Fresh Eye Foundation · Legal

Privacy Policy

This policy describes how Fresh Eye Foundation and its instruments handle the data of everyone who interacts with them. Our foundational commitment is simple and absolute: we will never collect, store, or use personal information that could identify you.

Version
1.0
Effective Date
2026
Governing Legislation
DPDP Act 2023 · IT Act 2000
Applies To
fresheyefoundation.com · catalystbox.in · All FEF instruments
Plain Language Summary

The three things that matter most

We never know who you are
Our feedback forms do not ask for your name, email, or phone number. There is no account, no login. When you submit, all we know is which school it came from and whether you are a student, teacher, or parent. That is the complete extent of what we hold about you as an individual.
Your response becomes a school score, not a record about you
Your individual response is one input to a school-level calculation. What schools, boards, and everyone else sees is a score — not your specific answer. There is no way for a teacher, principal, or board administrator to find out what you said.
We will never sell your data
Fresh Eye Foundation does not sell, licence, or commercially transfer any data collected through our feedback instruments. Our revenue comes from institutional subscriptions, research partnerships, and CSR funding — not from selling the responses of students, teachers, or parents.
Section 01

Who We Are

Fresh Eye Foundation is a civic intelligence organisation registered as a One Person Company under the Companies Act of India, headquartered in Uttar Pradesh. We build anonymous, AI-powered data intelligence infrastructure for India's public systems. Our first instrument is CatalystBox (catalystbox.in) — a national education feedback and intelligence platform.

For the purposes of the Digital Personal Data Protection Act 2023, Fresh Eye Foundation is the Data Fiduciary for all data collected through its instruments and platforms. Privacy contact: support@fresheyefoundation.com.

Section 02

Scope

This Privacy Policy applies to: the Fresh Eye Foundation website at fresheyefoundation.com, the CatalystBox platform at catalystbox.in, all anonymous feedback forms deployed by CatalystBox to schools, and any future instruments or platforms operated by Fresh Eye Foundation.

It governs three distinct groups: feedback respondents (students, teachers, parents who submit feedback), website visitors (anyone browsing our sites), and dashboard users (school administrators and board officials who access the analytics platform). Each is addressed separately below.

Section 03

Feedback Respondent Data

This is the most sensitive category of data we handle — and by design, the least identifying.

We have built our system so that knowing who submitted a response is architecturally impossible — not difficult, not controlled by policy. Impossible.

What we collect

  • School identifier code — pre-filled in the form URL. Identifies the institution, not you.
  • Academic year — pre-filled. Used for year-on-year trend analysis.
  • Respondent type — student, teacher, or parent. A category, not an identity.
  • Scaled survey responses — numeric ratings for school quality questions.
  • Open text response — optional. Processed only for sentiment analysis. Never shared externally. We ask you not to include personal names in this field.
  • Gender — student forms only, collected in aggregate for the girl student experience metric. Not used for identification.
  • Submission timestamp — server-generated. Used for fraud detection at school level.

What we never collect

Name, email address, phone number, device identifier or fingerprint, IP address (not stored), GPS location, biometric data, social media profile, caste or religion. These fields do not exist in our forms. They cannot be submitted.

Legal basis

Processing is based on the voluntary consent of the respondent (by submitting the form) and on the legitimate interests of Fresh Eye Foundation in generating school quality intelligence for institutional use. Because we collect no personal identifiers, most of what we hold does not constitute "personal data" under the DPDP Act 2023 in the conventional sense. We nonetheless apply the Act's standards as a matter of policy.

Section 04

Website Visitor Data

When you visit our websites, standard hosting infrastructure processes your IP address transiently to serve the page. We do not store it. We do not log it.

Fresh Eye Foundation does not use Google Analytics, Meta Pixel, or any third-party behavioural tracking on our sites. We do not track browsing behaviour across sessions or across sites. Our websites are static pages — they set no persistent cookies and communicate with no data collection services when you visit.

Section 05

Dashboard User Data

School administrators and board officials who access the CatalystBox analytics dashboard have accounts in our system. For these users we hold: email address (for authentication), assigned role, affiliated institution, and account timestamps.

This data is used solely for providing authenticated access to the platform. It is not used for marketing or profiling. Dashboard accounts can be deleted at any time by writing to support@fresheyefoundation.com. Accounts inactive for 12 months are deleted automatically.

Section 06

Cookies & Tracking

Our websites

No cookies. No tracking scripts. No analytics. Visiting fresheyefoundation.com or catalystbox.in leaves no traceable record with us.

Feedback forms

Our feedback forms are delivered via a third-party form provider which may set functional cookies as part of their infrastructure. Those cookies are governed by the provider's own privacy policy. We do not read or process them.

Dashboard application

The dashboard uses a session token to maintain your authenticated session. This token expires automatically and is used for no purpose other than keeping you logged in.

No advertising cookies. Ever.

Fresh Eye Foundation does not run advertising campaigns and uses no advertising or remarketing technology anywhere on our properties. This is a permanent commitment.

Section 07

How We Use Data

Feedback response data

  • Scoring: Compute school quality dimension scores and the composite benchmark index.
  • Sentiment analysis: Extract qualitative signals from open text to detect patterns.
  • Benchmarking: Aggregate school scores into city, district, state, and national comparisons.
  • Research: Provide anonymised, aggregated datasets to research partners (no individual response data).
  • Fraud prevention: Detect and remove anomalous or duplicate submissions at school level.

Website and dashboard data

  • Page delivery: IP addresses processed transiently by hosting infrastructure to serve pages. Not stored by us.
  • Authentication: Dashboard account details used to verify identity and authorise access only.

We do not use any data for advertising, marketing, profiling, or the training of AI models. We do not sell data. We do not use data for any purpose not described above.

Section 08

Sharing & Disclosure

We share data only in the following circumstances:

  • With schools: Their own aggregate metrics only. No individual responses, no other schools' data.
  • With education boards: Affiliated school aggregates. No individual responses.
  • With infrastructure providers: Third-party services that power our technical operations process data as necessary to run those services. Each operates under its own privacy policy and our data processing agreements.
  • With research partners: Anonymised, aggregated datasets under signed Data Sharing Agreements with explicit anonymisation requirements and minimum cohort size thresholds.
  • Under legal compulsion: Only when required by a valid, binding legal order from a competent Indian authority. We will notify affected parties to the extent we are legally permitted to do so.

We never share individual response data, school scores with unaffiliated parties, or any data with advertisers or commercial data brokers under any circumstances.

Section 09

Children's Privacy

Many CatalystBox respondents are students below the age of 18. The DPDP Act 2023 establishes specific protections for children's personal data. Our architecture goes further than the legal minimum.

Because we collect no personal identifiers from any respondent, we do not — in practice — hold personal data about children. A numeric survey rating submitted without any name or identifier cannot be linked to a specific person. We nonetheless apply the following specific safeguards:

  • No behavioural profiling of any kind from student response data
  • No advertising, targeting, or recommendations using student data
  • No sale or commercial transfer of any data derived from student responses — in any form, ever
  • Open text responses from student forms are deleted after 12 months — shorter than numeric responses
  • Schools that deploy our QR codes are responsible for communicating the voluntary and anonymous nature of participation to students
  • Our Independent Advisory Board includes child safety specialists who review our data practices annually
For parents and guardians

If you have concerns about data from a student at your child's school, write to support@fresheyefoundation.com. Because we hold no identifying information about students, we cannot retrieve a specific student's response — but we can confirm our practices in writing and provide assurance of deletion per our retention schedule.

Section 10

Your Rights

Under the DPDP Act 2023, you have rights with respect to your personal data. Here is how those rights apply given our anonymised architecture.

Right to Access

For feedback respondents: we hold no identifying information, so there is no "your" record to provide. For dashboard users: contact us to receive a copy of your account data.

Right to Correction

For feedback respondents: we cannot identify which response is yours. For dashboard users: contact us to update your account details.

Right to Erasure

All response data is deleted per our retention schedule. Dashboard users may request account deletion at any time. Deletion occurs within 30 days of request.

Right to Withdraw Consent

Participation is voluntary. Simply do not submit a form. Dashboard users may close their account at any time.

Right to Grievance Redressal

Raise any concern at support@fresheyefoundation.com. We respond within 10 business days and resolve within 30 days.

Right to Escalate

If unsatisfied with our response, you have the right to escalate to the Data Protection Board of India once established under the DPDP Act 2023 framework.

Section 11

Security

We implement technical and organisational security measures appropriate to the data we hold: encryption in transit (TLS/HTTPS), encryption at rest, role-based access controls with least-privilege principles, and audit logging.

The single most effective security measure is architectural — a breach of our response data cannot expose personal information because the database contains none. The primary security risk in a breach would be to school-level aggregate metrics, which are not personal data.

In the event of a security incident, we follow the incident response procedure in our Data Governance Charter — notification of affected parties within 72 hours, public disclosure within 30 days.

Section 12

Changes to This Policy

Material changes — any change that reduces privacy protections or alters how we use data in ways that affect respondents — will be published with a minimum 30-day notice period before taking effect.

Non-material changes — clarifications, corrections, additions for new instruments operating on the same data model — may be made without notice.

The most current version is always at fresheyefoundation.com/privacy.

Section 13

Contact

Fresh Eye Foundation
Uttar Pradesh, India
support@fresheyefoundation.com

We acknowledge all privacy communications within 3 business days and provide a substantive response within 10. For matters requiring investigation, we resolve or update within 30 days.

For technical data architecture details, see our Data Governance Charter.