TechPaths

Privacy Policy

1. Introduction

TechPaths ("we", "our", "us") operates the website www.techpaths.dev (the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal data in accordance with the Digital Personal Data Protection Act, 2023 (DPDPA), the Information Technology Act, 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and other applicable Indian laws.

By accessing or using our Platform, you consent to the practices described in this Policy. If you do not agree, please discontinue use of the Platform.

2. Data Fiduciary Details

As defined under the DPDPA 2023, TechPaths is the Data Fiduciary responsible for processing your personal data.

  • Platform Name: TechPaths
  • Website: www.techpaths.dev
  • Contact Email: techpaths.support@gmail.com
  • Grievance Officer: Reachable at techpaths.support@gmail.com

3. Personal Data We Collect

We collect only the minimum data necessary to provide our services (principle of data minimisation under DPDPA 2023):

3.1 Data You Provide Directly

  • Full name and email address (on registration)
  • Password (stored as a one-way bcrypt hash — never in plain text)
  • Google account profile information (if you sign in with Google)

3.2 Payment Data

  • Payment transactions are processed by Razorpay. We do not store your card number, CVV, UPI PIN, or net banking credentials. We store only: payment ID, amount, currency, payment method type (e.g., "card", "upi"), and transaction status for compliance and billing records. Please note that we have a strict no-refund policy for any reason, as detailed in our Terms of Service.

3.3 Usage Data Collected Automatically

  • Articles read and learning path progress
  • Session tokens (stored securely in our database)
  • Vercel Speed Insights — anonymised performance metrics (no personal identifiers)

3.4 Data We Do NOT Collect

  • Aadhaar number, PAN, or any government-issued ID
  • Biometric data
  • Location data
  • Device fingerprints or advertising identifiers
  • Data from minors under 18 years of age (see Section 10)

4. Purpose and Legal Basis for Processing

Under the DPDPA 2023, we process your personal data only for the following specified, clear, and lawful purposes:

Purpose | Legal Basis
Create and manage your account | Consent / Contract
Authenticate your identity on login | Contract
Process subscription payments | Contract
Track learning progress | Consent / Contract
Send transactional emails (payment receipts, subscription alerts) | Contract / Legal Obligation
Comply with legal and regulatory obligations | Legal Obligation
Prevent fraud and abuse | Voluntary Provision / Security
Improve platform performance (anonymised analytics) | Not Applicable (Anonymised Data)

We do not use your personal data for advertising, profiling, or selling to third parties.

5. Data Sharing and Third Parties

We share your data only with the following trusted service providers ("Data Processors") strictly for the purposes described above:

  • Supabase (PostgreSQL database) — stores your account, subscription, and progress data. Hosted on AWS ap-southeast-2 (Sydney).
  • Razorpay — processes payments. Subject to RBI regulations and PCI-DSS compliance. Their privacy policy applies to payment data.
  • Google OAuth — if you sign in with Google, Google shares your name, email, and profile picture with us per Google's OAuth terms.
  • Vercel — hosts the Platform. Processes request logs and anonymised performance data.
  • Upstash Redis — stores temporary rate-limiting counters. No personal data is stored beyond IP address for abuse prevention.

We do not sell, rent, or trade your personal data to any third party for commercial purposes.

We may disclose your data if required by law, court order, or a competent government authority under applicable Indian law.

6. Data Retention

Data Type | Retention Period
Account data (name, email) | Until account deletion + 30 days
Password hash | Until account deletion
Payment records | 7 years (as required by Indian tax law)
Subscription history | 7 years
Learning progress | Until account deletion
Session tokens | 30 days or until logout
Rate limiting data (IP) | 1 hour (auto-expired)
Webhook event logs | 2 years for audit purposes

7. Your Rights as a Data Principal

Under the DPDPA 2023, you have the following rights as a Data Principal (individual whose data is processed):

  • Right to Access (Section 11): Request a summary of personal data we hold about you and how it is being processed.
  • Right to Correction and Erasure (Section 12): Request correction of inaccurate data or erasure of your personal data where it is no longer necessary for the purpose it was collected.
  • Right to Grievance Redressal (Section 13): Lodge a complaint with our Grievance Officer. We will respond within 30 days.
  • Right to Nominate (Section 14): Nominate another individual to exercise your rights in the event of your death or incapacity.
  • Right to Withdraw Consent: You may withdraw consent at any time by deleting your account. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

To exercise any of these rights, email us at techpaths.support@gmail.com with the subject line "Data Rights Request". We will respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India once it is constituted under the DPDPA 2023.

8. Data Security

We implement reasonable security practices as required under the IT (SPDI) Rules, 2011 and DPDPA 2023, including:

  • Passwords stored as bcrypt hashes (cost factor 12) — never in plain text
  • All data transmitted over HTTPS/TLS
  • Database access restricted to application layer only
  • API rate limiting to prevent brute force attacks
  • Payment data handled exclusively by Razorpay (PCI-DSS compliant)
  • HTTP security headers (HSTS, CSP, X-Frame-Options) enforced
  • Regular security reviews of application code

In the event of a personal data breach that is likely to cause harm to you, we will notify you and the Data Protection Board of India as required under DPDPA 2023.

9. Cross-Border Data Transfers

Your data may be stored and processed outside India (Supabase on AWS Sydney, Vercel on global edge network, Upstash). We ensure that such transfers are made only to countries or entities that provide adequate data protection, consistent with the DPDPA 2023 and any notifications issued by the Central Government regarding permitted geographies.

10. Children's Privacy

Our Platform is intended for users who are 18 years of age or older. We do not knowingly collect personal data from children under 18. As required under Section 9 of the DPDPA 2023, we do not process personal data of children without verifiable parental consent. If you believe a child has provided us with personal data, please contact us at techpaths.support@gmail.com and we will delete it promptly.

11. Cookies and Tracking

We use only essential cookies required for authentication (session tokens). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Vercel Speed Insights collects anonymised performance data with no personal identifiers.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the "Last updated" date at the top of this page. Continued use of the Platform after changes constitutes acceptance of the updated Policy.

13. Grievance Officer

As required under the IT Act 2000 and IT (Intermediary Guidelines) Rules 2021, we have designated a Grievance Officer:

  • Name: TechPaths Grievance Officer
  • Email: techpaths.support@gmail.com
  • Response time: Within 30 days of receipt of complaint

14. Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of India. Any disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of India.

For any privacy-related queries, contact us at techpaths.support@gmail.com