How we handle your data.

What we store

• Your account email, display name, bio (Firebase + Supabase).
• Notes, generated modules, quizzes, flashcards, tutor sessions (Supabase Postgres).
• Uploaded files (Google Cloud Storage, in a per-user folder).
• Payment records (DODO Payments; we don't store card numbers).
• Usage events / credit ledger (Supabase + mirrored to DODO for audit).

Who can see your content

Only you (and our backend acting on your behalf when generating content). Row-level security policies prevent cross-account reads. Crampad staff don't routinely read your notes; engineering may access aggregated logs for debugging only.

AI & training

Generation calls go to Google Gemini APIs (Vertex AI & AI Studio). Google's commitments apply: paid Gemini API content is not used to train Google models. We don't fine-tune any models on your content.

Encryption

• HTTPS everywhere (browser ↔ Crampad ↔ providers).
• Files in GCS encrypted at rest with Google-managed keys.
• Database backups encrypted at rest in Supabase.
• Auth tokens stored only in your browser localStorage (per device).

Your rights

Export your data (email support@crampad.com), delete your account (Profile → Danger Zone), or ask us what we have on you. Soft delete keeps a 30-day grace; immediate delete is irreversible.

Subprocessors

• Google (Gemini, GCS, Cloud TTS, Firebase) — content processing & storage
• Supabase — primary database + auth helpers
• DODO Payments — billing & invoicing
• Mailgun — transactional emails
• Vercel (or self-hosted) — frontend delivery

Compliance

Indian customers see 18% GST on every paid transaction. GST-compliant invoices are issued under KriyaXlabs Pvt. Ltd. We follow RBI subscription rules for Indian-issued cards (48-hour mandate window).

Contact

Privacy concerns: support@crampad.com.