Privacy Policy
Effective: 2026-05-23. Last updated: 2026-05-23.
This is the Privacy Policy for Math to Machine (the "Platform"), operated by Math to Machine (the "Company", "we", "us"). It explains what data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act") and the corresponding rules.
If you're under 18, please read this with a parent or guardian. If you're under 16, a parent must approve your use of the Platform before you sign up.
TL;DR — the honest summary
- We collect what we need to teach you, no more.
- We never sell your data.
- We share data only with the service providers we genuinely use (payments, email, hosting, AI tutor model) and only what those providers need to do their job.
- Under-16 accounts require verifiable parent consent before they're created.
- You can delete your account anytime; we erase or anonymise your data within 30 days.
1. Who we are
Math to Machine, registered in India. Address: {COMPANY_ADDRESS}. Email: privacy@{DOMAIN}. Phone: {COMPANY_PHONE}.
We are the Data Fiduciary under the DPDP Act for the personal data we collect through the Platform.
2. What data we collect
We collect three categories of data.
2.1 Data you give us
- Sign-up details: email address, mobile phone number (used for OTP), display name (optional), date of birth (used to determine your age band).
- Onboarding details: your class level (Class 9-12 / graduation year), learning goals, prior programming familiarity, weekly hours you can study, preferred learning style.
- Parent contact (if you're under 16): your parent's mobile number and/or email, captured for verifiable consent.
- Lesson activity: which lessons you opened, what you answered on quizzes, how long you spent, your reflection notes, and the explanations you wrote for teach-back stages.
- AI tutor conversations: every message you send to the AI tutor ("Nova" / "Coach" / "Mentor"), the model's reply, and the rung the tutor used.
- Project submissions (when you publish): the code, text, and media you submit.
- Payment metadata (when you subscribe): we do NOT store card numbers, UPI handles, or net-banking credentials — those go directly to Razorpay. We store: the plan you bought, the date, the amount, the Razorpay payment ID, and your invoice.
2.2 Data we collect automatically
- Device + connection: browser type, operating system, screen size, IP address, approximate location derived from IP (city-level only, never GPS).
- Usage events: pages you opened, buttons you clicked, time spent on each lesson. Used to find bugs and improve content.
- Cookies and similar storage: see our Cookie Policy.
2.3 Data from third parties
- Parent verification responses from the OTP you confirm.
- Payment success / failure events from Razorpay's webhook.
3. Why we collect it (purposes)
We process your data only for these purposes:
- To operate the Platform. Create your account, save your progress, run the AI tutor, deliver paid features after payment.
- To verify identity and parent consent. OTP delivery, age-band determination, parent-link confirmation for under-16 accounts.
- To bill you. Process subscription payments via Razorpay; issue invoices.
- To improve content and product. Aggregate (de-identified) data about which lessons confuse learners helps us write better content.
- To keep the Platform safe. Detect abuse, prevent fraud, enforce our Terms.
- To comply with law. Respond to lawful requests from regulators or courts.
We do not use your data for any other purpose without your consent.
4. Who we share data with
We share data only with the third parties listed below, and only the data each one needs:
| Service | What we share | Purpose | Location |
|---|---|---|---|
| Razorpay (Razorpay Software Pvt Ltd) | Email, phone, name, payment amount | Process payments and refunds | India |
| Anthropic (Anthropic PBC) | The tutor message text + the concept context (no name, no email) | Generate AI tutor replies | USA |
| Resend (Resend Inc.) | Email address + the email body | Deliver transactional emails (OTP, parent verify, weekly reports) | USA |
| Neon (Neon Inc.) | All operational data above | Database hosting | USA / Singapore region |
| Vercel (Vercel Inc.) | Request logs (IP, path, status code) | Application hosting | Global edge |
| Sentry (Functional Software Inc.) | Error stack traces (may include user ID, may include input that triggered the error) | Crash and error monitoring | USA |
Some of these process data outside India. When they do, we rely on standard contractual clauses and the cross-border-transfer provisions of the DPDP Act and Rules.
We do not sell your data, and we do not share your data with advertisers or data brokers.
5. How long we keep your data
| Data | Retention |
|---|---|
| Active account: profile + progress | While your account is open |
| Active account: tutor messages | While your account is open (used for memory & personalization) |
| Active account: analytics events | 24 months rolling |
| Closed account: most data | Deleted within 30 days of closure |
| Closed account: invoices + payment records | Retained for 8 years (Indian tax law requires this) |
| Backups | Up to 90 days after deletion (encrypted; auto-purged) |
You can request earlier deletion of specific data via privacy@{DOMAIN} — we'll honour it where law permits.
6. Your rights under the DPDP Act
You have the right to:
- Access the personal data we hold about you.
- Correct anything that's wrong.
- Erase your data (we delete or anonymise within 30 days, except where retention is legally required).
- Withdraw consent at any time (for processing that depends on consent).
- Nominate another individual to exercise your rights if you die or become incapacitated.
- Grievance redressal through our Grievance Officer (below).
To exercise these rights: email privacy@{DOMAIN} with your registered email + a description of what you're asking for. We respond within 7 working days; we resolve within 30 days.
7. Children (under 18)
The DPDP Act gives extra protection to "children" (under 18). We go further:
- Under 16: account creation requires verifiable consent from a parent or legal guardian, captured via OTP to their phone or email, with the consent text version recorded.
- Under 18: we never process your data for profile-based tracking, behavioural advertising, or other purposes that may cause detrimental effect. Period.
- Public publishing (portfolio, projects): under-16 accounts default to private. The parent must explicitly opt in for any public exposure.
- Direct messaging between learners: disabled on under-16 accounts.
A parent can withdraw consent at any time; we close the account and erase data within 30 days.
8. Security
- All traffic between you and us is encrypted in transit (HTTPS / TLS 1.2+).
- Passwords are not stored; we use a magic-link / OTP sign-in flow.
- Payment data never touches our servers; Razorpay handles it directly.
- Application secrets and database credentials are stored as encrypted environment variables.
- We run automated security scans on every code change.
- We follow the principle of least privilege for staff database access; only a small number of engineers have production access, and accesses are logged.
No system is 100% secure. If a breach affects you, we will notify you within 72 hours of discovery, in line with DPDP requirements.
9. Grievance Officer (DPDP-mandated)
Name: {GRIEVANCE_OFFICER_NAME} Email: grievance@{DOMAIN} Phone: {GRIEVANCE_OFFICER_PHONE} Address: {COMPANY_ADDRESS}
Working hours: Monday-Friday, 10:00-18:00 IST.
If you're not satisfied with our handling of your complaint, you can escalate to the Data Protection Board of India under the DPDP Act.
10. Changes to this policy
We may update this policy. When we do, we'll:
- Update the "Last updated" date at the top.
- Email you if the change is material (new categories of data, new third-party processors, or any reduction in your rights).
- For changes that depend on your consent, ask you again — you'll see a banner the next time you sign in.
Your continued use of the Platform after a non-material change means you accept the update.
11. Contact
For any privacy question: privacy@{DOMAIN}. For grievances: grievance@{DOMAIN}. For account help: support@{DOMAIN}.