Privacy Policy | AceNEET

1. Personal Data We Collect

1.1 Data You Provide Directly

Account data: Full name, email address, username, password (stored as a bcrypt hash — never in plain text), and target exam year.
Payment data: Transaction IDs, order amounts, and payment status. Full card/UPI details are processed exclusively by Razorpay and are never stored on our servers.
Communications: Messages you send to our support team.

1.2 Data Generated by Your Use

Test & performance data: Assessment attempts, question responses, time taken per question, scores, streaks, XP points, and analytics derived from your test history.
Device & access data: IP address at login (used for security auditing and approximate country detection), browser type, operating system, and referring URL.
Cookies & local storage: Authentication tokens (stored as cookies), tenant preference, and UI preferences. See Section 6 below.

1.3 Data We Do Not Collect

We do not collect: government ID numbers, biometric data, precise GPS location, or payment card numbers. We do not knowingly collect personal data from children under 13 without verifiable parental consent.

2. How We Use Your Data

Purpose	Legal Basis (DPDP / GDPR)
Provide and operate the Platform (account access, tests, analytics)	Contract performance
Process payments and manage subscriptions	Contract performance
Send transactional emails (password reset, purchase receipt)	Contract performance
Prevent fraud, abuse, and unauthorised access	Legitimate interests / legal obligation
Improve the Platform via aggregated analytics	Legitimate interests
Send product updates and new feature announcements	Consent (you may opt out at any time)
Comply with legal obligations (tax records, court orders)	Legal obligation

3. Data Sharing & Third-Party Processors

We do not sell your personal data. We share data only as described below:

3.1 Service Providers (Data Processors)

Razorpay Software Pvt. Ltd. — Payment processing. Receives billing amounts and order metadata. Governed by Razorpay's Privacy Policy.
Cloudinary, Inc. — Image hosting and delivery for question images. No personal data beyond technical request metadata is shared.
Cloud infrastructure provider (Render / AWS / equivalent) — Hosts our servers and database. Data is stored in India or as specified in our Data Compliance policy.
Redis (in-memory cache) — Stores session tokens and transient data. No permanent personal data is stored in Redis.

3.2 Legal Disclosures

We may disclose your data to law enforcement, regulators, or courts if required by applicable Indian law, a court order, or to protect the rights and safety of our users or the public.

3.3 Business Transfers

If AceNEET is acquired or merges with another entity, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

4. Data Retention

Account data: Retained for the lifetime of your account, plus 90 days after deletion (to allow account recovery if requested).
Test & performance data: Retained for the duration of your account and up to 1 year after account deletion for aggregate analytics purposes (in anonymised form only).
Payment records: Retained for 7 years as required by Indian tax law.
Security logs (login IP, failed attempts): Retained for 90 days.
Support communications: Retained for 2 years.

After retention periods expire, data is securely deleted or irreversibly anonymised.

5. Your Rights

Under the DPDP Act 2023 and, where applicable, the GDPR, you have the following rights:

Right to access: Request a copy of the personal data we hold about you.
Right to correction: Request correction of inaccurate or incomplete data. You can update most profile information directly in your account settings.
Right to erasure ("Right to be forgotten"): Request deletion of your personal data. We will comply within 30 days except where retention is required by law.
Right to data portability: Request your performance data in a structured, machine-readable format (JSON/CSV).
Right to withdraw consent: Withdraw consent for marketing emails at any time via the unsubscribe link or by contacting us.
Right to grievance redressal: Under the DPDP Act, you may lodge a complaint with our Data Protection Officer (see Section 8) or with the Data Protection Board of India once established.
Right to object (GDPR): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.

To exercise any right, email privacy@ace-neet.com. We will respond within 30 days.

6. Cookies & Tracking

We use the following cookies and storage mechanisms:

accessToken (cookie) — JWT access token for authentication. Session-scoped, HttpOnly equivalent via our auth flow.
x-tenant-id (cookie) — Remembers which platform (AceNEET / DMCTest) you are using. Non-personal, 1-year expiry.
UI preferences — Stored in browser memory (not persisted beyond the session on the Platform).

We do not use advertising cookies, third-party tracking pixels, or analytics cookies that transmit data to external ad networks. You may clear cookies at any time via your browser settings; doing so will log you out.

7. Data Security

We implement industry-standard security measures including:

TLS/HTTPS encryption for all data in transit.
bcrypt hashing (cost factor 12) for all passwords — we never store plaintext passwords.
JWT access tokens with 15-minute expiry and refresh-token rotation.
Rate limiting on authentication endpoints to prevent brute-force attacks.
HTTP security headers (Helmet, CSP, HSTS, X-Frame-Options).
Access to production databases restricted to authorised backend services only.

No method of transmission over the internet is 100% secure. In the event of a personal data breach that poses a high risk to your rights, we will notify you and the relevant authority within the timeframes required by law.

8. Data Protection Officer & Contact

If you have questions, concerns, or wish to exercise your data rights, contact our Data Protection Officer:

Data Protection Officer — AceNEET

Email: privacy@ace-neet.com

Response time: within 30 days of receipt.

If you are an EU/EEA resident and believe your GDPR rights have been violated, you have the right to lodge a complaint with your local supervisory authority.

9. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or a prominent notice on the Platform at least 14 days before they take effect. The "Effective Date" at the top of this page reflects the most recent revision.