Privacy Policy

1. Scope: who we are and what this covers

Data fiduciary / controller: LevelUp Edu Pvt Ltd, a private limited company incorporated in India, registered at Old no.9 New no.17, Seethammal Rd, Seethammal Colony, Alwarpet, Chennai, Tamil Nadu 600018. For the purposes of India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") we are the "Data Fiduciary".

This policy applies wherever you interact with us: browsing our marketing pages, signing up for an account, buying a course, watching content, posting in the community, taking a cohort, or contacting our support team — whether on the web, iOS, or Android.

2. Information we collect

We collect the following categories of personal data. Categories below map to the Apple "App Privacy" labels disclosed in the App Store listing.

• Contact Info: name, email address, phone number (used for OTP login + transactional comms).
• Identifiers: a unique user ID issued by our auth system, your device identifier (used to keep you signed in), and an IP address captured at request time.
• Purchases: records of which courses you bought, the amount, the date, and tokenised payment-method metadata returned by Razorpay (we never see or store your full card number or CVV — Razorpay does, as PCI-DSS-certified).
• User Content: assignments you submit, peer reviews you write, community posts and comments, chapter notes you save, profile bio + avatar you upload.
• Usage Data: which pages you view, which chapters you watch and for how long, your progress through a course, which features you use, attendance at live sessions.
• Diagnostics: error reports, crash logs, performance metrics — collected via Sentry to keep the Services working.
• Location (approximate only): we may infer your city or country from your IP address. We do not request precise device-level location, and the iOS / Android apps do not ask for the location permission.

We do not collect: precise GPS location; health, financial, or biometric data; contacts; calendars; photos library (other than what you explicitly upload); your microphone or camera.

3. How we use your information

We use your personal data only for the following purposes (these are the "lawful purposes" under the DPDP Act):

• Service delivery: to create and maintain your account, grant access to the courses you bought, track your progress, deliver cohort assignments + feedback, host the community.
• Payments: to process your purchases through Razorpay, send GST invoices, and process refunds.
• Transactional communications: account verification (OTP), order confirmations, cohort reminders, mentor feedback notifications, refund updates — sent over email + WhatsApp + SMS.
• Marketing communications: news about new offerings, batch launches, and educational content. Always opt-in, with a one-click unsubscribe.
• Product analytics: aggregate, anonymous usage patterns to improve the Services.
• Safety + integrity: to detect fraud, abuse, and policy violations; to investigate reports; to enforce our Terms.
• Legal obligations: tax records, GST filings, and responding to lawful requests from authorities.

4. Third-party processors we share data with

We do not sell or rent your personal data. We share it only with the specific service providers listed below, and only to the extent each one needs to deliver the function described. Each of these processors is contractually required to handle your data with the same care we do.

We may also disclose your data if required by a lawful order from a court or government authority, or to protect the rights, property, or safety of LevelUp, our users, or the public.

5. Cookies, analytics, and tracking

On the web, we use first-party cookies to keep you signed in and to remember your preferences. We use third-party analytics + advertising cookies (Meta, Google, X, Microsoft Clarity) to understand how our Services are used and to attribute ad spend.

On iOS: per Apple's App Tracking Transparency (ATT) framework, our iOS app will ask for your explicit permission before using your device's advertising identifier (IDFA) for cross-app tracking. You can decline; we'll still serve you the same content and features.

On Android: the app does not access your device's Google Advertising ID (GAID) and requests no advertising-ID permission. The analytics and ad-attribution tools listed above run inside the app's in-app web view and rely on cookies, which you can clear in your device settings. You can also reset or delete your advertising ID from your Android privacy settings.

6. Data retention

• Active account data: retained for as long as your account is open.
• After account deletion: personal data is erased within 30 days, except records we are legally required to keep (e.g. tax + GST invoices, retained 8 financial years under Indian law).
• Backups: personal data in encrypted backups is overwritten on a 30-day rolling cycle.
• Analytics: anonymous + aggregate metrics may be retained indefinitely.

7. Where your data is stored

Your primary account + content data is stored on Supabase infrastructure in the Asia Pacific (Tokyo) region. Some processors operate globally (Razorpay in India; Sentry, Vercel CDN, and the analytics platforms across the US/EU). Where data is transferred outside India, we rely on the data-protection commitments built into each processor's terms.

8. Your rights

To exercise any of these rights, email admin@leveluplearning.in or use the in-app controls described in the next section. We'll respond within 30 days.

9. Account deletion

You can permanently delete your account and all associated personal data at any time. We comply with Apple's App Store Review Guideline 5.1.1(v) and Google Play's Account Deletion policy.

In-app (web + iOS + Android):

1. Sign in at app.leveluplearning.in/profile (or open the app and tap Profile).
2. Scroll to Account → Delete my account.
3. Confirm. Your account is deactivated immediately and erased within 30 days.

By email: send a deletion request from your registered email address to admin@leveluplearning.in with the subject "Delete my account". We'll confirm within 7 days and complete deletion within 30.

What gets deleted: your profile, contact info, payment method tokens, course progress, notes, community posts, submissions, peer reviews, certificates.
What we retain (only to comply with Indian tax law): transaction records + GST invoices, kept for 8 financial years and then permanently deleted.

10. Data security

We take commercially reasonable steps to protect your personal data: TLS 1.3 in transit, AES-256 encryption at rest (Supabase + Vercel + Razorpay), Postgres Row-Level Security so users only see their own data, bcrypt-hashed API keys, audit logging on admin actions, mandatory 2FA on all administrative accounts, and quarterly access reviews.

11. Data breach notification

If we discover a personal-data breach that creates a risk of harm to you, we will notify the India Data Protection Board and the affected users without undue delay, as required by the DPDP Act, 2023. Notifications will be sent to your registered email address.

12. Children's privacy

Our Services are aimed at adult learners (18+).

For users in India: per the DPDP Act, anyone under 18 is treated as a "child". We do not knowingly process the personal data of any individual under 18 without verifiable parental consent. If you believe a child has registered without consent, please contact us immediately and we will delete the data.

For users outside India: we do not knowingly collect data from anyone under 13 (Children's Online Privacy Protection Act, US).

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we'll update the "Last updated" date at the top and, for material changes, notify you by email at least 14 days before the change takes effect. Continued use of the Services after the effective date constitutes acceptance.

14. Grievance officer (DPDP Act, India)