Privacy notice · plain language
How we handle your
child's information
TalentSpark assesses how children reason and what they enjoy, to produce one report for the parent. This notice tells you exactly what data we collect, why, how long we keep it, and how to remove it. Written to comply with India's Digital Personal Data Protection Act, 2023.
Last updated: 3 June 2026 · Notice version: v1-2026-06
Who we are
TalentSpark is a service of Demyu Labs Corporation Pvt. Ltd., an Indian private limited company. When this notice says "we", "us", or "TalentSpark", it means Demyu Labs Corporation Pvt. Ltd. operating the TalentSpark service.
You — the parent or legal guardian who registers, pays, and completes this consent — are the person who has the legal authority to decide how your child's personal data is processed. We treat you as the Data Principal acting on your child's behalf, and we treat ourselves as the Data Fiduciary, in the language of the DPDP Act.
This service is for children — and that matters
Because the assessment is for children under 18, the law requires us to obtain verifiable parental consent before processing any of your child's data. We do this in three concrete ways:
- You register with your own phone number, which we verify with a one-time password.
- You pay through your own payment instrument (UPI, card, or net banking), which independently verifies your identity through your bank or UPI provider.
- You explicitly tick a consent box on the registration page stating that you are the parent or legal guardian, that you have read this notice, and that you consent to the assessment on your child's behalf.
We store a record of when you gave this consent, from which IP address, and which version of this notice you agreed to. That record is your audit trail. You can withdraw it at any time.
What we will never do. We do not show your child any advertising. We do not run behavioural profiling on them. We do not sell, lease, or share their data with advertisers or data brokers.
Exactly what we collect, and why
Here is every category of personal data we process, with the specific purpose:
Parent's full nameTo address you correctly in the report, in receipts, and in any communication.Retained 2 years from registration
Parent's phone numberTo send the OTP that verifies your identity and to contact you about the report.Retained 2 years from registration
Parent's email address (optional)To send you the report link and account-related communication if you provide it.Retained 2 years from registration
Child's first name and last nameTo personalise the assessment and the report. The name appears in the report only.Retained 2 years from assessment
Child's date of birth and ageTo select age-appropriate scenarios. The assessment uses different content for ages 8-9, 10-11, 12-13, 14-15, and 16.Retained 2 years from assessment
Child's gender (optional)Reserved for future research. Currently does not affect scenario selection or report content. "Prefer not to say" is always available.Retained 2 years from registration
Parent's observations about the child (optional)Your structured input at registration about what your child enjoys and is good at. Used only to generate the report.Retained 2 years from assessment
Child's self-report (optional)Your child's structured input at the start of the assessment. Used only to generate the report.Retained 2 years from assessment
Child's responses to the 30 scenario questionsThe raw text the child types during the assessment. Used to generate the report.Raw conversation: 90 days · Generated report: 2 years
The generated report (JSON)The full Holistic Intelligence Profile we produce. Shown to you at a unique private URL.Retained 2 years from completion
Payment transaction recordPayment gateway transaction ID, amount, and timestamp. Required for accounting, GST records, and refunds. No card or UPI details are stored on our servers — those stay with the payment processor.Retained 7 years under Indian tax law
Technical dataIP address, browser, timing of answers. To detect abuse, calibrate Decision Tempo in the report, and maintain service stability.90 days from collection
Who else processes the data
We rely on third-party service providers to operate TalentSpark. Each one is used only to deliver part of our service, and only the data needed for its specific function is shared with it.
- An AI provider — helps generate the report.
- A payment processor — handles payment.
- An SMS gateway — sends the OTP.
- A cloud infrastructure provider — runs our servers and database.
We do not sell your data, share it with advertisers, data brokers, or marketing partners, or run any analytics tool (such as Google Analytics, Meta Pixel, or Hotjar) that tracks individual users across the internet.
Your rights as a parent
Under the DPDP Act, you have the following rights regarding your child's data. We honour all of them through the Privacy Centre (link below) or by emailing our grievance officer:
- Right to access — see exactly what data we hold about your child.
- Right to correction — fix anything that is wrong.
- Right to deletion — have your child's data permanently removed. We act without undue delay on receipt of a valid request.
- Right to withdraw consent — if you withdraw consent, we stop processing and delete the data without undue delay. The report stops being accessible immediately.
- Right to grievance — raise a complaint about how we handled your child's data. We respond within the timelines set by the DPDP Act.
- Right to escalate — if you are not satisfied with our response, you may complain to the Data Protection Board of India.
The fastest way to exercise any of these rights is the Privacy Centre. You can also email our grievance officer directly.
Retention and deletion
The retention period for each data type is listed in the table above. The defaults summarised:
- Most data — 2 years from when it was collected
- Raw scenario-conversation logs — 90 days after report generation (the report itself stays)
- Payment records — 7 years (mandatory under Indian tax law)
- Temporary records (OTPs, technical logs) — 30 to 90 days
When data is deleted, it is first soft-deleted (hidden but recoverable for 30 days in case of mistake or regret), and then permanently removed.
Security
We protect your child's data using:
- Encrypted data transmission (HTTPS/TLS 1.2+ across the site)
- Server access controls and access logging
- Regular database backups
- Rate-limited public endpoints to deter automated abuse
In the event of a personal data breach, we will notify the Data Protection Board as required by law and inform affected parents as soon as practicable.
Grievance officer · how to reach us
If you have any privacy concern, complaint, or request, our grievance officer is reachable here:
You may also use the Privacy Centre form, which routes to the same officer with an automatic case number.
For matters you cannot resolve with us, you may escalate to the Data Protection Board of India at the contact details published on its official website.
Changes to this notice
If we change this notice substantively, we will notify all active parents by email or SMS at least 14 days before the change takes effect, and we will re-request consent for any new processing purpose introduced. The version tag at the top of this page tells you which version is currently active.
If you don't agree
If you do not agree with this notice, please do not register or pay for the assessment. If you have already paid but are not comfortable with how we handle data, contact our grievance officer for a full refund and immediate deletion of any data we hold.