Skip to main content
Share

Privacy Policy

Effective Date: May 13, 2026 · Version: v2.0

Governed by the Digital Personal Data Protection (DPDP) Act, 2026, IT Rules 2021/2026, and CERT-In Directions.

1. Who We Are (Data Fiduciary)

Vidhyapath Learning Technologies Private Limited (VLTPL), operating as "Vidhyapath" ("we", "us", "our"), operates the educational platform at vidhyapath.com and the Abhaya Portal at vidhyapath.com/ai-portal. We are the Data Fiduciary as defined under the DPDP Act, 2026, responsible for the personal data you share with us.

Data Protection Officer (DPO): contact@vidhyapath.com
Grievance Officer: contact@vidhyapath.com · Acknowledgment within 48 hours · Resolution within 15 days

2. What Personal Data We Collect

We collect only the data necessary to deliver our educational services:

  • Identity data: Name, email address, phone number, and college/institution name provided at registration.
  • Authentication data: Hashed password (never stored in plain text) or Google OAuth token. We do not store your Google password.
  • Educational performance data: Mock test scores, subject-wise analytics, attempt history, rank estimates, and hints accessed — used to personalise your learning experience.
  • Consent data: Timestamp, policy version number, and session identifier recorded when you accept this Privacy Policy at registration (DPDP Act §9 requirement).
  • Technical data: Browser type, device type, approximate location (state-level, derived from IP address for regional analytics), and session identifiers. We do not track your precise GPS location.
  • Payment data: Payment confirmation reference numbers only. All payment card, UPI, and bank details are processed exclusively by Cashfree Payments and are never stored on Vidhyapath servers.

3. Purpose and Legal Basis for Processing

PurposeLegal Basis (DPDP Act)
Deliver mock tests, results, and hintsConsent + Contractual necessity
Personalised subject analytics and rank estimateConsent
Send exam updates, revision tips via email/WhatsAppConsent (opt-in at signup)
Process payments via CashfreeContractual necessity
Maintain platform security and audit logs (180 days)Legal obligation (CERT-In Directions)
Respond to grievances within statutory timelinesLegal obligation (IT Rules 2021/2026)
Comply with government / court ordersLegal obligation

4. Data Residency — India Only

All personal data of Indian students is stored exclusively on Indian servers in compliance with the DPDP Act, 2026. Our primary infrastructure uses Google Firebase (data centre: Mumbai, India region) for authentication and real-time database services. Video and media assets are stored on E2E Networks cloud storage — a MeitY-empaneled, India-sovereign cloud provider. No student personal data is transferred outside India without explicit consent, except where required by law.

5. Minor's Data (Users Under 18)

Vidhyapath serves students preparing for competitive entrance examinations, many of whom may be minors (under 18 years). In compliance with DPDP Act, 2026 Section 9:

  • We require verifiable parental or guardian consent before processing the personal data of any user who indicates they are under 18.
  • We do not knowingly collect data from minors without parental consent, and do not track minors' behaviour for advertising or profiling purposes.
  • Parents or guardians may contact us at contact@vidhyapath.com to review, correct, or request deletion of a minor's data.

6. AI-Generated Content Disclosure

Some lesson videos available on the Vidhyapath Student Learning Portal are created using artificial intelligence tools, including synthetic voice (text-to-speech) and AI avatar technology. In compliance with the IT Rules Amendment, 2026 (effective 20 February 2026):

  • All AI-generated video content carries a visible "AI-Generated Content" label within the video player interface.
  • Metadata identifying content as AI-generated is embedded in the content to prevent tampering.
  • If you believe any content constitutes a synthetic impersonation (deepfake) or is being misused, report it immediately to contact@vidhyapath.com. User-reported AI content concerns are resolved within 36 hours.

7. Third-Party Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Cashfree Payments — for payment processing. Governed by Cashfree's PCI-DSS compliant privacy policy.
  • Google Firebase — for authentication and real-time data storage (India region).
  • E2E Networks — for video and media asset storage (MeitY-empaneled, India).
  • Government / law enforcement — only when required by a valid court order, government directive, or statutory obligation. We will notify you of such disclosure unless legally prohibited from doing so.

8. Your Data Rights (DPDP Act 2023)

You have the following rights regarding your personal data. All requests are fulfilled within 30 days:

  • Right to Access: Request a summary of the personal data we hold about you.
  • Right to Correction: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request complete deletion of your account and all associated personal data from our systems, including Firebase and E2E Networks storage. This may affect your access to purchased mocks.
  • Right to Withdraw Consent: You may withdraw consent for marketing communications at any time by emailing us. Withdrawal of consent does not affect the legality of processing carried out before withdrawal.
  • Right to Nominate: You may nominate another individual to exercise your data rights on your behalf in the event of death or incapacity.

To exercise any of these rights, email contact@vidhyapath.com with the subject line "Data Rights Request — [Your Name]".

9. Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of a verified erasure request.
  • Test performance data: Retained for 2 years from the date of the test attempt, then anonymised.
  • Security and access logs: Retained for a minimum of 180 days as required by CERT-In Directions.
  • Payment records: Retained for 7 years as required by Indian accounting and tax laws.
  • Consent records: Retained for the life of the account plus 1 year after deletion.

10. Data Breach Notification

In the event of a personal data breach, we will notify the Data Protection Board of India (DPBI) and all affected users within 72 hours of becoming aware of the breach, as required by the DPDP Act, 2026. Notifications will be sent to your registered email address and will include: the nature of the breach, the data affected, the likely consequences, and the steps taken to mitigate harm.

11. Security Measures

  • All data in transit is encrypted using TLS 1.3.
  • Passwords are hashed using Firebase's bcrypt-based scheme and are never stored in plain text.
  • Access to student data is restricted on a least-privilege basis — only authorised personnel can access production data.
  • We conduct periodic security reviews and plan to commission a VAPT (Vulnerability Assessment and Penetration Testing) audit before full institutional integration.

12. Cookies and Tracking

We use minimal, strictly necessary session cookies to keep you logged in. We do not use third-party advertising cookies or tracking pixels. We do not participate in behavioural advertising networks. Analytics data (page views, session duration) is collected in aggregate and anonymised form only.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in law or our services. When we make material changes, we will notify you via email and display a prominent notice on the platform at least 7 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

14. Contact & Grievance Redressal

Data Protection Officer & Grievance Officer

Vidhyapath · Hyderabad, Telangana, India

Email: contact@vidhyapath.com

Grievance acknowledgment: within 48 hours · Resolution: within 15 days (IT Rules 2021/2026) · DPDP data rights requests: within 30 days

If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India (DPBI) at dpboard.gov.in.

Policy Version v2.0 · Effective May 13, 2026 · Governed by the laws of India · Jurisdiction: Hyderabad, Telangana
💬 Chat with us on WhatsApp