Privacy Policy
Effective date · 03 May 2026
1. Who we are
Dooit is operated by Roy Digital ("we", "us", "our"). For purposes of
the DPDP Act 2023, we are the Data Fiduciary for personal data
collected through the App.
Grievance Officer (per IT Rules 2021, Rule 3(2)):
- Name: Hrishikesh Roy
- Email: roy@roydigital.in
- Address: available on request via the email above
- Acknowledgement: within 24 hours of receipt
- Resolution: within 15 days of receipt
2. What personal data we collect
2.1 Data you provide directly
- Account data — email address, full name, optional phone number
(when phone OTP login is enabled)
- Onboarding data — exam language preference, target exam year,
preparation stage, daily study hours, optional subject, educational
background
- Content you create — questions you ask the AI, MCQ answers you
submit, bookmarks, personal notes, study progress markers
- Communications — any message you send to support, feedback, or
the grievance officer
2.2 Data we generate about your use
- Server-generated content — AI-generated answers, study plans,
MCQ results, study-note progress, all keyed to your account
- Usage logs — endpoint hit, request timestamp, response model,
cache hit/miss, latency. Used for cost tracking and service
reliability.
- Forensic audit log — for content-fetch endpoints, we additionally
log the request IP, the user-agent string, and the specific content
identifier served. See Section 5 for the lawful basis.
- Watermark metadata — every AI-generated answer served to you is
invisibly tagged with a fingerprint derived from your user ID and a
server-side secret. The fingerprint maps back to your account if a
copy of the answer surfaces outside the Service. See the Terms of
Service Section 6.
2.3 Data we do NOT collect
- We do not collect contact lists, SMS, photos, microphone, camera, or
precise location.
- We do not place advertising tracking cookies or SDKs in the App.
- We do not sell your personal data to anyone.
3. Why we use your data (purposes)
| Purpose | Data used | Lawful basis under DPDP Act 2023 |
|---|---|---|
| Provide the Service (auth, content, plan generation) | Account, onboarding, content | §6 — consent at account creation |
| Personalize your study plan and answers | Onboarding, content history | §6 — consent |
| Bill you for paid tiers (when applicable) | Account + payment metadata | §6 — consent + contractual necessity |
| Detect and deter scraping, bulk redistribution, account abuse | Usage logs, audit log, watermark fingerprint | §7(b) — legitimate use |
| Comply with legal obligations | All of the above | §7(c) — legal compliance |
| Improve the AI prompts and content quality | Aggregated, de-identified usage signals | §7(b) — legitimate use |
4. Who we share your data with
We share data only with the following processors, and only to the
extent necessary for the purposes above:
- Supabase Inc. — primary hosting (PostgreSQL database, Edge
Functions, authentication). Data resides in Sydney, Australia.
- Third-party AI providers — the large-language-model services that
power our AI process your questions and our prompts to generate
answers. They process content in transit; under their published
policies they do not retain Dooit user data for training.
- Razorpay (when paid tiers launch) — payment processing. Razorpay
is its own data fiduciary for transaction data under RBI rules.
- Google (Firebase Cloud Messaging) — push notifications, when you
opt in.
We may disclose your data to law-enforcement or regulatory authorities
when compelled by a valid legal order, subject to challenge where the
order appears overbroad or unlawful.
We do not sell, rent, or trade your personal data to advertisers or
data brokers.
5. Lawful basis for the audit log and watermark
Recording IP, user-agent, and content-fetch identifiers in our audit
log, and embedding watermarks in served content, are processing
activities we conduct without separately asking for your consent on
each request. The lawful basis is §7(b) of the DPDP Act 2023 —
processing necessary for fraud prevention, network security, or
information security.
You acknowledge this processing by accepting these Terms and the
Privacy Policy at sign-up. The audit log is retained for 6 months and
the watermark fingerprint mapping is retained for as long as your
account is active plus 12 months.
6. How long we keep your data
| Data type | Retention |
|---|---|
| Account profile | Lifetime of the account + 30 days after deletion |
Q&A history (qa_logs) | 24 months from creation |
| Study-progress markers | Lifetime of the account |
| MCQ session results | 24 months from creation |
| Forensic audit log | 6 months from creation |
| LLM usage / cost log | 36 months (financial-records purpose) |
| Watermark fingerprint mapping | Account lifetime + 12 months |
| Backups (encrypted) | 30 days rolling |
After the relevant period, data is deleted or irreversibly anonymised.
7. Your rights
Under the DPDP Act 2023 you have the right to:
- Access the personal data we hold about you (§11),
- Correct inaccuracies and update incomplete data (§12),
- Erase your data when it is no longer needed for the purpose
collected (§12), subject to retention required by law,
- Withdraw consent at any time (§6(4)) — note this may make some
features unusable,
- Nominate another individual to exercise your rights in the event
of your death or incapacity (§14),
- Lodge a grievance with our Grievance Officer (Section 1) and,
if unresolved, with the Data Protection Board of India.
To exercise any of these rights, write to roy@roydigital.in with
"Privacy Request" in the subject line. We will respond within 30 days.
For account deletion specifically, you can also use the in-app
Settings → Account → Delete account flow when it ships.
8. Children
Dooit is intended for users 13 years and older. If you are between 13
and 18, you confirm at sign-up that a parent or legal guardian has
reviewed these terms and consents to your use. We do not knowingly
collect personal data from children under 13. If we learn that we have
collected such data, we will delete it promptly.
9. International transfers
Some of our processors (including Supabase and our third-party AI
providers) operate servers outside India. By using the Service you consent to your data being
transferred and processed in those countries. We require all
processors to maintain at least the same level of protection as
applicable Indian law.
10. Security
We implement technical and organisational measures including:
- Transport-layer encryption (TLS 1.2+) for all client-server
communication
- Row-level security on the database — users can read/write only their
own rows
- Service-role-only access to forensic tables (audit log, shadow-ban
list)
- API keys and secrets stored as environment variables in the
Edge-Function runtime, never committed to source control
- Periodic review of access logs
No system can be guaranteed 100% secure. If we become aware of a data
breach affecting your personal data, we will notify you and the Data
Protection Board of India per §8(6) of the DPDP Act.
11. Changes to this Privacy Policy
We may update this Policy from time to time. Material changes will be
notified via the App or email at least 7 days before they take effect,
and the "Effective date" above will be updated.
12. Contact
- Email: roy@roydigital.in
- Operator: Roy Digital
- Grievance Officer: Hrishikesh Roy (same email)
End of Privacy Policy v1.0.