§ Legal

Privacy Policy

Effective · 10 June 2026 · Version 1.1

Plain language first; the legalese is at the bottom. Thozha Education Pvt. Ltd. (“Thozha”, “we”, “our”) operates the Thozha learning platform across web, Android (Google Play), and iOS (App Store). This policy explains what we collect, why, and how you stay in control.

1. Introduction

We built Thozha as a quiet, scholarly tool. That principle extends to data. We collect only what we need to make the product work and to improve it, and we never sell, rent, or trade your data.

By using Thozha you agree to this policy. If you do not agree, please do not use the service. This policy applies to all versions of Thozha, including the mobile applications distributed via Google Play and the Apple App Store, and the website at thozha.in.

2. Information we collect

2.1 Information you provide

  • Account data— name, email, password (hashed), profile photo, target exam, target year, language preference.
  • Study data— lesson reads, MCQ attempts, bookmarks, notes, Mains answer uploads (text or images), AI doubt queries.
  • Payment data— handled by Razorpay (web/Android) and Apple's in-app purchase system (iOS). We store only the order ID, plan, status, and subscription period. We never see card numbers, UPI IDs, or Apple payment tokens.

2.2 Information we collect automatically

  • Device & log data— device type, OS, app version, IP address (truncated to /24 for v4), session timestamps, error traces.
  • Usage data— pages visited, features used, referral source. Aggregated and pseudonymised.
  • Push notification tokens— if you opt in to push notifications, we collect your device token via OneSignal to deliver notifications. You can opt out at any time via your device settings.

2.3 Information from third parties

If you sign in with Google or Apple, we receive your email and profile name as authorised by you. Nothing else.

2.4 Information from platform stores

When you purchase a subscription through Google Play or the Apple App Store, the respective platform may share purchase confirmation, subscription status, and transaction identifiers with us. We use this solely to activate and manage your subscription. We do not receive your payment method details from these platforms.

3. How we use information

  • To deliver and personalise lessons, plans, and feedback.
  • To run AI evaluations and grade Mains answers.
  • To process payments and manage subscriptions.
  • To detect fraud and abuse.
  • To send transactional emails (receipts, password resets).
  • To send the optional weekly brief which you can unsubscribe from at any time.
  • To comply with legal obligations, enforce our terms, and respond to legal requests.

We do not use your data for advertising or sell it to advertisers. We do not track you across third-party apps or websites (we do not use the Apple IDFA or Android Advertising ID).

4. AI processing & training

When you submit a Mains answer, MCQ attempt, or doubt query, the relevant content is sent to our AI provider (currently Google Gemini) for processing under a paid API agreement. We do not allow your content to be used for training third-party models.

We may use anonymised, aggregated patterns (e.g. “average MCQ accuracy in GS-3 Q4-2025”) to improve our content and models. Anonymised means stripped of identifiers and re-identification keys.

AI-generated outputs (evaluations, summaries, doubt answers) are provided as study aids and may contain errors. You retain ownership of your inputs; AI-generated outputs are licensed to you for personal use under our Terms of Service.

5. Sharing & third parties

We share data only with processors strictly required to operate the service:

  • Supabase— database & authentication.
  • Google Cloud (Gemini)— AI inference for evaluation and chat.
  • Razorpay— payments (web and Android).
  • Apple— in-app purchases and subscription management (iOS).
  • Google Play— app distribution and subscription management (Android).
  • OneSignal— push notifications (only if enabled by you).
  • Sentry— error monitoring (no PII in stack traces).
  • Vercel / EAS— hosting & build infra.

We do not sell, rent, or trade your personal data to any third party. We will disclose data if compelled by valid Indian legal process and only after challenging requests we believe to be improper.

Tracking & advertising: Thozha does not contain third-party advertising SDKs. We do not participate in ad networks. On iOS, we do not request App Tracking Transparency permission because we do not track users across third-party apps or websites.

Our data practices are disclosed in the Google Play Data Safety section and the Apple App Store Privacy Nutrition Labels. Those disclosures are consistent with this policy.

6. Data security

  • In transit: TLS 1.2+ for every request.
  • At rest: AES-256 on Postgres and object storage.
  • Isolation: Row-level security policies in Supabase ensure your records are visible only to you.
  • On device: Sensitive tokens are stored using platform-native secure storage (iOS Keychain / Android Keystore via expo-secure-store).
  • Access: Production access is limited to two engineers and audited via signed SSH bastion.
  • Backups: daily automated, retained 30 days, stored in a separate region.

No system is perfectly secure. If a breach occurs we will notify affected users within 72 hours of confirmation, as required by the DPDP Act 2023.

7. Retention & deletion

  • Active accounts: data retained while the account is active.
  • Closed accounts: study data deleted within 30 days of account closure.
  • Anonymised aggregates: retained indefinitely for product improvement.
  • Tax / payment records: retained 8 years per Indian tax law.

How to delete your account

You can delete your account at any time through any of these methods:

Upon account deletion, all personal data and study data will be permanently removed within 30 days, except where retention is required by law (e.g. tax records). If you have an active subscription through Google Play or the App Store, you must cancel it separately through the respective platform to avoid continued billing.

8. Your rights

Under the DPDP Act 2023, you have the right to:

  • Access a copy of all data we hold about you.
  • Correct inaccurate data.
  • Erase your account and study data.
  • Withdraw consent for non-essential processing.
  • Nominate someone to exercise these rights on your behalf.
  • Lodge a complaint with the Data Protection Board of India.

For users in the European Economic Area (GDPR): You additionally have the right to data portability, the right to restrict processing, and the right to object to processing. Our legal basis for processing is contract performance (to deliver the Service) and legitimate interest (to improve the product).

For users in California (CCPA/CPRA): We do not sell or share your personal information for cross-context behavioural advertising. You have the right to know what data we collect, to delete it, and to opt out of any future sale (though we do not sell data). We will not discriminate against you for exercising these rights.

Email privacy@thozha.in to exercise any of these rights. We respond within 30 days.

9. Children

Thozha is intended for users 16 and older. We do not knowingly collect data from children under 16. If you believe a child has provided us data, contact privacy@thozha.in and we will delete it promptly.

We do not collect data from children under 13 under any circumstances, in compliance with COPPA and equivalent regulations. If we learn that we have inadvertently collected such data, we will delete it immediately.

10. International users

Thozha is operated from India. If you access the Service from outside India, your data may be transferred to and processed in India and other countries where our service providers operate (including the United States for cloud infrastructure). By using the Service, you consent to this transfer. We ensure appropriate safeguards are in place for all cross-border data transfers.

11. Changes to this policy

We may update this policy as the product evolves. Material changes will be notified by email and a banner in the app at least 14 days before they take effect. The updated policy will also be reflected in our Google Play and App Store listings.

12. Export compliance

Thozha uses standard encryption protocols (TLS/HTTPS for data in transit, AES-256 for data at rest, and platform-native secure storage) to protect your data. This software may be subject to United States export laws and regulations. The encryption used in Thozha qualifies as mass-market encryption exempt under the US Export Administration Regulations (EAR), Category 5, Part 2. We do not use proprietary or custom cryptographic algorithms.

13. Contact

Questions, requests, or complaints — write to our Data Protection Officer at privacy@thozha.in.

Thozha Education Pvt. Ltd.
3rd Floor, Tidel Park
Taramani, Chennai 600113

Have a privacy question? Talk to us →