Last updated: 12-01-2026
1. Introduction
Drupto Consultants Pvt Ltd ("we," "us," or "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use DruptoQuiz (the "Platform"). For the purposes of India's Digital Personal Data Protection Act, 2023 (DPDP Act), we are the **Data Fiduciary**, and you, the user, are the **Data Principal**.
By creating an account and using our service, you provide your explicit consent to the collection and use of information in accordance with this policy.
2. Data Fiduciary & Grievance Officer
The entity responsible for your data (Data Fiduciary) is:
Drupto Consultants Pvt Ltd
Email: support@druptoconsultants.com
In accordance with India's Digital Personal Data Protection Act, 2023, we have appointed a Grievance Officer. To address any discrepancies or grievances with respect to the processing of your information, you may contact:
**Grievance Officer:**
Saurabh Chandra
Email: saurabh.chandra@druptoconsultants.com
3. Information We Collect and How We Use It
We use specific services provided by Google Firebase to operate our platform. Below is a breakdown of the data we collect and the service used:
- Firebase Authentication: To manage user sign-up, login, and account security, we process your credentials, such as your email address and hashed password or tokens from social providers like Google.
- Cloud Firestore: Your core profile information (name, email), the quizzes you create, and your submission results are stored in our secure database hosted on Google Cloud Firestore.
- Cloud Storage for Firebase: Any files you upload, such as a custom logo for a quiz or a signature for a certificate, are stored securely in Google Cloud Storage.
- Cloud Functions for Firebase: Sensitive backend tasks, such as processing payments or handling account deletions, are executed in a secure, isolated environment managed by Google.
- Technical and Usage Data: We collect technical information (IP address, device type) and usage data (pages visited, time spent) to improve our service, ensure security, and for analytics purposes.
Automated Decision Making and AI
Some platform functions use Artificial Intelligence to generate and assess quiz content. These automated processes are not intended to produce legally binding decisions and may contain inaccuracies. We use AI to provide a better service, which constitutes a legitimate interest.
4. Data Sharing, Disclosure, and Sub-Processors
We do not sell or rent your personal data. We use trusted third-party services, known as sub-processors, to provide our service. Our primary sub-processor is **Google**, which provides our Firebase backend infrastructure.
We may also share information with other essential service providers for functions like payment processing (Razorpay) and analytics, all under strict confidentiality agreements.
Sub‑Processor Details
Below is a comprehensive list of our sub‑processors, the services they provide, the categories of data shared, the purpose of processing, the location of processing, and the legal basis for the transfer.
| Processor Name | Service Provided | Data Shared | Purpose | Location | Legal Basis |
|---|---|---|---|---|---|
| Google Firebase | Authentication, Database, Storage | Personal data, quiz content, uploaded files | Platform infrastructure and core service delivery | India (Delhi) | Standard Contractual Clauses (SCCs) and Google Data Processing Addendum |
| Razorpay | Payment processing | Payment details (card number, UPI ID), transaction metadata | Transaction processing, invoicing, refunds | India | Razorpay DPA and contractual obligations |
| Google Analytics | Usage analytics | Anonymized usage data, device information, page views | Performance improvement, feature adoption analysis | Global | Google Analytics Data Processing Terms and SCCs |
| Google Gemini AI | AI quiz generation and assessment | Quiz content, prompts, user‑provided text | AI‑powered content creation and evaluation | Global | Google AI Data Processing Addendum and SCCs |
| MediaPipe (Google) | Face detection and landmark tracking | Biometric data (processed locally, not transmitted) | Proctoring integrity, verification of test‑taker presence | Local processing (no transmission) | No data transfer; processing occurs entirely on user device |
Note: All sub‑processors are bound by strict contractual obligations that require them to protect your data in line with applicable data protection laws. Where data is transferred outside India or the European Economic Area, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
Google Analytics
For users who are logged into their accounts, we use Google Analytics to collect information about engagement with our platform. This helps us understand feature usage and overall application performance. This data is used in an aggregated and anonymized form to guide our development and enhance our services.
5. Data Security
We are committed to protecting your data. All data transmitted between your device and our Firebase backend is encrypted in transit using industry-standard TLS. Furthermore, all your data stored within Cloud Firestore and Cloud Storage is automatically encrypted at rest by Google, providing an additional layer of security.
6. Data Retention and Deletion
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or to comply with legal obligations. Our data retention policies are designed to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and other applicable laws.
Specific Retention Periods
| Data Category | Retention Period | Legal Basis | Purpose |
|---|---|---|---|
| User Account Data (Active) | Indefinitely while active | Consent, Contract | Service provision |
| User Account Data (Inactive) | 3 years from last login | Legitimate Interest | Data minimization |
| Quiz Content | 5 years from last activity | Consent | Educational records |
| Quiz Submissions | 2 years from completion | Consent | Performance records |
| Financial Transactions | 7 years | Legal Obligation | Tax compliance |
| Consent Records | 7 years | Legal Obligation | Compliance evidence |
| Audit Logs | 7 years | Legal Obligation | Compliance monitoring |
Deletion Process
When you request to delete your account or when retention periods expire, your data undergoes a structured deletion process:
- Soft Deletion: Data is marked for deletion and becomes inaccessible to users
- 30-Day Grace Period: You receive notifications and can restore your account
- Permanent Deletion: After the grace period, data is permanently purged from all systems
- Audit Trail: All deletions are logged in our DPDP audit system for 7 years
You can manage your data retention preferences through our Privacy Dashboard.
7. Your Data Protection Rights
Depending on your location, you have certain rights regarding your personal data. We are committed to upholding these rights for all our users. To facilitate these rights, we have implemented a comprehensive Privacy Dashboard where you can manage all aspects of your data protection rights.
Self-Service Rights Management
Through our Privacy Dashboard, you can exercise the following rights directly:
📥 Data Access & Export
- Download all your data in JSON/CSV format
- Export specific data categories
- View data processing history
- Access consent records
✏️ Data Correction
- Request correction of inaccurate data
- Update profile information
- Track correction requests
- Upload supporting evidence
🗑️ Data Deletion
- Delete specific data categories
- Request account deletion
- Withdraw consent for processing
- Schedule automatic deletion
📋 Consent Management
- View all active consents
- Withdraw consent granularly
- Review consent history
- Update consent preferences
Specific Rights Under DPDP Act
As a Data Principal under India's Digital Personal Data Protection Act, 2023, you have the following specific rights:
- Right to Access Information: Access a summary of your personal data being processed
- Right to Correction and Erasure: Correct inaccurate data or request erasure
- Right to Grievance Redressal: File grievances through our appointed Grievance Officer
- Right to Nominate: Nominate another person to exercise your rights in case of death or incapacity
- Right to Withdraw Consent: Withdraw consent at any time with effect for the future
Response Timeframes
We are committed to responding to your data protection requests within the following timeframes:
| Request Type | Response Time | Legal Requirement |
|---|---|---|
| Data Access Request | 30 days | DPDP Act Section 11 |
| Correction Request | 30 days | DPDP Act Section 12 |
| Erasure Request | 30 days | DPDP Act Section 13 |
| Grievance Resolution | 30 days | DPDP Act Section 14 |
| Breach Notification | 72 hours | DPDP Act Section 8(2) |
To exercise these rights, you can use our Privacy Dashboard or contact our Grievance Officer at saurabh.chandra@druptoconsultants.com. You also have the right to lodge a complaint with the Data Protection Board of India.
8. Consent Management
We implement a granular consent management system in compliance with the DPDP Act. Consent is obtained for specific purposes and can be managed through our Privacy Dashboard.
Types of Consent We Obtain
- Quiz Creation Consent: Required to create and publish quizzes on the platform
- Quiz Participation Consent: Required to participate in quizzes and have your performance data processed
- Payment Processing Consent: Required for processing financial transactions through Razorpay
- Marketing Communications Consent: Required for sending promotional emails and notifications
- Biometric Data Consent: Required for proctoring features using face detection
Consent Characteristics
All consents obtained meet the DPDP Act requirements of being:
✅ Free & Informed
Consent is given voluntarily with clear information about what data is collected and how it will be used.
✅ Specific & Granular
Consent is obtained for specific purposes, not bundled together. You can consent to some purposes while declining others.
✅ Easy to Withdraw
You can withdraw consent at any time through the Privacy Dashboard with immediate effect for future processing.
✅ Version Controlled
All consent versions are tracked, and you're prompted to review updated terms when significant changes occur.
9. Data Breach Notification
We have implemented a comprehensive breach detection and notification system in compliance with DPDP Act Section 8(2).
Our Breach Response Process
- Detection: Automated systems monitor for unauthorized access and data breaches
- Investigation: Our Data Protection Officer investigates potential breaches within 24 hours
- Containment: Immediate steps are taken to contain and mitigate the breach
- Notification: Affected users and the Data Protection Board are notified within 72 hours
- Remediation: Measures are implemented to prevent similar breaches in the future
In the event of a data breach that is likely to result in harm to you, we will notify you through the email address associated with your account and provide guidance on protective measures you can take.
10. Vendor Management
We maintain a comprehensive vendor management program to ensure all third-party processors comply with DPDP Act requirements.
Vendor Compliance Requirements
All vendors processing personal data on our behalf must:
- Sign DPDP-compliant data processing agreements
- Undergo annual security assessments
- Implement appropriate technical and organizational measures
- Notify us of any data breaches within contractually defined timeframes
- Cooperate with our Data Protection Officer during investigations
Our vendor management system includes regular compliance monitoring, risk assessments, and contract renewal tracking to ensure ongoing DPDP compliance.
11. Cookies and Tracking Technologies
The Platform uses cookies and similar technologies to function and to enhance your experience. For more details on what we use and your choices, please refer to our Cookie Policy.
12. International Transfers and Data Storage Location
Your data is processed and stored on Google Cloud's secure servers. Our primary data storage region for Cloud Firestore and Cloud Storage is **asia-south2 (Delhi)**. While data is stored in this region, it may be accessed by our support and engineering teams from other locations for maintenance and support purposes. If your data is transferred internationally, we ensure that appropriate legal and security protections are in place in accordance with applicable laws, such as using Standard Contractual Clauses provided by Google.
13. Children's Privacy
The Platform is not intended for children under 18 years of age. We do not knowingly collect personal data from children without verifiable parental consent.
14. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new policy on this page and updating the "Last updated" date.