CPMAI Prep

Privacy Policy

Last updated: 2026-05-26

1. Overview

This Privacy Policy explains what personal information CPMAI Prep (the “Service”) collects, how we use it, who we share it with, and the choices you have. We aim to collect the minimum necessary to operate the Service well.

2. Information We Collect

You provide directly

  • Name, email address, and password when you register
  • Phone number and WhatsApp number when you opt to share these (e.g. through a callback request)
  • Payment instrument details — handled directly by Razorpay; we never see or store your full card number or UPI VPA
  • Profile data you choose to add (company, role, study notes)
  • Content of chat conversations with our AI assistant and any feedback you submit

Collected automatically

  • IP address and approximate location (country, city) derived via MaxMind GeoIP — used for currency selection, fraud mitigation and country-specific tax handling
  • Device, browser and OS information visible in standard HTTP headers
  • Pages visited, course progress, quiz attempts and timestamps
  • Anonymous-session identifiers stored as cookies to maintain pre-login activity

3. How We Use Your Information

  • Provide the Service: authenticate you, track course progress, deliver content, process payments
  • Personalise: surface relevant courses, default to your local currency, remember in-progress lessons
  • Communicate: send transactional emails (receipts, account notices), respond to support requests, send course/session reminders
  • Improve: review aggregated usage patterns and AI conversation quality to fix bugs and improve teaching content
  • Comply with law: retain financial records (typically 7 years under Indian tax law), respond to lawful requests
  • Security: detect abuse, rate-limit, audit-log administrator actions

4. Sharing Your Information

We do not sell your personal data. We share information only with the following parties, and only for the purposes described:

  • Payment processors (Razorpay, PayPal where applicable) — for processing transactions
  • Email delivery (Resend / Postmark / equivalent) — to send the emails listed above
  • Cloud infrastructure (our hosting provider, Cloudflare for asset delivery) — to operate the Service
  • AI providers (OpenAI, Anthropic where configured) — to generate answers in the AI assistant. Conversation contents are sent to these providers as part of normal operation. We pass through their own data-handling commitments and do not use your data for model training
  • Live-session providers (Zoom) — to host video sessions where applicable
  • Legal compliance — when required by law or to protect rights, property or safety

5. Cookies and Local Storage

We use cookies and browser local storage for:

  • Authentication (an access token and a refresh token)
  • Maintaining anonymous-session state before sign-up
  • Remembering UI preferences (e.g. sidebar collapsed state)

We do not use third-party advertising cookies. You may disable cookies in your browser, but doing so will prevent you from logging in.

5a. Product Analytics (Visitor Insights)

To understand how visitors and learners use the Service, we run a first-party analytics tracker (no third-party analytics provider, no cross-site tracking). This tracker runs only in your browser session on our domain and the data is stored on our own infrastructure.

What we collect:

  • The pages you view on this Service and the timestamps
  • How long each page was actively in the foreground (the tracker pauses when the tab is in the background)
  • Scroll depth on each page (25 / 50 / 75 / 100% milestones), to identify which content learners actually read
  • Clicks on a small number of explicitly-tagged calls-to-action (sign in, plan select, checkout, request callback, course enrol) — we do NOT capture every click
  • Standard UTM parameters in the URL if you arrived via a tagged campaign link
  • Referrer URL (the page that linked you here) with personal-looking query parameters (email, phone, tokens) stripped server-side before storage
  • Device, browser and operating system bucket parsed from the standard User-Agent header
  • Country and city from the same MaxMind GeoIP lookup described in §2 — not the precise IP

Why: improving the product (finding pages that aren't working), measuring whether new features are used, identifying drop-off in the signup → payment flow.

How to opt out:

  • The tracker honours your browser's Do Not Track setting (when you enable it in your browser's privacy settings, navigator.doNotTrack reports "1").
  • Operators can disable the tracker globally via a server-side kill switch; we may use this during incidents or in response to specific user requests.
  • You may request your captured analytics rows be detached from your identity at any time via the data deletion flow in §8 — your aggregate event counts stay in place, but no further drilldown by your visitor identifier is possible.

Retention for analytics events follows the same schedule as other usage data (see §7).

6. Data Security

We use TLS encryption for data in transit. Sensitive credentials (API keys, payment-provider secrets) stored server-side are encrypted at rest. Passwords are stored using salted hashing — never in plaintext. Access to production data is restricted to authorised personnel and audit-logged.

No system can be 100% secure. We will notify affected users promptly in the event of a confirmed personal-data breach in compliance with applicable law.

7. Data Retention

We retain your data for as long as your account is active, plus the periods needed for the purposes described in this policy. After account deletion:

  • Personally-identifying fields (email, name, Google ID) are redacted within 24 hours
  • Your account is marked inactive and you can no longer sign in
  • Financial records (invoices, payment confirmations) are retained for 7 years to comply with Indian tax and accounting law
  • Aggregated, non-identifying usage analytics may be retained indefinitely

8. Your Rights

You have the right to:

  • Access — download a copy of your data (export from account settings)
  • Correct — fix inaccurate information in your account
  • Delete — request deletion of your account and the redaction of identifying data (subject to the legal-retention requirements in §7)
  • Opt out of marketing communications (we send only transactional ones by default)
  • Withdraw consent at any time where processing relies on consent

Exercise these rights through your account settings, or by emailing us at contact@cpmaiexampre.com. We respond within 30 days.

9. Children's Privacy

The Service is not directed at children under 18. If we learn that we have inadvertently collected data from a minor, we will delete it promptly.

10. International Transfers

Our infrastructure is hosted primarily in India. Some of our sub-processors (e.g. OpenAI, Cloudflare) operate outside India. We rely on those vendors' published security and privacy commitments to safeguard data in transit.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced via email or an in-product notice at least 14 days before they take effect. The “Last updated” date above always reflects the current version.

12. Contact

For privacy questions, data-rights requests, or breach notifications, reach us at contact@cpmaiexampre.com.