Privacy Policy

1. Introduction

This Privacy Policy describes how Sargam Guitar Academy (“we,” “us,” or “our”) collects, uses, processes, stores, and discloses personal data when you use the SGA Learning mobile application (“the App”) on Android devices.

We are committed to protecting your personal data and respecting your privacy in accordance with India’s Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT SPDI Rules), and all other applicable Indian laws.

By registering for and using the App, you acknowledge that you have read, understood, and agreed to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, please do not use the App.

2. About This Application

SGA Learning is an ear-training mobile application developed exclusively for enrolled students of Sargam Guitar Academy. The App is not a public application — access is restricted to students who are individually registered and approved by the Academy’s faculty or administration.

The App provides the following learning modules:

• Pitch Identification — Exercises to train students to identify pitches across all six guitar strings at three difficulty levels (Easy, Medium, Hard), with mid-term and final Exams.
• Note Identification — Exercises to train students to identify notes on guitar strings (Strings 1 through 6), with Exams.
• Interval Comparison — Module for comparing musical intervals (under development).
• Interval Identification — Module for identifying musical intervals (under development).

The App tracks student exercise attempts and progress, and provides faculty and administrators with a learning analytics dashboard to monitor student performance.

3. Who We Are — Data Fiduciary

Under the Digital Personal Data Protection Act, 2023, the entity that determines the purpose and means of processing your personal data is called the Data Fiduciary. For the SGA Learning App, the Data Fiduciary is:

4. Scope of This Policy

This Privacy Policy applies to:

• All students who register and use the SGA Learning App.
• Parents or guardians who register on behalf of minor students (under 18 years of age).
• Faculty members and administrators who use the App to manage students and monitor progress.

This Policy covers:

• Personal data collected through the App on Android devices.
• Data stored on our Firebase cloud infrastructure and on your device locally.
• Data processed for the purpose of delivering ear-training exercises and tracking learning progress.

This Policy does not cover:

• Data collected through any physical offline classes at the Academy premises.
• Any third-party websites or services that may be referenced in the App.

5. Legal Basis for Processing Personal Data

Under the Digital Personal Data Protection Act, 2023, we must have a valid legal basis for processing your personal data. We rely on the following legal bases, depending on the type of processing:

5.1 Consent (Primary Basis)

The primary legal basis for collecting and processing your personal data is your freely given, specific, informed, and unambiguous consent, provided when you complete and submit the registration form in the App.

By registering, you consent to the collection, storage, and use of your personal data as described in this Policy. This includes:

• Account and identity data (name, email, phone, address details, branch)
• Exercise attempt and learning progress data
• Exercise access and unlock data
• Display of your data to authorised faculty/admin for educational monitoring
• Storage of your data on Google Firebase infrastructure (including servers outside India)

For users under 18 years of age, consent must be given by a parent or legal guardian on the minor’s behalf (see Section 15).

You may withdraw your consent at any time by requesting account deletion (Section 17). Withdrawal of consent will result in the termination of your ability to use the App.

5.2 Legitimate Uses (Secondary Basis)

In addition to consent, we may process certain data under the “legitimate uses” basis permitted under Section 7 of the DPDP Act, 2023, specifically for:

• Security and fraud prevention: Processing data to detect and prevent unauthorised access to the App and to enforce account approval and active-status checks.
• Legal compliance: Retaining or disclosing data where required by applicable Indian law or a valid government request.
• Grievance redressal: Processing data necessary to investigate and respond to a complaint or dispute raised by you.

5.3 Sensitive Personal Data

Under the IT (SPDI) Rules, 2011, passwords are classified as Sensitive Personal Data or Information (SPDI). Passwords are processed solely by Firebase Authentication (Google) using industry-standard secure hashing. We never access, store, or see your password in any readable form, and we do not use your password for any purpose beyond authentication.

6. What Personal Data We Collect

We collect only the data that is necessary to operate the App and deliver learning services to you. Below is a complete and itemized list of every piece of data we collect.

6.1 Account and Identity Data

Collected when you register for an account:

6.2 Exercise and Learning Progress Data

Collected automatically each time you complete an exercise session:

6.3 Exercise Access and Unlock Data

We record which of the 28 exercises are unlocked for each student (20 for Pitch Identification, 8 for Note Identification) as simple true/false flags stored in your account record.

6.4 Data We Do NOT Collect

7. How We Collect Your Data

7.1 Data You Provide Directly

Account and identity data (Section 6.1) is collected through the App’s registration form when you sign up. You actively type and submit this information. Address Line 1 and Address Line 2 are optional.

7.2 Data Collected Automatically During App Use

Exercise and progress data (Section 6.2) is collected automatically when you complete an exercise session. The App records your performance data without requiring manual input beyond completing the exercise itself.

7.3 Offline-First Local Save Before Cloud Sync

The App saves your exercise attempt data to a local database on your device first. When your device has an internet connection, this data is then synced to our cloud database (Firebase Firestore). This ensures your progress is never lost during periods without internet connectivity.

7.4 Consent at Registration

By completing and submitting the registration form, you provide informed consent for us to collect and process the data listed in this Policy (see Section 5). For users under 18, consent is provided by a parent or guardian.

8. Why We Collect Your Data — Purposes

We collect only data necessary for specific, clearly defined purposes. The table below maps each data category to the exact purpose it serves:

9. How We Process Your Data

9.1 At Registration

1. You fill in the registration form and submit it.
2. Firebase Authentication creates an account using your email and password.
3. Your profile data is written to Firestore under a unique user identifier (UID).
4. Your account is set to pending approval — you cannot log in until approved by faculty or administration.
5. Default exercise access is set — only the first exercise in each module is unlocked.
6. After submission, you are immediately signed out and must await approval.

9.2 At Login

1. You enter your email and password.
2. Firebase Authentication verifies your credentials.
3. The App fetches your profile from Firestore to check approval and active status.
4. If approved and active, you are logged in. If not, access is denied with a specific reason.
5. On login, any pending local progress data is automatically synced to the cloud.
6. The App also checks your active status each time the App resumes from the background — deactivated accounts are logged out immediately.

9.3 During an Exercise Session

1. You select and start an exercise from your unlocked list.
2. The App plays audio samples of guitar notes/pitches from pre-recorded assets stored within the App itself (no audio is recorded from you).
3. You answer each question by selecting from the on-screen options.
4. The App records your answer, the correct answer, correctness, time taken, and replay count — all locally in memory.
5. On session completion, all data is packaged into an attempt record and saved to the local SQLite database on your device.
6. If online, the attempt is immediately synced to Firestore and marked as synced; if offline, it is synced on the next internet connection.

9.4 Automatic Exercise Unlocking

1. After each completed session, the App checks if you scored 80% or above.
2. If yes, the next exercise in the sequence is automatically unlocked in the local database.
3. This unlock is then synced to Firestore when online.

9.5 Analytics Computation

Your exercise attempt data is used to compute learning analytics when faculty or you view a progress profile. Analytics computed include:

• Overall progress percentage for Pitch and Note modules
• Best score per exercise
• Last active date and days of inactivity
• Sessions completed in the last 7 days and 28-day practice streak
• Exercises where you may be “stuck” (3+ attempts, score below 80%)
• Accuracy and average response time by guitar string and by note name
• Pitch accuracy and time by semitone distance
• Note confusion analysis — which notes are most commonly confused
• Speed vs. accuracy quadrant (Mastery / Learning / Guessing / Needs Help)
• Overall student status label (On Track / Monitor / Needs Attention)

9.6 Faculty and Admin Management Actions

Faculty and administrators can perform the following actions on student data:

• Approve a pending student — grants login access
• Reject a pending student — prevents login
• Deactivate an approved student — immediately revokes access
• Activate a deactivated student — restores access
• View a student’s profile and progress analytics
• Manually adjust exercise access (unlock or lock specific exercises)
• Delete a student permanently — removes all profile and progress data from Firestore

10. No Automated Decision-Making

The App computes various learning analytics about your performance — including an overall status label (“On Track,” “Monitor,” or “Needs Attention”), a verdict summary, speed vs. accuracy quadrant, and stuck-exercise flags.

The only automated action in the App is the unlocking of the next exercise when you score 80% or above on the preceding one. This is a positive, progression-enabling action that does not restrict or penalise you in any way.

You are not subject to any decision that produces significant legal or similarly significant effects based solely on automated processing of your data.

11. How and Where We Store Your Data

11.1 Firebase Cloud Infrastructure (Primary)

Your account data and exercise progress are stored in Google Firebase Firestore — a cloud NoSQL database service provided by Google LLC — and Firebase Authentication — Google’s identity platform for secure login.

Data is organized as follows in Firestore:

• User Profile & Access: Stored in the users/{your-uid} document. Contains all account data from Section 6.1 and all 28 exercise access flags.
• Progress Records: Each completed exercise attempt is stored as a document in the users/{your-uid}/progress sub-collection, containing all attempt data from Section 6.2.

Firebase Authentication separately manages your email and hashed password for secure login. This data is never accessible to us in readable form.

11.2 Local Device Storage (Secondary / Offline Cache)

The App maintains a local SQLite database (sga_progress.db) on your Android device within the App’s private storage directory (not accessible to other apps). This stores:

• Your exercise attempt records (with a sync status flag to track what has been uploaded)
• Pending exercise unlock records (queued for sync when connectivity is restored)

11.3 Cross-Border Data Storage — Important Disclosure

If you have concerns about your data being stored outside India, please contact us at the address in Section 26 before registering.

12. How Your Data Is Displayed

12.1 What You (the Student) Can See

• Dashboard: Your first name, role badge, overall progress percentage bars for Pitch and Note modules, and a summary card showing Pitch % and Note %.
• Exercise Lists: Your unlocked and locked exercises, with your best score badge (e.g., 8/10) on attempted exercises.
• My Progress: Full analytics — overall progress, streak data, exercise-by-exercise scores, speed vs. accuracy quadrant, accuracy by guitar string/note/semitone, confusion patterns, and current status.
• My Profile: Your account details (name, email, phone, branch, city, ZIP, address, registration date) — read-only.

You can only see your own data. You cannot see other students’ data.

12.2 What Faculty Can See About You

Faculty members can see the following data for students in their assigned branch only:

• Full name, email, phone, branch, city, ZIP, address, and registration date
• Approval and active status
• Complete analytics profile (all items in Section 9.5)
• Full exercise attempt history (exercise name, date, score)
• Exercise access status (which exercises are unlocked)

12.3 What Administrators Can See

Administrators have the same view as faculty but across all branches, not restricted to a single branch.

12.4 What Faculty and Admin Cannot See

• Your password — never visible to anyone, including us.
• Data from other branches (faculty are branch-scoped).

13. How Long We Keep Your Data

14. Data Sharing and Disclosure

14.1 Within the Academy

• Faculty: Can view student data for students in their branch (Section 12.2).
• Administrators: Can view student data across all branches (Section 12.3).
• No student can see another student’s data.

14.2 Third-Party Service Providers

We use the following third-party services to operate the App:

We do not use any third-party analytics SDKs, advertising networks, crash reporting services, or social media SDKs.

14.3 No Sale of Data

14.4 Legal Disclosure

We may disclose your personal data if required by a valid written request from a competent government authority or law enforcement agency, in accordance with the IT Act, 2000 and applicable Indian law. We will notify you of such disclosure where legally permitted to do so.

14.5 Future Email Communications

We may, in a future phase, introduce email communications using an SMTP-based service. If and when this feature is added, this Privacy Policy will be updated before any such communications are sent, and you will be given the opportunity to opt out.

15. Protection of Minors (Users Under 18)

Sargam Guitar Academy accepts students of all ages, including children under 18. We take the privacy of minors very seriously.

15.1 Parental / Guardian Consent Required

In compliance with the Digital Personal Data Protection Act, 2023, if a student is under 18 years of age, a parent or legal guardian must consent to registration and use of the App on the minor’s behalf.

By submitting the registration form for a minor, the parent or guardian confirms:

1. They are the legal parent or guardian of the minor student.
2. They consent to the collection and processing of the minor’s personal data as described in this Privacy Policy — including the transfer and storage of that data on Google’s servers, which may be located outside India (see Section 11.3).
3. Where the minor does not have their own phone number or email, the parent/guardian’s contact details have been used for registration.

15.2 Contact Details for Minors

If a minor student does not have a personal phone number or email address, the parent or legal guardian’s contact details may be used for registration. In such cases, the parent/guardian is the consenting party and the contact person for any account-related communications.

15.3 Explicit International Transfer Consent for Minors

15.4 Prohibited Activities for Minor Data

We explicitly confirm the following with respect to data of users under 18:

• We do not engage in behavioral tracking or profiling of minors.
• We display no advertising — targeted or otherwise — to anyone in the App.
• We do not share minor data with any third party beyond the Firebase services described in Section 14.2.
• We do not process minor data for any purpose beyond the educational purposes described in this Policy.

15.5 Parental Rights

Parents or guardians of minor students have the right to request access to, correction of, or deletion of their child’s data by contacting the Grievance Officer (Section 23).

16. Your Rights as a Data Principal

Under the DPDP Act, 2023 and IT (SPDI) Rules, 2011, you have the following rights:

16.1 Right to Access

Request a summary of the personal data we hold about you. You can view most of your data directly in the App under “My Profile” and “My Progress.” For a full data export, contact us at Section 26.

16.2 Right to Correction

If your personal data is inaccurate or out-of-date, you can request a correction by contacting your faculty directly or emailing sargamguitar2011@gmail.com.

16.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data and account where it is no longer necessary for the purpose it was collected, or where you withdraw consent. See Section 17 for the deletion process.

16.4 Right to Withdraw Consent

You may withdraw consent at any time by requesting account deletion (Section 17). Note that withdrawal of consent will result in the termination of your access to the App, as your data is necessary to provide the service.

16.5 Right to Grievance Redressal

If you have a concern about how your data is handled, you may raise a grievance with our Grievance Officer (Section 23). We will respond within 30 days.

16.6 Right to Nominate

Under the DPDP Act, 2023, you may nominate another individual to exercise your data rights on your behalf in the event of incapacity or death. Contact us in writing to make a nomination.

16.7 How to Exercise Your Rights

• In person: At the Academy premises during class hours
• By email: sargamguitar2011@gmail.com
• By phone: +91 91066 49953

We will acknowledge requests within 7 days and complete action within 30 days.

17. Account and Data Deletion

17.1 How to Request Deletion

You can request deletion of your account and all associated data through:

1. In-App: Open the App → Log in → Settings menu (top-right) → My Profile. At the bottom of the profile screen you will find:
   
   “If you want to update or Delete your profile, contact the Faculty or mail to sargamguitar2011@gmail.com”
2. By Email: Send a request to sargamguitar2011@gmail.com with subject “Account Deletion Request” and include your registered email or full name and branch.
3. In Person: Contact your faculty member directly at the Academy.

17.2 What Gets Deleted

1. Your user profile document is deleted from the Firestore users collection.
2. All exercise attempt records in the users/{uid}/progress sub-collection are deleted.
3. Your exercise access data is deleted.
4. Your Firebase Authentication credentials are removed to the extent technically possible.

17.3 Timeline

Your data will be deleted from the Firestore database within 30 days of a verified deletion request.

17.4 Important Limitations

18. Data Security and Your Responsibilities

18.1 Technical Security Measures

• Encryption in Transit: All data transmitted between the App and Firebase is encrypted using industry-standard TLS (Transport Layer Security).
• Encryption at Rest: Firebase Firestore encrypts stored data at rest by default as part of Google’s infrastructure.
• Password Security: Passwords are managed entirely by Firebase Authentication using secure, industry-standard hashing. We never store passwords in plain text or in our database.
• Role-Based Access Control: Students can only view their own data; faculty are scoped to their branch; administrators have supervised full access.
• Manual Approval Gate: No account can access the App until individually approved by faculty or administration.
• Session Monitoring: The App checks account active status on every app resume and immediately logs out deactivated accounts.
• Private Local Storage: The local SQLite database is stored in the App’s private data directory, inaccessible to other apps on Android.

18.2 Organizational Security Measures

• Access to the Firebase console and backend data is restricted to the Academy’s designated technical personnel only.
• Faculty accounts are individually created and managed — no shared credentials.
• The App is distributed only to enrolled students and is not publicly listed for open download.

18.3 Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights or interests, we will:

• Take immediate steps to contain and assess the breach.
• Notify the Data Protection Board of India as required under the DPDP Act, 2023, within the prescribed timeframe.
• Notify affected individuals in a timely manner through the contact details in their account, describing the nature of the breach, the data affected, and the steps we are taking.
• Maintain a record of all breaches, their causes, and remediation actions.

18.4 Your Account Security Responsibilities

While we implement the security measures described above, you also share responsibility for the security of your account and data:

• Keep your password confidential. Do not share your App login credentials with anyone — including other students or family members (other than a parent/guardian acting on a minor’s behalf).
• Use a strong password. Choose a password that is not easily guessable and is different from passwords used on other services.
• Log out on shared devices. If you use the App on a shared or public device, log out after every session using the Settings menu.
• Report suspicious activity. If you notice any unauthorized access to your account or unusual activity, inform your faculty or contact us immediately.
• Keep your device secure. Use a screen lock on your Android device to protect locally cached data from unauthorized access.
• Do not share your OTP or reset link. If you receive a Firebase password reset email that you did not request, do not click the link and notify us immediately.

We are not responsible for unauthorized access to your account resulting from your failure to maintain the confidentiality of your credentials or secure your device.

18.5 Limitation of Liability

While we implement the above measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored in cloud infrastructure. We are liable only for data security failures arising from our own negligence and within the limits of applicable Indian law.

19. Third-Party Services We Use

The App uses the following third-party services. Each has its own privacy policy governing their data handling:

We do not use any third-party analytics SDKs, advertising networks, crash reporting services, or social media SDKs.

20. App Permissions on Your Device

The SGA Learning App requests the following Android system permissions. We explain exactly why each permission is needed:

21. Google Play Data Safety Declaration

This section provides a clear summary aligned with what is declared in the Google Play Console Data Safety form for the SGA Learning App. This allows you to verify that our Play Store listing and this Privacy Policy are fully consistent with each other.

21.1 Data Collected and Shared

21.2 Data Safety Practices

21.3 Purpose of Data Collection

Data collected by the SGA Learning App is used exclusively for:

• App functionality: Account creation and login, exercise delivery, progress tracking, exercise unlocking
• Account management: Student approval workflow, active-status enforcement, faculty management tools
• Analytics: Internal learning analytics computed and displayed within the App to students and faculty (no third-party analytics service is used)

22. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the App’s features, or applicable laws. When we make material changes, we will:

• Update the Version Number and “Last Updated” date at the top of this page.
• Where reasonably practicable, notify registered users through the App or by email.

We encourage you to review this Privacy Policy periodically. Continued use of the App after a policy update constitutes your acceptance of the revised policy.

The current version is always available at the URL linked from the App’s Google Play Store listing.

23. Grievance Officer

In accordance with the IT (SPDI) Rules, 2011 (Rule 5(9)) and the DPDP Act, 2023, the following person is designated as the Grievance Officer for all data-related queries, complaints, and requests:

Grievance Redressal Timeline: Acknowledgement within 7 days; resolution within 30 days of receipt, in compliance with IT (SPDI) Rules, 2011.

Complaints may be submitted regarding:

• Unauthorized collection, use, or disclosure of your personal data
• Inaccurate or incomplete data held about you
• Requests for access, correction, or deletion of your data
• Any other concern regarding data privacy or security under this Policy

24. Data Protection Board of India

Under the DPDP Act, 2023, the Government of India is establishing the Data Protection Board of India — an independent adjudicatory body for data privacy grievances.

Once operational, if your grievance is not resolved to your satisfaction through our internal process (Section 23), you will have the right to escalate your complaint to the Board through the official government portal.

For updates on the Board’s operational status, visit: www.meity.gov.in

25. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the Republic of India, including:

• The Digital Personal Data Protection Act, 2023
• The Information Technology Act, 2000 and its amendments
• The IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
• Any other applicable Indian central or state law

Any disputes arising in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the competent courts located in Rajkot, Gujarat, India.

26. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us through any of the following:

When contacting us about your data, please include your registered email address or your full name and branch so we can identify your account and respond appropriately.