Privacy policy

§1Who is the data controller

The data controller (and the "Data Fiduciary" under the Digital Personal Data Protection Act, 2023) is the operating legal entity behind mypinaka.com. That entity is being incorporated as a Private Limited company in the Republic of India; the registered name, CIN, and registered address will be inserted here on this page once incorporation is complete.

You can reach us about this policy at support@mypinaka.com. Indian-law grievances go to the grievance officer page.

§2What we collect

Account data: name, email address, and authentication credentials. If you sign in with Google, we receive your name, email, and a Google account identifier from Google; we do not receive your Google password.

Performance data: your mock answers, drill responses, time-on-question signals, and the skill map computed from them.

Operational data: device type, browser, IP address, request logs, and error reports needed to run the service securely.

Billing data: the payment method, billing address, and tax identifiers you enter at checkout. Card numbers and bank account numbers are handled by our merchant of record and our payment processor; Pinaka does not store full card or account numbers.

Communication data: emails you send to us and our responses.

§3Why we collect it (lawful basis)

We process account data, performance data, and operational data to provide the service you signed up for (contractual necessity under DPDP, contract under GDPR-equivalent frameworks, performance of contract under PIPEDA).

We process billing data to take payment and comply with tax law (legal obligation).

We process operational data and security logs to keep accounts safe and to prevent fraud (legitimate interest in security, subject to your rights).

We send transactional emails on the basis of the contract. We send the weekly Sunday Analysis newsletter only if you opted in; you can unsubscribe at any time using the link in the email or from your dashboard.

§4How we use your data

Your performance data drives your own skill map, drill recommendations, and scaled mock score.

It also feeds anonymized cohort aggregates used in analysis posts. Aggregates require a minimum of one hundred independent attempts before any number is published. You can opt out of the cohort aggregate from your dashboard; opting out does not affect your own skill map.

Operational data is used to run, secure, and improve the service.

We do not use your data for automated decisions that produce legal or similarly significant effects about you.

§5What we do not do

Pinaka does not sell your personal data. Pinaka does not share your personal data with third parties for their own marketing.

No third-party advertising pixels. No third-party analytics that resell behavior. No cross-site tracking.

For California residents: we have not sold or shared personal information in the preceding twelve months, and we do not process sensitive personal information for inferring characteristics.

§6Who else processes your data (sub-processors)

We use a small set of vendors to run the service. They process data only on our instructions and under written agreements that meet applicable cross-border transfer requirements.

1. Amazon Web Services (US-East-1, N. Virginia, USA): hosting, database, authentication (Amazon Cognito), object storage, content delivery (Amazon CloudFront, whose access logs are our first-party analytics source), and transactional email (Amazon SES). Pinaka does not use third-party analytics or RUM products.
2. Google LLC (USA): Sign in with Google identity provider, used only when you choose to sign in with Google.
3. Our merchant of record (name to be inserted on this page once signed): payment processing, fraud screening, tax calculation, refunds, and customer billing communications.
4. Cashfree Payments India Pvt Ltd (India): backup payment processor, used only as a fallback.

§7Where your data is stored and processed

Pinaka stores most personal data on Amazon Web Services infrastructure in the US-East-1 region (Northern Virginia, USA). If you are located in India, the European Economic Area, the United Kingdom, Canada, or any other jurisdiction that regulates cross-border data transfers, your data is transferred to the United States subject to AWS's standard cross-border data-transfer terms and to applicable safeguards.

By using the service, you consent to this transfer.

§8Cookies and consent

Pinaka uses first-party cookies only. No advertising cookies, no third-party trackers. Detail, including names and durations, is on the cookie policy page.

On first visit, the marketing site checks your country (via a server-side IP-to-country lookup; the IP itself never leaves the request). The consent banner is visually identical for every visitor. What differs is the order of operations. Visitors in the European Economic Area, the United Kingdom, and Quebec must click Accept before the analytics pixel or the pinaka_vid cookie fires; this honours the prior-consent requirement of the EU General Data Protection Regulation, the UK GDPR + PECR, and Quebec's Law 25. Visitors elsewhere have the analytics pixel running from the first page view under the opt-out model recognised by the California CPRA and the rest-of-Canada operational-analytics provision of PIPEDA; clicking Decline retroactively stops further tracking. You can change your choice at any time from the Cookie preferences link in the footer.

§9How long we keep your data

Active-account data is retained while your account exists.

On account deletion, your performance data and personal identifiers are removed within thirty days, except for records we are required to keep for tax, fraud, or legal compliance (typically up to eight years for billing records under Indian and US tax rules).

Server-side application logs and security event data roll off after ninety days.

CloudFront access logs (the request URL, timestamp, user agent, and client IP address for each page view and pixel event) are retained for ninety days and then deleted automatically by an S3 lifecycle rule. We use them to debug outages, to detect abuse, and to produce aggregate product analytics. The ninety-day window is the minimum needed to investigate incidents and to compute quarter-over-quarter trends; we do not retain access logs beyond this window. The legal basis is legitimate interest in security and service quality (PIPEDA Principle 4.5 "limiting retention", CCPA "reasonable necessity").

Scored mock-result files in Amazon S3 are retained for two years from the date the mock was scored, and are removed sooner if you delete your account.

Anonymized cohort aggregates, once produced, are not personal data and are retained indefinitely as part of the public methodology.

§10Your rights

You can access, correct, export, or delete your data from your dashboard at any time. You can also email support@mypinaka.com to exercise these rights; we respond within five working days and complete the request within thirty days.

Under the Digital Personal Data Protection Act, 2023 (India), you have the right to access, correct, complete, update, and erase your personal data, the right to nominate a person to exercise your rights in the event of your death or incapacity, and the right to grievance redressal through the grievance officer page.

Under the California Consumer Privacy Act / CPRA, you have the right to know what categories of personal information we collect and the sources, the right to access and delete your personal information, the right to correct inaccurate personal information, and the right to non-discrimination for exercising these rights. We do not sell or share personal information; there is no opt-out to exercise.

Under PIPEDA (Canada) and Quebec's Law 25, you have the right to access, correct, and request deletion of your personal information, the right to know who has had access, and the right to lodge a complaint with the Office of the Privacy Commissioner of Canada or with the Commission d'accès à l'information du Québec.

We do not charge a fee to exercise these rights and we do not require you to create an account to do so (a verification step may be needed).

§11Security

We use industry-standard security controls: encryption in transit (TLS), encryption at rest, least-privilege access controls, audit logging, and a Web Application Firewall in front of the public surface.

No system is perfectly secure. If we discover a personal-data breach that is likely to result in risk to your rights, we will notify you and the relevant regulator(s) without undue delay, in line with applicable law (including the Indian Computer Emergency Response Team rules).

§12Children

Pinaka is for users aged eighteen and older. We do not knowingly collect personal data from children under thirteen (US) or under sixteen (EEA / UK), or from minors as defined under DPDP. If you believe a child has provided us with personal data, email support@mypinaka.com and we will delete it.

§13Changes to this policy

We may update this policy. Material changes are notified by email and by a notice on the dashboard at least thirty days before they take effect. The "Last updated" date at the top of the page reflects the latest revision.

§14Governing law

This policy is governed by the laws of the Republic of India. Statutory rights of users in the United States (including California) and Canada (including Quebec) are preserved where applicable, and nothing in this policy requires you to waive a right that cannot be waived under the law of your place of residence.