1. Introduction
Welcome to Testkaaro.com (“Platform”, “we”, “us”, “our”), an AI-powered online education platform offering descriptive handwritten answer checking services for students. This Privacy Policy explains how we collect, use, store, process, and protect your personal data in accordance with the Information Technology Act, 2000, the Information Technology (Amendment) Act, 2008, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”), and applicable provisions of the Digital Personal Data Protection Act, 2023 (“DPDPA, 2023”).
By accessing or using our Platform, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree, please discontinue use of our services.
2. Definitions
For the purpose of this Privacy Policy:
- “Personal Data” means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDPA, 2023.
- “Sensitive Personal Data or Information (SPDI)” includes financial information such as bank accounts, credit/debit card details, payment instrument details, and biometric data as defined under SPDI Rules, 2011.
- “Data Principal” means the individual to whom the personal data relates (i.e., you, the user).
- “Data Fiduciary” means the Platform, which determines the purpose and means of processing of personal data.
- “Consent Manager” means a registered entity enabling Data Principals to manage their consents under DPDPA, 2023.
3. Information We Collect
3.1 Information You Provide Directly
- Full name, email address, phone number, and date of birth during registration.
- Academic information: institution name, grade/class, board of education, subject preferences.
- Handwritten answer sheets uploaded by you for evaluation (images/PDFs).
- Payment information processed via Razorpay (we do not store card details on our servers).
- Profile photo or avatar (optional).
- Communications with our support team.
3.2 Information Collected Automatically
- Device information: IP address, browser type, operating system, device identifiers.
- Usage data: pages visited, time spent, features used, answer submission history.
- Log data: server logs, error logs, access timestamps.
- Cookies and similar tracking technologies (see Section 11).
3.3 Information from Third Parties
- If you sign in via Google, Microsoft, or other authorised providers, we receive your name, email, and profile picture from such services.
- Payment status and transaction identifiers from Razorpay.
4. Purpose of Data Processing
We process your personal data for the following lawful purposes:
- To create and manage your account on the Platform.
- To provide our AI-powered handwritten answer evaluation and feedback services.
- To process payments and issue receipts/invoices through Razorpay.
- To send academic reports, performance analytics, and personalised recommendations.
- To communicate service updates, new features, and educational content.
- To comply with legal obligations under Indian law.
- To prevent fraud, unauthorized access, and abuse of the Platform.
- To improve our AI models, platform quality, and user experience through anonymized analytics.
- To resolve disputes and enforce our Terms of Service.
5. Legal Basis for Processing (DPDPA, 2023)
Under the Digital Personal Data Protection Act, 2023, we process your personal data based on:
- Consent: You provide explicit consent during registration and upon uploading answer sheets for evaluation.
- Legitimate Uses: Processing necessary for the performance of a contract (your subscription/service agreement), compliance with legal obligations, and protection of vital interests.
- Purpose Limitation: Data collected for a specific purpose will not be used for any other incompatible purpose without fresh consent.
6. Payment Data & Razorpay Integration
Our Platform integrates Razorpay Payment Gateway (Razorpay Software Private Limited, a PCI-DSS compliant payment service provider) for processing payments. The following applies:
- We do not store your credit/debit card numbers, CVV, net banking credentials, or UPI PINs on our servers.
- All payment transactions are encrypted via TLS/SSL and processed securely through Razorpay's infrastructure.
- We store only non-sensitive transaction metadata: transaction ID, amount, date, payment status, and Razorpay order ID for reconciliation and legal compliance.
- Razorpay's Privacy Policy (available at razorpay.com) governs the handling of your payment data on their systems.
- By making a payment, you also agree to Razorpay's Terms of Service and Privacy Policy.
- Refunds, if applicable, are processed through Razorpay in accordance with our Refund Policy.
- Payment data may be shared with banks, NPCI, card networks, and financial institutions as required for payment processing and fraud prevention.
8. Data Retention
We retain your personal data for the following periods:
- Account data: Duration of active account + 3 years after account closure, for legal and audit purposes.
- Uploaded answer sheets: 1 year from date of upload, unless you request earlier deletion.
- Payment and transaction records: 8 years as required under the Income Tax Act, 1961 and GST laws.
- Log and usage data: 6 months on a rolling basis.
- Data subject to legal holds: Until resolution of the relevant legal matter.
Upon expiry of retention periods, we securely delete or anonymize your personal data.
9. Your Rights as a Data Principal (DPDPA, 2023)
Under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: You may request a summary of personal data we hold about you and our processing activities.
- Right to Correction and Erasure: You may request correction of inaccurate or incomplete data, or erasure of your personal data where processing is no longer necessary.
- Right to Withdraw Consent: You may withdraw consent for non-essential processing at any time. Withdrawal does not affect prior lawful processing.
- Right to Grievance Redressal: You may raise a grievance with our Grievance Officer (see Section 15) and subsequently with the Data Protection Board of India.
- Right to Nominate: You may nominate an individual to exercise your rights in the event of death or incapacity.
To exercise your rights, contact us at support@testkaaro.com with the subject line “Data Rights Request”. We will respond within 30 days as required by law.
10. Data Security
We implement technical and organizational measures to protect your data, including:
- AES-256 encryption for data at rest; TLS 1.2+ for data in transit.
- Role-based access controls; multi-factor authentication for admin access.
- Regular security audits, vulnerability assessments, and penetration testing.
- Secure cloud infrastructure from reputed providers with data centers in India.
- Incident response plan with mandatory breach notification procedures.
While we implement industry-standard security practices, no system is completely infallible. You are responsible for maintaining the confidentiality of your login credentials.
12. Children's Privacy
Our Platform may be used by students under 18 years of age. In accordance with the DPDPA, 2023:
- Users under 18 must obtain verifiable parental or guardian consent before registering.
- We do not knowingly process the data of children under 13 without verified parental consent.
- Schools and institutions accessing our Platform on behalf of minors must ensure appropriate consent mechanisms are in place.
- Parental/guardian accounts can monitor and control a minor's data and usage on the Platform.
- We do not target behavioral advertising at minors.
13. Cross-Border Data Transfers
Your data is primarily stored and processed on servers located in India. In cases where we engage international service providers (such as cloud or AI processing services), we ensure:
- Data transfer occurs only to countries or entities that provide adequate data protection.
- Standard contractual clauses and data processing agreements are in place.
- Such transfers comply with requirements under the DPDPA, 2023 and notifications issued by the Indian Government.
14. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email or a prominent notice on the Platform at least 30 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the revised policy.
15. Grievance Officer
In accordance with the Information Technology Act, 2000 and DPDPA, 2023, we have appointed a Grievance Officer:
If you are unsatisfied with the resolution, you may escalate your grievance to the Data Protection Board of India once operationalized under the DPDPA, 2023.
16. Contact Us
For any privacy-related queries, please contact us at: