Last updated: 15 May 2026
1. Who is the Data Fiduciary
TwoCoreX (OPC) Pvt Ltd(“we”) is the Data Fiduciary responsible for the personal data you share with CAVerse. Under the DPDP Act 2023, you are the Data Principal.
2. What we collect
- Account info from Google sign-in: your email address, full name, and profile photo URL. We never receive your Google password.
- Activity: mock attempts, answers, scores, time spent, hint usage, tutor chat history, photo doubts you submit.
- Proctoring telemetry: tab-switch counts, fullscreen-exit counts, and anonymous brightness/face-presence indicators captured during mocks. We do NOT record video, audio, or store your face image.
- Payment metadata: Razorpay order ID, payment ID, plan purchased, amount, timestamp. We do NOT see or store card numbers, CVV, UPI PIN, or bank credentials — these stay with Razorpay.
- Technical: IP address (from server logs), browser user-agent, basic page-view counts.
3. Why we collect it (purposes)
- To deliver the service you signed in for (mock tests, AI grading, tutor).
- To compute predicted scores, topic mastery, and AIR rank against other CAVerse users.
- To process and reconcile payments via Razorpay.
- To enforce per-plan usage caps and prevent abuse.
- To improve product quality (in aggregate; we never train AI models on your raw data without explicit consent).
4. Legal basis
We process your personal data under the following bases (DPDP Act 2023, §6, §7):
- Consent — you sign in voluntarily and accept this policy.
- Performance of contract — your account is necessary to deliver paid features.
- Legitimate purpose — service security, anti-abuse caps, financial reconciliation.
5. Sharing & processors
We use a small set of processors under written agreements:
| Processor | Purpose | Data shared |
|---|---|---|
| Razorpay Software Pvt Ltd | Payment processing | Email, name, plan, amount |
| Anthropic (Claude API) | AI grading, tutor, doubt photo, deep-dive | Anonymous question + your input text/photo (no email) |
| Google (OAuth) | Sign-in | OAuth handshake only |
| Render Inc | Hosting | All app data (encrypted at rest) |
We do not sell your personal data. We do not run third-party advertising trackers or behavioural-analytics scripts.
6. Where your data lives
Primary data is stored on Render’s Singapore region (closest production location to India). AI processing occurs at Anthropic’s endpoints (US). Razorpay processes payment data within India.
7. How long we retain it
- Account & attempt history: kept while your account is active, plus 12 months after deletion request (for fraud / financial audit).
- Tutor chat & doubt photos: 24 months from creation, then auto-deleted.
- Payment records: 8 years (Income Tax Act §44AA / Companies Act statutory retention).
- Server access logs: 90 days.
8. Your rights (DPDP Act 2023)
You have the right to:
- Access — see what personal data we hold about you.
- Correct — fix anything inaccurate.
- Erase — delete your account and personal data.
- Withdraw consent — at any time, with future effect.
- Grievance redressal — contact our Data Protection Officer.
To exercise any right, email hello@caverse.in with the subject DPDP request. We respond within 30 days.
9. Children
We do not knowingly collect personal data of children under 13. If you become aware that a child has provided us data, please email us and we will delete it.
10. Security
Sessions use httpOnly cookies with SameSite=Lax, secure in production. Passwords are not stored (we use Google OAuth). All transit is HTTPS-only. Data at rest on Render is encrypted via the platform’s persistent disk encryption.
11. Changes
Material changes to this policy will be notified by email or via an in-app banner at least 14 days before they take effect.
12. Grievance Officer
Name: Smit Bhoir
Title: Director & Data Protection Officer
Email: hello@caverse.in
Entity: TwoCoreX (OPC) Pvt Ltd