Contents
- Who We Are
- What Data We Collect
- How We Collect Your Data
- Why We Use Your Data (Legal Basis)
- Data Sharing and Third-Party Processors
- Analytics and Tracking
- Cookies and Local Storage
- How Long We Keep Your Data
- Your Rights Under Indian Law
- Data Security
- Data Breach Notification
- Children's Privacy
- Changes to This Policy
- Contact & Grievance Officer
Who We Are
CramUp (operating at cramup.in) is an online educational content platform that publishes and sells digitally delivered, academically condensed course books for BEd and CTET students across India. The platform is operated by CramUp Educational Services, based in Dehradun, Uttarakhand, India, operating under the umbrella of Aarambh Learning Hub.
When this policy refers to "CramUp", "we", "us", or "our", it means CramUp Educational Services. When it refers to "you" or "your", it means any person who visits, browses, registers on, or purchases from cramup.in.
This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and other applicable Indian laws, including the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. By using CramUp, you consent to the collection and processing of your personal data as described in this policy.
What Data We Collect
| Data Category | Specific Data Points | When Collected |
|---|---|---|
| Identity & Contact | Full name, email address, phone number | At purchase or account creation |
| Account Data | Hashed password, account creation date, university selected, programme type (BEd / CTET), role (student / admin) | At purchase / account creation |
| Purchase & Transaction Data | Books purchased, plan type, amount paid, payment reference / transaction ID, payment method type (UPI / card / net banking / wallet), purchase timestamps | At time of purchase |
| Usage & Reading Data | Pages visited, books opened, chapters read, reading progress, unit test scores, checklist completion, device type, browser type | While actively using the platform |
| Device & Session Data | IP address, device fingerprint (for 2-device limit enforcement), session tokens, operating system | On login / each session |
| Analytics Data | Page views, session duration, traffic source, click paths, events — collected by Google Analytics 4 (see Section 6) | On every page visit |
| Communication Data | Messages sent via the Contact form, email correspondence with support, WhatsApp messages sent to our support number | When you contact us |
| University Preference | Your selected university (stored locally in your browser) | When you select on the homepage |
How We Collect Your Data
- Directly from you — when you fill in the payment form (name, phone, email), use the contact form, or correspond with us via email or WhatsApp.
- Automatically — when you browse cramup.in, our servers, Firebase platform, and Google Analytics automatically record your IP address, browser type, device type, and navigation behaviour.
- From payment processors — when a purchase is confirmed, Razorpay passes us a transaction reference and payment confirmation. We do not receive raw card or bank account details.
- From your browser's local storage — your university preference, reading progress, and session state are stored locally on your device to improve your experience. This data does not leave your device unless you are actively using the platform.
Why We Use Your Data (Legal Basis)
| Purpose | Legal Basis |
|---|---|
| Creating your account after purchase | Contract performance — account creation is a core part of the service you purchased |
| Granting and managing access to purchased books | Contract performance — delivery of the digital product |
| Enforcing the 2-device access limit | Contract performance — agreed condition of use |
| Processing your payment | Contract performance and legal obligation |
| Sending purchase confirmation and login credentials | Contract performance |
| Sending academic nudges about upcoming semesters or new books | Legitimate interest — relevant, non-aggressive academic notifications only |
| Platform analytics and usage improvement | Legitimate interest — understanding how books are used to improve content quality and user experience |
| Legal compliance (tax records, dispute resolution, chargebacks) | Legal obligation under Indian law |
| Responding to contact form or support enquiries | Legitimate interest — responding to your request |
| Fraud prevention and platform security | Legitimate interest — protecting the integrity of the platform and other users |
Data Sharing and Third-Party Processors
We do not sell your personal data. We do not share it with advertisers or marketing networks. We share data only with the following service providers, and only to the minimum extent necessary for them to perform their function:
- Razorpay Financial Solutions Private Limited — our payment gateway. Razorpay processes card, UPI, net banking, and wallet payments on our behalf. Razorpay is PCI-DSS compliant. Their privacy policy governs how they handle your payment data. We receive only a transaction reference and confirmation status.
- Google LLC (Firebase & Firestore) — our backend database and authentication platform. Your account data, purchase records, reading progress, and session information are stored on Firebase-managed servers (Google Cloud, typically Mumbai region). Firebase is governed by Google's Privacy Policy and data processing terms. Google processes this data only as a data processor acting on our instructions.
- Google LLC (Google Analytics 4) — our website analytics tool. Google Analytics collects anonymised usage data about how visitors navigate cramup.in (see Section 6 for full details). Google processes this as a data processor. Analytics data is not used to serve you advertisements.
- Hostinger International Ltd — our web hosting provider. Our static website files are served from Hostinger's infrastructure. Hostinger does not have access to your personal account or purchase data.
- Meta Platforms Inc (WhatsApp Business) — if you contact us via WhatsApp, your messages and phone number are processed by WhatsApp's servers. WhatsApp's Privacy Policy applies to messages sent via their platform.
- Law enforcement or legal authorities — if required by applicable Indian law, a valid court order, or to protect our rights or the safety of others, we may disclose personal data as legally required. We will notify you to the extent permitted by law before any such disclosure.
Analytics and Tracking
CramUp uses Google Analytics 4 (GA4) to understand how visitors use the website. GA4 collects data such as pages visited, time on page, scroll depth, traffic source (how you arrived at the site), device type, and approximate geographic location (city/country level only — not precise location).
This data is collected through a tracking script loaded on every page of cramup.in, including the legal pages. GA4 assigns an anonymous client ID to your browser to distinguish unique visitors. We do not link GA4 data to your personal account or identity.
Google Analytics data is transmitted to and stored on Google's servers. Google may process this data in countries outside India, but does so under standard data protection contractual terms. We have configured GA4 with IP anonymisation enabled, meaning your full IP address is not stored by Google.
You may opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on. Alternatively, most modern browsers allow you to block tracking scripts via privacy settings or extensions.
Cookies and Local Storage
CramUp uses browser local storage (not traditional cookies) to store your preferences and session data locally on your device. This data remains on your device and is not transmitted to our servers unless you interact with the platform.
- University preference (
cramup_uni) — remembers which university you selected so you don't need to choose again on each visit. - Reading progress — stores your chapter progress locally so you can resume where you left off, across sessions.
- Session tokens — used to keep you logged in between browser sessions. Session tokens are cryptographically generated, expire automatically after 30 days of inactivity, and are invalidated on logout.
Third-party cookies: Google Analytics 4 sets cookies in your browser (including _ga, _ga_[ID]) to distinguish users and track sessions. These cookies are governed by Google's cookie policy. They are analytics-only and contain no personally identifiable information.
Our hosting provider (Hostinger) may set technical cookies for server-side session management and CSRF protection. These are security necessities and contain no personal data.
You can clear local storage and cookies at any time via your browser's settings. Doing so will reset your university preference, reading progress on that device, and log you out of your account on that device.
How Long We Keep Your Data
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and purchase records | 7 years from date of purchase | Legal and tax obligation under Indian law (Income Tax Act, GST compliance) |
| Active student accounts | Duration of access period + 1 year after expiry | To allow reinstatement and respond to queries about past purchases |
| Reading progress and usage data | Until you delete your account or submit a deletion request | To allow you to resume progress across sessions |
| Contact form and support messages | 2 years from date of submission | Dispute resolution and quality assurance |
| Payment transaction records | 7 years (legal obligation) | GST, income tax, and payment dispute requirements |
| Session tokens | 30 days from last login, or until logout | Security — limits persistent session exposure |
| Google Analytics data | 14 months (configured in GA4 — Google's default retention) | Analytics only; automatically purged by Google thereafter |
| Deleted accounts | Purchase and payment records retained for 7 years; all other data deleted within 30 days of deletion request | Legal obligation overrides deletion for financial records |
When a retention period expires, data is securely deleted or irreversibly anonymised. We do not retain personal data beyond what is legally or operationally necessary.
Your Rights Under Indian Law
Under the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and applicable Indian data protection law, you have the following rights as a data principal:
- Right to access — you may request a summary of the personal data we hold about you and the processing activities applied to it.
- Right to correction and completeness — you may request that we correct inaccurate data or complete incomplete data held in your account (e.g., a wrong email address or phone number).
- Right to erasure — you may request deletion of your account and associated personal data. Erasure will be carried out within 30 days, subject to our legal retention obligations. Purchase and payment records cannot be deleted before the 7-year retention period ends, as required by Indian law.
- Right to grievance redressal — you may file a grievance with our Grievance Officer (see Section 14). We will acknowledge within 48 hours and respond within 30 days.
- Right to nominate — under DPDPA 2023, you may nominate another individual to exercise your data rights on your behalf in the event of your death or incapacity.
- Right to withdraw consent — where we process your data on the basis of consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. Note that withdrawing consent for transactional communications will prevent us from delivering your purchased content.
To exercise any of these rights, email us at hello@cramup.in with the subject line "Privacy Request — [Your Name]". Please include your registered phone number or email to help us locate your account. We will respond within 30 days. Complex requests may take up to 60 days; we will inform you if this applies.
Data Security
We implement reasonable technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These measures include:
- Password security: Passwords are stored as hashed values using industry-standard hashing algorithms. We never store plain-text passwords.
- Encryption in transit: All data transmitted between your browser and cramup.in is encrypted via HTTPS (TLS 1.2 or higher).
- Payment security: All payment processing is handled entirely by PCI-DSS Level 1 certified providers (Razorpay). We do not store any payment card or bank account data on our systems.
- Access control: Access to student account data, purchase records, and platform settings is restricted to authorised administrator accounts only, protected by separate authentication.
- Database security: Our database (Firebase / Firestore) uses Google Cloud's infrastructure, which includes server-side encryption at rest, access logging, and identity-based access controls.
- Session security: Session tokens are cryptographically generated, stored securely, and invalidated on logout. The 2-device limit is enforced via active session monitoring.
- No third-party data sales: We do not sell, rent, or otherwise commercially transfer your personal data to any third party.
Despite these measures, no internet-based system is completely immune to security risks. In the event of an incident, we will follow the procedures described in Section 11.
Data Breach Notification
In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, CramUp will:
- Contain and investigate the breach as a priority.
- Notify affected users by email within a reasonable timeframe after the breach is confirmed, describing the nature of the breach, what data was affected, and the steps we are taking.
- Report the breach to the Data Protection Board of India as required under the DPDPA 2023 and any applicable Rules.
If you believe your CramUp account has been accessed without your authorisation, please contact us immediately at hello@cramup.in with the subject line "Security Concern — [Your Phone Number]".
Children's Privacy
CramUp is designed for BEd and CTET students, who are typically adults (18 years of age and older). We do not knowingly collect personal data from individuals under 18 years of age.
If a person under 18 uses CramUp, a parent or legal guardian must supervise the account creation and purchase process and is responsible for consenting to these terms on the minor's behalf.
If you believe a child under 18 has independently provided us with personal data without parental consent, please contact us immediately at hello@cramup.in and we will promptly delete that data and the associated account.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The "Last Updated" date at the top of this page will always reflect the most recent revision.
When we make material changes — changes that significantly affect how we collect or use your personal data — we will notify active account holders by email at least 7 days before the change takes effect, and will prominently display a notice on the platform.
For minor or clarifying changes, we will update this page without individual notification. We encourage you to review this policy periodically. Continued use of CramUp after the effective date of any update constitutes your acceptance of the revised policy.
Contact & Grievance Officer
In compliance with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000, CramUp has designated a Grievance Officer to address privacy-related concerns. If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your data, please contact:
Grievance Officer — CramUp Educational Services
📧 Email: hello@cramup.in
📱 WhatsApp & Contact: Visit our Contact Us page
📍 Address: Aarambh Learning Hub, GMS Road, Opposite Wadia Institute,
Near Ballupur Chowk, Dehradun — 248001, Uttarakhand, India
⏱ Response time: Acknowledgement within 48 hours; full response within 30 days of receipt of grievance
For urgent privacy matters, please use the subject line: "PRIVACY GRIEVANCE — URGENT"
For data access, correction, or deletion requests, use: "Privacy Request — [Your Name]"