Provra

PROVRA · LEGAL

Privacy Policy

Effective: 16 May 2026Last updated: 16 May 2026

PROVRA (“we”, “our”, “us”) is a wellbeing-first AI study companion built for competitive-exam aspirants in India and worldwide. This Privacy Policy explains what personal data we collect, why we collect it, how we use and share it, and the rights you have over it. It is written to satisfy our obligations under the Indian Digital Personal Data Protection Act, 2023 (“DPDP Act”), the EU/UK General Data Protection Regulation (“GDPR”), and the California Consumer Privacy Act as amended by the CPRA (“CCPA”), and to apply globally to every user.

1. Information We Collect

Account data. Email address, name, and (if you sign up via email) a hashed password managed by Supabase Auth. We never see your password in plain text.

Profile data. Target exam (UPSC / JEE / NEET / CFA), target date, study goals, schedule preferences, and timezone.

Study data. Logged study sessions (subject, duration, notes), syllabus progress, and generated study plans.

Wellbeing data. Mood scores, stress levels, sleep, and (if you enable HRV input) heart-rate variability. This is classified as Sensitive Personal Data under DPDP Rule 8 and equivalent provisions of GDPR Article 9. We encrypt these fields with AES-256-GCM at the application layer before they reach the database.

Voice transcripts. When you use voice logging, your audio is transcribed to text directly in your browser via Whisper.cpp WebAssembly. The raw audio is never transmitted to or stored on our servers. Only the resulting text transcript is saved against your account. On older mobile browsers we fall back to Groq Whisper (cloud transcription): in that case the audio leaves your device, is transcribed in transit, and is not retained by Groq beyond the request.

Usage analytics. Pages viewed, features used, and engagement events, captured via PostHog. You can opt out via the in-app analytics toggle.

Technical data. IP address, browser type, device identifiers, and error reports captured by Sentry. Used for security, fraud prevention, and debugging.

Payment data. When you subscribe, Razorpay (INR) or Stripe (USD) handles your card details directly. We receive only the subscription status, plan tier, and transaction reference. We never see or store your card number, CVV, UPI ID, or bank account details.

2. How We Use Your Data

  • Provide and operate the service (authentication, study plans, dashboards).
  • Generate adaptive study plans and insights using AI models (Groq, OpenAI fallback).
  • Detect signs of burnout and trigger Recovery Day plans.
  • Enable parental access if you opt in to the parental linking feature.
  • Process payments and manage subscriptions.
  • Communicate with you about your account, security incidents, and product updates.
  • Improve PROVRA via aggregated, de-identified usage analysis.
  • Comply with legal obligations and prevent abuse, fraud, or harm.

3. Lawful Basis (DPDP Act, GDPR)

We process your data on the following lawful bases:

  • Consent (DPDP §6, GDPR Art. 6(1)(a)) — for account creation, wellbeing data, analytics, and marketing emails. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Performance of a contract (DPDP §7(a), GDPR Art. 6(1)(b)) — to deliver the service you signed up for.
  • Legal obligation (GDPR Art. 6(1)(c)) — for tax records, audit trails, and law-enforcement requests.
  • Legitimate interests (GDPR Art. 6(1)(f)) — for fraud prevention, service security, and improving PROVRA. Balanced against your rights and freedoms.

4. AI / Large Language Model Processing

PROVRA uses third-party AI providers to generate study plans, insights, and (on fallback) voice transcripts. The data we send to AI providers includes: your anonymised study patterns, syllabus progress, and (where relevant) wellbeing indicators. Voice transcripts are sent only when on the cloud-Whisper fallback path and only as text.

Our current AI providers are:

  • Groq, Inc. (primary chat completions) — USA.
  • OpenAI, L.L.C. (fallback) — USA.
  • Anthropic, PBC (syllabus content pipeline only, not on the user request path) — USA.

Outputs of AI processing (your daily plans, insights) are cached in our infrastructure (Upstash Redis, 24-hour TTL) so that we do not repeatedly send your data to AI providers. You may request that we exclude your account from AI processing entirely; in that case PROVRA falls back to its deterministic rule-based plan engine.

5. Who We Share Data With

We do not sell your personal data. We share it only with vetted service providers (“Data Processors” under GDPR / “Data Processors” under DPDP §8(3)) under contractual data-protection terms:

  • Supabase, Inc. — database, authentication, hosted in ap-south-1 (Mumbai).
  • Vercel, Inc. — Next.js hosting + CDN, USA.
  • Upstash, Inc. — Redis cache + rate limit, USA/EU.
  • Razorpay Software Pvt. Ltd. — INR payments, India.
  • Stripe, Inc. — USD payments, USA.
  • Groq, Inc. / OpenAI, L.L.C. / Anthropic, PBC — AI inference, USA.
  • PostHog, Inc. — analytics, USA/EU.
  • Sentry, Inc. — error tracking, USA.
  • Resend, Inc. — transactional email, USA.
  • Inngest, Inc. — background job orchestration, USA.

6. Cross-Border Data Transfers

Your account database and authentication state are hosted within India (Supabase ap-south-1, Mumbai). Some processors listed above operate from outside India (primarily the United States and the EU). Where transfers leave India, they are made in accordance with DPDP §16 to jurisdictions not restricted by the Central Government. For users located in the EU/EEA or the UK, transfers outside the EEA are protected by Standard Contractual Clauses adopted under GDPR Articles 44–49.

7. Retention

Active accounts. We retain your data as long as your account is active.

Deleted accounts. When you delete your account, we hard-delete your personal data within 90 days. Some data may be retained longer where required by law:

  • Billing records: 7 years (Indian Income Tax Act).
  • Audit logs (security): 7 years, with a hash chain ensuring tamper-evidence.
  • De-identified, aggregated analytics: indefinitely.

8. Children's Data (Under 18)

Many of our users are exam aspirants under 18. Under DPDP §9, we require verifiable parental consent before processing the personal data of a child (under 18 in India). Parents can grant consent and monitor their child's study activity using the in-product Parental Link feature.

We do not run behavioural advertising, profile, or track minors for any purpose other than delivering the service safely. Sensitive wellbeing data (mood, stress, HRV) is collected from minors only with explicit parental opt-in.

If you believe we have inadvertently collected data from a child without proper parental consent, email us at the address in Section 13 and we will delete it.

9. Security Measures

  • AES-256-GCM encryption at the application layer for Sensitive Personal Data.
  • TLS 1.3 in transit on every connection.
  • Row-Level Security enforced on every table in the database.
  • Authentication tokens with 1-hour expiry and PKCE on mobile.
  • Strict Content Security Policy + HSTS + frame-ancestors deny.
  • No service-role keys exposed to client bundles. All secrets in a secrets manager.
  • Continuous SAST (Semgrep) and dependency-vulnerability scanning in CI.
  • Append-only event log + tamper-evident audit chain (SHA-256).

10. Data Breach Notification

In the event of a personal-data breach, we will notify the Data Protection Board of India and (where required) the relevant EU/UK supervisory authority within 72 hours of becoming aware of it, in accordance with DPDP §8(6) and GDPR Article 33. Where the breach is likely to result in a high risk to your rights, we will notify you directly without undue delay (DPDP §8(6) and GDPR Article 34).

11. Your Rights

Depending on where you live, you may have the following rights over your data:

  • India (DPDP §13–15) — access, correction, completion, erasure, grievance redressal, and nomination.
  • EU / UK (GDPR Articles 15–22) — access, rectification, erasure, restriction of processing, portability, objection, and the right not to be subject to automated decisions with legal effect.
  • California (CCPA/CPRA) — right to know, right to delete, right to correct, right to limit use of sensitive personal information, right to opt-out of sale or sharing (we do not sell or share for cross-context behavioural advertising), right to non-discrimination.

Most rights can be exercised from your account's Settings page (data export, account deletion). For any other request, email us at the address in Section 13 and we will respond within 30 days (15 business days under DPDP).

If you believe we have processed your data unlawfully, you may complain to the Data Protection Board of India, your local EU supervisory authority, the UK ICO, or the California Privacy Protection Agency, as applicable.

12. Cookies and Local Storage

  • sb-* cookies — Supabase Auth session. Essential. Cannot be disabled while logged in.
  • ph_* — PostHog analytics. Optional. Disable via the in-app analytics toggle.
  • sentry-* — error replay session identifier (no PII). Optional.
  • provra_* (localStorage) — theme preference, last selected exam. Essential to user experience.

13. Contact & Grievance Officer

PROVRA is operated by Akhil Jimmy as a sole proprietorship based in Bangalore, India.

For privacy questions, data-subject requests, breach notifications, or any other matter covered by this policy, email akhiljimmy18@gmail.com. We aim to respond within 15 business days (or 30 calendar days under GDPR / CCPA).

Grievance Officer (DPDP §10 / IT Act §43A): Akhil Jimmy, akhiljimmy18@gmail.com.

14. Changes to This Policy

We may update this Privacy Policy. Material changes will be notified to you by email and by an in-app banner at least 14 days before the change takes effect. The “Last updated” date at the top reflects the most recent revision.

Continued use of PROVRA after a change takes effect constitutes acceptance of the revised policy. Prior versions are available on request.