Legal
Privacy Policy
Last updated: May 25, 2026
This page explains, in plain English, what data Bodhh collects when you use the app, what we do with it, who we share it with, and how you can control or delete it. Bodhh is operated for users in India and worldwide; we honour the protections set out in India’s Digital Personal Data Protection Act 2023 (DPDP) and the EU General Data Protection Regulation (GDPR) for every user, regardless of where you live.
1. Who we are
Bodhh is a simulation-first learning platform run by the Bodhh team (“we”, “us”). For privacy questions you can write to privacy@bodhh.com. If you’re an EU/UK resident, you have the right to complain to your local data protection authority.
2. What we collect
Only the data we need to give you a learning experience. Specifically:
- Account data — your name, email address, the password hash (never the password itself), and your class level. If you sign in with Google, we additionally store your Google profile picture URL and the OAuth subject ID.
- Progress data — which topics you’ve opened, your answers, XP earned, streaks, mastery scores, and last-accessed timestamps. This is the core of the product.
- Device data — your IP address, browser user-agent string and approximate region, captured by our access logs for security and fraud prevention. We never tie ad-tracking IDs to you.
- Diagnostic data — when something errors, we log the error stack and a session identifier so we can debug it. We redact email addresses and passwords from these logs.
3. What we do NOT collect
- We don’t collect your real-time location, microphone, or camera.
- We don’t store credit card numbers — payments go through PCI-compliant processors (Razorpay / Stripe).
- We don’t sell your data, ever. No advertising trackers, no third-party pixels, no data brokers.
4. How we use your data
We use the data only to:
- Authenticate you (logging you in, keeping your session secure).
- Show you the right content and remember your progress.
- Improve the product (which topics confuse students, which work).
- Send you operational emails (password reset, important changes). We never auto-subscribe you to marketing.
- Detect abuse (e.g., brute-force login attempts).
5. Who we share it with
We share only with infrastructure providers we need to run the service. These are bound by contract not to use your data for any other purpose:
- Railway — hosts our app servers and database.
- Resend — sends our transactional emails (password reset, etc.).
- Google — only if you choose to sign in with Google.
6. How long we keep it
- Account + progress data — for as long as your account exists. If you delete your account, we delete everything within 30 days (we keep it for that window in case you change your mind).
- Access logs — 90 days, then purged.
- Diagnostic logs — 30 days, then purged.
- Backups — retained for 14 days. A deleted account disappears from backups within 14 days of deletion.
7. Your rights
Under DPDP, GDPR, and our policy for everyone:
- Access — request a copy of everything we hold on you, returned as JSON within 30 days.
- Correction — ask us to fix wrong data, or fix it yourself in Settings → Profile.
- Deletion — delete your account from Settings → Account → Delete account, or email us.
- Portability — your data export is in a machine-readable format you can take to another service.
- Withdrawal of consent — for Google sign-in or email marketing (if you ever opt in), you can withdraw at any time.
8. Children
Bodhh is built for students in Classes 9–12, ages 13 and up. If you are under 18, please use Bodhh with the awareness and consent of a parent or guardian. We do not knowingly collect data from children under 13; if we discover we have, we delete it.
9. Security
We hash passwords with argon2id. All connections use TLS 1.2+. Session tokens are signed JWTs that rotate on refresh. Our infrastructure runs in containers with no public ports except the API, behind a CDN. We’re not infallible — if we suspect a breach affecting you, we’ll notify you within 72 hours per DPDP/GDPR requirements.
10. Changes to this policy
If we materially change how we handle data, we’ll update this page, bump the “last updated” date, and email registered users at least 14 days before the change takes effect.
Questions? Write to privacy@bodhh.com — a real person reads it.