Privacy Policy
Your data belongs to you. Here's exactly what we collect and why.
Effective date: 14 April 2025
1. Who We Are
ZestExam is an online exam preparation platform operated by ZestExam (India). Our registered contact for data matters is:
Email: support@zestexam.com
Website: https://zestexam.com
2. Information We Collect
We collect the following categories of data:
a) Account Information
• Full name and email address (provided at registration)
• Phone number (optional, provided voluntarily)
• Password — stored as a one-way bcrypt hash; we cannot read it
b) Usage Data
• Mock test attempts, scores, time taken, and topic-level performance
• Topics practised and questions answered
• Study streak and session frequency
c) Payment Data
• Subscription plan chosen and payment date
• Razorpay order ID and payment ID (for verification)
• We do NOT store card numbers, CVVs, UPI handles, or bank account details — all payment data is handled exclusively by Razorpay under their PCI-DSS compliant infrastructure
d) Technical Data
• IP address (for fraud prevention and security logs)
• Browser/device fingerprint (to detect suspicious login activity)
• Cookies: session cookie (bolt_token, httpOnly) and refresh cookie (bolt_refresh, httpOnly)
e) Communications
• Emails you send to support@zestexam.com
3. How We Use Your Data
• To create and manage your account
• To deliver personalised mock tests, PYQ practice, and Battle Plan insights
• To process and verify subscription payments via Razorpay
• To send transactional emails (purchase confirmation, password reset)
• To detect and prevent fraud or misuse
• To improve the platform based on aggregate, anonymised usage patterns
• To comply with legal obligations
We do NOT use your data for targeted advertising or profile selling.
4. Data Sharing
We share your data only with the following third parties, and only to the extent necessary:
• Razorpay Payments Pvt. Ltd. — payment processing (PCI-DSS Level 1 compliant)
• Resend Inc. — transactional email delivery
• Supabase / PostgreSQL — database hosting (data stored in India/Singapore region)
All third-party processors are contractually bound to process data only on our instructions and to maintain appropriate security standards. We do not sell, rent, or trade your personal information to any third party for marketing purposes.
5. Cookies & Tracking
ZestExam uses the following cookies:
• bolt_token (httpOnly, Secure) — your login session JWT, expires in 7 days
• bolt_refresh (httpOnly, Secure) — refresh token for silent re-login, expires in 30 days
• eb_device_fp (localStorage) — anonymous device fingerprint for security
We do not use advertising cookies or third-party tracking pixels.
6. Data Retention
• Account data: retained while your account is active; deleted within 30 days of an account deletion request
• Mock attempt data: retained for 2 years to power analytics; anonymised after that
• Payment records: retained for 7 years as required by Indian GST and accounting law
• Support emails: retained for 3 years
7. Your Rights
You have the right to:
• Access — request a copy of the personal data we hold about you
• Correction — ask us to correct inaccurate data
• Deletion — request deletion of your account and associated data
• Portability — receive your data in a machine-readable format
• Opt-out — unsubscribe from any non-essential emails
To exercise any of these rights, email support@zestexam.com with the subject line "Data Request". We will respond within 30 days.
8. Data Security
We implement the following security measures:
• All passwords are hashed with bcrypt (cost factor 12) — not stored in plain text
• All API communication is over HTTPS/TLS
• JWT tokens and refresh tokens are stored in httpOnly, Secure cookies (not accessible via JavaScript)
• Refresh tokens are hashed with SHA-256 in the database
• Suspicious login activity is flagged via device fingerprint comparison
9. Children's Privacy
ZestExam is designed for students aged 13 and above. We do not knowingly collect data from children under 13. If we become aware that a child under 13 has provided us data, we will delete it promptly. If you believe your child has registered, contact us at support@zestexam.com.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the effective date above and, for material changes, notify registered users via email. Your continued use of ZestExam after changes are posted constitutes acceptance.
11. Contact
For any privacy-related queries:
Email: support@zestexam.com
We aim to respond within 2 business days.