Testogram is an educational technology platform operated by LearnCurve Systems Pvt Ltd, a company duly incorporated under the provisions of the Companies Act, 2013, with its registered office in Gurugram, Haryana, India (hereinafter referred to as the "Company", "We", "Us", or "Our").
This Privacy Policy (hereinafter referred to as the "Policy") describes the manner in which the Company collects, uses, processes, stores, shares, and protects the personal information of individuals (hereinafter referred to as "Users", "You", or "Your") who access or use the Testogram mobile application, web application, and related services, features, and functionality (collectively, the "Platform").
By accessing, registering on, or otherwise using the Platform, the User expressly consents to the collection, use, processing, and disclosure of their information in accordance with the terms and conditions set forth in this Policy. If the User does not agree to the practices described herein, the User must immediately discontinue all use of the Platform.
2. Information We Collect
2.1 Information Provided Directly by the User
Account Registration Information: Full legal name, email address, telephone number, and password provided during the account creation process.
Profile Information: Examination preferences, target examination selection, educational background, and responses provided during the onboarding process.
Payment Information: Billing details processed securely through Razorpay, a PCI-DSS compliant third-party payment gateway. The Company does not directly store, process, or have access to complete payment card numbers, card verification values (CVV), or banking credentials. Such information is handled exclusively by Razorpay in accordance with its own privacy policy and security standards.
Support Communications: Messages, feedback, inquiries, and correspondence submitted by the User to the Company's support team through any channel.
2.2 Information Generated Through Platform Usage
Learning & Assessment Data: Quiz attempts, answers submitted, scores, accuracy rates, time spent on questions and sessions, difficulty level progression, and learning path advancement.
Performance Analytics: Subject-wise and chapter-wise performance metrics, identification of areas requiring improvement, improvement trends, and mastery level progression.
Engagement Data: Participation in rewards programmes, achievement records, leaderboard rankings, referral activity, and other gamification-related data.
Financial Data: Subscription status and history, virtual currency balances and transaction records, payment transaction history, and refund records.
2.3 Information Collected Automatically
Device Information: Device model, manufacturer, operating system type and version, unique device identifiers, and Firebase Cloud Messaging (FCM) tokens necessary for the delivery of push notifications.
Usage Data: Application session duration and frequency, features accessed, navigation patterns, interaction events, and user interface engagement metrics.
Network Information: Internet Protocol (IP) address and general geographic region derived therefrom (not precise geolocation).
3. How We Use Your Information
The Company processes the information collected from Users for the following lawful purposes:
Provision and Personalisation of Services: To deliver, maintain, and personalise the Platform's features, including tailoring quiz content, difficulty levels, learning paths, and study recommendations based on the User's performance, preferences, and examination goals.
Performance Analytics and Insights: To generate and provide the User with insights regarding their strengths, areas requiring improvement, and overall progress to facilitate more effective study practices.
Communications and Notifications: To send study reminders, achievement notifications, performance-based recommendations, service announcements, and other communications through push notifications, in-app messages, or electronic mail. The User may manage notification preferences through the Platform's settings.
Payment Processing: To process subscription payments, manage virtual currency transactions, and handle refund requests through Razorpay.
Platform Improvement and Development: To analyse aggregate and anonymised usage patterns for the purposes of improving content quality, user experience, platform reliability, and developing new features and services.
Fraud Prevention and Security: To detect, prevent, and address fraudulent activity, account abuse, unauthorised access, and other security threats through automated risk assessment and monitoring systems.
Customer Support: To respond to the User's inquiries, troubleshoot technical issues, and provide assistance.
Legal Compliance: To fulfil the Company's obligations under applicable laws, regulations, and legal processes, and to protect the Company's legal rights and interests.
4. Automated Decision-Making
The Platform employs automated systems and algorithms to process User data for certain purposes, including but not limited to:
Adaptive Learning: Automated analysis of User performance to adjust question difficulty, recommend study topics, and personalise learning paths.
Fraud Detection: Automated risk scoring of referral activities and account behaviour to identify and prevent potentially fraudulent activity.
Notifications and Recommendations: Automated generation of study nudges, streak reminders, and performance-based recommendations based on the User's activity patterns.
These automated processes are designed to enhance the User's experience and maintain the integrity of the Platform. No automated decision-making process employed by the Company produces legal effects or similarly significant effects on the User. The User may contact the Company at privacy@testogram.com to request human review of any automated decision or to obtain further information about the logic involved.
5. Data Storage & Security
The Company implements appropriate technical, administrative, and organisational measures to protect the User's personal information against unauthorised access, alteration, disclosure, or destruction:
Hosting Infrastructure: All User data is stored on Google Cloud Platform infrastructure located in the asia-south1 (Mumbai) region, within the territory of the Republic of India.
Encryption at Rest: All stored data is encrypted using Advanced Encryption Standard 256-bit (AES-256) encryption through Google Cloud's default encryption mechanisms.
Encryption in Transit: All data transmitted between the User's device and the Company's servers is protected using Transport Layer Security (TLS) version 1.2 or higher.
Access Controls: Internal access to User data is restricted on a need-to-know basis through role-based access controls (RBAC) with comprehensive audit logging of all administrative actions.
Database Security: PostgreSQL databases are configured with parameterised queries to prevent SQL injection attacks, with regular automated backups and disaster recovery procedures.
While the Company implements industry-standard security measures and continuously works to enhance its security posture, no method of electronic storage, processing, or transmission is entirely secure. The Company cannot guarantee absolute security of the User's information but is committed to promptly identifying, investigating, and addressing any security incidents in accordance with applicable law.
6. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected Users, the Company shall:
Notify affected Users without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, via electronic mail to the User's registered email address and/or through an in-app notification.
Provide a description of the nature of the breach, the categories and approximate number of Users affected, the likely consequences of the breach, and the measures taken or proposed to be taken by the Company to address the breach and mitigate its effects.
Notify the relevant data protection authority or regulatory body as required under applicable law, including the Indian Computer Emergency Response Team (CERT-In) in accordance with the Information Technology Act, 2000, and associated rules.
Maintain a documented record of all personal data breaches, including the facts, effects, and remedial actions taken.
7. Third-Party Services
The Company engages the following third-party service providers that may process User data in accordance with their respective privacy policies and applicable data protection obligations:
Razorpay: Payment processing and transaction management. Razorpay handles User payment information under its privacy policy. The Company receives only transaction confirmations, order identifiers, and payment status information.
Firebase (Google): Push notification delivery via Firebase Cloud Messaging (FCM). Device tokens are stored by the Company to route notifications to the User's devices. Firebase services are governed by Google's privacy policy.
Sentry: Application error tracking and monitoring. Sentry may receive anonymised crash reports, diagnostic data, and technical error information to assist the Company in identifying and resolving technical issues. No personally identifiable information is intentionally transmitted to Sentry.
Google Cloud Platform: Cloud infrastructure, hosting, data storage, and computing services. All data processed through Google Cloud Platform remains within the Mumbai (asia-south1) region unless otherwise specified.
The Company does not sell, rent, lease, or otherwise disclose the User's personal information to third parties for their independent marketing or advertising purposes.
8. Cross-Border Data Transfers
The Company primarily stores and processes User data within the territory of the Republic of India. However, certain third-party service providers engaged by the Company may process limited data outside of India in the course of providing their services (for example, Sentry for error monitoring). In such cases, the Company shall ensure that:
Appropriate safeguards are in place, including contractual obligations requiring the third-party provider to maintain adequate data protection standards consistent with applicable Indian law.
Data transfers are limited to what is strictly necessary for the provision of the relevant service.
The User's rights under applicable data protection laws are not diminished by reason of any such transfer.
By using the Platform, the User acknowledges and consents to the processing of their data by the Company's third-party service providers in accordance with this Section, subject to the safeguards described herein.
9. Your Rights
Subject to applicable law, the User has the following rights with respect to their personal data:
Right to Access: The User may request a copy of the personal data the Company holds about them, along with information regarding the purposes of processing and the categories of data concerned.
Right to Correction: The User may request the correction or updating of inaccurate or incomplete personal data held by the Company.
Right to Deletion: The User may request the deletion or anonymisation of their personal data, subject to the data retention requirements described in Section 11 and any overriding legal obligations of the Company.
Right to Data Portability: The User may request that their personal data be provided in a structured, commonly used, and machine-readable format, where technically feasible.
Right to Withdraw Consent: The User may withdraw their consent for specific data processing activities at any time. Such withdrawal shall not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.
Right to Restrict Processing: The User may request the restriction of processing of their personal data in certain circumstances as provided under applicable law.
Right to Lodge a Complaint: The User may file a complaint with the relevant data protection authority or regulatory body if the User believes that their data protection rights have been violated.
To exercise any of the foregoing rights, the User may contact the Company at privacy@testogram.com. The Company shall respond to all legitimate requests within thirty (30) days of receipt. In exceptional circumstances requiring an extension, the Company shall inform the User of the extension and the reasons therefor within the initial thirty (30) day period.
10. Account Deletion
The User may request deletion of their Testogram account at any time through the following methods:
The account deletion functionality available within the Platform's settings (Profile → Delete Account).
Submitting a written request via electronic mail to privacy@testogram.com from the User's registered email address.
Upon receipt of a valid deletion request, the following process shall apply:
A grace period shall commence during which the User's account is deactivated but their data is preserved, allowing the User to reconsider and cancel the deletion request.
The User may cancel the deletion request within the grace period by logging back in to their account or by contacting the Company's support team.
Upon expiration of the grace period, the User's personally identifiable information (including name, email address, telephone number, and profile details) shall be permanently and irreversibly anonymised.
Anonymised quiz performance, learning, and analytics data shall be retained for aggregate platform analytics, content improvement, and research purposes.
Active subscriptions shall be cancelled. All unused Virtual Currency balances shall be permanently forfeited upon account deletion.
For complete details regarding the account deletion process, please refer to the Company's Account Deletion page.
11. Data Retention
The Company retains User data in accordance with the following retention schedule:
Active Accounts: Personal data is retained for as long as the User's account remains active and in use.
Deleted Accounts: Personally identifiable information is permanently anonymised following the expiration of the applicable grace period. Anonymised performance and analytics data may be retained indefinitely for aggregate platform analytics, research, and content improvement purposes.
Payment and Financial Records: Transaction records, invoices, and related financial documentation are retained for a minimum period of seven (7) years as required under the Indian Income Tax Act, 1961, the Goods and Services Tax Act, 2017, and other applicable fiscal and regulatory provisions.
Audit Logs: Administrative audit logs and security logs are retained for a period of three (3) years for security monitoring, incident investigation, and regulatory compliance purposes.
Legal and Regulatory Holds: Notwithstanding the foregoing, the Company may retain User data for such longer period as may be required by applicable law, regulation, legal process, or governmental request.
12. Children's Privacy
The Platform is not directed at, designed for, or intended to be used by children under the age of thirteen (13). The Company does not knowingly collect, solicit, or maintain personal information from children under the age of thirteen (13). If the Company becomes aware that personal information has been collected from a child under the age of thirteen (13) without verifiable parental consent, the Company shall take prompt steps to delete such information from its systems.
Users between the ages of thirteen (13) and eighteen (18) must obtain the express, informed consent of a parent or legal guardian prior to creating an account and using the Platform. By permitting a minor to use the Platform, the parent or legal guardian acknowledges and agrees to this Policy on the minor's behalf and assumes full responsibility and liability for the minor's use of the Platform and the personal data provided in connection therewith.
13. Cookies & Tracking Technologies
The Platform employs minimal tracking technologies, limited to the following:
Session Cookies: Essential cookies used solely to maintain the User's authenticated session while using the Platform. These cookies are strictly necessary for the operation of the Platform and expire when the User terminates their session or after a defined timeout period.
No Third-Party Tracking: The Company does not use third-party advertising cookies, tracking pixels, behavioural analytics tools, or retargeting technologies. The Company does not participate in cross-site tracking, advertising networks, or data broker programmes.
14. Changes to This Policy
The Company may update this Policy from time to time to reflect changes in its data processing practices, applicable legal requirements, or Platform features and functionality. When the Company makes material changes to this Policy:
The Company shall notify the User via an in-app notification at least thirty (30) days prior to such changes taking effect.
The Company shall send a notification to the User's registered email address.
The "Last updated" date at the top of this Policy shall be revised to reflect the date of the most recent update.
The User's continued use of the Platform following the effective date of any changes to this Policy shall constitute the User's acceptance of and agreement to the updated Policy. It is the User's responsibility to review this Policy periodically.
15. Contact Us
For any questions, concerns, requests, or complaints regarding this Policy, the User's personal data, or the Company's data processing practices, the User may contact the Company through the following channels:
This Policy is governed by and shall be construed in accordance with the laws of the Republic of India, including but not limited to the following legislative and regulatory instruments:
The Information Technology Act, 2000, and the rules and regulations promulgated thereunder.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The Digital Personal Data Protection Act, 2023, as and when notified and brought into force by the Central Government.
Any disputes arising from or relating to this Policy shall be subject to the exclusive jurisdiction of the competent courts located in Gurugram, Haryana, India, subject to the dispute resolution provisions set forth in the Company's Terms of Service.