1.1 Our Commitment to Privacy

MockPe ("we", "us", "our", "Company", "हम") is deeply committed to protecting the privacy and security of your personal data. This Privacy Policy explains our practices regarding the collection, use, storage, sharing, and protection of your personal information.

1.2 Scope of This Policy

This Privacy Policy applies to:

1.3 Agreement to Privacy Policy

By using the MockPe platform, you:

• Acknowledge that you have read this Privacy Policy
• Understand how we collect, use, and protect your data
• Consent to our data processing practices as described
• Agree to the terms of this Privacy Policy

1.4 Integration with Terms and Conditions

This Privacy Policy is an integral part of our Terms and Conditions. Both documents should be read together. In case of any conflict between the two, the Privacy Policy shall prevail on privacy-related matters.

1.5 Language

This Privacy Policy is provided in English and Hindi. In case of any discrepancy, the English version shall prevail.

2.1 Data Fiduciary Details

Under the Digital Personal Data Protection Act, 2023, MockPe acts as a Data Fiduciary (controller of personal data).

2.2 Responsibilities as Data Fiduciary

As a Data Fiduciary, we are responsible for:

• Determining the purpose and means of processing personal data
• Ensuring lawful, fair, and transparent data processing
• Implementing appropriate security measures
• Respecting data principal rights
• Complying with DPDP Act, 2023 and other applicable laws
• Notifying data breaches
• Maintaining records of data processing activities

2.3 Data Protection Officer

Designated Officer:

3.1 Categories of Personal Data

We collect the following categories of personal data:

3.1.1 Identity Data

Legal Basis: Contract performance, legitimate interest

3.1.2 Contact Data

Legal Basis: Contract performance, consent

3.1.3 Account Data

Legal Basis: Contract performance

3.1.4 Usage Data

Legal Basis: Legitimate interest, service improvement

3.1.5 Technical Data

Legal Basis: Legitimate interest, technical necessity

3.2 What We DO NOT Collect

3.3 How We Collect Data

Collection Methods:

3.4 Data from Minors (Below 18)

Special Protocol for Children's Data:

• We collect data of minors ONLY with verifiable parental consent
• Parent/Guardian provides consent during account creation
• Same data elements as adults (no additional data)
• Parent/Guardian can access, modify, or delete child's data anytime
• We do NOT engage in behavioral tracking of minors
• We do NOT serve targeted advertisements to minors

Compliance: DPDP Act, 2023 - Section 9

4.1 Primary Purposes

We use your personal data for the following purposes:

4.1.1 Service Provision

Legal Basis: Contract performance (Section 7, DPDP Act, 2023)

4.1.2 Communication

Legal Basis:

• Essential communications: Contract performance
• Promotional: Consent (Section 6, DPDP Act, 2023)

4.1.3 Service Improvement

Legal Basis: Legitimate interest

4.1.4 Security & Fraud Prevention

Legal Basis: Legitimate interest, legal obligation

4.1.5 Legal Compliance

Legal Basis: Legal obligation (Section 7, DPDP Act, 2023)

4.2 Marketing and Promotional Use

With Your Consent:

We may send you:

• New feature announcements
• Special discounts or offers
• Referral program invitations
• Educational content and tips
• Platform updates and improvements

Your Control:

• You can OPT-OUT anytime by sending "STOP" to our WhatsApp number
• Opt-out processed within 48 hours
• You will still receive essential service communications

Compliance:

• TRAI Regulations on Unsolicited Commercial Communication
• DPDP Act, 2023 - Section 6 (Consent requirements)
• Respect for DND (Do Not Disturb) registry

4.3 Purposes We DO NOT Use Data For

5.1 Lawful Grounds Under DPDP Act, 2023

We process personal data only on lawful grounds as specified in the Digital Personal Data Protection Act, 2023:

5.1.1 Consent (Section 6)

When We Rely on Consent:

Your Rights:

• Consent can be withdrawn at any time
• Withdrawal does not affect lawfulness of prior processing
• Withdrawal may affect service delivery (for essential processing)

How to Withdraw:

• Send "STOP" for promotional messages
• Contact Grievance Officer for other consents

5.1.2 Contract Performance (Section 7)

When We Rely on Contract:

This processing is necessary to perform our contract with you (Terms and Conditions).

5.1.3 Legal Obligation (Section 7)

When We Rely on Legal Obligation:

5.1.4 Legitimate Interest

When We Rely on Legitimate Interest:

Balancing Test: We ensure our legitimate interests do not override your fundamental rights and freedoms.

5.2 Special Provisions for Children

Under DPDP Act, 2023 - Section 9:

For users below 18 years:

• Verifiable parental consent is mandatory
• Parent/Guardian acts as data principal
• Parent can exercise all rights on behalf of child
• No behavioral tracking or profiling of children
• No targeted advertising to children

Our Implementation:

• Account in parent's name (parent provides consent)
• Parent's contact details registered
• Parent can request deletion anytime

6.1 Our General Policy

6.2 When We DO NOT Share

We do NOT share your data with:

• Third-party advertisers
• Data brokers or marketing companies
• Social media platforms (for advertising)
• Credit bureaus
• Insurance companies
• Recruitment agencies
• Any entity for commercial exploitation
• International entities (data stays in India)

6.3 When We MAY Share

We may share your data ONLY in the following limited circumstances:

6.3.1 Service Providers

Who: Technical service providers essential for platform operation

Protections:

• Contractual obligations to protect data
• Process data only as per our instructions
• Cannot use data for their own purposes
• Data Processing Agreements in place

6.3.2 Legal Obligations

Who: Law enforcement, courts, government authorities

Process:

1. Verify authenticity of request
2. Assess legal validity
3. Share minimum necessary data
4. Document the disclosure
5. Notify user (if legally permissible)

6.3.3 Business Transfers

In case of:

• Merger with another company
• Acquisition by another entity
• Sale of business assets
• Bankruptcy or insolvency

Then:

• Your data may be transferred to successor entity
• You will be notified of such transfer
• Successor must honor this Privacy Policy
• You have right to delete data before transfer

6.3.4 With Your Consent

If we need to share data for any purpose not covered above:

• We will ask for your explicit consent
• We will explain the purpose and recipient
• You can refuse without consequences
• You can withdraw consent later

6.4 Data NOT Shared

Internal Use Only:

The following data is NEVER shared externally:

• Passwords (even hashed versions)
• Individual performance/scores
• Private exam content you created
• Support conversation details
• Payment method details

6.5 Aggregate & Anonymized Data

We may share:

• Aggregate statistics (e.g., "10,000 exams attempted this month")
• Anonymized data for research
• Industry benchmarks

Protection: Data is aggregated/anonymized so individual users cannot be identified.

Legal Basis: DPDP Act, 2023 - Section 2(j) excludes anonymized data from definition of "personal data"

7.1 Storage Location

All your data is stored in INDIA:

Compliance: DPDP Act, 2023 - Section 16 (Cross-border data transfer restrictions)

7.2 Storage Infrastructure

7.3 Data Retention Periods

We retain your data for the following periods:

7.3.1 Active Account Data

7.3.2 Post-Termination Data

7.3.3 Specific Data Types

7.4 Retention Timeline Flowchart

┌─────────────────────────────────────────────────────────┐
│               DATA RETENTION TIMELINE                   │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ACTIVE SUBSCRIPTION                                    │
│  └─► All data retained and actively used               │
│                                                         │
│  SUBSCRIPTION EXPIRES                                   │
│  └─► Day 0: Subscription ends                          │
│      Day 1-30: Grace period (data retained)            │
│      Day 31: Deletion process initiated                │
│      Day 45: All personal data permanently deleted     │
│                                                         │
│  EXCEPTIONS (Retained Longer):                          │
│  └─► Payment records: 8 years                          │
│  └─► Legal hold: Until resolved                        │
│  └─► Fraud investigation: Until concluded              │
│                                                         │
└─────────────────────────────────────────────────────────┘

7.5 Data Deletion

Secure Deletion Process:

When data is deleted:

• Removed from production databases
• Removed from backup systems (within backup cycle)
• Overwritten to prevent recovery
• Deletion logged for audit trail

Data Residuals:

• Some metadata may remain in logs (anonymized)
• Aggregate statistics remain (no personal identifiers)

7.6 Legal Retention Requirements

We are legally required to retain certain data:

These override our standard deletion timelines.

8.1 Our Security Commitment

8.2 Technical Security Measures

8.2.1 Encryption

Implementation:

• All website communications over HTTPS
• Minimum TLS 1.2 or higher
• Strong encryption algorithms (AES-256)
• Regular security certificate updates

8.2.2 Access Controls

8.2.3 Network Security

8.2.4 Application Security

8.3 Organizational Security Measures

8.4 Your Security Responsibilities

You play a crucial role in security:

✅ DO's:

• Choose a strong, unique password
• Keep your password confidential
• Log out from shared/public devices
• Report suspicious activity immediately
• Keep your registered mobile number secure
• Enable screen lock on your device
• Use updated browser and operating system

❌ DON'Ts:

• Don't share your login credentials
• Don't use the same password on multiple sites
• Don't log in from untrusted devices
• Don't click on suspicious links
• Don't share OTPs or verification codes
• Don't ignore security warnings

8.5 Security Limitations & Disclaimer

Legal Basis: IT Act, 2000 - Section 43A (reasonable security practices)

9.1 Overview of Rights

Under the Digital Personal Data Protection Act, 2023, you have the following rights regarding your personal data:

9.2 Right to Access (Section 11)

What: Know what personal data we hold about you

How to Exercise:

9.3 Right to Correction (Section 12)

What: Correct inaccurate or incomplete personal data

Examples:

• Name spelled incorrectly
• Wrong mobile number
• Outdated parent names

How to Exercise:

9.4 Right to Erasure (Section 12)

What: Request deletion of your personal data

When You Can Request:

• Purpose of processing is fulfilled
• You withdraw consent (where processing based on consent)
• Data no longer necessary
• You terminate subscription

How to Exercise:

9.5 Right to Data Portability

What: Receive your data in a structured, commonly used format

How to Exercise:

9.6 Right to Grievance Redressal (Section 13)

What: File complaints about data protection violations

When to Use:

• We violated your data rights
• Data processed unlawfully
• Security breach affecting you
• Unauthorized data sharing
• Any privacy concern

How to Exercise:

9.7 Right to Nominate (Death/Incapacity)

What: Designate someone to exercise your rights if you become deceased or incapacitated

How to Exercise:

9.8 Right to Withdraw Consent

What: Withdraw previously given consent

When Applicable:

• Promotional messages
• Optional data collection
• Non-essential processing

How to Exercise:

9.9 How to Exercise Rights

General Process:

Step 1: IDENTIFY THE RIGHT you want to exercise

Step 2: CONTACT US
        WhatsApp: [NUMBER]
        Email: [EMAIL if any]

Step 3: PROVIDE DETAILS
        - Your registered name
        - Mobile number
        - Specific request
        - Reason (optional but helpful)

Step 4: VERIFICATION
        We verify your identity using registered mobile

Step 5: PROCESSING
        We process your request within timelines

Step 6: RESPONSE
        You receive confirmation and action taken

9.10 Limitations on Rights

Your rights may be restricted if:

• Legal obligation requires us to retain data
• Ongoing legal proceedings involving your data
• Fraud investigation in progress
• Request is manifestly unfounded or excessive
• Exercise of right would harm rights of others

We will inform you if any limitation applies.

9.11 No Fee for Reasonable Requests

Free of Charge:

• First data access request
• Correction requests
• Erasure requests
• Reasonable number of requests

Nominal Fee May Apply:

• Excessive requests
• Repeated requests for same information
• Manifestly unfounded requests

Compliance: DPDP Act, 2023 - Sections 11-13

10.1 What Are Cookies

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience.

Types We Use:

10.2 Cookies We Use

10.2.1 Essential Cookies

These are necessary for the platform to function:

You cannot disable these without affecting functionality.

10.2.2 Preference Cookies

You can disable these; some features may not work optimally.

10.3 What We DO NOT Use

10.4 Managing Cookies

How to Control Cookies:

Browser Settings:

Google Chrome:

1. Settings → Privacy and Security → Cookies and other site data
2. Choose: Block third-party cookies OR Block all cookies

Mozilla Firefox:

1. Settings → Privacy & Security → Cookies and Site Data
2. Choose blocking options

Safari:

1. Preferences → Privacy
2. Block cookies options

Microsoft Edge:

1. Settings → Privacy, search, and services
2. Manage cookies

Effect of Disabling:

10.5 Other Tracking Technologies

Local Storage:

We use browser local storage to:

• Store non-sensitive preferences
• Improve loading performance
• Cache non-personal data

Server Logs:

Our servers automatically log:

• IP address
• Browser type
• Access time
• Pages visited

Purpose: Security, troubleshooting, analytics

10.6 Do Not Track (DNT)

Current Position: We respect "Do Not Track" browser settings for non-essential tracking. However, essential cookies are still necessary for functionality.

11.1 Age Policy

Compliance: DPDP Act, 2023 - Section 9

11.2 Verifiable Parental Consent

For users below 18 years:

How We Obtain Consent:

1. Account created in parent/guardian's name
2. Parent/guardian provides their own contact details
3. Parent accepts Terms and Privacy Policy on behalf of child
4. Parent is the "data principal" for child's data

Verification Method:

• Account uses parent's registered mobile number
• Any communication goes to parent
• Consent requests sent to parent

11.3 Parental Rights

Parents/Guardians have the right to:

• Access child's personal data
• Correct inaccurate data
• Delete child's data at any time
• Withdraw consent for data processing
• Request what data is collected
• Control promotional communications

How to Exercise:

11.4 Data Collected from Children

Same as adults:

• Name, parent names, mobile numbers, date of joining
• Usage data (exams attempted, scores)
• Technical data (IP address, device info)

No additional sensitive data from children

11.5 How We Protect Children

Special Protections:

• No targeted advertising to children
• No behavioral profiling of minors
• No selling of children's data
• No sharing with third parties (except as per policy)
• Parental control at all times
• Age-appropriate content and features
• No public forums where children can interact with strangers

11.6 Third-Party Services and Children

We do NOT integrate:

• Social media login for children
• Third-party advertising networks
• Behavioral analytics specifically for children
• Any service that tracks children across websites

11.7 Educational Purpose

Platform is designed for:

• Educational and exam preparation purposes
• Safe learning environment
• No commercial exploitation of children
• Focus on academic improvement

11.8 Parent's Responsibilities

Parents/Guardians should:

• Supervise child's use of platform
• Monitor child's online activities
• Ensure child uses platform appropriately
• Review child's exam content and scores
• Contact us with any concerns

11.9 Reporting Concerns

If you believe:

• We have collected child's data without parental consent
• Child's data is being misused
• Any child safety concern

Please contact us immediately:

Legal Framework: