Privacy Policy

Privacy Policy

Effective: 2026-05-23. Last updated: 2026-05-23.

This is the Privacy Policy for Math to Machine (the "Platform"), operated by Math to Machine (the "Company", "we", "us"). It explains what data we collect, why we collect it, who we share it with, how long we keep it, and the rights you have under the Digital Personal Data Protection Act, 2023 (India) ("DPDP Act") and the corresponding rules.

If you're under 18, please read this with a parent or guardian. If you're under 16, a parent must approve your use of the Platform before you sign up.

TL;DR — the honest summary

  • We collect what we need to teach you, no more.
  • We never sell your data.
  • We share data only with the service providers we genuinely use (payments, email, hosting, AI tutor model) and only what those providers need to do their job.
  • Under-16 accounts require verifiable parent consent before they're created.
  • You can delete your account anytime; we erase or anonymise your data within 30 days.

1. Who we are

Math to Machine, registered in India. Address: {COMPANY_ADDRESS}. Email: privacy@{DOMAIN}. Phone: {COMPANY_PHONE}.

We are the Data Fiduciary under the DPDP Act for the personal data we collect through the Platform.

2. What data we collect

We collect three categories of data.

2.1 Data you give us

  • Sign-up details: email address, mobile phone number (used for OTP), display name (optional), date of birth (used to determine your age band).
  • Onboarding details: your class level (Class 9-12 / graduation year), learning goals, prior programming familiarity, weekly hours you can study, preferred learning style.
  • Parent contact (if you're under 16): your parent's mobile number and/or email, captured for verifiable consent.
  • Lesson activity: which lessons you opened, what you answered on quizzes, how long you spent, your reflection notes, and the explanations you wrote for teach-back stages.
  • AI tutor conversations: every message you send to the AI tutor ("Nova" / "Coach" / "Mentor"), the model's reply, and the rung the tutor used.
  • Project submissions (when you publish): the code, text, and media you submit.
  • Payment metadata (when you subscribe): we do NOT store card numbers, UPI handles, or net-banking credentials — those go directly to Razorpay. We store: the plan you bought, the date, the amount, the Razorpay payment ID, and your invoice.

2.2 Data we collect automatically

  • Device + connection: browser type, operating system, screen size, IP address, approximate location derived from IP (city-level only, never GPS).
  • Usage events: pages you opened, buttons you clicked, time spent on each lesson. Used to find bugs and improve content.
  • Cookies and similar storage: see our Cookie Policy.

2.3 Data from third parties

  • Parent verification responses from the OTP you confirm.
  • Payment success / failure events from Razorpay's webhook.

3. Why we collect it (purposes)

We process your data only for these purposes:

  1. To operate the Platform. Create your account, save your progress, run the AI tutor, deliver paid features after payment.
  2. To verify identity and parent consent. OTP delivery, age-band determination, parent-link confirmation for under-16 accounts.
  3. To bill you. Process subscription payments via Razorpay; issue invoices.
  4. To improve content and product. Aggregate (de-identified) data about which lessons confuse learners helps us write better content.
  5. To keep the Platform safe. Detect abuse, prevent fraud, enforce our Terms.
  6. To comply with law. Respond to lawful requests from regulators or courts.

We do not use your data for any other purpose without your consent.

4. Who we share data with

We share data only with the third parties listed below, and only the data each one needs:

ServiceWhat we sharePurposeLocation
Razorpay (Razorpay Software Pvt Ltd)Email, phone, name, payment amountProcess payments and refundsIndia
Anthropic (Anthropic PBC)The tutor message text + the concept context (no name, no email)Generate AI tutor repliesUSA
Resend (Resend Inc.)Email address + the email bodyDeliver transactional emails (OTP, parent verify, weekly reports)USA
Neon (Neon Inc.)All operational data aboveDatabase hostingUSA / Singapore region
Vercel (Vercel Inc.)Request logs (IP, path, status code)Application hostingGlobal edge
Sentry (Functional Software Inc.)Error stack traces (may include user ID, may include input that triggered the error)Crash and error monitoringUSA

Some of these process data outside India. When they do, we rely on standard contractual clauses and the cross-border-transfer provisions of the DPDP Act and Rules.

We do not sell your data, and we do not share your data with advertisers or data brokers.

5. How long we keep your data

DataRetention
Active account: profile + progressWhile your account is open
Active account: tutor messagesWhile your account is open (used for memory & personalization)
Active account: analytics events24 months rolling
Closed account: most dataDeleted within 30 days of closure
Closed account: invoices + payment recordsRetained for 8 years (Indian tax law requires this)
BackupsUp to 90 days after deletion (encrypted; auto-purged)

You can request earlier deletion of specific data via privacy@{DOMAIN} — we'll honour it where law permits.

6. Your rights under the DPDP Act

You have the right to:

  1. Access the personal data we hold about you.
  2. Correct anything that's wrong.
  3. Erase your data (we delete or anonymise within 30 days, except where retention is legally required).
  4. Withdraw consent at any time (for processing that depends on consent).
  5. Nominate another individual to exercise your rights if you die or become incapacitated.
  6. Grievance redressal through our Grievance Officer (below).

To exercise these rights: email privacy@{DOMAIN} with your registered email + a description of what you're asking for. We respond within 7 working days; we resolve within 30 days.

7. Children (under 18)

The DPDP Act gives extra protection to "children" (under 18). We go further:

  • Under 16: account creation requires verifiable consent from a parent or legal guardian, captured via OTP to their phone or email, with the consent text version recorded.
  • Under 18: we never process your data for profile-based tracking, behavioural advertising, or other purposes that may cause detrimental effect. Period.
  • Public publishing (portfolio, projects): under-16 accounts default to private. The parent must explicitly opt in for any public exposure.
  • Direct messaging between learners: disabled on under-16 accounts.

A parent can withdraw consent at any time; we close the account and erase data within 30 days.

8. Security

  • All traffic between you and us is encrypted in transit (HTTPS / TLS 1.2+).
  • Passwords are not stored; we use a magic-link / OTP sign-in flow.
  • Payment data never touches our servers; Razorpay handles it directly.
  • Application secrets and database credentials are stored as encrypted environment variables.
  • We run automated security scans on every code change.
  • We follow the principle of least privilege for staff database access; only a small number of engineers have production access, and accesses are logged.

No system is 100% secure. If a breach affects you, we will notify you within 72 hours of discovery, in line with DPDP requirements.

9. Grievance Officer (DPDP-mandated)

Name: {GRIEVANCE_OFFICER_NAME} Email: grievance@{DOMAIN} Phone: {GRIEVANCE_OFFICER_PHONE} Address: {COMPANY_ADDRESS}

Working hours: Monday-Friday, 10:00-18:00 IST.

If you're not satisfied with our handling of your complaint, you can escalate to the Data Protection Board of India under the DPDP Act.

10. Changes to this policy

We may update this policy. When we do, we'll:

  • Update the "Last updated" date at the top.
  • Email you if the change is material (new categories of data, new third-party processors, or any reduction in your rights).
  • For changes that depend on your consent, ask you again — you'll see a banner the next time you sign in.

Your continued use of the Platform after a non-material change means you accept the update.

11. Contact

For any privacy question: privacy@{DOMAIN}. For grievances: grievance@{DOMAIN}. For account help: support@{DOMAIN}.