PRIVACY POLICY

Last Updated: May 26, 2026

We operate as Mindcup, a business based in India (hereinafter referred to as “Mindcup”, “we”, “us”, or “our”). This Privacy Policy describes how and why we might collect, store, use, and/or share (“process”) your personal information when you use our services (“Services”), including when you:

Visit our website at https://mindcup.in or any website of ours that links to this Privacy Policy.
Register for and use the Mindcup notes and learning application.
Engage with us in other related ways, including any customer support, feedback, or operational communications.

WHAT INFORMATION DO WE COLLECT?
HOW DO WE PROCESS YOUR INFORMATION?
WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
HOW DO WE HANDLE YOUR SOCIAL LOGINS?
HOW LONG DO WE KEEP YOUR INFORMATION?
HOW DO WE KEEP YOUR INFORMATION SAFE?
WHAT ARE YOUR PRIVACY RIGHTS?
CONTROLS FOR DO-NOT-TRACK FEATURES
DO WE MAKE UPDATES TO THIS POLICY?
HOW CAN YOU CONTACT US ABOUT THIS POLICY?
GRIEVANCE REDRESSAL & ESCALATION PATH

DPDP ACT ALIGNMENT & DATA FIDUCIARY CLARITY

In compliance with India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”):

Data Fiduciary: Mindcup acts as the Data Fiduciary under the DPDP Act, 2023, responsible for determining the purposes and means of processing your personal data.
Data Principal: You act as the Data Principal, having rights in relation to the personal data you disclose or generate through our platform.
Consent & Legitimate Uses: We process personal data based on your consent (granted when you create an account, register, or submit data) or other specified “legitimate uses” permitted under the DPDP Act, 2023, including legitimate uses such as security, fraud prevention, compliance with applicable laws, and the provision of requested services.
Consent Manager: We do not utilize third-party Consent Managers. All requests, consent revocations, or data erasures are managed directly by us.

1. WHAT INFORMATION DO WE COLLECT?

Personal Information You Disclose to Us

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us, or when you otherwise contact us.

Account Registration Information: Email addresses and login credentials managed securely through our authentication provider (Supabase Auth).
User-Generated Content: Notes, folder organizational structures, tags, and media uploads (images, audio files, documents, or books uploaded by the user).
Usage and Interaction Logs: Records of learning streak tracking, study intervals, active revision sessions, folder and tag interactions, and device notification preferences.
Future Billing Data: If we introduce paid features in the future, we will update this Privacy Policy before collecting any additional billing or payment information.

Sensitive Information: We do not intentionally collect sensitive personal data unless required for service functionality or provided by the user.

Social Media Login Data: We may provide you with the option to register with us using your existing social media account details (such as Google or other social logins). If you choose to register in this way, we will collect profile information from the social media provider (such as your name, email address, profile identifier, and profile picture, if provided) strictly to establish and authenticate your account.

Information Automatically Collected

We automatically collect certain technical information when you visit, use, or navigate our Services. This information does not reveal your specific identity (like your name or contact details) but is necessary to maintain platform security, operation, and for our internal analytics and performance reporting.

Log and Usage Data: Diagnostic, performance, and usage details our servers automatically capture. This includes your IP address, device properties, browser configuration, date/time stamps, technical error reports (such as Vue error exception tracking), and pages/features viewed on the Site.
Device Data: Information about the computer, phone, or tablet you use to access the Services, such as IP address (or proxy server), application identification numbers, screen resolution, referral sources, and hardware configuration.
Location Data: We may determine imprecise location data (such as country or region) derived from your IP address. We do not collect precise GPS location tracking.

2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for a variety of reasons to deliver, maintain, and secure the Services, including:

Account Management: To facilitate account creation, secure user authentication, and keep your user account in working order.
Core Service Delivery: To deliver your customized revision sessions, notes, folders, and tags.
Technical Support: To respond to user inquiries, capture Vue exception crashes, and solve bugs.
Administrative Notifications: To deliver user-configured daily study alerts, inactivity nudges, and motivational streak alerts.
Service Optimization: To analyze usage trends and telemetry to improve the Mindcup application.
Legal Compliance: To comply with legal obligations, respond to statutory requests, or establish and defend our legal rights.

Targeted Advertising Disclaimer: We use analytics cookies and tracking technologies solely to understand usage patterns, monitor performance, and debug technical errors. We do not sell your personal data, nor do we currently process your personal data for targeted advertising or third-party behavioral profiling.

Automated Decision-Making and Profiling: Any analysis of usage behavior, streaks, or study patterns is limited solely to providing and improving the Services. We do not engage in automated decision-making or profiling that produces legal or significant effects on users.

We only share personal information in specific situations and with trusted third-party service providers who require access to deliver technical infrastructure:

Infrastructure & Storage Providers: Secure cloud database providers (such as Supabase or similar database hosting services) to store your authenticated credentials, notes, folders, and media uploads.
Performance & Telemetry Analytics: Performance telemetry and analytics services (such as PostHog or similar platforms) to log technical error exceptions, page views, and operational performance metrics.
Billing Portals: Future third-party payment gateways and processors to handle secure subscription billing.

Cross-Border Data Processing

Some of our technical service providers may process and store data on servers located outside of India (such as cloud database or web analytics infrastructure). We ensure appropriate safeguards are maintained in compliance with applicable data protection requirements, including contractual safeguards and encryption where applicable.

4. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

We use cookies and similar secure local storage technologies solely to persistent-authenticate your session, save your local configuration settings, and assist with basic site functions.

We utilize standard web analytics and error monitoring cookies (via PostHog and similar tools) to understand how the platform is used and debug crashes. We do not allow third-party marketing networks, behavioral tracking providers, or cart-abandonment advertising tracking on our Services. You can configure your web browser to reject or remove cookies, though doing so may affect certain features or services of our platform.

If you choose to register or log in using a third-party social media provider (such as Google or other social logins), we receive basic profile details strictly to verify your identity and auto-populate your basic profile.

We do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal data.

6. HOW LONG DO WE KEEP YOUR INFORMATION?

Flexible Retention Policy: We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, including providing the Services, complying with legal or tax obligations, resolving disputes, maintaining security, enforcing agreements, and operating backup or disaster recovery systems. Retention periods vary depending on the type of data and operational requirements:

Active Systems: Personal data will be deleted or anonymized within a reasonable timeframe after account deletion, subject to technical and backup constraints.
Backup Archives: Certain technical logs, database backups, and disaster recovery archives may persist for a limited, operational period (typically up to 180 days) before automatic deletion or overwrite.
Legal Compliance: Standard transaction history or compliance logs may be retained for longer periods if required by applicable Indian laws to satisfy statutory requirements.

When we have no ongoing legitimate business need to process your personal data, we will either delete or anonymise it, or, if this is not possible (for example, because your personal data has been stored in secure backup archives), we will securely isolate your personal data from further processing until deletion is possible.

7. HOW DO WE KEEP YOUR INFORMATION SAFE?

We implement reasonable technical and organizational security safeguards designed to protect personal data against unauthorized access, misuse, loss, or disclosure. These measures are adapted to the volume and nature of the data we process.

Breach Notification: In the event of a personal data breach that is likely to cause harm or as required by applicable law, we will take reasonable steps to notify affected users and the Data Protection Board of India (DPBI) in accordance with the timelines and procedures prescribed under the DPDP Act, 2023.

Limitation of Reliance: We make reasonable efforts to protect and manage your data, but we do not guarantee absolute security or uninterrupted data handling. Despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. You should access the Services within a secure environment, and you are responsible for maintaining the confidentiality of your account credentials.

8. WHAT ARE YOUR PRIVACY RIGHTS?

As a Data Principal in India, you have the following rights under the DPDP Act, 2023:

Right to Access: You can review the personal data associated with your profile at any time through your account settings interface on the Site.
Right to Correction & Completion: You can update, correct, or complete your details to ensure accuracy.
Right to Erasure: You have the right to request deletion of your personal data.
Right to Withdraw Consent: You can withdraw your consent to process your data at any time.

Content and Accuracy Disclaimer: You are responsible for the content you upload to the platform. We rely on users to ensure the accuracy of the personal data they provide.

Data Principal Duties: Under the DPDP Act, 2023, you have certain duties as a Data Principal. You must not provide false or misleading information, impersonate others, suppress any material information, or upload unlawful, harmful, or copyright-infringing content on the platform.

Children’s Privacy: Our Services are not intended for individuals under the age of 18. We do not knowingly collect or process personal data from children.

Exercising Your Rights: The easiest way to exercise your right to withdraw consent and request data erasure is by deleting your account via your account settings interface. Account deletion initiates the erasure of active account data, subject to the legal, tax, and backup retention requirements described in Section 6. For correction, access, or general queries, you may contact us using the details below.

9. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems include a Do-Not-Track (“DNT”) feature or setting you can activate to signal your privacy preference. At this stage, no uniform technology standard for DNT has been finalized. As such, we do not currently respond to DNT browser signals.

10. DO WE MAKE UPDATES TO THIS POLICY?

We may update this Privacy Policy from time to time to stay compliant with changing laws (including DPDP Act rules) or operational requirements. The updated version will be indicated by the “Last Updated” date at the top of the policy. We encourage you to review this policy periodically to stay informed of how we protect your personal data.

11. HOW CAN YOU CONTACT US ABOUT THIS POLICY?

If you have questions or comments about this Privacy Policy, you may email us at support@mindcup.in.

12. GRIEVANCE REDRESSAL & ESCALATION PATH

In accordance with the DPDP Act, 2023, if you have any questions, concerns, or grievances regarding the processing of your personal data, or if you wish to raise a formal complaint, please contact our designated Grievance Officer:

Grievance Officer: Data Protection Officer / Designated Grievance Contact
Email: support@mindcup.in

Resolution Timeframe & Escalation

We aim to respond to, investigate, and resolve your formal grievance in a thorough and timely manner, typically within fifteen (15) days of receipt of your complaint, subject to the complexity and nature of the request.

If you are not satisfied with the response or resolution provided by our Grievance Officer, you have the right to escalate your grievance to the Data Protection Board of India (DPBI) in accordance with the procedures prescribed under the DPDP Act, 2023.