Contents

  1. Who We Are
  2. What Data We Collect
  3. How We Collect Your Data
  4. Why We Use Your Data (Legal Basis)
  5. Data Sharing and Third-Party Processors
  6. Analytics and Tracking
  7. Cookies and Local Storage
  8. How Long We Keep Your Data
  9. Your Rights Under Indian Law
  10. Data Security
  11. Data Breach Notification
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact & Grievance Officer
Section 1

Who We Are

CramUp (operating at cramup.in) is an online educational content platform that publishes and sells digitally delivered, academically condensed course books for BEd and CTET students across India. The platform is operated by CramUp Educational Services, based in Dehradun, Uttarakhand, India, operating under the umbrella of Aarambh Learning Hub.

When this policy refers to "CramUp", "we", "us", or "our", it means CramUp Educational Services. When it refers to "you" or "your", it means any person who visits, browses, registers on, or purchases from cramup.in.

This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and other applicable Indian laws, including the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. By using CramUp, you consent to the collection and processing of your personal data as described in this policy.

Section 2

What Data We Collect

Data CategorySpecific Data PointsWhen Collected
Identity & ContactFull name, email address, phone numberAt purchase or account creation
Account DataHashed password, account creation date, university selected, programme type (BEd / CTET), role (student / admin)At purchase / account creation
Purchase & Transaction DataBooks purchased, plan type, amount paid, payment reference / transaction ID, payment method type (UPI / card / net banking / wallet), purchase timestampsAt time of purchase
Usage & Reading DataPages visited, books opened, chapters read, reading progress, unit test scores, checklist completion, device type, browser typeWhile actively using the platform
Device & Session DataIP address, device fingerprint (for 2-device limit enforcement), session tokens, operating systemOn login / each session
Analytics DataPage views, session duration, traffic source, click paths, events — collected by Google Analytics 4 (see Section 6)On every page visit
Communication DataMessages sent via the Contact form, email correspondence with support, WhatsApp messages sent to our support numberWhen you contact us
University PreferenceYour selected university (stored locally in your browser)When you select on the homepage
We do not collect: Card numbers, CVV codes, or full payment card details. Card and UPI payments are processed entirely by Razorpay. We receive only a transaction confirmation reference. We do not store any payment instrument data on our servers.
Section 3

How We Collect Your Data

Section 4

Why We Use Your Data (Legal Basis)

PurposeLegal Basis
Creating your account after purchaseContract performance — account creation is a core part of the service you purchased
Granting and managing access to purchased booksContract performance — delivery of the digital product
Enforcing the 2-device access limitContract performance — agreed condition of use
Processing your paymentContract performance and legal obligation
Sending purchase confirmation and login credentialsContract performance
Sending academic nudges about upcoming semesters or new booksLegitimate interest — relevant, non-aggressive academic notifications only
Platform analytics and usage improvementLegitimate interest — understanding how books are used to improve content quality and user experience
Legal compliance (tax records, dispute resolution, chargebacks)Legal obligation under Indian law
Responding to contact form or support enquiriesLegitimate interest — responding to your request
Fraud prevention and platform securityLegitimate interest — protecting the integrity of the platform and other users
Section 5

Data Sharing and Third-Party Processors

We do not sell your personal data. We do not share it with advertisers or marketing networks. We share data only with the following service providers, and only to the minimum extent necessary for them to perform their function:

No advertising networks: CramUp does not use Google Ads, Meta Pixel, or any third-party advertising tracker on its platform. We do not build advertising profiles from your data. Google Analytics is used solely for understanding platform usage — not for targeted advertising.
Section 6

Analytics and Tracking

CramUp uses Google Analytics 4 (GA4) to understand how visitors use the website. GA4 collects data such as pages visited, time on page, scroll depth, traffic source (how you arrived at the site), device type, and approximate geographic location (city/country level only — not precise location).

This data is collected through a tracking script loaded on every page of cramup.in, including the legal pages. GA4 assigns an anonymous client ID to your browser to distinguish unique visitors. We do not link GA4 data to your personal account or identity.

Google Analytics data is transmitted to and stored on Google's servers. Google may process this data in countries outside India, but does so under standard data protection contractual terms. We have configured GA4 with IP anonymisation enabled, meaning your full IP address is not stored by Google.

You may opt out of Google Analytics tracking across all websites by installing the Google Analytics Opt-out Browser Add-on. Alternatively, most modern browsers allow you to block tracking scripts via privacy settings or extensions.

No behavioural advertising: The GA4 data we collect is used only for internal analytics (e.g., understanding which subjects are most popular, or where users drop off). We have not enabled Google Signals, advertising features, or data-sharing with Google's advertising products.
Section 7

Cookies and Local Storage

CramUp uses browser local storage (not traditional cookies) to store your preferences and session data locally on your device. This data remains on your device and is not transmitted to our servers unless you interact with the platform.

Third-party cookies: Google Analytics 4 sets cookies in your browser (including _ga, _ga_[ID]) to distinguish users and track sessions. These cookies are governed by Google's cookie policy. They are analytics-only and contain no personally identifiable information.

Our hosting provider (Hostinger) may set technical cookies for server-side session management and CSRF protection. These are security necessities and contain no personal data.

You can clear local storage and cookies at any time via your browser's settings. Doing so will reset your university preference, reading progress on that device, and log you out of your account on that device.

Section 8

How Long We Keep Your Data

Data TypeRetention PeriodReason
Account and purchase records7 years from date of purchaseLegal and tax obligation under Indian law (Income Tax Act, GST compliance)
Active student accountsDuration of access period + 1 year after expiryTo allow reinstatement and respond to queries about past purchases
Reading progress and usage dataUntil you delete your account or submit a deletion requestTo allow you to resume progress across sessions
Contact form and support messages2 years from date of submissionDispute resolution and quality assurance
Payment transaction records7 years (legal obligation)GST, income tax, and payment dispute requirements
Session tokens30 days from last login, or until logoutSecurity — limits persistent session exposure
Google Analytics data14 months (configured in GA4 — Google's default retention)Analytics only; automatically purged by Google thereafter
Deleted accountsPurchase and payment records retained for 7 years; all other data deleted within 30 days of deletion requestLegal obligation overrides deletion for financial records

When a retention period expires, data is securely deleted or irreversibly anonymised. We do not retain personal data beyond what is legally or operationally necessary.

Section 9

Your Rights Under Indian Law

Under the Digital Personal Data Protection Act, 2023 (DPDPA 2023) and applicable Indian data protection law, you have the following rights as a data principal:

To exercise any of these rights, email us at hello@cramup.in with the subject line "Privacy Request — [Your Name]". Please include your registered phone number or email to help us locate your account. We will respond within 30 days. Complex requests may take up to 60 days; we will inform you if this applies.

Complaints to the Data Protection Board: If you are not satisfied with our response to a grievance, you have the right to file a complaint with the Data Protection Board of India once it is operationally established under the DPDPA 2023.
Section 10

Data Security

We implement reasonable technical and organisational security measures to protect your personal data from unauthorised access, disclosure, alteration, or destruction. These measures include:

Despite these measures, no internet-based system is completely immune to security risks. In the event of an incident, we will follow the procedures described in Section 11.

Section 11

Data Breach Notification

In the event of a personal data breach that is likely to result in risk to the rights and freedoms of affected individuals, CramUp will:

If you believe your CramUp account has been accessed without your authorisation, please contact us immediately at hello@cramup.in with the subject line "Security Concern — [Your Phone Number]".

Section 12

Children's Privacy

CramUp is designed for BEd and CTET students, who are typically adults (18 years of age and older). We do not knowingly collect personal data from individuals under 18 years of age.

If a person under 18 uses CramUp, a parent or legal guardian must supervise the account creation and purchase process and is responsible for consenting to these terms on the minor's behalf.

If you believe a child under 18 has independently provided us with personal data without parental consent, please contact us immediately at hello@cramup.in and we will promptly delete that data and the associated account.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The "Last Updated" date at the top of this page will always reflect the most recent revision.

When we make material changes — changes that significantly affect how we collect or use your personal data — we will notify active account holders by email at least 7 days before the change takes effect, and will prominently display a notice on the platform.

For minor or clarifying changes, we will update this page without individual notification. We encourage you to review this policy periodically. Continued use of CramUp after the effective date of any update constitutes your acceptance of the revised policy.

Section 14

Contact & Grievance Officer

In compliance with the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000, CramUp has designated a Grievance Officer to address privacy-related concerns. If you have any questions, concerns, or complaints about this Privacy Policy or how we handle your data, please contact:

Grievance Officer — CramUp Educational Services

📧 Email: hello@cramup.in

📱 WhatsApp & Contact: Visit our Contact Us page

📍 Address: Aarambh Learning Hub, GMS Road, Opposite Wadia Institute,
      Near Ballupur Chowk, Dehradun — 248001, Uttarakhand, India

Response time: Acknowledgement within 48 hours; full response within 30 days of receipt of grievance

For urgent privacy matters, please use the subject line: "PRIVACY GRIEVANCE — URGENT"

For data access, correction, or deletion requests, use: "Privacy Request — [Your Name]"