Privacy Policy

Last updated: 9 May 2026

01. Privacy summary

We're a study platform for forensic-science students. To make that work we need to know who you are, what you're studying, and how you're doing. Beyond that, we collect as little as possible.

  • We never sell your data.
  • We never run advertising trackers on the study pages.
  • We use Razorpay for payments, so we never see your card or UPI details.
  • You can export or delete everything we have on you at any time.

The sections below are the legally precise version of the same thing. They follow the structure required by India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, for users in the European Union and United Kingdom, the General Data Protection Regulation (GDPR / UK GDPR).

02. Who we are

ForensicSpot is operated from India by Sourabh Gupta. In this policy, "we", "us" and "our" refer to ForensicSpot.

  • Operator: Sourabh Gupta (sole proprietor) — Gandhinagar, Gujarat, India
  • Contact for privacy questions: hello@forensicspot.com
  • Data Protection Officer (designated): the same address. We will respond to verifiable requests within 30 days, and within 7 days where the law requires it.

Under the DPDP Act we are a Data Fiduciary. Under GDPR we are a Data Controller. Both terms mean the same thing in practice: we decide what data is collected and what it is used for.

03. Data we collect

We collect the following categories. Anything we don't list here, we don't collect.

Account data

  • Full name, email address (the one you sign up with)
  • Password, hashed by our authentication provider before it leaves your browser — we never see the plaintext
  • Username, profile bio, avatar URL (optional, set by you)
  • University, exam targets, persona (student / aspirant / faculty), city — all optional, set during onboarding
  • College email and verification status — only if you choose to verify it for the "verified student" badge

Study activity

  • Mock attempts: which mocks you took, when, your answers, your score, the time taken
  • Resources / notes / questions you upload, ask, or answer
  • Bookmarks, weakness map, streaks
  • Reading history of long-form notes (so we can save your place)

Payment data

  • Plan code, amount, currency, status, paid_at, expires_at, and the Razorpay payment / order IDs returned to us by Razorpay
  • We do not see or store your card number, CVV, UPI VPA, NetBanking credentials, or wallet PIN. Razorpay handles those on their PCI-DSS-certified infrastructure.

Technical data

  • IP address (truncated to /24 in stored logs after 7 days)
  • User-Agent string (browser + OS family)
  • Approximate country / state, derived from IP at request time — never stored long-term
  • Server-side error logs that may include the URL you were on and a stack trace

Cookies and similar

We set the cookies we need to keep you signed in and remember your preferences. The full list and how to control them lives on our Cookies page.

04. How we use your data

We use the data above for the purposes below — and nothing else. Any new use beyond this list will require updating this policy first and (where the law requires it) asking for your consent.

  • Run the service. Sign you in, save your study progress, render your dashboard, deliver paid mock packs.
  • Process payments. Send order details to Razorpay, receive confirmation back, mark your purchase as paid, set the validity window.
  • Communicate with you. Send signup confirmations, payment receipts, password-reset emails, college-email OTPs, and (only if you opt in) occasional product updates.
  • Improve the product. Look at aggregate metrics (which mocks are popular, average score, drop-off points) to decide what to build next. We do this on aggregated data — never by reading individual users' activity for our own interest.
  • Stay secure. Detect and stop brute-force, credential stuffing, payment fraud, and abuse of the free credit grant.
  • Meet legal obligations. Keep payment records as required by Indian tax law; respond to lawful CERT-In notices and court orders.

06. Who we share your data with

We share data with a small, named set of vendors who help us run the service. Each one is bound by their own published privacy policy and we use only what we need.

| Vendor | What they process | Where |
|---|---|---|
| Supabase | Database (account, study activity, payments), authentication, file storage | India (ap-south-1 / Mumbai) |
| Razorpay | Payment processing — your card / UPI / netbanking details | India |
| Vercel | Application hosting, request logs, edge cache | Edge — US, EU, IN regions |
| Resend | Outgoing transactional email (receipts, OTPs, password resets) | United States |
| Indian authorities | Only when legally compelled — e.g. CERT-In incident reporting under §70B IT Act, court orders, MLAT requests | India |

We do not share your data with advertisers, data-brokers, lead-generation services, AI training providers, or any third party not listed above.

07. International transfers

Your account data, study activity and payments stay in India (Supabase ap-south-1 region). Two categories cross borders:

  • Email send via Resend — when we send you a receipt or OTP, the message and your email address briefly transit Resend's US infrastructure. Resend is GDPR-compliant and we send only the email content + your address; no other profile data.
  • Edge cache via Vercel — public marketing pages (the homepage, pricing, blog) are cached at edge nodes worldwide for performance. Authenticated pages and API routes always run in ap-south-1.

For users in the EU/UK, these transfers rely on the relevant standard contractual clauses each vendor publishes.

08. How long we keep things

  • Account profile — until you delete the account. On deletion we remove your profile, attempts, uploads, posts, answers, and bookmarks within 7 days.
  • Payment records — kept for 8 years (Indian tax-law retention requirement). On account deletion these are anonymised — your name and email are removed, but the transaction record (amount, date, plan) is preserved without you attached to it.
  • Server logs — IP-bearing logs are kept for 30 days for security investigation, then truncated.
  • Email send history (Resend side) — Resend retains send-status records for up to 90 days; we don't control that.
  • Marketing email subscription — until you unsubscribe; we keep an unsubscribe record indefinitely so we don't accidentally re-add you.

09. Your rights

Under the DPDP Act and GDPR you have the following rights. To exercise any of them, head to /data-rights for a single-form request.

  • Access — get a copy of the data we have on you
  • Correction — fix anything inaccurate
  • Erasure / deletion — delete your account and associated data
  • Portability — receive your data in a structured, machine-readable format (CSV / JSON)
  • Withdraw consent — for example, opt out of marketing email; revoke college-email verification
  • Grievance redressal — escalate within ForensicSpot (within 7 days), then to the Data Protection Board of India under the DPDP Act, or to your local data-protection authority (e.g. ICO in the UK, CNIL in France) if you're in the EU/UK

10. How we protect your data

We follow standard industry practices for authentication, encryption, and access control, and we keep our internal procedures continually under review. We deliberately do not publish the specifics of those procedures.

If you discover a security issue, please report it privately to security@forensicspot.com. See our Security page for our disclosure expectations.

11. Children

ForensicSpot is open to forensic-science students of any age, including school students preparing for entrance exams. There is no minimum age requirement.

  • Under the Digital Personal Data Protection Act, 2023, anyone below 18 years is treated as a "child". For child accounts we rely on verifiable parental or guardian consent: the parent or guardian must read this policy and agree to it on the child's behalf before account creation or any purchase.
  • We do not run targeted advertising, behavioural profiling, or automated decision-making against any user under 18, in line with Section 9(3) of the DPDP Act.
  • If you are a parent or guardian and believe your child has created an account without your consent, email hello@forensicspot.com and we will pause the account and delete the data on request.

12. Automated decisions

We do not use automated decision-making (including profiling) to produce legal effects on you. Your mock score is computed by a deterministic algorithm — that's the only place automation touches a value about you, and the decision (your score) is factual, not evaluative.

13. Changes to this policy

When we make a material change, we will:

  • Update the "Last updated" date at the top of this page.
  • Email registered users at least 14 days before the change takes effect.
  • Show a banner on the site for 14 days after the change ships.

Minor edits (typos, layout, clarifying language) may go in without notice; the "Last updated" date will still change.

14. Contact us

For any privacy-related question, email hello@forensicspot.com. We respond to most queries within 2 business days and to formal rights-requests within 30 days.

Postal address available on request — we're a small team and don't list a public office address for privacy reasons.
