Legal

Privacy Policy

Your data belongs to you. Here's exactly what we collect, why we collect it, and how we protect it.

Effective date: April 3, 2026
Last updated: April 3, 2026
App: EdHills — JEE & NEET Prep
Platform: Android / Web

Table of contents
  1. Who we are
  2. Data we collect
  3. How we use your data
  4. Third-party services
  5. Data retention
  6. Children's privacy
  7. Your rights
  8. Data security
  9. Changes to this policy
  10. Contact us
01

Who we are

EdHills ("we", "us", or "our") is a JEE and NEET examination preparation platform operated as a mobile and web application. We provide students, schools, and educators with tools including online test series, video courses, question banks, OMR scanning, and school management features.

This Privacy Policy applies to the EdHills Android application, web application, and all related backend services.


02

Data we collect

Category | Specific data | Collected from
Account info | Full name, email address, phone number | Registration / Login
Authentication | OTP (hashed, not stored as plaintext), JWT tokens | Login process
Profile | Profile avatar / photo | User upload (optional)
Academic data | Test results, scores, subject performance, answers submitted | In-app test activity
Device / Push | Firebase Cloud Messaging (FCM) device token | App installation
School admin data | Student names, roll numbers, mobile numbers, date of birth, class/section | School admin upload
Usage data | Firebase Analytics events, crash reports (Crashlytics) | Automatic (Firebase SDK)

We do not store: Card numbers, bank account details, CVV, or any raw payment credentials. All payment processing is handled by our payment provider. We only store transaction identifiers for order verification purposes.

03

How we use your data

Purpose | Data used
Account creation and secure login via mobile OTP | Name, email, phone number, OTP hash
Delivering test series, courses, and results | User ID, academic data
Processing course and test series purchases | User ID, transaction IDs
Sending push notifications for new courses and tests | FCM device token
School management (attendance, results, OMR) | Student records uploaded by school admin
App analytics and crash diagnostics | Firebase Analytics / Crashlytics data
Sending OTP via SMS for login verification | Mobile phone number

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

04

Third-party services

EdHills uses the following third-party services, each governed by their own privacy policies:

Service | Purpose | Privacy policy
Supabase | Database and file storage | supabase.com/privacy
Firebase (Google) | Analytics, crash reporting, push notifications | policies.google.com/privacy
SMS Gateway | Sending OTP via SMS for mobile login verification | Subject to the provider's privacy policy

These services may process your data on servers located outside India. By using EdHills, you consent to this transfer.


05

Data retention

We retain your personal data for as long as your account is active. Specifically:

Account data
Name, email, phone, test results, and purchases — retained until you delete your account.
OTPs
Hashed before storage and automatically cleared upon successful login or after 10 minutes of expiry.
Push notification tokens (FCM)
Retained while your account is active and removed when the account is deleted.
Analytics and crash data
Retained per Firebase's default retention policy (up to 14 months).
School student data
Uploaded by a school administrator and retained for the duration of the school's active account.

06

Children's privacy

EdHills is an educational platform designed primarily for students preparing for JEE and NEET examinations. Users may include students under the age of 18.

For users under 18: We do not knowingly collect more information than is necessary to provide the educational service. Student data added by a school administrator (such as name, roll number, and mobile number) is entered by the school, not the student, and is used solely for academic management within that school's account.

We do not display targeted advertising to any users, including minors. We do not sell data belonging to any user, including minors.

If a parent or guardian believes their child's data has been collected without appropriate consent, they may contact us at the email below and we will promptly delete the data.


07

Your rights

You have the following rights over your personal data:

Right | How to exercise
Access — view the data we hold about you | Contact us by email
Correction — update your name, email, or phone | Profile settings inside the app
Deletion — permanently delete your account and all associated data | Account settings → Delete Account, or contact us
Opt-out of push notifications | Device notification settings

Account deletion removes your profile, test results, enrolled courses, purchased test series, and notifications from our systems within 30 days.

08

Data security

We implement industry-standard security measures to protect your data:

OTP hashing
OTPs are hashed using bcrypt before storage — we never store them in plain text.
JWT tokens
Access tokens expire in 1 hour and refresh tokens in 7 days.
API protection
Helmet security headers, CORS restrictions, and rate limiting on sensitive endpoints.
Storage security
Managed by Supabase with row-level security enabled. Direct anonymous access is blocked.
Transaction verification
HMAC-SHA256 signature validation on every transaction before any data is written.
Transfer security
All data in transit is encrypted. No method is 100% secure, but we take all reasonable steps.

09

Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For significant changes, we will notify users via a push notification or in-app message.

Continued use of the EdHills app after changes constitutes acceptance of the updated policy.


10

Contact us

For any questions, data requests, or privacy concerns, please contact us:

EdHills Support Team
For privacy inquiries, data deletion requests, or concerns about your personal data
We aim to respond to all privacy-related requests within 7 business days.