sessions use secure, HTTP-only cookies with automatic expiration.

• Account Data: Retained for the duration of the Tenant account and for a reasonable period thereafter for legal and operational purposes.
• Conversation Data: Retained in accordance with the Tenant's configuration and applicable retention policies. Tenants can delete entity data at any time via the API.
• Usage and Analytics Data: Aggregated analytics data may be retained for up to 24 months. Individual request logs are retained for 90 days unless otherwise configured.
• Billing Records: Retained for the period required by applicable tax and accounting laws.

The Gyanis AI Platform is designed for use by EdTech companies that serve educational institutions and learners. We recognize that end users may include children.

• Tenants are responsible for obtaining any required parental or institutional consent before creating entities for minors on the Platform.
• Our content moderation pipeline is specifically designed to protect younger users by screening all AI-generated content before delivery.
• We do not knowingly collect personal data directly from children under the age of 13 (or the applicable age in the relevant jurisdiction) without appropriate consent.
• If you believe personal data of a child has been collected without proper consent, please contact us immediately at hello@gyanis.ai.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure: Request deletion of your personal data. For entity data, Tenants can use the DELETE /entities/:id API endpoint, which removes all associated data and anonymizes request logs.
• Right to Restrict Processing: Request limitation of processing in certain circumstances.
• Right to Data Portability: Request a machine-readable copy of your data in a structured format.
• Right to Object: Object to processing based on legitimate interest.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, please contact us at hello@gyanis.ai. We will respond within 30 days.

The Platform provides built-in tools to support GDPR compliance:

• Data Deletion: A single API call (DELETE /entities/:id) removes all entity data, including conversation history, metadata, and associated logs. Request records are automatically anonymized.
• Data Export: Per-entity data export is available for data portability requirements.
• Audit Logging: Full audit trails of all API interactions are maintained for transparency and accountability.
• PII Handling: Personally identifiable information is automatically stripped from training data pipelines.

The Platform uses the following cookies:

• Session Cookies: Essential cookies for dashboard authentication and session management. These are strictly necessary and do not require consent.
• Security Cookies: Cookies used for rate limiting and fraud prevention.

We do not use advertising cookies, third-party tracking pixels, or behavioral analytics cookies on the Platform.

Gyanis (FZC) is based in the United Arab Emirates. If you access the Platform from outside the UAE, your data may be transferred to, stored, and processed in the UAE or other jurisdictions where our infrastructure providers operate.

We ensure that any international data transfers are conducted with appropriate safeguards, including contractual commitments with our service providers to protect your data in accordance with applicable privacy laws.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify Tenants of material changes via email or through the Platform dashboard. The “Last Updated” date at the top of this page indicates when the policy was last revised.

Continued use of the Platform after changes take effect constitutes acceptance of the revised policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: