Legal
Privacy Policy
Last updated: 1 May 2026 · Effective: 1 May 2026
Who we are
TheoderAI Technologies Private Limited (“TheoderAI”, “we”, “us”) is the data fiduciary under the Digital Personal Data Protection Act, 2023 (DPDP Act). We are incorporated in India and operate the TheoderAI platform.
Our Data Protection Officer can be reached at privacy@theoderai.com.
Data we collect
Account data: Name, email address, phone number (optional), and the exam you are preparing for. Collected when you sign up.
Session data: Transcripts of your tutoring conversations, question-and-answer exchanges, and your self-reported mastery assessments. This is how Theoder builds your knowledge graph.
Voice data: Audio recordings during voice coaching sessions. Audio is transcribed in real-time and the raw recording is deleted within 48 hours. Transcripts are retained as session data (see above).
Usage data: Pages visited, features used, session durations, error logs. Used to improve the product and diagnose bugs.
Payment data: Billing address, GST number (if applicable), and payment method details processed by Razorpay. We do not store full card numbers. We receive only a tokenized reference from Razorpay.
Device data: Browser type, operating system, IP address, and approximate location (city-level). Used for security and to comply with legal obligations.
How we use your data
We use your data to:
- Provide the tutoring service — build and update your knowledge graph, generate coaching responses, and deliver your daily prep brief
- Improve Theoder's AI models using anonymized, aggregated conversation data
- Process payments and manage your subscription
- Send transactional emails (welcome, billing receipts, password reset, session summaries)
- Send product updates and tips — you can opt out at any time
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations under Indian law
We do not use your data to serve third-party advertising. We do not sell your personal data to any third party.
Legal basis for processing (DPDP Act 2023)
Under the DPDP Act, 2023, we process your personal data on the following grounds:
- Consent: You have provided explicit consent during registration for the processing of your account, session, and voice data.
- Contractual necessity: Processing required to perform the service you have subscribed to.
- Legitimate interests: Security monitoring, fraud prevention, and product improvement using anonymized data.
- Legal obligation: Compliance with Indian tax law (GST) and other applicable regulations.
Data storage & security
Location: All personal data is stored on servers located within India, in compliance with the DPDP Act's data localization requirements.
Retention: We retain your account and session data for the duration of your subscription plus 90 days after account closure. After that, all personal data is deleted. Voice audio is deleted within 48 hours of the session.
Security measures: Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Access to production data is restricted to authorized personnel and logged. We conduct regular security reviews.
Breach notification: In the event of a personal data breach that poses a risk to your rights, we will notify you and the Data Protection Board within 72 hours of becoming aware.
Data sharing
We share your data only with:
- Service providers: Razorpay (payments), Clerk (authentication), cloud infrastructure providers — all operating under data processing agreements.
- AI model providers: We use third-party large language model APIs to power Theoder's responses. Your conversation content is sent to these APIs for inference. It is not stored or used for training by the API provider under our agreement.
- Legal authorities: When required by law, court order, or to protect our legal rights.
We do not share your data with advertisers, data brokers, or other education companies.
Your rights under the DPDP Act
Under the DPDP Act, 2023, you have the right to:
- Access: Request a summary of what personal data we hold about you.
- Correction: Correct inaccurate or outdated personal data.
- Erasure: Request deletion of all your personal data (“right to be forgotten”).
- Grievance redressal: File a complaint with our Data Protection Officer.
- Nominate: Nominate a person to exercise your data rights in the event of your death or incapacity.
To exercise any of these rights, go to Settings → Privacy in your account, or email privacy@theoderai.com. We will respond within 15 business days.
If you are not satisfied with our response, you may file a complaint with the Data Protection Board of India.
Cookies & tracking
We use cookies and similar technologies for:
- Strictly necessary: Authentication tokens, CSRF protection, session management — these cannot be disabled.
- Analytics: Aggregate, anonymized usage data to understand how people use the product — you can opt out in Settings.
We do not use advertising or cross-site tracking cookies.
Minor users & parental consent
In strict compliance with Section 9 of the DPDP Act 2023 and the DPDP Rules 2025 (notified November 13, 2025), you must be at least 18 years of age to use our Services independently. Users under 18 are legally classified as minors under Indian law.
TheoderAI is legally prohibited from processing the personal data of a minor unless we obtain verifiable parental consent from the minor's parent or lawful guardian. We use one or more of the following mechanisms to verify the consenting individual is an adult:
- Email-Plus Verification: A multi-step confirmation process via the parent's email address.
- Payment Gateway Authentication: A nominal, temporary transaction to verify adult financial authority.
- Government ID Verification: Secure, encrypted upload of a government-issued ID.
- Video-Based Verification: Real-time video face matching and age verification.
- Knowledge-Based Authentication: Contextual security questions tailored to adult records.
For minor users, as a Data Fiduciary under the DPDP framework, we strictly enforce:
- No behavioral tracking — we do not track, monitor, or log online behavior, screen time, keystrokes, or habits of minor users.
- No targeted advertising — we are prohibited from serving targeted advertisements directed at children.
- No detrimental profiling — we will not engage in digital profiling that may negatively impact a child's psychological or emotional well-being.
If you are a parent and believe your child has provided us with personal data without consent, email privacy@theoderai.com and we will delete it promptly.
Changes to this policy
We will notify you of material changes to this policy by email at least 14 days before they take effect. Minor changes (such as typo corrections) may be made without notice. The “last updated” date at the top of this page reflects the most recent revision.
Contact & Grievance Redressal
In compliance with Section 5 of the DPDP Act 2023 and the IT Rules 2021, we have appointed a dedicated Grievance Officer for privacy and data-related disputes:
Designation: Chief Grievance & Nodal Officer
Grievance Email: grievance@theoder.ai
Privacy / DPO Email: privacy@theoderai.com
Response SLA: Acknowledged in 24–48 hours; resolved within 15 days (max 30 days)
Address: H NO 5-96-71 P1, Phase 01, Dholpur House Road, New Delhi, India
If you are not satisfied with our response, you may escalate your complaint to the Data Protection Board of India.