XFACTOR UPSC (“we”, “us”) operates an AI-assisted preparation platform for civil-services aspirants. This notice explains what personal data we collect, why, and the rights you have under the Digital Personal Data Protection Act, 2023 (“DPDPA”) and, where applicable, the EU/UK GDPR.
1. What we collect
- Account: email, name, profile image (from Google sign-in).
- Optional: phone, exam attempt year, billing address.
- Submissions: handwritten/typed answer content for evaluation. Treated as confidential.
- Operational: IP address, user agent, login timestamps for security and audit.
- Payments: tokenized references from Cashfree or Stripe (e.g. cf_payment_id, pi_*, last-four of card). We never receive card numbers, CVV, or expiry data.
2. Why we process your data
- To deliver the service you purchased (contract).
- For features you opt into, e.g. marketing emails (consent).
- For legal records — payments, tax invoices, audit logs (legal obligation).
- For security, fraud prevention, and abuse handling (legitimate interest).
3. Where your data lives
Primary storage is in AWS’s Mumbai (ap-south-1) region. AI evaluation runs on AWS Bedrock in the same region. Sub-processors are listed at /legal/sub-processors.
4. Retention
- Account data: while your account is active, plus 12 months.
- Raw OCR of handwritten PDFs: 90 days.
- Audit logs: 180 days hot + up to 7 years archived (regulatory).
- Payment records: 7 years (Income Tax / GST).
5. Your rights
You can request access, correction, portability, or erasure of your personal data via /account/privacy or by emailing privacy@example.com. We respond within the statutory timelines (24h acknowledgement, 7-day fulfilment target).
6. Children
Users below 18 require verifiable parental consent. We do not target users under 13.
7. Grievance Officer
See /legal/grievance.
8. Changes
We version this policy. Material changes prompt a re-consent notice on next sign-in. Versions are recorded in consentVersions for audit.