Privacy Policy
Last updated: 2026-05-16
This Privacy Policy explains what personal data CA Target Test Prep (“we”, “us”) collects when you use catargettestprep.com (the “Service”), why we collect it, how long we keep it, and what choices you have. It is written to comply with the Digital Personal Data Protection Act, 2023 (“DPDP Act”), the Information Technology Act, 2000, and the rules made under them.
1. Who is the Data Fiduciary
CA Target Test Prep is the “Data Fiduciary” under the DPDP Act for personal data collected through the Service. For any privacy question, complaint or DPDP rights request, email legal@catargettestprep.com.
2. What data we collect
You give us directly:
- Email address (required for sign-in)
- WhatsApp number (optional — only if you choose to add it for the WhatsApp tutor and OTP)
- Display name (whatever you enter at signup)
- Your target paper(s) and exam attempt (e.g. “P5 Audit — May 2026”)
- Questions and messages you send to the AI doubt solver
- Feedback or support email content you send to us
We collect automatically when you use the Service:
- Practice and mock-test attempts, scores, time spent, paper / topic
- Page views inside the Service and basic referrer information
- IP address (used for security, abuse detection and rate limiting), browser user-agent and approximate geographic region inferred from IP
- Error reports when something goes wrong on the Service, including the URL and a stack trace, so we can debug and fix it
What we do NOT collect: we do not store card, UPI or net-banking details (these are handled directly by our payment gateway); we do not ask for or collect Aadhaar, PAN or other government IDs; we do not track you across other websites.
3. Why we use your data
- To provide the Service: authenticate you, save your study progress, deliver the AI doubt solver, gate paid features, send transactional messages (sign-in links, payment receipts, trial reminders)
- To send product updates and exam-relevant tips (only if you opted in at signup; you can withdraw consent at any time)
- To detect and prevent abuse, fraud and unauthorised access
- To debug and improve the Service (aggregated and anonymised analytics)
- To comply with legal obligations, including the Income Tax Act, Goods and Services Tax Act, and lawful orders from Indian authorities
4. Legal basis under the DPDP Act
We process your personal data on the basis of the consent you give when you sign up and provide your details. For transactional communications, account security and legal compliance, processing is also justified on the “certain legitimate uses” ground under section 7 of the DPDP Act (provision of a subscribed service, compliance with law).
5. Who we share data with
We use carefully selected third-party service providers (“Data Processors”) to deliver parts of the Service. Each provider receives only the minimum data needed for its specific role, processes it under our written instructions, and is contractually bound to keep it confidential. We use providers in the following categories:
- Payment processing — to collect payments, issue tax invoices, and process any refunds we approve.
- Communications — to deliver transactional and product email and WhatsApp messages (sign-in links, payment receipts, trial reminders, doubt-solver replies).
- AI infrastructure — to power the doubt solver. Your questions are sent to a third-party large-language-model provider that processes them under commercial terms which prohibit using your inputs to train its models and require short-term retention only.
- Cloud hosting and database — to run our application servers and store your account data, in Indian regions where available.
- Error monitoring — to capture crashes and bugs so we can fix them. We do not deliberately send personal data to this category.
We do not sell your data, rent it, or share it with advertisers. We will share data with law-enforcement or government authorities only when compelled by a valid Indian legal order. A current list of the specific providers we use is available on request to legal@catargettestprep.com.
6. International transfer
Some of our processors operate servers outside India. When we share data with them under section 16 of the DPDP Act, we rely on their contractual data-protection commitments. By using the Service you consent to this transfer.
7. How long we keep your data
- Account profile (email, phone, display name): for as long as your account is active, plus 30 days after a deletion request
- Practice attempts, mock-test scores, study history: until account deletion
- WhatsApp and web doubt-solver conversations: up to 90 days, then aggregated and deleted
- Email-engagement events (opens, clicks): up to 12 months
- Payment records and tax invoices: 8 years, as required by the Income Tax Act, 1961 and the GST Act, 2017
- Error logs: up to 90 days
- Aggregated, anonymised usage analytics that cannot identify you: indefinitely
8. Your rights under the DPDP Act
- Right to access — request a copy of the personal data we hold about you
- Right to correction — ask us to fix anything inaccurate, incomplete, or out of date
- Right to erasure — ask us to delete your account and the personal data linked to it (subject to records we are legally required to retain, such as tax invoices)
- Right to withdraw consent — opt out of marketing or stop using the Service at any time
- Right to grievance redressal — complain to our Grievance Officer; if unresolved, escalate to the Data Protection Board of India under section 27 of the DPDP Act
- Right to nominate — nominate another person to exercise these rights in the event of your death or incapacity
To exercise any of these rights, email legal@catargettestprep.com with the subject “DPDP request”. We will respond within 7 working days.
9. Cookies and similar technologies
We use a single essential cookie, catutor_token, to keep you signed in. We use a second cookie, csrf_token, for security. We do not use advertising cookies or third-party analytics cookies. We do not load Google Analytics, Facebook Pixel or similar trackers.
10. Children
The Service is intended for adult learners preparing for CA Inter. If you are under 18, you may use the Service only with verifiable consent from a parent or legal guardian. We do not knowingly collect personal data from children under 13. If we learn that we have, we will delete it.
11. Security
We use HTTPS for all traffic. Sign-in is passwordless (magic-link or OTP) so there is no password to leak. Authentication tokens are HMAC-signed. Our database is backed up nightly and access is restricted by SSH-key authentication. We follow reasonable security practices under section 8(5) of the DPDP Act, but no system is perfectly secure. In the event of a personal-data breach affecting you, we will notify you and the Data Protection Board of India as required by law.
12. Grievance Officer
Grievance Officer for the purposes of the DPDP Act, the Information Technology Act, 2000 and the Intermediary Rules, 2021:
Email: legal@catargettestprep.com
Acknowledgement: within 24 hours of receipt
Resolution target: within 15 days
13. Changes to this Policy
We may update this Policy. Material changes will be notified to your registered email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.