Overview
Classplus (Bunch Microtechnologies Pvt. Ltd.) is the backbone for thousands of coaching centers and educators in India. They handle data for teachers, parents, and most importantly, students (many of whom are minors).
As a Data Fiduciary — the legal term for a company that decides how and why your data is used — Classplus has a massive responsibility to keep this information safe. If you are an educator using their platform, their policy gaps are effectively your gaps too.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
Classplus uses what we call “bundled consent.” You either accept everything or you can’t use the app. Under the DPDP Act, this is a big no-no.
What the policy says: “The terms of this Policy will be effective upon the User’s acceptance… by clicking on the ‘I accept the Privacy Policy’ tab or by use of the Website.”
The problem: The law requires consent to be specific and informed. You should be able to say “Yes” to the learning features but “No” to your data being used for “marketing tips.” Classplus doesn’t give you that choice.
Section 7 — Certain Legitimate Uses ⚠️
The law allows companies to use data without a separate “I Agree” button in very specific cases (like medical emergencies or state functions). However, Classplus tries to give itself a “blank check.”
What the policy says: They may use data for “such other purposes that Bunch, at its sole discretion… may deem fit.”
The problem: Under the DPDP Act, you can’t just process data because you “deem it fit.” Processing must be for a lawful purpose. This vague phrasing wouldn’t hold up in a DPDP audit.
Section 8 — Obligations of Data Fiduciary ✅
This is one area where Classplus shines. They are transparent about the “locks” they put on their digital doors.
What the policy says: “The content available on the Website is encrypted with AES 256 encryption… data transfers are secured with HTTPS.”
What the law requires: A Data Fiduciary (the company) must take reasonable security safeguards to prevent data breaches. Classplus clearly outlines their tech stack, which is a good sign for data safety.
Section 9 — Data Retention ⚠️
How long do they keep your data? It’s a mixed bag.
What the policy says: “Bunch shall retain Information for as long as is reasonably necessary… which may include maintaining this Information beyond when the User ceases using the Website.”
The problem: For general data, they use the “as long as we want” excuse. However, they do get a point for being specific about student chats and tests, which they delete after 2 years. Under DPDP, you must delete data once the purpose is served. “Reasonably necessary” is too vague for the new law.
Section 11 — Rights of Data Principal 🔴
A Data Principal is the “person the data is about” (that’s you!). You have rights now, but Classplus hasn’t updated its policy to reflect them.
The problem:
- No mention of the Right to Nominate (choosing someone to manage your data if you pass away or are incapacitated).
- No clear path to Data Portability (taking your data with you to another app).
- While you can withdraw consent by emailing them, they don’t explain the process clearly.
Section 12 — Right of Grievance Redressal ⚠️
If you have a problem, you can email their Grievance Officer, Mukul Rustagi. That’s good, but it’s not enough anymore.
What the policy says: It provides an email and a Noida address for complaints.
The problem: Under Section 12 of the DPDP Act, companies must tell you that if they don’t solve your problem, you can complain to the Data Protection Board of India. Classplus doesn’t mention this “higher court” for privacy.
Section 16 — Cross-Border Data Transfer ⚠️
Classplus is an Indian company, but they might store your data on servers like Amazon (AWS) or Google Cloud which might be outside India.
What the policy says: They may share information with institutions “located within or outside India.”
The problem: The DPDP Act says data can only be sent to certain countries that the Indian government allows. Classplus’s policy is too broad and doesn’t promise to follow these new transfer rules.
Special Note: Children’s Data (Section 9 of DPDP) 🔴
This is the biggest risk for an EdTech company. The DPDP Act is incredibly strict about “Children” (anyone under 18).
The problem: Classplus says they “assume” a minor has obtained parental consent. The DPDP Act does not allow assumptions. Companies must verify parental consent. If they don’t have a system to prove a parent said “Yes,” they are in high-risk territory.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Children’s Privacy | Critical | Heavy fines for failing to verify parental consent for minors. |
| Consent Quality | High | Bundled consent is invalid; they may have to re-ask thousands of users. |
| Regulatory Fine | Medium | Up to ₹250 Cr for failing to implement DPDP-specific rights. |
| Transparency | Medium | Vague “other purposes” clause makes them look non-compliant. |
Recommendations
- Fix the “Assumption” on Kids: Implement a real “Parental Consent” flow (like an OTP to a parent’s phone) instead of just assuming they gave permission.
- Break up the Consent: Let users opt-out of “Marketing Tips” while still being able to use the “Classroom” features.
- Update the “Rights” Section: Add the right to nominate and explicitly mention the Data Protection Board of India.
- Define “Necessary”: Change “as long as necessary” to specific timelines (e.g., “Account data is deleted 180 days after subscription expiry”).
How Does Your Policy Compare?
Not sure if your company’s privacy policy has similar gaps? Run a free instant check:
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.