Foundational Principles
Every data governance decision we make flows from these principles. They are not aspirational — they are the constraints within which all our systems are designed. They cannot be overridden by business rationale or institutional pressure.
We do not collect personal identifiers and then promise not to use them. We build systems where those identifiers cannot be collected at all. A policy can change. An architecture with no field for a name cannot leak one.
We collect only what is necessary to generate the intelligence our instruments produce. If a data point does not contribute to a measurable output, we do not collect it.
No individual response is ever surfaced to any party — including the school that generated it. All outputs are statistical aggregates. A school receives a score and a trend, never a record traceable to a specific respondent.
The people most likely to generate valuable feedback are also the people most vulnerable to retaliation from the institutions they are describing. Our anonymity architecture exists specifically to protect respondents on the weaker side of this asymmetry. A school principal cannot identify what any specific student said.
We will never sell, licence, or transfer raw response data to any third party for commercial purposes. Our commercial model is built on aggregated, anonymised intelligence products — not on the underlying responses.
What We Collect
CatalystBox collects the following through anonymous QR-based feedback forms. Future Fresh Eye Foundation instruments will publish their own schedules as annexures to this charter.
| Data Field | Type | Purpose | Collected |
|---|---|---|---|
| School Identifier Code | Institutional | Attribute responses to the correct school | Yes |
| Academic Year | Temporal | Year-on-year trend analysis | Yes |
| Respondent Type | Category only (Student / Teacher / Parent) | Segment responses for dimension weighting | Yes |
| Scaled Survey Responses | Numeric ratings | Input to school quality dimension scores | Yes |
| Open Text Response (optional) | Unstructured text | Qualitative signal extraction via AI sentiment analysis | Yes |
| Gender (student forms only) | Category (aggregated) | Equity-disaggregated scoring for girl student experience metric | Yes |
| Submission Timestamp | Server-generated | Fraud detection; submission frequency analysis at school level | Yes |
The optional free-text field is processed by AI for sentiment classification only. Raw text is never shared externally and is subject to a shorter retention period than numeric responses. We ask respondents not to include personal names or contact details in this field.
What We Never Collect
The following are permanently excluded. These are not fields we collect but promise not to use — our systems are designed so they cannot be collected at all.
| Data Category | Collected | Reason |
|---|---|---|
| Name | Never | Primary anonymity guarantee; foundational to respondent trust |
| Email address | Never | No login required; no contact collection of any kind |
| Phone number | Never | Not requested; not required for submission |
| Device ID or fingerprint | Never | Fraud prevention uses session-based methods only; no persistent device tracking |
| IP address (stored) | Never stored | Transiently visible at network layer but never logged or associated with any response |
| Location data | Never | School identified by pre-filled code; no location capture performed |
| Biometric data | Never | Not required; not requested; not captured under any circumstance |
| Social profile or linked account | Never | No social login; no account creation required to respond |
| Caste, religion, or community identity | Never | Sensitive personal data under DPDP Act 2023; entirely outside our scope |
The school identifier code is the deepest identifier in our system. It identifies an institution, never a person. That is the boundary we will not cross.
Data Lifecycle
Every piece of data passes through a defined lifecycle from submission to institutional delivery.
Collection
A respondent scans a school-specific QR code. The form loads with the school's identifier and academic year pre-filled. No personal information is requested at any point in this flow.
Processing & scoring
Responses are processed into school-level quality scores across multiple dimensions. The individual response is the input; a school-level aggregate is the only output carried forward. Individual records are not exposed in any downstream layer.
AI analysis
Open text responses are analysed by an AI system for sentiment classification and signal extraction. Results are aggregated at school level before delivery. The original text is retained only in secured internal systems, subject to our retention schedule, and never appears in dashboard outputs.
Institutional delivery
Dashboards display aggregate scores, trends, and comparative benchmarks. No individual response data appears at any point in the delivery layer.
Access & Disclosure
| Party | Can Access | Cannot Access |
|---|---|---|
| School | Own school aggregate scores, trends, dimension breakdowns | Individual responses, any other school's data |
| Education Board | Affiliated schools' aggregates, board-level distribution | Individual responses, non-affiliated schools |
| Research Partners | Anonymised aggregate datasets (minimum cohort threshold applies) | Individual responses, school-identified data without agreement |
| CSR Funders | Aggregate programme-level impact metrics per funding agreement | Individual responses, school scores beyond agreed scope |
| Government / Law Enforcement | Only under a valid binding legal order — no voluntary disclosure | Any voluntary disclosure without legal compulsion |
We do not disclose individual response data to any third party except as required by valid legal order, to research partners under signed Data Sharing Agreements with anonymisation requirements, or to infrastructure processors necessary to operate our systems. Research disclosures are subject to minimum cohort size requirements to prevent re-identification.
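The aggregate-only scoring described under Processing & scoring and the minimum cohort threshold referred to in this section can be enforced directly in the pipeline rather than by policy. The following is an added example written for this page, not CatalystBox or Fresh Eye Foundation code. It assumes a closed record schema mirroring the What We Collect table, a cohort threshold of 5 (the charter says a threshold applies but does not publish the number), invented dimension names `safety` and `teaching`, and constructed sample records. Submissions carrying any field outside the schema are refused outright, and any (school, segment) cell below the threshold is released without a score or an exact count, which is what keeps small gender-disaggregated cells from pointing back at a person.

```python
from collections import defaultdict
from statistics import mean

# Fields mirror the "What We Collect" table; anything else is rejected on entry.
ALLOWED_FIELDS = {"school_code", "academic_year", "respondent_type",
                  "ratings", "open_text", "gender", "submitted_at"}
REQUIRED_FIELDS = {"school_code", "academic_year", "respondent_type", "ratings"}
RESPONDENT_TYPES = {"Student", "Teacher", "Parent"}
# Assumed threshold: the charter states a minimum cohort size applies but does
# not publish the number; 5 is a placeholder chosen for this example.
MIN_COHORT = 5


class SchemaViolation(ValueError):
    """Raised when a submission carries data the schema has no room for."""


def validate_record(record):
    """Enforce the closed schema: unknown keys (name, email, ...) are refused
    rather than stored and 'not used'."""
    extra = set(record) - ALLOWED_FIELDS
    if extra:
        raise SchemaViolation(f"disallowed fields: {sorted(extra)}")
    missing = REQUIRED_FIELDS - set(record)
    if missing:
        raise SchemaViolation(f"missing fields: {sorted(missing)}")
    if record["respondent_type"] not in RESPONDENT_TYPES:
        raise SchemaViolation("respondent_type must be Student, Teacher or Parent")
    if "gender" in record and record["respondent_type"] != "Student":
        raise SchemaViolation("gender is collected on student forms only")
    ratings = record["ratings"]
    if not ratings or not all(isinstance(v, (int, float)) and 1 <= v <= 5
                              for v in ratings.values()):
        raise SchemaViolation("ratings must be numeric values in 1..5")
    return record


def is_schema_compliant(record):
    """Boolean form of validate_record for callers that only need a verdict."""
    try:
        validate_record(record)
        return True
    except SchemaViolation:
        return False


def aggregate(records, group_by, min_cohort=MIN_COHORT):
    """Group validated records by the given fields and return only per-dimension
    mean ratings. Cells smaller than min_cohort are suppressed entirely: no
    score and no exact count, so a small cell cannot be tied to a respondent."""
    groups = defaultdict(list)
    for rec in records:
        validate_record(rec)
        key = tuple(rec.get(field) for field in group_by)
        groups[key].append(rec["ratings"])
    report = {}
    for key, cohort in groups.items():
        if len(cohort) < min_cohort:
            report[key] = {"suppressed": True}
            continue
        dims = sorted({d for r in cohort for d in r})
        report[key] = {
            "suppressed": False,
            "n": len(cohort),
            "scores": {d: round(mean(r[d] for r in cohort if d in r), 2) for d in dims},
        }
    return report


def _rec(school, rtype, safety, teaching, gender=None):
    """Build a constructed sample record (not real CatalystBox data)."""
    rec = {"school_code": school, "academic_year": 2024, "respondent_type": rtype,
           "ratings": {"safety": safety, "teaching": teaching}}
    if gender:
        rec["gender"] = gender
    return rec


# Constructed sample: six students (three per gender) and two teachers at S001.
SAMPLE_RECORDS = [
    _rec("S001", "Student", 4, 5, "F"), _rec("S001", "Student", 3, 4, "F"),
    _rec("S001", "Student", 5, 5, "F"), _rec("S001", "Student", 4, 4, "M"),
    _rec("S001", "Student", 2, 3, "M"), _rec("S001", "Student", 3, 3, "M"),
    _rec("S001", "Teacher", 4, 4), _rec("S001", "Teacher", 5, 5),
]

BY_SEGMENT = ("school_code", "academic_year", "respondent_type")
BY_GENDER = BY_SEGMENT + ("gender",)

if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_RECORDS, BY_SEGMENT).items():
        print(key, row)
    for key, row in aggregate(SAMPLE_RECORDS, BY_GENDER).items():
        print(key, row)
    print("rejected:", not is_schema_compliant({**SAMPLE_RECORDS[0], "name": "A. Student"}))
```

With these sample records the student segment at S001 (six responses) is released with mean scores, while the teacher segment (two responses) and every gender cell (three responses each) come back as suppressed. Suppressed cells deliberately omit the count: reporting "2 teachers responded" alongside a released student score would already narrow a cell to identifiable people, which is exactly what the threshold is meant to prevent.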
Data Involving Minors
A significant proportion of CatalystBox respondents are students below the age of 18. The DPDP Act 2023 establishes specific protections for children's data. Our architecture applies additional protections beyond the legal minimum.
Because we collect no personal identifiers from any respondent, we do not hold personal data about children in the conventional sense. We treat the DPDP Act 2023's standards for children's data as a floor — not a ceiling — across all student-facing collection.
We do not build individual profiles from student responses. We do not use student data for advertising, recommendations, or targeting of any kind. Data derived from student responses will never be sold or commercially transferred in any form. This restriction is permanent and not subject to charter revision.
QR codes are distributed by schools — we have no direct contact with students outside the anonymous feedback form. Schools are responsible for communicating the voluntary and anonymous nature of participation, and for applying any child safety policies required by their own institutional rules.
Retention & Deletion
Individual response records
Retained for 24 months from the end of the academic year in which they were submitted. Deleted permanently at the end of this period. Cannot be restored once deleted.
Open text responses
Retained for 12 months from submission — a shorter period given the greater potential for inadvertent personal information in free text. AI-derived sentiment scores are retained separately as part of the school aggregate record.
School-level aggregate scores
Retained indefinitely to enable longitudinal benchmarking. These records contain no individual-level data.
Audit logs
Retained for 5 years for security review and regulatory compliance. Audit logs do not contain response content.
Respondent Rights
Because our system collects no personal identifiers, certain rights under the DPDP Act 2023 apply differently than in systems that hold named records.
Right to access & correction
We cannot retrieve or correct a specific individual's response because the record carries no identity. This is a deliberate design choice, not a reflection of unwillingness. All responses are deleted automatically per our retention schedule.
Right to erasure
Respondents who wish to confirm that responses from a specific school and period have been deleted may request written confirmation of our retention schedule compliance at support@fresheyefoundation.com.
Right to object
Participation is entirely voluntary. A respondent who does not wish to submit feedback simply does not submit the form. Non-participation has no consequence.
Right to grievance redressal
Any concern may be raised at support@fresheyefoundation.com. We respond within 10 business days and resolve within 30 days or provide a reasoned update.
Oversight & Review
Independent Advisory Board
Fresh Eye Foundation maintains an Independent Advisory Board comprising educators, psychologists, data privacy specialists, and child safety experts. The Board reviews data governance practices annually. Its recommendations on privacy protection are binding.
Charter revision
This charter is reviewed annually. Material changes — any change that reduces privacy protections for respondents — require a minimum 30-day public notice period before taking effect. Non-material changes may be made without notice. All versions are maintained in a public version history.
Security incidents
In the event of a security incident, we will contain it within 24 hours; assess scope within 72 hours; notify affected institutional partners within 72 hours; notify the relevant data protection authority as required under the DPDP Act 2023; and publish a public incident summary within 30 days. Given our anonymised architecture, a breach cannot expose personal information — the data does not contain any.
Contact
Questions about this charter or specific data practices:
Fresh Eye Foundation — Data Governance
support@fresheyefoundation.com
We respond to all governance-related queries within 10 business days. For urgent security matters, mark your subject line URGENT: Data Security.