Privacy Policy

Last updated: May 2026

This Privacy Policy describes how MyDhora ("we", "our", or "the platform") collects, uses, and protects the personal information you provide when using our exam preparation services. By using MyDhora, you agree to the practices described in this policy. This policy is published in compliance with the Information Technology Act, 2000 and the Digital Personal Data Protection Act, 2023 (DPDP Act).

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address (used for authentication)
  • Full name (optional, for personalisation)
  • Preferred language (Hindi or English)
  • Target exam selections and exam dates

You may optionally add the following identity details from the Edit Profile page in Settings. These are not required to use any feature; they are stored only if you choose to provide them:

  • Phone number (Indian 10-digit format)
  • Date of birth
  • City
  • Pincode

1.2 Usage Data

We automatically collect:

  • Questions you attempt, your answers, and performance scores
  • Questions you bookmark or mark for revision
  • Mock test attempts and results
  • Study planner notes and schedules
  • Monthly AI usage counts (for rate-limiting purposes)

1.3 AI Interaction Data

When you use Gyan Dost (our AI study assistant), the messages you send are processed by Google's Gemini API. We do not permanently store the content of your chat conversations on our servers. Chat history is stored only in your browser session (in-memory) and is cleared when you close the chat.

Monthly message counts are recorded per user to enforce fair usage limits. These counts do not contain the content of your messages.

If you record an optional voice log after a study session, the recording is stored on our servers (Supabase Storage) and linked to your account. You may delete a voice log at any time from the More page; deletion is permanent.

1.4 Product Analytics (with your consent)

When you accept the analytics consent banner, we collect anonymous product usage data to understand how the platform is used and to improve it:

  • Pages you visit and features you use
  • Buttons you click and actions you take (e.g., starting a test, opening AI chat)
  • Funnel events (signup completed, onboarding completed, first test completed)
  • Browser type, operating system, screen size, and country (derived from network request only — not stored)

We do not record your screen or replay your session. We only collect named events (e.g., "test_completed") with anonymous properties.

We use Mixpanel (with EU data residency) as our analytics processor. Your real name and email are never sent to Mixpanel. You are identified only by an internal user ID (a random UUID) which cannot be reversed to your personal information outside our systems. Your IP address is not stored on analytics events.

You can decline analytics when you first visit the platform, or withdraw consent later via your browser settings. Declining will not affect your ability to use any feature of the platform.

1.5 Payment Information

When you subscribe to Plus or Pro plans, payment processing is handled entirely by Razorpay. We do not store your card number, CVV, or any complete bank account information. We retain only the payment reference IDs, amount, currency, payment method type, status, and (if Razorpay generates one) the invoice URL, for accounting, refund handling, and statutory tax compliance.

Payment audit records are retained for up to 8 years to comply with Indian tax and accounting laws and are not subject to deletion on request during that period.

1.6 Device and Technical Data

We do not collect device fingerprints or IP addresses beyond what Cloudflare (our hosting provider) and Mixpanel (our analytics processor) require for normal request handling. Cloudflare may log IP addresses for DDoS protection and abuse prevention; Mixpanel does not store IPs on the analytics events we send.

2. How We Use Your Information

  • To provide and improve the exam preparation platform
  • To personalise your experience (language preferences, exam countdowns)
  • To track your learning progress and identify weak areas
  • To enforce fair usage limits on AI features
  • To send important account-related communications (e.g., password reset, payment receipts, subscription expiry notices)
  • To analyse product usage patterns and improve conversion, retention, and feature quality (only with your analytics consent)
  • To detect, investigate, and prevent abuse, fraud, and security incidents
  • To comply with Indian law (tax, accounting, response to legal requests)

We do not sell your personal data to third parties. We do not use your data for advertising profiling or remarketing. We do not share your data with marketing or ad networks.

3. Legal Bases for Processing (DPDP Act)

Under the Digital Personal Data Protection Act, 2023, we process your data on the following bases:

  • Consent — for product analytics, marketing emails (if applicable), and voice logs. You can withdraw consent at any time.
  • Performance of contract — to provide the services you subscribed to, including authentication, content delivery, AI features within usage limits, and subscription management.
  • Legitimate uses (Section 7, DPDP Act) — for fraud prevention, security, customer support, and to comply with statutory obligations including tax records and payment audit retention.
  • Legal compliance — to respond to lawful requests from Indian government authorities and to retain financial records as required by tax laws.

4. Data Storage and Security

Your account data, practice history, and profile information are stored in a PostgreSQL database managed by Supabase, which is hosted on AWS infrastructure. Supabase implements industry-standard security measures including encryption at rest and in transit (TLS/SSL).

Row-Level Security (RLS) policies ensure that each user can only access their own data. Administrators have access to question bank management and aggregated analytics only — not to your personal account contents except where required for account support or investigating reported abuse.

Analytics data sent to Mixpanel is stored in the European Union and is subject to Mixpanel's own security and retention controls. Payment metadata is stored by Razorpay in India.

While we take reasonable measures to protect your data in accordance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, no system is completely secure. You use the platform at your own risk.

5. Third-Party Services (Data Processors)

MyDhora uses the following third-party services. Each has its own privacy policy:

  • Supabase — database, authentication, and file storage provider. Handles email-based sign-in and Google OAuth.
  • Google Gemini API — AI language model used by Gyan Dost and content extraction. Messages sent to Gyan Dost are transmitted to Google's servers for processing. Subject to Google's AI Terms and Privacy Policy.
  • Cloudflare — website hosting, CDN, and DDoS protection.
  • Razorpay — payment processing for Plus and Pro subscriptions. Your card and bank details never reach our servers; they are handled entirely by Razorpay's PCI DSS-compliant infrastructure.
  • Mixpanel (EU residency) — product analytics processor. Only used after you accept the analytics consent banner. We send anonymous events keyed to a random UUID; no email, name, phone, or IP is sent to Mixpanel. We do not use any session-replay / screen-recording feature.

6. Cookies and Local Storage

MyDhora uses browser cookies solely for authentication session management (provided by Supabase). We do not use tracking cookies or third-party advertising cookies.

We use browser localStorage and sessionStorage to store your language preference, chat history, font size, theme, onboarding state, analytics consent decision, and other application preferences. This data stays on your device. The analytics consent flag (dhora_analytics_consent) controls whether the PostHog analytics library loads.

Mixpanel (when consented to) stores a distinct ID in browser localStorage to identify returning visitors. We do not allow Mixpanel to set its own cookies. This data does not communicate with advertising networks.

7. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

  • Account data — for the lifetime of your account, plus a brief grace period after deletion for backup recovery (typically 30 days).
  • Practice and learning history — for the lifetime of your account, unless you reset it via Settings.
  • Payment audit records (subscription_payments, invoices, refund records) — up to 8 years, to comply with Indian tax and accounting requirements.
  • Analytics events in Mixpanel — retained per Mixpanel defaults (typically 5 years for free tier, configurable).
  • Analytics events in our database (financial / audit) — retained alongside payment records.
  • Voice logs — until you delete them, or 12 months from creation if you do not.

8. Your Rights Under the DPDP Act

As a Data Principal, you have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccurate or incomplete data.
  • Erase your personal data (subject to retention requirements above for payment records).
  • Withdraw consent for analytics or any other consent-based processing at any time.
  • Port your data — you can export your practice history and progress data via the Settings page (Plus and Pro plans).
  • Nominate another individual to exercise your rights in the event of your death or incapacity.
  • Grievance redressal — you may raise complaints about how we process your data.

To exercise any of these rights, please contact us using the details in Section 12. We will respond within a reasonable time, typically within 30 days. Note that some data may be retained for legal compliance even after a deletion request.

9. Children's Privacy

MyDhora is intended for adult users preparing for Rajasthan government examinations. Users must be at least 13 years of age to create an account. Users between 13 and 18 must have parental or guardian consent to use the platform.

In line with Section 9 of the DPDP Act, we do not knowingly engage in tracking, behavioural monitoring, or targeted advertising of users under 18. If you believe a person under 13 has created an account, or that we are processing the data of a minor without the required parental consent, please contact us and we will take prompt action.

10. Sharing With Authorities

We may disclose your information to Indian government authorities, courts, or law enforcement agencies if compelled by valid legal process (subpoena, court order, statutory notice). We will challenge requests that we believe are unlawful or overly broad. We do not voluntarily share user data with any government or private entity except as described in this policy.

11. International Data Transfers

Some of our service providers store data outside India (Supabase on AWS, Mixpanel in the EU, Cloudflare globally). All such providers are contractually bound by appropriate data protection terms. By using MyDhora, you consent to these transfers as required to deliver the service.

12. Grievance Officer / Contact

For privacy-related questions, complaints, or data access / correction / deletion requests, please email us at support@mydhora.com. We endeavour to acknowledge complaints within 7 days and resolve them within 30 days, in line with Section 13 of the DPDP Act.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent change. Significant changes will be communicated through the platform. Continued use of MyDhora after changes constitutes your acceptance of the updated policy.