How EdTech Companies Handle Student Data in India

So my neighbor's daughter -- she's eleven -- came home from school last year and asked her mom why she was getting Instagram ads for JEE coaching classes. She hadn't searched for anything related to JEE. She's in Class 6. But she'd been using a popular EdTech app for her science homework, and somewhere in the pipeline between her tapping on a biology video and the ad network deciding what to show her, a connection was made. An eleven-year-old was profiled, categorized as a "potential coaching customer," and served targeted advertising based on her learning behavior.

That story stuck with me. Not because it's unusual -- it's probably happening to millions of kids right now -- but because her mother had no idea it was even possible. She'd downloaded the app because a teacher recommended it. The signup took about ninety seconds. Nobody mentioned data collection, tracking, or ad targeting. There was a terms of service checkbox, sure. Nobody read it. Nobody ever reads it.

I want to talk about what's actually happening with student data in India's EdTech industry, because the gap between what parents think is happening and what's really going on is genuinely alarming.

What They Collect, How Much of It, and Why It's More Than You'd Guess

Let's start with the basics. When a student signs up on platforms like BYJU'S, Unacademy, Vedantu, WhiteHat Jr, Physics Wallah, or Toppr, the registration form typically asks for a name, age or class, email, phone number, and sometimes a parent's phone number. That's the visible layer. Underneath it, the data collection runs much deeper.

These apps track learning behavior in granular detail. Which subjects a student studies. How long they spend on each topic. Which videos they watch and how far they get before dropping off. Their quiz scores, including which specific questions they got wrong and how many attempts they made. How often they open the app. What time of day they study. Which features they use and which they ignore. On apps with live classes, the camera and microphone might be active during sessions, and some platforms record these sessions for "quality improvement."

Then there's device-level data. Most EdTech apps collect your device model, operating system, screen resolution, IP address (which reveals approximate location), and a unique device identifier. Many request permissions for contacts, storage, camera, microphone, and location. A 2024 analysis by the Internet Freedom Foundation found that several major Indian EdTech apps requested permissions that had no obvious connection to education -- things like access to the phone's call log or the list of other installed apps.

Why collect all this? The official answer is "to personalize the learning experience." The real answer, or at least the fuller one, is that this data has multiple uses: improving the product (yes, genuinely), but also training recommendation algorithms, building student profiles for targeted upselling, sharing insights with advertising partners, and in some cases, selling or licensing aggregated data to third parties. An EdTech company sitting on behavioral data from 50 million students has something seriously valuable -- not just an education tool, but an advertising platform with a captive audience of children and parents who trust it.

BYJU'S, at its peak, claimed over 150 million registered users. That's a staggering data pool. Unacademy had around 60-70 million registered learners. Physics Wallah, which grew explosively after 2022, built its user base largely from Tier 2 and Tier 3 cities where digital literacy around data privacy tends to be lower. These aren't small datasets we're talking about. They're population-scale repositories of children's educational behavior, stored on private company servers with varying levels of security.

Children's Data, Consent, and the Gap Between Law and Practice

The Digital Personal Data Protection Act, 2023 has specific provisions for children's data. Section 9 requires "verifiable consent of the parent or lawful guardian" before processing the personal data of anyone under 18. It prohibits tracking, behavioral monitoring, and targeted advertising directed at children. Companies can't do anything that's "likely to cause any detrimental effect on the well-being of a child." On paper, this is among the stricter child data protection frameworks globally.

In practice? The enforcement machinery barely exists yet. The Data Protection Board of India was still getting its legs under it in early 2026. No major penalty has been imposed on an EdTech company for child data violations. The rules about what "verifiable parental consent" actually means in practice haven't been fully fleshed out.

What does signup look like on most EdTech apps today? A student enters a phone number, receives an OTP, and they're in. Some apps ask for the student's age or class. Very few have any mechanism to verify that a parent actually consented. There's no ID verification, no Aadhaar-linked parental check, no callback to a parent's registered number. The consent is a checkbox that says "I agree to the Terms of Service and Privacy Policy" -- and the person checking it is often the 12-year-old student themselves, using their parent's phone.

I read through the privacy policies of five major EdTech apps in January 2026. Two of them mentioned DPDPA compliance in vague terms. One had a dedicated section on children's data that was clearly copied from a template (it referenced "COPPA," the American law, not the Indian one). Two didn't mention children's data protections at all, despite their user base being overwhelmingly minors. The average privacy policy was over 4,000 words of dense legal text. I'd guess fewer than 1% of parents have read any of them.

There's a structural problem here that goes beyond any single company. EdTech businesses are built on engagement metrics. The longer a student stays on the app, the more data the platform collects, the better it can personalize (and monetize), and the higher its valuation goes. Every aspect of the product -- the gamification, the streaks, the leaderboards, the push notifications reminding kids to "continue your learning journey" -- is designed to maximize time on app. That's the same playbook social media companies use. But here it's being applied to children, in the name of education, with less regulatory scrutiny than Instagram or YouTube receive.

WhiteHat Jr provides a particularly interesting case study. The platform, acquired by BYJU'S in 2020 for $300 million, taught coding to children as young as six. It collected detailed information about children's coding projects, video recordings of live classes, parent contact details, and school information. When parents tried to raise concerns about data practices, some reported aggressive sales follow-ups using the data they'd provided during signup. A few parents posted about receiving calls from sales representatives who referenced their child's specific performance data during the pitch -- "your child showed promise in the trial class, you should enroll in the full course." Whether or not that crossed a legal line, it crossed a line of trust.

The data sharing dimension deserves its own discussion. EdTech apps, like most apps, embed third-party SDKs (software development kits) for analytics, advertising, and attribution tracking. Each SDK is a separate company receiving data about your child. A 2023 study by a privacy research group found that popular Indian EdTech apps contained between 8 and 25 third-party trackers each. These included advertising networks like Google's AdMob and Facebook Audience Network, analytics tools like CleverTap and MoEngage, and attribution services like Adjust and AppsFlyer. When a child opens a math lesson, data about that interaction flows not just to the EdTech company but potentially to a dozen other companies across the globe. Some of those data flows go to servers outside India, raising questions about cross-border data transfer under the DPDPA.

Student profiling is the quiet concern that doesn't get enough attention. When a platform knows that a student struggles with algebra but excels in geometry, watches biology videos longer than chemistry ones, studies mostly between 9 PM and midnight, and tends to drop off after 40 minutes, it has built a behavioral profile. Right now, that profile is used to recommend content and sell premium courses. But what happens to it in five or ten years? Could an employer access it? Could an insurance company? Could a college admissions process? There are no clear rules about how long EdTech companies can retain student data or what they can do with it once the student stops using the platform. Most companies retain data indefinitely -- it costs nearly nothing to store, and it might be valuable someday. The DPDPA says data should be erased once its purpose is fulfilled. The "purpose" is defined so broadly in most privacy policies that it might never technically be "fulfilled."

What can parents actually do? Start by checking which EdTech apps your child uses and what permissions those apps have on their device. Go to Settings > Apps on their phone and review permissions for each app. Does a math tutoring app really need access to the camera when there's no live class in session? Does it need location data? Contacts? Revoke anything that doesn't make sense.

During registration, provide the minimum information required. If a field is optional, leave it blank. Use an email address that isn't linked to other accounts. If the app asks for a school name, consider whether that's actually needed for the service to work (it usually isn't -- it's collected for demographic profiling).

Have a conversation with your child about data. Not the scary "the internet is dangerous" talk, but a practical one. Explain that when they use an app for free, they're paying with their information. Show them the permissions the app has. Ask them if they think a homework app needs to know their location. Kids are surprisingly good at spotting when something seems off, if you give them the framework to think about it.

When you stop using an EdTech platform, don't just uninstall the app. Log in, go to settings, and look for a "delete account" or "erase data" option. If one doesn't exist, email their support team and formally request deletion of your child's data under Section 12 of the DPDPA. Keep a copy of the request. If they don't comply within a reasonable timeframe, you'll have grounds to file a complaint with the Data Protection Board once it's fully operational.

There's another angle that most coverage of this topic misses: the sales funnel. EdTech companies don't just collect data to improve products or serve ads. They use it to build aggressive sales pipelines. If your child takes a free trial class on BYJU'S or Unacademy, your phone number enters a CRM system that triggers a sequence of follow-up calls from sales counselors. Parents have reported receiving ten to fifteen calls within days of signing up for a free demo. The sales pitch often uses information from the trial itself -- "your daughter seemed really engaged with the physics module, she'd benefit from the full course." That level of personalization is only possible because they tracked exactly what happened during the trial session, minute by minute.

Some of the sales practices have crossed into outright pressure tactics. News reports from 2023 and 2024 documented cases where BYJU'S sales representatives visited homes unannounced, persuaded parents to sign up for loans to cover course fees, and used children's performance data as ammunition -- "your son is falling behind in math, this course will fix that." The emotional weight of a parent's anxiety about their child's academic performance, combined with detailed performance data, creates a potent and sometimes manipulative sales environment. When BYJU'S entered financial crisis in 2024, former employees described sales targets that incentivized exactly this kind of behavior.

The camera and microphone access question is particularly sensitive. Live tutoring platforms like Vedantu, WhiteHat Jr, and BYJU'S (for certain courses) require camera and mic access during sessions. That's understandable -- the tutor needs to see and hear the student. But what happens to the recorded sessions? Are they stored? For how long? Who can access them? Most platforms say recordings are used for "quality assurance" and "training purposes." Some retain them indefinitely as part of the student's learning record. A recorded video of a minor, in their home, showing their room and personal space, stored on a company server with uncertain security practices -- that should concern any parent. And yet, because the recording is framed as educational, it slips under the radar in a way that a social media livestream wouldn't.

Location data collection might seem benign -- why would a tutoring app care where a student is? -- but it serves multiple purposes. It allows the company to geo-target marketing campaigns ("new coaching center opening near you"), segment users by city tier for pricing strategies, and in some cases, identify which schools a student attends based on location patterns during school hours. A child who opens the app every day from the same GPS coordinates between 8 AM and 2 PM is probably at school. Cross-reference that with the school's known location, and the company has identified the school without the student ever typing the name in a form. This kind of inference-based profiling is technically permitted under most privacy policies, because they typically say something like "we may derive additional information from the data you provide." And it doesn't stop at location. Usage timestamps reveal sleep patterns -- a student consistently studying past midnight suggests either dedication or parental absence, both of which are marketable insights. Device data reveals the family's economic bracket. The combination of all these signals creates a profile that's far more detailed than what the student or parent ever consciously shared.

The regulatory picture is slowly changing, though "slowly" is the operative word. The Ministry of Education issued advisory guidelines for EdTech companies in late 2024, recommending transparency in data practices, restrictions on targeted advertising to students, and clearer consent mechanisms. But these were advisory, not mandatory. The National Commission for Protection of Child Rights (NCPCR) has also flagged concerns about children's data in EdTech, and in early 2025, it sent notices to several platforms asking for details about their data collection practices. Responses were mixed -- some companies engaged constructively, others sent boilerplate legal responses that didn't address the specific questions asked.

Internationally, India's approach lags behind the EU, where the GDPR's age verification requirements are enforced with actual fines, and behind the U.S., where the FTC has levied penalties of over $100 million against EdTech companies for COPPA violations. In India, we have stronger law on paper (the DPDPA's blanket prohibition on tracking and behavioral monitoring of children) but weaker enforcement in reality. That gap is where the problems live.

Here's the question I keep coming back to, and it doesn't have a clean answer yet: at what point does data-driven education become data-driven surveillance of children? The line is blurry, and it's getting blurrier as the technology improves. The kids logging into these apps right now will be adults in a decade, and the digital profiles built from their childhood learning behaviors will follow them. Whether that turns out to be benign or harmful depends on decisions being made right now -- by companies, by regulators, and yes, by parents who are willing to ask uncomfortable questions about what happens when their child taps "Start Lesson."