Privacy Policy
Effective Date: March 2026
ExamVine (“we,” “our,” or “us”) operates the website https://examvine.com and the ExamVine mobile application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
ExamVine is a proprietary micro enterprise registered under Udyam Registration Number UDYAM-TS-25-0067520, with its registered office at 202, Lakshmi Towers, Vandanapuri Colony, Beeramguda, Ameenpur, Hyderabad, Telangana 502032, India.
By using ExamVine, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide Directly
| Data Type | When Collected | Purpose | Required? |
|---|---|---|---|
| Phone Number | Account registration (OTP login) | Primary identifier (USERNAME_FIELD), authentication via OTP, account recovery | Yes (if using phone login) |
| Email Address | Account registration, profile update, or Google Sign-In | Account recovery, purchase receipts, subscription reminders, important notifications | Optional (required for Google Sign-In) |
| Full Name | Profile setup, Google Sign-In, or during OTP registration | Personalization (“Welcome, [Name]”), invoice generation, community display name | Optional |
| Google Account Info | When using “Sign in with Google” | Account creation: we receive your name, email, and profile picture URL from Google | Only if using Google Sign-In |
| Payment Information | When purchasing a subscription | Payment processing via Razorpay — we do NOT store card numbers, CVV, UPI PINs, or banking credentials | Only when making a purchase |
| Profile About Text | When editing profile | Optional bio for community features | Optional |
1.2 Information Collected Automatically
| Data Type | How Collected | Purpose |
|---|---|---|
| Device Information | Mobile app (Expo SDK) | Device model, OS version, app version — for debugging, compatibility, and crash reporting |
| Usage Data | App and website | Questions attempted, topics studied, mock tests taken, time spent — for analytics, progress tracking, and personalization |
| IP Address | Every API request | Security (rate limiting, abuse prevention), approximate geographic analytics |
| JWT Authentication Tokens | On login (website: localStorage; app: SecureStore) | Session management — 30-minute access tokens, 90-day refresh tokens |
| Cookies & Local Storage | Website only | Session management, authentication (see Cookie Policy) |
| Push Notification Token | Mobile app (if user opts in) | Delivering push notifications for subscription reminders, study streaks, community activity |
| Conversion Events | When upgrade prompts are shown | Which free-tier limits the user hits, whether they view pricing, whether they subscribe — for product analytics and improving the free-to-premium experience |
1.3 Information We Do NOT Collect
- We do not collect Aadhaar numbers, voter ID, driving license, or any government identity documents.
- We do not collect biometric data (fingerprints, face scans, etc.).
- We do not access your device contacts, camera, microphone, or photo library.
- We do not track your GPS location or fine-grained geolocation.
- We do not read or access your SMS messages (OTPs are entered manually by you).
- We do not use your data for advertising or sell it to advertisers.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation & authentication | Phone, email, Google account | Contractual necessity |
| Service delivery | All usage data, subscription status | Contractual necessity |
| Payment processing | Name, email, phone (passed to Razorpay) | Contractual necessity |
| Invoice generation | Name, email, phone, transaction details | Legal obligation (accounting) |
| Subscription reminders | Email, subscription end date | Legitimate interest |
| Product analytics | Aggregated usage data, conversion events | Legitimate interest |
| Bug fixing & crash reporting | Device info, error logs | Legitimate interest |
| Security | IP address, rate limiting data | Legitimate interest |
| Customer support | Phone, email, transaction history | Contractual necessity |
| Legal compliance | Transaction records, contact history | Legal obligation |
We will never:
- Send promotional SMS without your explicit opt-in consent
- Share your data with third parties for advertising
- Use your personal data in ways materially different from what is described here without notifying you first
3. Third-Party Services
We share limited data with the following third-party services, solely for the purposes described:
| Service | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Razorpay (Mumbai, India) | Payment processing | Name, email, phone, payment amount | https://razorpay.com/privacy/ |
| Google OAuth 2.0 (USA) | Authentication (Sign in with Google) | Google account info (name, email, picture) — we receive this from Google; we do not send it | https://policies.google.com/privacy |
| Fast2SMS (India) | OTP delivery via SMS | Phone number only | https://www.fast2sms.com/privacy-policy |
| Bunny CDN (Global) | Content delivery (images, videos, media) | IP address (for CDN routing) | https://bunny.net/privacy/ |
| Supabase / PostgreSQL (Cloud) | Database hosting | All user data (encrypted at rest, encrypted in transit) | https://supabase.com/privacy |
| Sentry (USA) | Error tracking and crash reporting | Device info, error stack traces (no personal identifiers) | https://sentry.io/privacy/ |
| Expo (USA) | Mobile app framework, push notifications | Push token, device info | https://expo.dev/privacy |
| Google Gemini AI (USA) | AI Study Assistant feature | Your study queries (anonymized, no personal identifiers attached) | https://ai.google.dev/terms |
| SMTP Provider (for email) | Transactional emails (receipts, reminders) | Email address, email content | Provider’s policy |
Data Processing Agreements: We ensure that all third-party services we use have appropriate data protection measures in place. For services processing data outside India, we rely on their standard data protection commitments.
We do NOT use:
- Google Analytics (no third-party tracking cookies on the website)
- Facebook Pixel or any social media tracking
- Any advertising network SDK
4. Data Storage & Security
4.1 Where Your Data Is Stored
| Data | Storage Location | Encryption |
|---|---|---|
| User accounts, subscriptions, progress | PostgreSQL on Supabase (cloud infrastructure) | Encrypted at rest (AES-256), encrypted in transit (TLS 1.2+) |
| Study content (text, notes, questions) | PostgreSQL (same database) | Encrypted at rest |
| Media files (images, videos) | Bunny CDN storage zones | Encrypted in transit, CDN edge caching |
| Authentication tokens | Client-side: localStorage (website) / SecureStore (app) | In-transit: TLS; at-rest: device-level (SecureStore is encrypted) |
| Payment data (card/UPI) | Not stored by us — handled entirely by Razorpay | PCI-DSS Level 1 compliant (Razorpay) |
4.2 Security Measures
| Measure | Implementation |
|---|---|
| Transport encryption | All communication over HTTPS (TLS 1.2+). HTTP Strict Transport Security (HSTS) enabled for 1 year. |
| Password hashing | Passwords hashed using Django’s PBKDF2 with SHA-256 (150,000 iterations). Never stored in plain text. |
| JWT tokens | Access tokens expire in 30 minutes. Refresh tokens expire in 90 days. Tokens are rotated on refresh and old tokens are blacklisted. |
| OTP security | 6-digit codes expire after 5 minutes. Maximum 3 verification attempts per code. 30-second cooldown between sends. Rate limited: 5/minute, 100/hour, 100/day per phone. |
| API rate limiting | Anonymous: 30 requests/minute. Authenticated: 300 requests/minute. Login: 10/minute. OTP: 5/minute. |
| CORS | Only examvine.com and mobile app origins are allowed. Credentials require explicit origin matching. |
| SQL injection prevention | Django ORM parameterized queries. No raw SQL. |
| Input validation | Phone numbers validated against E.164 format. Emails validated. All inputs sanitized. |
| Error tracking | Sentry captures errors without personal data in stack traces. |
| Dependency security | Python packages pinned to specific versions in requirements.txt. |
4.3 Data Breach Protocol
In the unlikely event of a data breach affecting your personal information:
- Within 72 hours: We will notify all affected users via email and/or in-app notification.
- Notification contents: What happened, what data was affected, what we are doing about it, what you should do (e.g., change passwords).
- Regulatory reporting: We will report the breach to CERT-In (Indian Computer Emergency Response Team) as required under the IT Act 2000 and DPDP Act 2023 rules.
- Remediation: Immediate steps to contain the breach, patch the vulnerability, and prevent recurrence.
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data (name, email, phone) | As long as your account is active | Service delivery |
| Account data after deletion request | Deleted within 30 days, except legal holds | User right to deletion |
| Usage data (questions attempted, analytics) | 2 years from collection date | Product improvement |
| Transaction records (invoices, payments) | 8 years after transaction | Indian tax and accounting regulations (Income Tax Act, 1961 — Section 44AA requires 6 years; we keep 8 for safety) |
| OTP codes | Automatically deleted after 5 minutes | No longer needed |
| JWT refresh tokens | Blacklisted on rotation; purged by Celery task (daily 03:00 UTC) | Security |
| Expired notifications | Purged by Celery task (daily 04:00 UTC) | Housekeeping |
| Phone/email change audit log (UserContactHistory) | Retained indefinitely while account is active | Security audit trail |
| Inactive accounts (no login for 24 months) | Flagged for deletion with 30-day advance email notice | Data minimization |
6. Your Rights
Under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023:
| Right | How to Exercise | Timeline |
|---|---|---|
| Access | View your data: My Account → Profile. Or request a full data export via email. | Data export within 7 business days |
| Correction | Update name, email, phone from your account settings. | Immediate |
| Deletion | Request account deletion by emailing support@examvine.com. | Completed within 30 days (transaction records retained per legal obligation) |
| Data Portability | Request an export of your personal data in machine-readable format (JSON). | Within 7 business days |
| Withdraw Consent | Disable push notifications in app settings. Unsubscribe from emails via link in email footer. | Immediate |
| Opt-out of Analytics | Contact support@examvine.com to opt out of anonymized analytics. | Within 7 business days |
| Grievance | Contact our Grievance Officer (details in Section 11). | Acknowledged within 24 hours, resolved within 15 business days |
Important: You cannot opt out of transactional communications (payment confirmations, security alerts, policy change notices) as these are required for service delivery and legal compliance.
7. Children’s Privacy
ExamVine is intended for users aged 16 and above who are preparing for competitive examinations. We do not knowingly collect personal information from children under the age of 16.
If we become aware that a child under 16 has provided us with personal information, we will:
- Take immediate steps to delete such information from our systems.
- Terminate the associated account.
- Notify the child’s parent or guardian if contact information is available.
If you believe a child under 16 has registered on ExamVine, please contact us immediately at support@examvine.com.
8. Cookies (Website Only)
Our website uses cookies and localStorage for essential functionality. See our Cookie Policy for full details.
Summary:
- Essential (cannot be disabled): JWT tokens in localStorage for authentication.
- Functional: Theme preference, cookie consent status.
- Analytics: Not used as of launch. If added, will require opt-in consent.
- Third-party: Razorpay (during checkout) and Google (during Sign-In) may set their own cookies.
The ExamVine mobile app does not use cookies. Authentication tokens are stored in Expo SecureStore.
9. International Data Transfers
Some of our third-party service providers (Google, Sentry, Expo) are based in the United States. When your data is processed by these services, it may be transferred outside India.
We ensure that such transfers are:
- Necessary for the purposes described in this policy (authentication, error tracking, push notifications)
- Covered by the service provider’s data protection commitments
- Compliant with applicable Indian data protection laws
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The “Effective Date” at the top of this page will be updated.
- For significant changes (new data collection, new third parties, changed retention periods), we will notify you via email and/or an in-app notification at least 15 days in advance.
- For minor changes (wording clarifications, formatting), we will update the policy without individual notice.
- Your continued use of ExamVine after the updated policy is posted constitutes acceptance of the changes. If you disagree, you may delete your account.
11. Grievance Officer
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the Grievance Officer for the purpose of this Privacy Policy is:
Name: Katkuri Vanaja (Proprietor)
Designation: Grievance Officer
Email: support@examvine.com
Phone: +91 8860078551
Address: 202, Lakshmi Towers, Vandanapuri Colony, Beeramguda, Ameenpur, Hyderabad, Telangana 502032, India
Grievance redressal timeline:
- Acknowledgment: Within 24 hours of receipt
- Resolution: Within 15 business days of acknowledgment
12. Governing Law
This Privacy Policy is governed by the laws of the Republic of India, including but not limited to:
- Information Technology Act, 2000
- IT (Reasonable Security Practices) Rules, 2011
- Digital Personal Data Protection Act, 2023
- IT (Intermediary Guidelines) Rules, 2021
Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts in Hyderabad, Telangana, India.
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your data:
ExamVine
202, Lakshmi Towers, Vandanapuri Colony,
Beeramguda, Ameenpur, Hyderabad,
Telangana 502032, India
Email: support@examvine.com
Phone: +91 8860078551
Business Hours: Monday to Saturday, 10:00 AM — 6:00 PM IST