India Digital Personal Data Protection Act, 2023
This policy is written to comply with the DPDP Act 2023. As a Data Fiduciary, Prepbee EdTech Pvt. Ltd. is responsible for your personal data and processes it only for the purposes described in this policy, with your explicit consent.
1. Who We Are
Prepbee EdTech Pvt. Ltd. ("Prepbee", "Company", "we", "us", "our") is a company incorporated under the Companies Act, 2013, with its registered office in India. We operate MBAcallPredictor (the "Platform"), accessible at mbacallpredictor.com.
For the purposes of the Digital Personal Data Protection Act, 2023 ("DPDP Act"), Prepbee EdTech Pvt. Ltd. is the Data Fiduciary — the entity that determines the purpose and means of processing your personal data.
Data Protection Officer
Our designated Data Protection Officer ("DPO") can be reached at: dpo@prepbee.in or by post at: Prepbee EdTech Pvt. Ltd., Grievance Officer, [Registered Address], India.
2. Data We Collect
We collect only the minimum personal data necessary to provide the prediction service. We do not collect data beyond what is described in this section.
2.1 Data You Provide Directly
| Data Element | Category | Required? | Why Collected |
|---|---|---|---|
| Full name | Identity | Optional | Personalise reports |
| Email address | Contact | Yes | Account creation, report delivery |
| Phone number | Contact | Optional | Support only |
| CAT/XAT/SNAP/NMAT score | Academic | Yes | Core prediction input |
| Graduation percentage | Academic | Yes | Profile scoring |
| Work experience (months) | Professional | Yes | Profile scoring |
| Gender | Sensitive — Personal | Yes | Category-wise cutoff matching |
| Category (General/OBC/SC/ST/EWS/PwD) | Sensitive — Personal | Yes | Reservation-based cutoff matching |
| State of domicile | Geographic | Yes | State quota matching |
| PwD status | Sensitive — Health | If applicable | Disability reservation matching |
2.2 Data Collected Automatically
- IP address (for rate limiting and fraud prevention)
- Browser user-agent string (for consent logging)
- Anonymous session identifier (UUID stored as a cookie)
- Pages visited and features used (analytics, only with your cookie consent)
- Payment metadata (amount, status, provider reference — not card numbers)
2.3 Data We Do NOT Collect
- Credit or debit card numbers (handled entirely by the payment processor)
- Aadhaar number or any government-issued ID
- Biometric data
- Location data beyond state of domicile (user-provided)
- Social media profile data beyond OAuth email
3. How We Use Your Data
We use your personal data strictly for the following specified purposes. We will not use your data for any purpose not listed here without obtaining fresh, specific consent.
- Generating B-school call predictions: Your exam scores, academic profile, category, gender, and work experience are passed to our prediction engine to compute college-wise interview call probabilities.
- Producing GD/PI preparation reports: If you purchase a premium report, your prediction data is used to generate a personalised preparation guide via AI.
- Account management: Your email and name are used to create and manage your account, send verification emails, and provide account recovery.
- Payment processing: Payment metadata is stored for transaction records, refund processing, and financial compliance.
- Customer support: Support team members with the "support" role may access your prediction and payment data to resolve issues you raise.
- Product improvement (aggregate only): Anonymised, aggregated prediction data (no PII) is used to improve prediction accuracy and add new colleges.
- Legal compliance: Data is retained as required by Indian law, including GST records and the DPDP Act 2023.
- Marketing emails (optional): Sent only if you explicitly opted in during consent; these contain Prepbee MBA prep tips and product updates. You can unsubscribe at any time.
4. Legal Basis for Processing
Under the DPDP Act 2023, every act of processing personal data requires a valid legal basis. The following table documents the basis for each processing activity:
| Processing Activity | Legal Basis | Consent Version |
|---|---|---|
| Prediction generation | Explicit consent (DPDP §7) | 2026-01-v1 |
| GD/PI report generation | Explicit consent + contract performance | 2026-01-v1 |
| Account creation & management | Contract performance | — |
| Payment processing | Contract performance + legal obligation | — |
| Support access to data | Legitimate interest (support resolution) | — |
| Aggregate analytics | Legitimate interest (anonymised) | — |
| Marketing emails | Explicit opt-in consent | 2026-01-v1 |
| Rate limiting / fraud prevention | Legitimate interest (security) | — |
| Audit logging | Legal obligation | — |
You may withdraw consent at any time via the "My Data" section in your account. Withdrawing consent for core prediction processing will prevent you from using the prediction feature but will not affect data already processed.
5. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Anonymous predictions (no account) | 180 days from creation | Auto-deleted by scheduled job |
| Authenticated user predictions | 3 years from creation | Historical comparison feature |
| Account information | Duration of account + 2 years | Legal obligation |
| Payment records | 7 years | GST and Income Tax compliance |
| GD/PI reports | 1 year from generation | User re-download access |
| Consent logs | 5 years | DPDP Act compliance audit |
| Audit logs | 5 years | Security and compliance audit |
| Rate limit records | 7 days | Operational only |
Upon account deletion, all personal data is deleted within 30 days, except where retention is required by law (e.g. GST records for paid transactions).
6. Data Sharing
We do not sell, rent, or trade your personal data. Data is shared only as described below:
6.1 Service Providers (Data Processors)
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, Auth, Storage | All user data | India region (ap-south-1) |
| Vercel Inc. | Application hosting | Request logs, session cookies | Edge + India |
| Razorpay / PhonePe | Payment processing | Name, email, amount | India |
| Anthropic (Claude) | AI report generation | Prediction data (no PII) | US (processed, not stored) |
| Resend | Transactional email | Email address, name | US (email delivery only) |
All service providers are bound by Data Processing Agreements (DPAs) that restrict them to processing data only for the specified purpose.
6.2 Legal Disclosure
We may disclose your data to law enforcement, regulators, or courts when legally required by a valid order under Indian law. We will notify you unless prohibited from doing so.
7. Data Storage & Security
All data is stored on Supabase infrastructure in the Asia Pacific (Mumbai) region (ap-south-1), ensuring data residency within India as required by the DPDP Act 2023.
7.1 Security Measures
- All data in transit encrypted via TLS 1.3
- All data at rest encrypted using AES-256
- Row Level Security (RLS) enforced at the database layer — users can only access their own data
- Passwords hashed using bcrypt (via Supabase Auth)
- JWT sessions expire after 1 hour; refresh tokens rotate on every use
- Admin and support access restricted by role-based database policies
- All admin actions logged in an immutable audit trail
- GD/PI reports served via signed URLs valid for 24 hours only
7.2 Data Breach Notification
In the event of a personal data breach that is likely to cause harm to you, we will notify the Data Protection Board of India within 72 hours of becoming aware, and notify affected users as required by the DPDP Act 2023.
8. Your Rights Under the DPDP Act 2023
As a Data Principal under the DPDP Act 2023, you have the following rights. To exercise any right, email privacy@prepbee.in or use the "My Data" section in your account. We will respond within 30 days.
| Right | What It Means | How to Exercise |
|---|---|---|
| Right to Access | Obtain a copy of all personal data we hold about you | My Data → Download |
| Right to Correction | Correct inaccurate or incomplete personal data | My Data → Edit Profile |
| Right to Erasure | Request deletion of your account and all personal data | My Data → Delete Account |
| Right to Withdraw Consent | Withdraw previously granted consent for specific processing | My Data → Consent Settings |
| Right to Grievance Redressal | Raise a complaint with our Grievance Officer | dpo@prepbee.in |
| Right to Nominate | Nominate a person to exercise rights on your behalf | Email dpo@prepbee.in |
Grievance Officer
If you are not satisfied with our response, you may escalate to the Data Protection Board of India established under the DPDP Act 2023. Details at: meity.gov.in
9. Cookies & Tracking
| Cookie Name | Type | Purpose | Expiry |
|---|---|---|---|
| mbacp_session | Essential | Anonymous session tracking for predictions | 90 days |
| sb-access-token | Essential | Supabase authentication JWT | 1 hour |
| sb-refresh-token | Essential | Supabase session refresh | 60 days |
| mbacp:consent:v1 | Essential | Cookie consent preference (localStorage) | Permanent |
| _ga, _gid | Analytics (optional) | Google Analytics — only with consent | 2 years |
Analytics cookies are set only after you click "Accept all cookies" on the cookie banner. Choosing "Essential only" disables all analytics tracking. You can change this preference at any time via the "Cookie Settings" link in the footer.
10. Children's Privacy
MBAcallPredictor is intended for use by individuals who are at least 18 years of age, as MBA aspirants have typically completed their graduation. We do not knowingly collect personal data from individuals under 18.
If you are under 18 and have provided us with personal data, or if you are a parent or guardian who believes your child has done so, please contact us at privacy@prepbee.in and we will delete the data immediately.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, new legal requirements, or product updates. When we make material changes:
- The "Last updated" date at the top of this page will be revised and the consent version number incremented (e.g. 2026-01-v1 → 2026-06-v2).
- We will display a notice on the Platform and, where required by the DPDP Act, obtain fresh consent for new processing activities.
- Registered users will be notified by email at least 7 days before material changes take effect.
Your continued use of the Platform after the effective date constitutes acceptance of the updated policy for non-material changes. For material changes, we will seek fresh consent through the consent modal.
12. Contact & Grievances
If you are dissatisfied with our response to your privacy concern, you may approach the Data Protection Board of India at meity.gov.in.