Pliko — Privacy Policy

1) Information We Collect

2) How We Use Information (Purposes)

We use personal information to:

• Provide the Service: create/manage accounts, authenticate users, host competitions, score attempts, generate certificates, operate leaderboards, provide parent monitoring (where enabled), and uphold fair play (including limited proctoring and anti‑cheat processing).
• Improve and secure Pliko: analytics, diagnostics, testing, bug‑fixes, fraud/abuse/anti‑cheat prevention, performance and reliability.
• Communicate with you: service messages, feature updates, policy changes, and support replies.
• Compliance & enforcement: comply with law, respond to lawful requests, enforce terms, and protect users and our platform.

We do not use children's data for behavioral advertising.

Marketing communications (adults only): We may send optional product updates, tips, and offers to adults such as parents/guardians and organizers. Children do not receive marketing messages. You can opt out at any time via the unsubscribe link or in‑app notification settings.

3) Cookies & Similar Technologies

• Essential cookies (e.g., session, CSRF, auth) to run Pliko.
• Preference cookies to remember settings (language, view).
• Analytics tags/SDKs to understand usage and improve features.

We do not use third‑party advertising cookies. A cookie/preferences control will be available in Settings > Privacy. Until then, you can manage cookies in your browser/app settings. If you prefer to opt out of non‑essential analytics before the in‑app control is available, email [email protected] with the subject "Analytics Opt‑out" and your account email; we will apply the preference where technically feasible. Blocking essential cookies may affect core functions.

4) When We Share Information

• Service providers (processors): hosting, delivery, analytics, email/SMS, logging/security — under contract and only as necessary.
• Parents/guardians (with authorization): limited progress and stats for linked child accounts.
• Organizers/schools: if you participate in an event run by a school or organization, your display name, participation, scores, rank, and certificate status are visible to the organizer and visible to other participants. Public visibility (e.g., on the web) occurs only where an event is explicitly marked public by the Organizer or by Pliko and this is indicated before you join.
• Legal & safety: regulators, courts, or law enforcement when required by law or necessary to protect rights, safety, or integrity.
• Business transfers: if we restructure, merge, or sell assets, information may be transferred with continued protections and advance notice.

We do not sell personal information.

Schools and institutions (controller/processor roles): When a school or organization provisions student accounts, hosts events, or integrates with Pliko, that institution is typically the data controller, and Pliko (Wisflux) acts as its data processor. We process personal information only under the institution's instructions and our data processing terms. Parents/guardians seeking to exercise rights for school‑provisioned accounts should contact the school, which we will support in fulfilling requests.

Subprocessors: We use vetted subprocessors to help deliver Pliko. We limit access to the minimum necessary and require confidentiality and security commitments.

We will provide notice of material changes to subprocessors where required by law or contract. Organizers and institutions can request subprocessor update notifications by emailing [email protected] with the subject "Subprocessor Updates".

5) Leaderboards, Certificates, and Public Results

Leaderboards motivate learning. Display names appear as entered by users/parents and may be pseudonymous (e.g., initials). What is shown on leaderboards and results pages is minimized (e.g., rank, display name, score). By default, leaderboards are restricted to event participants and the Organizer. An event may be explicitly marked public depending on its format; only then may results be visible on the web or to a broader audience. Visibility is indicated in‑app or in event rules before you join.

Certificates include your full name by default, event name, date, and performance (e.g., score, rank). Organizers may require full names for identity and verification. Where allowed by event rules, you may choose a display name/initials for the certificate. Some events may publish winners lists.

Automated scoring and placements do not produce legal or similarly significant effects.

6) Children, Parents & Guardians

Pliko is designed for students. Parents/guardians are responsible for guiding and monitoring usage, managing consents, and helping children make safe choices online. Parents/guardians can request access to and deletion of their child's personal information, subject to legal or safety exceptions. If we learn child data was provided without appropriate authorization, we will delete it.

How parental consent works

We require verifiable consent from a parent or legal guardian for users under the applicable age in their region (e.g., under 18 in India; under 13 in the United States):

1. Direct sign‑up with parent contact: During child sign‑up, we collect a parent/guardian email or phone number. We send a consent notice with a summary of data uses and a verification link/OTP. The child account becomes active only after the parent verifies and accepts.
2. Parent‑initiated account/linking: A parent can create or link a child account from a parent dashboard, which includes an explicit consent step.
3. School‑provisioned accounts: When a school/organization provisions accounts or runs events, it is responsible for obtaining required parental/guardian consents under applicable law. Pliko acts as the processor to the institution and processes data under its instructions.
4. Withdraw/update consent: Parents/guardians can withdraw or modify consent via in‑product settings (where available) or by contacting us at [email protected] or [email protected]. We may request information to verify identity/authority.

We do not track, behaviorally monitor, or show targeted advertising to children.

7) International Processing & Cloud Providers

We use servers and services of popular global cloud providers such as AWS, Cloudflare, and DigitalOcean, with datacenters in the US, Europe, or India. When data moves across borders, we apply contractual and technical safeguards (e.g., encryption, access controls) to maintain protection comparable to applicable requirements (including India's Digital Personal Data Protection Act, 2023).

Regional addenda for specific jurisdictions (e.g., EEA/UK, California) appear below. As an India‑based company, our initial operations are focused on India; when we begin offering services in additional regions, we will publish and apply region‑specific notices and mechanisms as required by law.

8) Retention

We retain personal information only as long as necessary for the purposes in this Policy or as required by law. Retention is purpose‑based (e.g., while an account is active, for support/audit/security).

Typical periods: account/profile data is retained for the life of the account plus up to 12 months; analytics and diagnostic logs up to 90 days; backups 30–90 days with secure rotation; support records up to 24 months; proctoring recordings (if captured) up to 180 days for integrity and forensics, or longer where required for an ongoing investigation or legal obligation. Actual periods may vary based on legal, security, and operational needs.

Deletion requests: after verification, we aim to complete deletion within up to 45 days, except where we must retain certain data for legal, security, or dispute reasons. Data in backups is not actively used and will expire on the backup schedule.

9) Your Rights

Subject to law, you may:

• Access your data and receive a copy.
• Correct inaccurate or incomplete data.
• Delete data in certain circumstances.
• Withdraw consent where processing relies on consent.
• Complain to our Grievance contact and, if unresolved, to the appropriate authority.

Under India's Digital Personal Data Protection Act, 2023, you may also:

• Nominate an individual to exercise your rights in the event of your incapacity or death.

How to exercise: use in‑product settings (where available) or email [email protected]. We may request information to verify identity/authority (e.g., proof of parent‑child relationship).

10) Security

We implement safeguards including encryption in transit/at rest (where applicable), role‑based access, logging and audit, backups, and vulnerability management. No method is 100% secure, but we continually improve. If a data incident occurs, we will investigate and mitigate, and we will notify affected users/organizers and authorities without undue delay after reasonable investigation where required by law, and take remedial steps.

AI/ML use: We do not use your personal data to train external AI models. If we introduce AI features that process personal data (e.g., personalization or feedback), we will disclose the purposes, data involved, and providers, and offer appropriate choices.

11) Third‑Party Links

Pliko may link to or embed third‑party services (e.g., videos, resources). Their privacy practices are governed by their own policies. Review them before use.

12) Changes to this Policy

We may update this Policy to reflect changes in Pliko, laws, or practices. We will post updates here and revise the "Last updated" date. For material changes, we will provide prominent notice and request renewed consent where required.

13) Contact & Grievance

Company: Wisflux Private Limited

14) Regional Addenda

EEA/UK: We are preparing dedicated EEA/UK notices. When we begin offering services in these regions, we will implement appropriate data transfer mechanisms (e.g., EU Standard Contractual Clauses and the UK IDTA/Addendum) and a regional cookie consent banner. Until then, this section serves as notice of intent rather than a current commitment.

California (CPRA/CCPA): We do not "sell" or "share" personal information for cross‑context behavioral advertising. California residents may have rights to know/access, correct, and delete certain personal information, and to limit use of sensitive personal information, subject to exceptions. To exercise these rights, contact [email protected] or [email protected]. We do not discriminate against you for exercising your rights.