Privacy Policy
Effective Date: March 2026
ExamVine (“we,” “our,” or “us”) operates the website https://examvine.com and the ExamVine mobile application (collectively, the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
ExamVine is based in Hyderabad, India, and operates the Service as described in this policy.
By using ExamVine, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Information You Provide Directly
| Data Type | When Collected | Purpose | Required? |
|---|---|---|---|
| Phone Number | Account registration (OTP login) | Your primary login identifier, authentication via OTP, account recovery | Yes (if using phone login) |
| Email Address | Account registration, profile update, or Google Sign-In | Account recovery, purchase receipts, subscription reminders, important notifications | Optional (required for Google Sign-In) |
| Full Name | Profile setup, Google Sign-In, or during OTP registration | Personalization (“Welcome, [Name]”), invoice generation, community display name | Optional |
| Google Account Info | When using “Sign in with Google” | Account creation: we receive your name, email, and profile picture from Google | Only if using Google Sign-In |
| Payment Information | When purchasing a subscription | Payment processing via Razorpay — we do NOT store card numbers, CVV, UPI PINs, or banking credentials | Only when making a purchase |
| Profile About Text | When editing profile | Optional bio for community features | Optional |
1.2 Information Collected Automatically
| Data Type | How Collected | Purpose |
|---|---|---|
| Device Information | Mobile app | Device model, OS version, app version — for compatibility and crash reporting |
| Usage Data | App and website | Questions attempted, topics studied, mock tests taken, time spent — for analytics, progress tracking, and personalization |
| IP Address | When you use the service | Security and abuse prevention |
| Login Session Data | On login | Keeping you logged in securely (see Cookie Policy) |
| Push Notification Token | Mobile app (if you opt in) | Delivering push notifications for subscription reminders, study streaks, community activity |
| Conversion Events | When upgrade prompts are shown | Which free-tier limits the user hits, whether they view pricing, whether they subscribe — for product analytics and improving the free-to-premium experience |
1.3 Information We Do NOT Collect
- We do not collect Aadhaar numbers, voter ID, driving license, or any government identity documents.
- We do not collect biometric data (fingerprints, face scans, etc.).
- We do not access your device contacts, camera, microphone, or photo library.
- We do not track your GPS location or fine-grained geolocation.
- We do not read or access your SMS messages (OTPs are entered manually by you).
- We do not use your data for advertising or sell it to advertisers.
2. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation & authentication | Phone, email, Google account | Contractual necessity |
| Service delivery | All usage data, subscription status | Contractual necessity |
| Payment processing | Name, email, phone (passed to Razorpay) | Contractual necessity |
| Invoice generation | Name, email, phone, transaction details | Legal obligation (accounting) |
| Subscription reminders | Email, subscription end date | Legitimate interest |
| Product analytics | Aggregated usage data, conversion events | Legitimate interest |
| Bug fixing & crash reporting | Device info, error logs | Legitimate interest |
| Security | IP address, rate limiting data | Legitimate interest |
| Customer support | Phone, email, transaction history | Contractual necessity |
| Legal compliance | Transaction records, contact history | Legal obligation |
We will never:
- Send promotional SMS without your explicit opt-in consent
- Share your data with third parties for advertising
- Use your personal data in ways materially different from what is described here without notifying you first
3. Third-Party Services
We share limited data with the following third-party services, solely for the purposes described:
| Service | Purpose | Data Shared | Their Privacy Policy |
|---|---|---|---|
| Razorpay (Mumbai, India) | Payment processing | Name, email, phone, payment amount | https://razorpay.com/privacy/ |
| Google Sign-In (USA) | Sign in with Google | Your name, email, and profile picture (received from Google) | https://policies.google.com/privacy |
| Fast2SMS (India) | OTP delivery via SMS | Phone number only | https://www.fast2sms.com/privacy-policy |
| Bunny CDN (Global) | Delivering images and videos | IP address | https://bunny.net/privacy/ |
| Supabase (Cloud) | Secure database hosting | All user data (encrypted) | https://supabase.com/privacy |
| Sentry (USA) | Error tracking and crash reporting | Device info, error details (no personal identifiers) | https://sentry.io/privacy/ |
| Expo (USA) | Mobile app and push notifications | Notification token, device info | https://expo.dev/privacy |
| Google Gemini AI (USA) | AI Study Assistant feature | Your study queries (anonymized, no personal identifiers attached) | https://ai.google.dev/terms |
| SMTP Provider (for email) | Transactional emails (receipts, reminders) | Email address, email content | Provider’s policy |
Data Processing Agreements: We ensure that all third-party services we use have appropriate data protection measures in place. For services processing data outside India, we rely on their standard data protection commitments.
We do NOT use:
- Google Analytics (no third-party tracking cookies on the website)
- Facebook Pixel or any social media tracking
- Any advertising networks
4. Data Storage & Security
4.1 Where Your Data Is Stored
| Data | Storage Location | Encryption |
|---|---|---|
| User accounts, subscriptions, progress | Secure cloud database (Supabase) | Encrypted at rest and in transit |
| Study content (text, notes, questions) | Secure cloud database | Encrypted at rest |
| Media files (images, videos) | Content delivery network (Bunny CDN) | Encrypted in transit |
| Login session data | Your device (browser or app) | Encrypted on device and in transit |
| Payment data (card/UPI) | Not stored by us — handled entirely by Razorpay | Industry-standard payment security (Razorpay) |
4.2 Security Measures
| Measure | Implementation |
|---|---|
| Encryption | All communication between your device and our servers is encrypted via HTTPS. |
| Password protection | Passwords are securely hashed using industry-standard algorithms. They are never stored in plain text. |
| Session security | Login sessions expire automatically and are refreshed securely. Old sessions are invalidated. |
| OTP security | OTP codes expire after 5 minutes with limited verification attempts to prevent misuse. |
| Abuse prevention | We limit the number of requests to prevent automated abuse and protect all users. |
| Input validation | All user inputs are validated and sanitized to prevent security vulnerabilities. |
| Error monitoring | We track application errors to fix issues quickly, without capturing personal data in error reports. |
4.3 Data Breach Protocol
In the unlikely event of a data breach affecting your personal information:
- Within 72 hours: We will notify all affected users via email and/or in-app notification.
- Notification contents: What happened, what data was affected, what we are doing about it, what you should do (e.g., change passwords).
- Regulatory reporting: We will report the breach to CERT-In (Indian Computer Emergency Response Team) as required under the IT Act 2000 and DPDP Act 2023 rules.
- Remediation: Immediate steps to contain the breach, patch the vulnerability, and prevent recurrence.
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Active account data (name, email, phone) | As long as your account is active | Service delivery |
| Account data after deletion request | Deleted within 30 days, except legal holds | User right to deletion |
| Usage data (questions attempted, analytics) | 2 years from collection date | Product improvement |
| Transaction records (invoices, payments) | 8 years after transaction | Indian tax and accounting regulations |
| OTP codes | Automatically deleted after 5 minutes | No longer needed |
| Login session tokens | Automatically cleared daily | Security |
| Expired notifications | Automatically cleared daily | Housekeeping |
| Phone/email change history | Retained while account is active | Security audit trail |
| Inactive accounts (no login for 24 months) | Flagged for deletion with 30-day advance email notice | Data minimization |
6. Your Rights
Under the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023:
| Right | How to Exercise | Timeline |
|---|---|---|
| Access | View your data: My Account → Profile. Or request a full data export via email. | Data export within 7 business days |
| Correction | Update name, email, phone from your account settings. | Immediate |
| Deletion | Request account deletion by emailing support@examvine.com. | Completed within 30 days (transaction records retained per legal obligation) |
| Data Portability | Request an export of your personal data in machine-readable format (JSON). | Within 7 business days |
| Withdraw Consent | Disable push notifications in app settings. Unsubscribe from emails via link in email footer. | Immediate |
| Opt-out of Analytics | Contact support@examvine.com to opt out of anonymized analytics. | Within 7 business days |
| Grievance | Contact our Grievance Officer (details in Section 11). | Acknowledged within 24 hours, resolved within 15 business days |
Important: You cannot opt out of transactional communications (payment confirmations, security alerts, policy change notices) as these are required for service delivery and legal compliance.
7. Children’s Privacy
ExamVine is intended for users aged 16 and above who are preparing for competitive examinations. We do not knowingly collect personal information from children under the age of 16.
If we become aware that a child under 16 has provided us with personal information, we will:
- Take immediate steps to delete such information from our systems.
- Terminate the associated account.
- Notify the child’s parent or guardian if contact information is available.
If you believe a child under 16 has registered on ExamVine, please contact us immediately at support@examvine.com.
8. Cookies (Website Only)
Our website uses cookies and browser storage for essential functionality. See our Cookie Policy for full details.
Summary:
- Essential (cannot be disabled): Login tokens to keep you signed in.
- Functional: Theme preference, cookie consent status.
- Analytics: Not used as of launch. If added, will require opt-in consent.
- Third-party: Razorpay (during checkout) and Google (during Sign-In) may set their own cookies.
The ExamVine mobile app does not use cookies. Login data is stored securely on your device.
9. International Data Transfers
Some of our third-party service providers (Google, Sentry, Expo) are based in the United States. When your data is processed by these services, it may be transferred outside India.
We ensure that such transfers are:
- Necessary for the purposes described in this policy (authentication, error tracking, push notifications)
- Covered by the service provider’s data protection commitments
- Compliant with applicable Indian data protection laws
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
- The “Effective Date” at the top of this page will be updated.
- For significant changes (new data collection, new third parties, changed retention periods), we will notify you via email and/or an in-app notification at least 15 days in advance.
- For minor changes (wording clarifications, formatting), we will update the policy without individual notice.
- Your continued use of ExamVine after the updated policy is posted constitutes acceptance of the changes. If you disagree, you may delete your account.
11. Grievance Officer
In accordance with the Information Technology Act, 2000, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, and the Digital Personal Data Protection Act, 2023, the Grievance Officer for the purpose of this Privacy Policy is:
Designation: Grievance Officer
Email: support@examvine.com
Grievance redressal timeline:
- Acknowledgment: Within 24 hours of receipt
- Resolution: Within 15 business days of acknowledgment
12. Governing Law
This Privacy Policy is governed by the laws of the Republic of India, including but not limited to:
- Information Technology Act, 2000
- IT (Reasonable Security Practices) Rules, 2011
- Digital Personal Data Protection Act, 2023
- IT (Intermediary Guidelines) Rules, 2021
Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts in Hyderabad, Telangana, India.
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your data:
ExamVine
Hyderabad, India
Email: support@examvine.com
Business Hours: Monday to Saturday, 10:00 AM — 6:00 PM IST