Your data belongs to you. Here's exactly what we collect, why we collect it, and how we protect it.
EdHills ("we", "us", or "our") is a JEE and NEET examination preparation platform operated as a mobile and web application. We provide students, schools, and educators with tools including online test series, video courses, question banks, OMR scanning, and school management features.
This Privacy Policy applies to the EdHills Android application, web application, and all related backend services.
We collect the following categories of information:
| Category | Specific Data | Collected From |
|---|---|---|
| Account Info | Full name, email address, phone number | Registration / Login |
| Authentication | OTP (hashed, not stored as plaintext), JWT tokens | Login process |
| Profile | Profile avatar / photo | User upload (optional) |
| Academic Data | Test results, scores, subject performance, answers submitted | In-app test activity |
| Payment Info | Razorpay order ID, payment ID (no card/bank details stored) | Purchase flow |
| Device / Push | Firebase Cloud Messaging (FCM) device token | App installation |
| School Admin Data | Student names, roll numbers, mobile numbers, date of birth, class/section | School admin upload |
| Usage Data | Firebase Analytics events, crash reports (Crashlytics) | Automatic (Firebase SDK) |

| Purpose | Data Used |
|---|---|
| Account creation and secure login via OTP | Name, email, phone, OTP hash |
| Delivering test series, courses, and results | User ID, academic data |
| Processing course and test series purchases | User ID, Razorpay transaction IDs |
| Sending push notifications for new courses and tests | FCM device token |
| School management (attendance, results, OMR) | Student records uploaded by school admin |
| App analytics and crash diagnostics | Firebase Analytics / Crashlytics data |
| Sending OTP emails | Email address |
We do not sell, rent, or trade your personal data to any third party for marketing purposes.
EdHills uses the following third-party services, each governed by its own privacy policy:
| Service | Purpose | Privacy Policy |
|---|---|---|
| Supabase | Database and file storage | supabase.com/privacy |
| Firebase (Google) | Analytics, crash reporting, push notifications | policies.google.com/privacy |
| Razorpay | Payment processing | razorpay.com/privacy |
| Google (Gmail SMTP) | Sending OTP verification emails | policies.google.com/privacy |
These services may process your data on servers located outside India. By using EdHills, you consent to this transfer.
We retain your personal data for as long as your account is active. Specifically:
Account data (name, email, phone, test results, purchases) is retained until you delete your account.
OTPs are hashed before storage and automatically cleared upon successful login or after 10 minutes of expiry.
Push notification tokens (FCM) are retained while your account is active and removed when the account is deleted.
Analytics and crash data is retained per Firebase's default retention policy (up to 14 months).
School student data uploaded by a school administrator is retained for the duration of the school's active account.
EdHills is an educational platform designed primarily for students preparing for JEE and NEET examinations. Users may include students under the age of 18.
We do not display targeted advertising to any users, including minors. We do not sell data belonging to any user, including minors.
If a parent or guardian believes their child's data has been collected without appropriate consent, they may contact us at the email below and we will promptly delete the data.
You have the following rights over your personal data:
| Right | How to Exercise |
|---|---|
| Access — view the data we hold about you | Contact us by email |
| Correction — update your name, email, or phone | Profile settings inside the app |
| Deletion — permanently delete your account and all associated data | Account settings → Delete Account, or contact us |
| Opt-out of push notifications | Device notification settings |
Account deletion removes your profile, test results, enrolled courses, purchased test series, and notifications from our systems within 30 days.
We implement industry-standard security measures to protect your data:
OTPs are hashed using bcrypt before storage — we never store them in plain text.
Tokens are signed JWTs; access tokens expire in 1 hour and refresh tokens in 7 days.
The API is protected with Helmet security headers, CORS restrictions, and rate limiting on sensitive endpoints (login, payments, uploads).
Payment verification uses HMAC-SHA256 signature validation on every transaction before any data is written to our database.
Storage is managed by Supabase with row-level security enabled. Direct anonymous access is blocked.
While we take all reasonable steps to protect your information, no method of transmission over the internet is 100% secure.
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For significant changes, we will notify users via a push notification or in-app message.
Continued use of the EdHills app after changes constitutes acceptance of the updated policy.
For any questions, data requests, or privacy concerns, please contact us:
EdHills Support Team
For privacy inquiries, data deletion requests, or concerns about your personal data
support@edhills.in
We aim to respond to all privacy-related requests within 7 business days.