Privacy Policy | 9DXR Labs

9DXR LABS

Product: 9DXR LABS — Immersive VR-based education platform

Operating Company: Drishta Technology Private Limited

Registered Office: B-5 303, PALM GROVE HEIGHTS ARDEE CITY SECTOR 52, GURGAON, Gurgaon, Haryana, India, 122002

Website: https://9dxrlabs.com

Primary Contact Email: info@9dxrlabs.com

Last Updated: 12 June 2026

Version: 2.0

Policy Owner: Grievance Officer, Drishta Technology Private Limited

1. About This Policy

Drishta Technology Private Limited ("Drishta Technology", "we", "us", or "our") operates 9DXR LABS, an immersive Virtual Reality (VR) educational platform designed for school and institutional classroom use, including teacher-led science, mathematics, and experiential learning sessions for students from Class 6 to Class 12 in alignment with the NCERT curriculum.

9DXR LABS is built around a privacy-by-default and privacy-by-design philosophy. This Privacy Policy explains:

What personal data the 9DXR LABS product does and does not collect during normal classroom use;
How limited non-personal, technical, and operational data may be handled to support classrooms;
How privacy is protected by default for students, including children;
How any business contact data submitted by schools, teachers, parents, or partners is handled;
How users, schools, parents, and guardians can exercise their rights and contact us.

This Policy applies to the 9DXR LABS application, content modules, AI mentor ("Medha"), associated VR experiences, the 9dxrlabs.com website, and related communication channels (email, demo requests, support, training, and institutional engagement).

This Policy is published with the goal of meeting the data privacy and safety expectations of UNICEF's EdTech for Good Framework, the UNICEF Learning Cabinet, the European Union General Data Protection Regulation (GDPR), the United States Children's Online Privacy Protection Act (COPPA), India's Digital Personal Data Protection Act, 2023 (DPDP Act), and the principles set out in the UN Convention on the Rights of the Child, including General Comment No. 25 on children's rights in relation to the digital environment.

2. Definitions

For the purposes of this Policy:

"Personal Data" means any information relating to an identified or identifiable individual, such as a name, email address, phone number, photograph, voice recording, government ID, biometric identifier, or precise location.
"Sensitive Personal Data" includes data relating to children, health, biometrics, financial information, and other categories treated as sensitive under applicable law.
"Student" means any learner using 9DXR LABS in a classroom or institutional setting, including children.
"Child" means a person below the age of 18 in India (per the DPDP Act), below the age of 13 in the United States (per COPPA), and below the age of 16 in the European Union (or such lower age set by an EU member state, not below 13, per the GDPR).
"School" means any educational institution, government department, non-governmental organisation, or training body deploying 9DXR LABS.
"Teacher" means an educator or facilitator running a 9DXR LABS classroom session.
"Parent" or "Guardian" means a legal parent or guardian of a Child.
"Data Controller" means the entity that determines the purposes and means of processing Personal Data.
"Data Processor" means the entity that processes Personal Data on behalf of a Data Controller.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Non-Personal Data" means data that does not identify an individual, including aggregated, anonymised, technical, and diagnostic information.
"VR Device" means head-mounted virtual reality hardware such as Meta Quest, PICO, or other compatible devices on which 9DXR LABS operates.
"AI Mentor" or "Medha" means the in-experience virtual character providing guided learning, hints, and feedback within 9DXR LABS modules.

3. Our Privacy Principles

9DXR LABS is designed and operated according to the following core privacy principles, which are implemented across the product, content pipeline, and business operations:

Privacy by Default. Students do not need to create accounts or provide any personal information to use 9DXR LABS in a classroom session.
Privacy by Design. The product, content, and infrastructure are architected so that no student personal data is required, collected, transmitted, or stored during normal classroom use.
Data Minimisation. We collect only the minimum data strictly necessary for a specific, legitimate purpose.
Purpose Limitation. Data is used only for the purpose for which it was collected, and not for any incompatible secondary purpose.
Transparency. We clearly explain what data is and is not handled, in plain language accessible to schools, teachers, and parents.
Security. Reasonable technical and organisational safeguards protect any data that is handled.
Accountability. We document our practices, review them regularly, and provide accessible channels for questions, complaints, and rights requests.
No Commercial Profiling of Children. We do not sell, rent, share, or commercially exploit any student or child data.
Offline-First Operation. 9DXR LABS is engineered to operate offline in classrooms, which structurally reduces the surface area for any data collection or transmission.

4. Roles and Responsibilities

For the purposes of data protection law, the following roles generally apply:

Drishta Technology Private Limited is the Data Controller for any business contact data submitted to us directly (for example, demo requests, support enquiries, or institutional communications), and for limited non-personal technical data used to operate and improve 9DXR LABS.
Schools and Institutions remain the Data Controllers for any student or staff information that they generate or hold within their own systems. 9DXR LABS does not require, collect, or store such data on their behalf during normal classroom use.
Third-Party Hardware and Platform Providers (such as VR device manufacturers, operating systems, app stores, and device management providers) act as independent Data Controllers for any device-level or account-level data they collect under their own privacy policies, outside the scope of this Policy.

5. Data We Do Not Collect from Students

During normal classroom use of 9DXR LABS, we do not require, collect, store, transmit, sell, share, or process any of the following from students:

Student name, parent name, or guardian name
Email address or phone number
Date of birth, age, or gender
School roll number, registration number, or government ID number
Home address or precise location
Photographs of students
Voice recordings or video recordings of students
Biometric identifiers (fingerprint, iris, face recognition data, etc.)
Financial or payment information
Health, medical, or disability information
Login credentials, passwords, or social media identifiers
Browsing history, search history, or third-party app usage
Personally identifiable learning performance records
Communications between students or between students and external persons

Students do not create individual accounts in 9DXR LABS. Teachers are not required to enter student personal information into the product to operate a classroom session. The product does not generate, hold, or export student profiles.

6. Non-Personal and Technical Data We May Handle

9DXR LABS may generate or handle limited non-personal, technical, and aggregated data for product operation, support, troubleshooting, content quality, and stability. This data is not used to identify any individual student, teacher, or classroom user.

7. Website, Demo, and Business Contact Data

The 9DXR LABS product does not collect personal data during normal classroom usage. However, when a school, teacher, administrator, parent, partner, investor, or visitor contacts us through our website, email, phone, demo form, training request, support request, or institutional engagement, we may receive limited business contact information from the requester, including:

Name of the requester
Designation or role
School, organization, or institution name
Official email address
Phone number
City, state, and country
Enquiry, message, or proposal content provided by the requester

This data is used only for the following purposes:

Responding to enquiries
Scheduling and conducting product demonstrations
Providing institutional support and training
Coordinating pilots, deployments, and rollouts

Business contact data is processed separately from any classroom product activity. It is not used for student advertising, student profiling, or any consumer marketing program. We do not sell, rent, or license this data.

8. How We Use Data

Any data handled by 9DXR LABS — whether non-personal technical data or business contact data — is used solely for:

Operating the VR learning experience for schools
Supporting teachers, schools, and institutions during classroom deployment
Troubleshooting technical, content, or device-related issues
Monitoring application stability and content reliability
Improving content quality, pedagogical effectiveness, and product reliability
Planning software or content updates
Understanding general usage trends in aggregate
Providing ongoing maintenance, support, and training

We do not use any data to identify individual students, build student profiles, target students with advertising, or share student information with advertisers, brokers, or any third party outside the lawful purposes set out in this Policy.

9. Legal Bases for Processing

Where data protection law requires a specified lawful basis (for example, under the GDPR or the India DPDP Act), 9DXR LABS relies on the following bases for the limited categories of data it handles:

Student personal data: Not collected and therefore not applicable. No processing of student personal data takes place.
Non-personal technical and diagnostic data: Used to operate, secure, support, and improve the product. The legal basis is the legitimate interests of the operator and the school, as well as necessity for providing the service.
Business contact data: Used to respond to enquiries, provide demonstrations, manage institutional relationships, and fulfil contractual obligations. The legal basis is performance of a contract, steps requested before entering into a contract, and the legitimate interests of the organisation.
Website analytics (aggregated): Used to understand how the website is used and to improve its content and functionality. The legal basis is consent where required by law and the legitimate interests of the organisation.
Legal, tax, and audit records: Maintained to comply with legal, tax, contractual, and audit requirements. The legal basis is compliance with legal obligations.

10. Security Measures

Even though 9DXR LABS does not collect personal student data during normal classroom use, we implement reasonable technical and organisational security measures to protect the broader product environment, business contact data, and supporting systems. These measures include, where applicable:

Encryption in Transit. Communications between the 9DXR LABS website, business systems, and supporting cloud services use HTTPS / TLS encryption.
Encryption at Rest. Business contact data and operational records stored in our managed systems use industry-standard encryption at rest on supported cloud platforms.
Access Controls. Access to internal systems is restricted on a role-based, need-to-know basis, with named accounts, strong authentication, and revocation on role change or exit.
Device Configuration Controls. Classroom VR devices are deployed in a controlled kiosk or managed mode to prevent unintended account creation, browsing, or app installation by students.
Content Update Controls. Application and content updates are issued through controlled channels, and integrity is verified prior to deployment.
Source Code and IP Controls. Source code is held in controlled repositories with audit logs, role-based access, and standard secure-development practices.
Vendor Due Diligence. Sub processors and vendors are reviewed for security and data protection posture, with contractual data protection commitments.
Staff Confidentiality and Training. Personnel with access to any data are subject to confidentiality obligations and receive periodic awareness training on data protection and safe handling.
Data Minimization. We retain the minimum data necessary for the relevant purpose, and delete or anonymize data when no longer required.
Logging and Monitoring. Operational systems are monitored for stability and abnormal activity, consistent with the limited data they handle.

No system can be guaranteed to be completely secure, but we take reasonable, ongoing, and proportionate steps to protect systems and data against unauthorized access, misuse, alteration, or loss.

11. Data Breach Response and Notification

If we become aware of a security incident affecting any personal data or business contact data handled by 9DXR LABS, we will:

Investigate the incident promptly to determine its scope, cause, and impact;
Contain the incident and take reasonable steps to limit its effect;
Where the incident is likely to result in a risk to the rights or freedoms of affected individuals, notify the relevant supervisory authority within the timeframes required by applicable law (for example, without undue delay and, where feasible, within 72 hours under the GDPR);
Notify affected schools, institutions, or authorised contacts where required, in plain language and with practical guidance;
Support affected institutions in taking appropriate action;
Conduct a post-incident review and strengthen safeguards to reduce the likelihood of recurrence.

Because 9DXR LABS does not collect student personal data during normal classroom use, the scope of any conceivable incident affecting student data is structurally limited.

12. Cross-Border Data Transfers

9DXR LABS is operated from India, and the core classroom product does not require transfer of student personal data across borders.

Where any business contact data or technical support information is processed by sub processors located outside India (for example, cloud hosting, email, or CRM providers), such transfers are protected through one or more of the following safeguards:

Use of providers with recognized data protection certifications and security standards;
Contractual data protection commitments with sub processors, including confidentiality, security, and lawful processing obligations;
Where applicable, reliance on lawful cross-border transfer mechanisms recognized under the GDPR (such as Standard Contractual Clauses or adequacy decisions) and the India DPDP Act;
Data minimization, so that only the data strictly necessary for the relevant operational purpose is transferred.

13. Children's Privacy: Special Protections

9DXR LABS is designed for safe educational use by students, including children. Because the product does not collect personal data from students during normal classroom use, the following statements apply by design and not merely by policy:

Student profiles are not created.
Student personal data is not stored on our systems.
Student personal data is not sold, rented, licensed, or shared with advertisers.
Student data is not used for advertising, behavioural targeting, or commercial profiling.
Students are not asked to communicate with strangers or with other users through public chats or social features in the product.
Students are not asked to make in-app purchases.
Students cannot, by design, create personal accounts within the 9DXR LABS classroom experience.

Specifically with respect to the major child-protection frameworks:

COPPA (United States) — Children Under 13: 9DXR LABS does not knowingly collect personal information from children under 13. If a school or parent believes that any personal information of a child under 13 has been inadvertently provided to us, they may contact us at info@9dxrlabs.com and we will take reasonable steps to delete it.
GDPR (European Union) — Children Under 16: Where the GDPR applies, 9DXR LABS does not condition use of the classroom product on any consent from a child, because the product does not collect personal data from children. Any information services that may in future apply to children would be subject to parental consent in accordance with Article 8 of the GDPR.
India DPDP Act, 2023 — Persons Under 18: Where the DPDP Act applies, processing of personal data of a child generally requires verifiable consent of a parent or lawful guardian. 9DXR LABS is engineered so that no such personal data of a child is processed during classroom use. We do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
UN Convention on the Rights of the Child (UNCRC) and General Comment No. 25: 9DXR LABS is designed in keeping with the principle that a child's best interests must be a primary consideration in the digital environment, including the rights to privacy, non-discrimination, freedom of expression, access to information, and protection from commercial exploitation.

14. Your Rights and How to Exercise Them

Because 9DXR LABS does not collect personal data from students during normal classroom use, most rights requests will apply only to business contact data or any information inadvertently submitted to us.

Subject to applicable law, individuals (including parents, guardians, teachers, school administrators, and business contacts) may request:

Right of Access. A copy of any personal data we hold about you.
Right to Rectification. Correction of inaccurate or incomplete personal data.
Right to Erasure. Deletion of personal data, subject to legal retention requirements.
Right to Restriction. Restriction of processing in defined circumstances.
Right to Object. Objection to processing based on legitimate interests.
Right to Data Portability. Receipt of personal data in a structured, commonly used, machine-readable format, where applicable.
Right to Withdraw Consent. Withdrawal of consent at any time, where processing is based on consent (without affecting the lawfulness of prior processing).
Right to Lodge a Complaint. The right to lodge a complaint with the competent data protection authority.

Requests may be submitted to info@9dxrlabs.com or to the Grievance Officer (see Section 24). We will respond within the timeframes required by applicable law, typically within thirty (30) days of receipt of a verifiable request. We may need to verify the requester's identity before acting on a request.

15. No Advertising, Profiling, or Automated Decision-Making

9DXR LABS does not, in any context:

Display advertising to students inside the VR learning experience;
Use student data for behavioral advertising or third-party marketing;
Sell, rent, share, or license student data for commercial purposes;
Build commercial profiles of students;
Engage in automated decision-making, including profiling, that produces legal or similarly significant effects on a student (within the meaning of Article 22 of the GDPR);
Use student data to train external generative AI models.

16. Data Retention

We retain data only for as long as necessary for the purpose for which it was collected, or as required by applicable law.

Student personal data: Not collected and therefore not retained.
Student profiles: Not created and therefore not retained.
Personal learning records of identified students: Not collected and therefore not retained.
Teacher personal data for normal classroom use: Not required by the product and not retained at the product layer.
Non-personal technical and diagnostic logs: Retained only for as long as necessary to operate, secure, and support the service, typically for up to 12 months, after which they are deleted.
Business contact data (schools, partners, and vendors): Retained for the duration of the relevant relationship or engagement and thereafter as necessary to meet legal, audit, contractual, or legitimate business requirements.
Records required for tax, accounting, or legal compliance: Retained for the periods required under applicable laws and regulations.
Crash and error logs: Retained for a limited period, typically up to 12 months, to support diagnostics, troubleshooting, and service improvement, and then deleted.
Website analytics data: Maintained in aggregated form. Retention periods are governed by the settings of the analytics provider and applicable cookie consent requirements.

17. Accessibility, Equity, and Inclusion

9DXR LABS is designed with the goal of widening, not narrowing, access to high-quality science and mathematics learning. The platform is being developed with attention to:

Operating offline, so that schools without reliable internet connectivity can still deliver immersive learning;
Multilingual content, so that students can learn in the language they understand best;
Teacher-led classroom mode, so that learners benefit from in-room guidance and are not isolated by the technology;
Hand-tracking interaction without controllers, reducing complexity for first-time learners;
Curriculum alignment with the NCERT framework, supporting government school deployment;
Privacy by default, which protects students who may not have the same legal or technical resources as students in better-resourced systems.

We welcome feedback from schools, teachers, parents, and partners on accessibility, equity, and inclusion improvements that would strengthen 9DXR LABS for all learners.

18. Offline-First as a Privacy Advantage

9DXR LABS is engineered to run primarily offline in the classroom. This is both a product design choice (to operate in schools with limited connectivity) and a structural privacy advantage. Practical implications:

Student interactions with learning modules do not require an internet connection.
There is no real-time transmission of student activity data to any cloud service during a classroom session.
Content and updates are downloaded onto devices during controlled sync windows, not continuously during student use.
The surface area for any inadvertent personal data exposure is structurally smaller than for cloud-streamed or always-online platforms.

19. Cookies and Website Analytics

The 9DXR LABS website (https://9dxrlabs.com) may use a limited number of cookies and similar technologies to ensure the site functions correctly and to understand how visitors use the site at an aggregate level.

Typical categories include:

Strictly Necessary Cookies. Required for basic site functionality.
Analytics Cookies. Used to understand site usage in aggregate (for example, page visits and traffic patterns), where permitted by applicable law and, where required, with the visitor's consent.

Visitors can manage cookies through their browser settings. Disabling certain cookies may affect site functionality. The website is not designed to be used by children for account creation or any data submission.

20. Grievance Officer and Contact

In accordance with the India Digital Personal Data Protection Act, 2023, and consistent with international good practice, Drishta Technology Private Limited has designated the following point of contact for privacy-related enquiries, rights requests, and grievances:

Name: Saurabh Singh
Designation: Grievance Officer
Company: Drishta Technology Private Limited (operating under the brand name 9DXR LABS)
Address: B-5 303, Palm Grove Heights, Ardee City, Sector 52, Gurgaon, Haryana 122002, India
Email: info@9dxrlabs.com

We will acknowledge and respond to verifiable requests and complaints as promptly as reasonably possible, typically within seven (7) days of receipt.

Individuals who are not satisfied with our response to a privacy concern may have the right to lodge a complaint with the competent data protection authority in their jurisdiction, including the Data Protection Board of India under the DPDP Act, or the relevant supervisory authority under the GDPR in the European Union.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes to the product, content, applicable law, regulatory guidance, operational practices, or to improve clarity.

If we make material changes, we will update the "Last Updated" date at the top of this document, increment the version number, and where appropriate notify schools, institutional contacts, or authorized representatives. Continued use of 9DXR LABS following the effective date of an updated policy constitutes acceptance of the updated terms by the deploying institution.

Users, schools, parents, and guardians are encouraged to review this Privacy Policy periodically.