Privacy Policy

Last updated: April 3, 2026

CurrentPrep (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the CurrentPrep platform (currentprep.in), including our website, mobile applications, and related services.

This policy is compliant with the Digital Personal Data Protection Act, 2023 (DPDPA) of India and applicable data protection regulations. By using our services, you consent to the data practices described in this policy.

1. Information We Collect

When you use CurrentPrep, we may collect the following categories of personal data:

1.1 Account Information

  • Registration Data: Name, email address, and password (hashed using bcrypt with salting). We never store plaintext passwords.
  • Social Login Data: If you sign in via Google OAuth, we receive your name, email, and profile picture from Google.
  • Profile Data: Optional information you provide such as preferred language and study preferences.

1.2 Usage Data

  • Pages visited, features used, and time spent on the platform.
  • Quiz attempts, mock test scores, subject-wise performance, and study progress.
  • Search queries and content interactions (bookmarks, downloads).

1.3 Payment Information

  • Transaction IDs, order IDs, plan/product details, and payment status processed through Razorpay.
  • We do not store your credit/debit card numbers, CVV, UPI PIN, or bank account details. All payment data is handled by Razorpay (PCI-DSS Level 1 compliant).

1.4 Device & Technical Information

  • Browser type, version, and language settings.
  • Operating system and device type (desktop/mobile/tablet).
  • IP address, approximate geolocation (city-level only, derived from IP).
  • Device fingerprinting: We may collect a combination of browser attributes (screen resolution, installed fonts, timezone, WebGL renderer) to generate a non-reversible device fingerprint. This is used solely for session security and preventing credential sharing — not for cross-site tracking or advertising.

1.5 Contact Information

  • Name, email address, and message content when you use our contact form.
  • Support ticket details and communication history.

2. How We Use Your Information

We process your personal data for the following purposes:

  • Service Delivery: To provide and improve our UPSC preparation services, including AI-generated content, mock tests, and Daily Digests.
  • Personalization: To tailor your study experience with AI-generated quizzes, recommendations, and performance analytics.
  • Payments: To process payments, manage subscriptions, issue refunds, and maintain billing records.
  • Communications: To send important service updates, password resets, and security alerts (transactional emails).
  • Support: To respond to your queries, troubleshoot issues, and provide customer support.
  • Security: To monitor platform security, prevent unauthorized access, detect fraud, and enforce concurrent session limits.
  • Analytics: To understand usage patterns and improve our platform (all analytics are aggregated and anonymized where possible).
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3. Email Communications

We send the following types of emails:

3.1 Transactional Emails (cannot be opted out)

  • Account verification and password reset emails.
  • Payment confirmations, subscription receipts, and renewal reminders.
  • Critical security alerts (e.g., login from a new device, password changes).

3.2 Daily Digest Emails (opt-in, can be unsubscribed)

  • Daily UPSC current affairs Daily Digest delivered to your inbox.
  • You can opt out at any time using the one-click unsubscribe link included in every Daily Digest email.
  • Unsubscribing from Daily Digest emails does not affect your account or access to other features.

3.3 Promotional Emails (opt-in, can be unsubscribed)

  • New feature announcements, special offers, and exam tips.
  • You can opt out at any time via the unsubscribe link in the email or through your account settings.

We comply with India's anti-spam regulations and the CAN-SPAM Act. Every non-transactional email includes our company name, physical address, and a clear unsubscribe mechanism.

4. Legal Basis for Processing (DPDPA 2023)

Under the Digital Personal Data Protection Act, 2023, we process your data based on:

  • Consent: You provide consent when registering, subscribing to emails, or using optional features. You may withdraw consent at any time.
  • Legitimate Uses: Processing necessary for providing the service you requested, including account management, payment processing, and security.
  • Legal Obligation: Processing required to comply with applicable Indian laws, including tax regulations and regulatory requirements.

5. Data Storage & Security

Your data is stored securely using Supabase (hosted on AWS infrastructure in the Mumbai region, India). We implement industry-standard security measures including:

  • Password hashing using bcrypt with unique salts per user.
  • HTTPS (TLS 1.3) encryption for all data in transit.
  • Row-Level Security (RLS) policies on our database to prevent unauthorized data access.
  • Rate limiting on authentication, payment, and content generation endpoints.
  • Input sanitization and parameterized queries to prevent XSS and SQL injection attacks.
  • Timing-safe HMAC verification on all payment webhook and verification routes.
  • Content Security Policy (CSP), X-Frame-Options, and HSTS headers.
  • Concurrent session monitoring to detect and prevent credential sharing.

6. Data Breach Notification

In accordance with DPDPA 2023, in the event of a personal data breach that is likely to cause harm to users:

  • We will notify the Data Protection Board of India within 72 hours of becoming aware of the breach.
  • We will notify affected users without unreasonable delay via email and/or platform notification.
  • The notification will include: nature of the breach, types of data affected, likely consequences, and measures taken to address the breach.
  • We maintain an internal incident response plan that is reviewed and tested regularly.

7. Third-Party Services

We use the following third-party services that may process your data:

Service | Purpose | Data Shared
Supabase | Database, authentication | Account data, usage data
Google Gemini AI | Content generation (quizzes, explainers) | Anonymized prompts only — no personal data sent
Razorpay | Payment processing (PCI-DSS L1) | Name, email, transaction details
Vercel | Application hosting & CDN | IP address, request logs
Google OAuth | Optional social login | Name, email, profile picture (from Google)
Google Analytics (GA4) | Anonymous usage analytics | Anonymized page views, events (no PII)

We do not sell your personal data to third parties. Data is shared with third-party services only as necessary to provide our services. Each service has its own privacy policy, and we recommend reviewing them for a complete understanding.

8. Cookies & Local Storage

  • Essential Cookies: Authentication session tokens (NextAuth.js). Required for the platform to function. Cannot be disabled.
  • Local Storage: Theme preference (dark/light mode), language setting (English/Tamil), and UI state. Stored only on your device.
  • Analytics Cookies: Google Analytics (GA4) cookies for anonymized usage tracking. Can be blocked using your browser settings.

We do not use third-party advertising cookies or cross-site tracking cookies.

9. Your Rights Under DPDPA 2023

As a Data Principal under the DPDPA 2023, you have the following rights:

  • Right to Access: Request a summary of your personal data and how it is being processed.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of your personal data, subject to legal retention requirements.
  • Right to Withdraw Consent: Withdraw your consent for data processing at any time. This may limit access to certain features.
  • Right to Nominate: Nominate another person to exercise your data rights in the event of your death or incapacity.
  • Right to Grievance Redressal: File a complaint with our Grievance Officer or the Data Protection Board of India.

To exercise any of these rights, contact us at support@currentprep.in with the subject line “Data Rights Request”. We will respond within 30 days.

10. Data Retention

  • Active Accounts: Data is retained for as long as your account is active.
  • Account Deletion: Upon account deletion, personal data is permanently removed within 30 days. Certain anonymized usage data may be retained for service improvement.
  • Payment Records: Transaction records are retained for 8 years as required by Indian tax laws (Income Tax Act, GST Act).
  • Support Tickets: Communication history is retained for 2 years after the last interaction, then deleted.
  • Logs: Server access logs are retained for 90 days for security purposes, then automatically purged.

11. Children's Privacy

CurrentPrep is intended for users aged 16 and above. We do not knowingly collect personal data from children under 16. Under DPDPA 2023, processing of a child's personal data requires verifiable parental consent. If you believe a child under 16 has provided us with personal information without parental consent, please contact us immediately at support@currentprep.in and we will promptly delete such data.

12. Cross-Border Data Transfer

Your data is primarily stored in India (AWS Mumbai region via Supabase). Some third-party services (Vercel CDN, Google APIs) may process data in other jurisdictions. In such cases, we ensure that the data transfer complies with DPDPA 2023 requirements and that adequate safeguards are in place. We do not transfer data to countries or territories that have been restricted by the Central Government under DPDPA 2023.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Post the updated policy on this page with a new “Last updated” date.
  • Notify you via email or a prominent notice on the platform.
  • Where required by DPDPA 2023, obtain fresh consent for any new processing activities.

14. Grievance Officer

In accordance with DPDPA 2023 and the Information Technology Act, 2000, we have appointed the following Grievance Officer:

Grievance Officer

CurrentPrep

Email: grievance@currentprep.in

Address: New Delhi, India

Response time: Within 15 days of receiving the grievance.

If you are not satisfied with the resolution, you may file a complaint with the Data Protection Board of India as established under DPDPA 2023.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
