Privacy Policy

Data We Collect	Why	How Long We Keep It
Name, email, phone number	Account creation, authentication, service communication	While account is active + 3 years after last login
Target exam, preferred language	Personalized study experience	While account is active + 3 years after last login
Payment info (order ID, transaction ID, amount)	Process credits, issue receipts, tax compliance	8 years (Indian tax law)
Doubt queries (AI chat messages)	Deliver AI-powered doubt clearing responses	While account is active; anonymized data kept indefinitely
Uploaded answer papers (PDF/images)	AI-powered answer evaluation via OCR	While account is active; deleted within 90 days of account deletion
MCQ activity (attempts, accuracy, mastery scores)	Progress tracking, personalized recommendations	While account is active; anonymized data kept indefinitely
Device info, IP address, usage data	Security, analytics, platform improvement	While account is active + 3 years after last login
Cookies	Authentication, analytics, preferences	Session to 2 years (varies by type)

01 Introduction

In plain language: This policy explains what data Aspirant Academy collects, why we collect it, and how we protect it. We respect your privacy and comply with Indian data protection law.

Welcome to Aspirant Academy (aspirant.academy). We are an exam preparation platform specializing in RAS/RPSC and other competitive examinations, operated as a sole proprietorship by Sanjay Bhat, based in Jaipur, Rajasthan, India.

This Privacy Policy describes how we collect, use, store, share, and protect your personal data when you use our website, mobile application, and related services (collectively, the "Platform"). It applies to all users of the Platform, including visitors, registered users, and subscribers.

This policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA) and applicable rules issued thereunder by the Government of India, as well as the Information Technology Act, 2000 and its associated rules.

This Privacy Policy is currently available in English. A Hindi version will be made available in the near future.

Effective Date: March 28, 2026

By accessing or using our Platform, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with any part of this policy, please do not use our Platform.

02 Data We Collect

In plain language: We collect information you give us (name, email, etc.), information generated by your usage (pages visited, questions attempted), and limited information from Google and Razorpay when you use those services. We never receive or store your card numbers or bank details.

a. Information You Provide

Account Registration: Name, email address, phone number, and password. Your password is cryptographically hashed before storage and is never stored in plain text.
Profile Information: Target examination (e.g., RAS, RPSC), preferred language (Hindi or English).
Payment Information: All payment processing is handled by Razorpay. We receive only the order confirmation, transaction ID, and payment amount. We never receive or store your card numbers, CVV, UPI PIN, or bank account details.
Doubt Queries: Text messages and questions you send through our AI-powered doubt clearing chat.
Answer Papers: PDF files or images you upload for AI-powered answer evaluation.
Feedback & Support: Any messages, feedback, suggestions, or support requests you send to us.

b. Information Collected Automatically

Device Information: Browser type and version, operating system, device model, screen resolution.
Usage Data: Pages visited, features used, time spent on each page, click and interaction patterns.
MCQ Activity Data: Questions attempted, answers selected, time taken per question, accuracy rates, mastery scores (Elo-based), and test results.
IP Address & Location: Your IP address and approximate location at the city level (we do not collect precise GPS location).
Cookies & Similar Technologies: See Section 6 for full details.
Referral Source: How you found our Platform (e.g., search engine, social media, direct link).

c. Information from Third Parties

Google OAuth: If you sign in with Google, we receive your name, email address, and profile picture from your Google account.
Firebase: Phone number verification status when you verify your phone number via OTP.
Razorpay: Payment confirmation status and transaction details (order ID, amount, success/failure status).

03 How We Use Your Data

In plain language: We use your data to provide and improve our services, communicate with you about your account, and keep the platform safe. We also create anonymized, aggregate data from usage patterns that we may use for any purpose.

a. Service Delivery

Authenticate your identity and manage your account
Process credit purchases and payments
Deliver MCQ tests, answer evaluations, and AI-powered doubt clearing responses
Track your mastery, progress, and performance across subjects
Generate personalized study recommendations based on your strengths and weaknesses
Deliver current affairs content and study material

b. Platform Improvement

Analyze usage patterns to improve features and user experience
Train and improve our AI models using anonymized and de-identified interaction data
Conduct A/B testing to evaluate new features and design changes
Identify and fix bugs, errors, and performance issues
Generate aggregate statistics about platform usage and learning outcomes

c. Communication

Service Notifications: Credit balance alerts, test results, new feature announcements (essential, cannot be opted out of)
Marketing Communications: New features, promotional offers, study tips, and educational content — with easy opt-out at any time
Transactional Messages: Payment confirmations, password reset emails, account verification
SMS/WhatsApp Alerts: Exam reminders, daily current affairs notifications — marketing messages include opt-out

d. Legal & Safety

Comply with applicable laws, regulations, and legal obligations
Enforce our Terms & Conditions
Detect and prevent fraud, abuse, unauthorized access, and security incidents
Respond to lawful requests from courts, regulators, and government authorities

e. Anonymized & Aggregated Data

We may de-identify, anonymize, and aggregate user data so that it can no longer be used to identify any individual. Such data is no longer considered personal data under the DPDPA 2023.

We may use anonymized and aggregated data for any purpose, including but not limited to: research, analytics, marketing, product development, partnerships, statistical analysis, and publications.

This right survives account deletion. Even if you delete your account, previously anonymized and aggregated data will continue to be used as described above.

04 Legal Basis for Processing (DPDPA 2023)

In plain language: We process your data because you consent to it when you sign up, because we need it to provide the services you requested, and because we have legitimate reasons like security and legal compliance.

Consent: You provide explicit consent when you create an account and agree to this Privacy Policy. You may withdraw your consent at any time by contacting us or deleting your account. Withdrawal of consent is as easy as giving consent.
Legitimate Uses: Certain processing is necessary for legitimate purposes as recognized under DPDPA 2023, including service delivery, platform security, fraud prevention, and compliance with legal obligations.
Performance of Contract: Processing necessary to fulfill our obligations under the Terms & Conditions that you agree to when using our Platform, including delivering the services you have purchased or subscribed to.

05 Data Sharing

In plain language: We do not sell your personal data. We share data only with service providers who help us run the platform (Google, Razorpay, etc.), when required by law, or if you explicitly authorize it.

We do NOT sell your personal data to anyone.

We may share your data with the following categories of recipients:

Service Providers

Google (Gemini AI for doubt clearing, Vision OCR for answer evaluation, Analytics for usage insights, OAuth for authentication)
Razorpay (payment processing)
Firebase (phone number authentication via OTP)
Neon (PostgreSQL database hosting)
Vercel (frontend hosting and deployment)
Google Cloud (backend hosting via Cloud Run)

Each service provider processes data only for the purpose of delivering their specific service and is bound by their own privacy policies and data processing agreements.

Legal Authorities

We may disclose your data when required by law, court order, subpoena, or government directive issued by a competent authority in India.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred to the acquiring entity. We will provide at least 30 days prior notice via email and in-app notification before any such transfer.

With Your Consent

We may share your data with third parties when you explicitly authorize us to do so.

06 Cookies & Tracking Technologies

In plain language: We use cookies for essential functions (keeping you logged in), analytics (understanding how the platform is used), and preferences (remembering your language). We do not use advertising cookies.

Essential Cookies

Required for authentication, session management, and core platform functionality. These cannot be disabled without losing access to the Platform.

Analytics Cookies

Google Analytics 4 cookies that help us understand page views, user journeys, feature usage, and platform performance. These help us improve your experience.

Preference Cookies

Store your language selection (Hindi/English), theme preference, and other display settings so you do not have to set them each time you visit.

No Advertising Cookies

We do not use any third-party advertising or tracking cookies. No data is shared with ad networks.

You can manage non-essential cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Platform. For instructions on managing cookies, refer to your browser's help documentation.

07 Data Retention

In plain language: We keep your data while your account is active and for 3 years after your last login. Payment records are kept for 8 years for tax compliance. Anonymized data is kept indefinitely.

Active Accounts: Your personal data is retained for as long as your account remains active and you continue to use the Platform.
Inactive Accounts: If you stop using the Platform, your data is retained for 3 years after your last login. After this period, your account and personal data may be deleted.
After Account Deletion: When you request account deletion, your personal data is deleted within 90 days. Anonymized and aggregated data derived from your usage is retained indefinitely.
Payment Records: Transaction records, invoices, and related financial data are retained for 8 years as required under Indian tax and financial regulations.
Legal Holds: Data may be retained beyond normal periods if required by law, regulation, or ongoing legal proceedings.
Anonymized Activity Data: De-identified and aggregated data is retained indefinitely for platform improvement, research, and statistical analysis.

08 Data Security

In plain language: We take security seriously. Passwords are hashed, data is encrypted in transit and at rest, and we follow industry best practices. If a breach occurs, we will notify you within 72 hours as required by law.

We implement reasonable technical and organizational measures to protect your personal data, including:

Password Security: All passwords are stored using industry-standard bcrypt hashing. We never store passwords in plain text.
Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
Encryption at Rest: Data stored in our databases and infrastructure is encrypted at rest.
Access Controls: We follow the principle of least privilege, ensuring that only authorized personnel and systems can access personal data, and only to the extent necessary for their function.
Security Assessments: We conduct regular security assessments and reviews of our systems and processes.
Breach Notification: We maintain an incident response plan. In the event of a personal data breach, we will notify the Data Protection Board of India and affected users within 72 hours as required under the DPDPA 2023.

While we implement reasonable security measures consistent with industry standards, no method of electronic storage or transmission over the internet is 100% secure. By using our Platform, you acknowledge and accept this inherent risk.

09 Children's Privacy

In plain language: Our platform is for users aged 13 and above. Users between 13 and 18 need parental consent. We do not knowingly collect data from children under 13, and we do not target minors with behavioral advertising.

The Platform is intended for users aged 13 years and above.
Users between the ages of 13 and 18 must have verifiable parental or guardian consent to use the Platform and for us to process their personal data.
We do not knowingly collect personal data from children under the age of 13.
We do not engage in behavioral tracking or targeted advertising directed at minors.
If we become aware that we have collected personal data from a child without appropriate consent, we will take prompt steps to delete that data.
Parents or guardians may contact us at grievance@aspirant.academy to review, correct, or request deletion of their child's personal data.

10 Your Rights (DPDPA 2023)

In plain language: You have the right to access, correct, or delete your data, withdraw consent, file complaints, and nominate someone to act on your behalf. Email us at grievance@aspirant.academy to exercise any of these rights.

As a Data Principal under the Digital Personal Data Protection Act, 2023, you have the following rights:

Right to Access

You may request a summary of the personal data we hold about you and the processing activities we perform on that data.

Right to Correction

You may request correction of any inaccurate, incomplete, or misleading personal data we hold about you.

Right to Erasure

You may request deletion of your personal data. This right is subject to legal retention requirements (e.g., payment records must be kept for 8 years under tax law).

Right to Withdraw Consent

You may withdraw your consent to data processing at any time. The process for withdrawing consent is as easy as the process by which consent was given. Note that withdrawal of consent may affect your ability to use certain features of the Platform.

Right to Grievance Redressal

You have the right to file a complaint with our Grievance Officer regarding any concern about our handling of your personal data. See Section 14 for details.

Right to Nominate

You may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.

How to Exercise Your Rights

To exercise any of the above rights, please send an email to grievance@aspirant.academy with the subject line "Data Rights Request". Include your registered name and email address. We will verify your identity and respond to your request within 30 days.

Limitations

We may decline requests that are:

Repetitive or made in bad faith
Requiring disproportionate technical effort
Likely to jeopardize the privacy of other users
Impractical or not required under applicable law

Legal retention requirements override erasure requests. For example, we cannot delete payment records that must be retained under Indian tax law.

11 Cross-Border Data Transfers

In plain language: Your data may be processed in India and the United States (where our hosting providers are located). We only transfer data to countries not restricted by the Indian government.

Your personal data may be processed in the following jurisdictions:

India — Primary processing location
United States — Neon (database hosting), Vercel (frontend hosting), Google Cloud (backend hosting and AI services)

All cross-border transfers are made to jurisdictions that have not been restricted by the Central Government of India under Section 16(1) of the DPDPA 2023. We ensure that appropriate safeguards and contractual protections are in place with all service providers who process your data outside India.

12 Third-Party Links

In plain language: Our platform may link to other websites. We are not responsible for how those websites handle your data.

The Platform may contain links to third-party websites, applications, or services that are not operated by us. These may include links to news sources, educational resources, government websites, or partner services.

We are not responsible for the privacy practices, content, or security of any third-party websites. We encourage you to review the privacy policy of every website you visit before providing any personal data.

13 Changes to This Policy

In plain language: We may update this policy from time to time. For significant changes, we will give you 30 days notice by email and in-app notification. Continuing to use the platform after the notice period means you accept the updated policy.

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

Material Changes: For significant changes that affect how your personal data is collected, used, or shared, we will provide at least 30 days prior notice via email (to your registered email address) and through an in-app notification.
Minor Changes: Non-material changes (such as formatting, clarifications, or corrections) may be made without advance notice.
Continued Use: Your continued use of the Platform after the notice period constitutes your acceptance of the updated Privacy Policy.
Previous Versions: Previous versions of this Privacy Policy are available upon request by emailing privacy@aspirant.academy.

14 Grievance Officer

In plain language: If you have any concerns about how we handle your data, contact our Grievance Officer. We will acknowledge your complaint within 24 hours and resolve it within 15 days.

In accordance with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDPA 2023, we have appointed the following Grievance Officer:

Grievance Officer

Name: Sanjay Bhat

Email: grievance@aspirant.academy

Address: Jaipur, Rajasthan, India

Acknowledgment: All complaints and grievances will be acknowledged within 24 hours of receipt.
Resolution: We will investigate and resolve your grievance within 15 days of acknowledgment.
Escalation: If you are not satisfied with our resolution, you may escalate your complaint to the Data Protection Board of India established under the DPDPA 2023.

15 Contact Us

In plain language: For any privacy-related questions, reach out to us by email or visit our website.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Aspirant Academy

Email: privacy@aspirant.academy

Website: https://aspirant.academy