Privacy Policy

This Privacy Policy describes how Kamiyab (sole proprietorship, India) ("we", "us", "Kamiyab") handles information collected through kamiyab.in. We follow the Digital Personal Data Protection (DPDP) Act, 2023 of India.

1. What we require

Kamiyab is free — we never ask for payment. To take a mock test you sign in, either with your mobile number (via a one-time OTP) or with Google. We collect only what is needed to sign you in and keep your account across visits — see Sections 1A and 1B below for exactly what.

Once you sign in, your quiz history, scores, and streaks are saved to your account on our servers so they sync across your devices (see Section 2 for the exact fields).

1A. If you sign in with Google

When you sign in via Google, we receive and store only: your name, email address, profile photo URL, and Google account identifier. This is held in our Cloudflare D1 database in the Asia-Pacific region.

We use it strictly to (a) sign you in and (b) keep your account present across visits. See Section 2 for the quiz activity we store against your account.

We do not sell or share this data with third parties beyond Google (for the authentication itself) and Cloudflare (for hosting and database).

We also store a session cookie (__Secure-better-auth.session_token or similar) on your browser so you stay signed in across pages. It is HttpOnly, Secure, SameSite=Lax. The session expires after 7 days of inactivity.

You can delete your account and all associated data at any time from your Account page. Deletion is immediate (account hidden, sessions invalidated). Data is permanently removed from our database after a 30-day grace period during which you can recover the account by signing back in. The permanent removal is performed by an automated daily job — see Section 7 (Data retention).

1B. If you sign in with your mobile number

When you sign in with your phone, we send a one-time password (OTP) by SMS through our DLT-registered SMS provider and store your mobile number on your account in our Cloudflare D1 database (Asia-Pacific region). We use it strictly to (a) verify the number and sign you in and (b) keep your account present across visits. The session-cookie, data-sharing, and account-deletion terms described above apply equally to phone sign-in.

1C. Optional profile details you choose to add

From your Account page you may optionally add extra details. None of these are required to use Kamiyab or to take a mock test — you provide them voluntarily, and you can edit or delete any of them at any time. We collect them only for the specific purpose listed against each:

• Profile details (date of birth, gender, category, target exam) — to pre-fill and tailor exam-form-style fields. "Category" (e.g. General / OBC / SC / ST / EWS) is sensitive information and is stored only because you entered it.
• Address (line 1/2, city, state, pincode, country) — used only for admit-card or document delivery, if and when that applies.
• Bank details (account holder, bank, account number, IFSC, branch, UPI ID) — used only to send scholarship, refund or prize payouts to you. When you verify an IFSC, we look it up via a public bank IFSC directory (Razorpay's IFSC API) to fetch the bank and branch name — your account number is never sent to that lookup.
• Email / phone verification status — if you verify your email we send a one-time code; verifying simply records that the address/number is confirmed.

All of the above is held in our Cloudflare D1 database (Asia-Pacific region), which is encrypted at rest at the infrastructure level. We do not sell or share it, it is never shown publicly, and it is included in your data export and removed when you delete your account (Sections 4 and 7). You can clear any individual field by emptying it and saving.

2. Your quiz activity (stored on our servers)

When you finish a mock, we save that attempt to your account in our Cloudflare D1 database (Asia-Pacific region). Each saved attempt includes: exam, topic, mode, your score and total, your per-question confidence (sure / maybe / guess), which questions you marked for review, a count of tab-switches during the test, and the timestamp. We also store your daily streak. If you practised while signed out before creating an account, that locally-saved history is uploaded to your account the first time you sign in.

A copy may also be kept in your browser for quick/offline access, but your account on our servers is the source of truth. You can delete all of it any time from your Account page (see Section 1A).

3. Where questions come from

Quiz questions are not generated by AI at runtime. Every question is served from a static, version-controlled question bank that we maintain ourselves — built from previous-year question (PYQ) papers of the specific exam and audited by subject experts before shipping. The bank lives in our git repository and the same questions are served to everyone. No prompts, no AI calls, no per-user generation.

3A. AI-assisted weak-topic analysis (optional, upcoming)

Kamiyab includes (or will soon include) an AI-assisted Mistake Map feature that analyses your recent quiz attempts to surface the topics you keep getting wrong, and recommends focused practice on those gaps. The inputs to this analysis are your attempt summaries (topic, score, timestamp) — the same attempt data stored in your account. We do not include your name, email, or any other personal identifier in the AI request, and the request is not retained by us after the response is returned.

3B. AI mentor (Expert chat)

The Mistake Map includes an optional AI mentor(shown with a friendly teacher name such as “Rohit Sir”) you can chat with for personalised study guidance. When you use it, we send the AI your first name and a summary of your Mistake Map data (which subjects and concepts you are getting wrong, your accuracy and streak) so the guidance is grounded in your actual performance. Responses are AI-generated; the mentor name is a display label, not a real person.

To protect this data under India’s DPDP Act, any message that carries your personal information is sent only to AI providers that do not train their models on what we send (currently Cloudflare Workers AI, Groq, and Anthropic). Generic questions that contain no personal data (for example asking for an exam syllabus) may use a wider set of providers. We never sell this data, and we never ask the AI to invent news, results, or links.

Your chat history is stored in your account so the mentor can remember earlier conversations. You can clear it by deleting your account (see Data retention below), which removes your chat history, activity, and attempt data.

4. Server logs

Our hosting provider (Cloudflare) maintains standard server logs (IP address, user agent, request path, timestamp) for a limited period for security and abuse prevention. We do not use these logs to identify individual users. Separately, we keep a security audit log of sign-in/sign-up events (user id, IP address, user agent) for 1 year (the minimum the DPDP Rules require for security logs) — see Section 7.

5. Cookies, consent and analytics

On your first visit we show a consent banner with three optional categories — Analytics (Microsoft Clarity), Advertising (Google AdSense), and Marketing (Meta Pixel). None of these load unless you opt in; "Essential only" keeps every tracker off while login and progress-saving continue to work fully. You can change or withdraw your choices at any time via the "Cookie preferences" link in the footer.

If you allow Analytics, we use Microsoft Clarity to understand how visitors use the site — which pages they view, where they click, and where they get stuck — so we can improve it. Clarity captures usage data including session recordings (replays of page interactions) and may set cookies or use device identifiers; text you type and sensitive on-screen content are masked by default. For signed-in users, recordings are associated with your account id. Microsoft processes this data as described in the Microsoft Privacy Statement. We use this only to improve Kamiyab and do not sell it.

6. Advertising

If you allow Advertising in the consent banner, we use Google AdSense to show ads on some content pages (such as blog and news pages). Google and its advertising partners may use cookies or device identifiers to serve and measure ads. You can review and control how Google uses this data on the Google Ads & privacy page. We do not place ads on the quiz or result screens.

6A. Meta Pixel and Conversions API

If you allow Marketing in the consent banner, we use the Meta (Facebook) Pixel to measure how well our ads on Facebook and Instagram work. The pixel sets first-party cookies (_fbp, _fbc) and reports events such as page views and sign-ups to Meta. For high-value events we also send a server-side copy via Meta's Conversions API, which includes your email and phone number in hashed (SHA-256) form — never as plain text — together with your IP address and browser user-agent, so Meta can de-duplicate events. Meta processes this data as described in the Meta Privacy Policy. If you do not opt in to Marketing, none of this happens.

7. Data retention

We keep personal data only as long as it serves the purpose you gave it to us for, after which an automated daily job permanently deletes it:

• Account & quiz data — kept until you delete your account; permanently erased after the 30-day recovery grace period.
• Login sessions — expire after 7 days of inactivity; expired sessions are purged daily.
• OTP codes — valid for 10 minutes; expired codes are purged daily.
• Security audit log (sign-in/sign-up events) — retained 1 year (DPDP Rules security-log minimum), then purged daily.
• Cloudflare server logs — retained by Cloudflare for a limited period for security and abuse prevention.

8. Your rights under DPDP Act

You have the right to: access your data, correct it, erase it, and withdraw consent. On your Account page you can: download a copy of everything we hold about you ("Download my data"), edit your display name, and delete your account and everything tied to it (your identity plus every saved attempt and streak). Tracking consent can be withdrawn any time via "Cookie preferences" in the footer. To correct your email or phone number, or for any other data-related request, email official@kamiyab.in — we respond to all requests well within the 90-day period required by the DPDP Rules.

You also have the right to nominate a person (for example, a family member) who can exercise these rights on your behalf if you die or are unable to act yourself (Section 14, DPDP Act). To register or change a nominee, email official@kamiyab.in with the subject "Nominee".

9. Grievance redressal

If you believe we have mishandled your personal data, write to our grievance contact at official@kamiyab.in with the subject line "Grievance". We acknowledge grievances within 72 hours and aim to resolve them within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India as provided under the DPDP Act, 2023.

10. Age requirement

Kamiyab is intended for users aged 18 and above — the government exams we serve (SSC, UPSC, Banking, Railways) require candidates to be at least 18. By creating an account you confirm you are 18 or older. We do not knowingly collect personal data from anyone under 18; if we learn that an account belongs to a person under 18, we will delete it. To report such an account, email official@kamiyab.in.

11. Changes to this policy

We will update this page when our practices change. The "Last updated" date at the top reflects the latest revision.

12. Contact

Kamiyab (sole proprietorship, India). official@kamiyab.in