Ostrya
OSTRYA PLATFORM

Ostrya Privacy Policy

Last updated 9 June 2026

Draft — pending legal review

This policy explains how the Ostrya platform processes personal data for creators and learners. It complements — and does not replace — each creator's own privacy notice shown to their learners. We aim to collect the minimum data needed to operate and to honour your rights as a data principal.

1. What we collect

Creator identity from our authentication provider (name, email, account identifiers); learner email used for magic-link sign-in; product activity (courses, websites, enrolments, usage and audit events); and transaction records for payments and subscriptions. We do not store card or bank credentials — those are handled by the payment provider.

Sensitive contact fields are masked in list views and revealed only with audit coverage. We avoid collecting special-category or children's data; creators must not upload such data without a lawful basis.

2. How and why we use it

To provide and secure the service, authenticate sign-ins, process payments and subscriptions, enforce plan limits, send transactional email (sign-in links and receipts), prevent abuse, and meet legal obligations. We process data on the basis of providing the service you requested, your consent where required, and our legitimate and legal interests.

3. Sub-processors we share with

We share data only as needed with vetted processors: our authentication provider (creator sign-in), Razorpay (payments and subscriptions), our email provider (transactional email), and cloud hosting/storage providers. Each is bound to process data only on our instructions. A current list is available on request.

4. Your rights

You may request access to, correction of, or erasure of your personal data, and may withdraw consent where processing relies on it. These are supported through our privacy request workflows; we respond within the timelines required by applicable law (including India's DPDP Act).

5. Retention and erasure

We keep personal data only as long as needed for the purposes above or as required by law (for example, finance records for the statutory period). Automated retention sweeps and an erasure registry remove or anonymise data per policy when it is no longer needed or on a valid erasure request.

6. Security

We use access controls, tenant isolation, encryption in transit, signed/verified payment callbacks, audit logging of privileged actions, and least-privilege practices. No system is perfectly secure, but we work to protect your data and to detect and respond to incidents.

7. Changes and grievance contact

We will post material changes to this policy and update the date above. For privacy questions or to exercise your rights, contact our grievance officer through Ostrya support; we will direct your request to the right team.

This is a draft template, not legal advice. Questions? Visit Ostrya support. Creator-published legal pages live on each tenant’s own website and are separate from these platform policies.