This Privacy Policy is governed by the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the Digital Personal Data Protection Act, 2023 (DPDP Act) of India.
Section 01
Who We Are
Rankrr Learning Systems ("Rankrr", "we", "us", "our") operates the platform available at rankrr.in and its associated mobile applications. We are registered and operate under Indian law.
This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it as a data principal under the DPDP Act, 2023.
Section 02
Information We Collect
We collect the following categories of information:
- Account Data: Name, email address, password (hashed), and profile picture when you register.
- Usage Data: Pages visited, features used, study session durations, focus timer logs, goals set and completed, lecture progress.
- Device & Technical Data: IP address, browser type, operating system, device identifiers, and approximate geolocation (country/state level).
- Payment Data: Billing name, plan selected. We do NOT store full card numbers - payments are processed by Razorpay/Stripe, which maintain their own PCI-DSS compliance.
- Communication Data: Emails or messages you send to our support team.
- Cookies & Analytics: Session tokens, preferences, and anonymized analytics data.
We do not knowingly collect Sensitive Personal Data or Information (SPDI) as defined under the SPDI Rules 2011 (such as passwords beyond hashing, financial info beyond billing, health data, biometrics, sexual orientation, or caste). If any such data is incidentally shared, it will be promptly deleted.
Section 03
How We Use Your Data
We collect and use your data only for the following specified purposes under the DPDP Act 2023:
- To create and manage your Rankrr account and provide platform services.
- To track your study sessions, focus time, lecture progress, and daily goals.
- To send you important transactional emails (account creation, password resets, billing receipts).
- To improve and debug platform features using anonymized usage analytics.
- To comply with our legal obligations under Indian law.
- To send product updates or educational content via email (you may opt out at any time).
We will not use your data for purposes beyond those stated above without seeking fresh consent from you in line with the DPDP Act, 2023.
Section 04
Data Sharing & Disclosure
We do not sell your personal data to any third party. We may share data with:
- Firebase (Google): Authentication, database, and storage infrastructure. Governed by Google's Privacy Policy and Data Processing Addendum.
- Supabase: PostgreSQL database backend. Governed by Supabase's Privacy Policy.
- Razorpay / Stripe: Payment processing. These providers are PCI-DSS compliant.
- Vercel / Cloudflare: Hosting and CDN infrastructure.
- Government or Legal Authorities: If required by a court order, government directive, or applicable Indian law (including the IT Act, 2000 and DPDP Act, 2023).
All third-party service providers are contractually bound to process your data only as instructed by us and in compliance with applicable data protection laws.
Section 05
Data Storage & Security
Your data is stored on servers located in India and/or the European Economic Area through our infrastructure partners (Firebase, Supabase). Cross-border transfers, where they occur, are protected by Standard Contractual Clauses (SCCs).
We implement reasonable security practices as mandated under Rule 8 of the SPDI Rules, 2011, including:
- TLS/SSL encryption for all data in transit.
- AES-256 encryption for sensitive data at rest.
- Bcrypt hashing for all user passwords.
- Role-based access control - only authorized personnel can access user data.
- Regular security audits and vulnerability assessments.
No system is 100% secure. In the event of a data breach that affects your rights, we will notify affected users and the relevant authority as required under the DPDP Act, 2023.
Section 06
Your Rights as a Data Principal
Under the Digital Personal Data Protection Act, 2023, you have the following rights:
- Right to Access: Request a summary of your personal data processed by us.
- Right to Correction: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal retention obligations.
- Right to Grievance Redressal: Raise a complaint to our Grievance Officer (see Section 11).
- Right to Nominate: Nominate another individual to exercise your rights in the event of death or incapacity.
- Right to Withdraw Consent: Withdraw consent for non-essential data uses at any time (this will not affect prior lawful processing).
To exercise any of these rights, email us at privacy@rankrr.in with the subject line "Data Rights Request". We will respond within 30 days.
Section 07
Cookies & Tracking
We use cookies and similar technologies for the following purposes:
- Essential Cookies: Required for platform functionality - authentication session tokens, security tokens.
- Analytics Cookies: Anonymized usage data (e.g., Google Analytics, Vercel Analytics) to improve the product.
- Preference Cookies: Store your settings, such as dark mode preferences.
You can control cookies through your browser settings. Disabling essential cookies may affect platform functionality. We do not use cookies for targeted advertising.
Section 08
Children's Privacy
Rankrr is intended for students aged 13 and above. We do not knowingly collect personal data from children under 13 without verifiable parental consent, as required under the DPDP Act, 2023 (which mandates parental consent for processing data of children under 18 in certain contexts).
If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at privacy@rankrr.in. We will delete such data promptly.
Section 09
Third-Party Links
Our platform may contain links to external websites, YouTube videos, or other third-party content. We are not responsible for the privacy practices or content of those third-party sites. We encourage you to read their privacy policies before sharing any personal information.
Section 10
Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Active accounts: Data is retained for the duration of your account.
- Deleted accounts: Data is deleted within 90 days of account termination, except where retention is required by law.
- Financial records: Billing and payment records may be retained for up to 7 years to comply with GST and income tax regulations under Indian law.
- Support communications: Retained for 2 years for dispute resolution purposes.
Section 11
Grievance Officer (India)
As required under Rule 5(9) of the IT (Intermediaries Guidelines and Digital Media Ethics Code) Rules, 2021 and the DPDP Act, 2023, we have designated a Grievance Officer to address privacy-related complaints:
You may also escalate unresolved grievances to the Data Protection Board of India once operationalized under the DPDP Act, 2023.
Section 12
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to your registered address) and/or by displaying a prominent notice on the platform at least 7 days before the changes take effect.
Continued use of the platform after the effective date of a revised policy constitutes acceptance of the updated terms.