Privacy Policy
Last Updated: 12 May 2026
Effective Date: 12 May 2026
This Privacy Policy describes how Pookie CA (“we”, “us”, “our”) collects, uses, stores, and shares your personal information when you use our Platform (the website at pookieca.com, the Pookie CA mobile application, and the Pookie CA Telegram bot and Mini App).
This policy is designed to comply with the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other applicable Indian data protection laws.
1. Who we are (Data Fiduciary)
For purposes of the DPDP Act, Pookie CA is the Data Fiduciary responsible for your personal data.
Contact:
- Email: support@pookieca.com
- Website: pookieca.com
For privacy-specific requests, write to support@pookieca.com with the subject line “Privacy Request”.
2. Information we collect
2.1 Information you provide
| Data | When collected | Why |
|---|---|---|
| Name | At signup, contact form | Personalisation, support |
| WhatsApp number | At signup (WhatsApp OTP verification) | Authentication, transactional messages |
| Email address | At signup, contact form | Authentication (if Google OAuth), receipts, transactional emails |
| Examination target (e.g., MAY-26, NOV-26) | At signup | Content personalisation |
| CA level (Foundation / Intermediate / Final) | At signup | Surface relevant content |
| Payment information | At checkout | Processed by Razorpay; we do not store full card or UPI details |
| Feedback, error reports, support requests | When you contact us | To respond to and resolve your queries |
2.2 Information we receive from authentication providers
- Telegram: Your Telegram user ID, first name, and language preference (where shared by Telegram) when you use the Pookie CA bot or Mini App
- Google: Your Google account email and basic profile information when you sign in with Google
- WhatsApp: Your WhatsApp number (which you provide directly) and delivery status of OTP messages
2.3 Information collected automatically
| Data | Purpose |
|---|---|
| Device type, OS version, browser | Compatibility, debugging |
| IP address (truncated for storage) | Abuse prevention, region detection |
| Telegram bot interactions (commands, button taps) | Analytics, product improvement |
| MCQ attempts, accuracy, time spent | Progress tracking, content recommendations |
| Streak counts, milestones reached | Gamification, re-engagement |
| Cookies and similar technologies | Session persistence, analytics (see Section 6) |
2.4 Information from payment processor
Razorpay shares with us:
- Transaction ID and status (success/failure/refund)
- Amount and currency
- Payment method used (UPI, card brand, etc., not full details)
- Customer name and contact provided to Razorpay
We do not receive or store your full payment card number, CVV, UPI VPA, or banking credentials.
3. How we use your information
We process your personal data for the following purposes:
| Purpose | Legal basis under DPDP Act |
|---|---|
| Provide access to the Platform and your account | Performance of contract |
| Process payments and deliver purchased content | Performance of contract |
| Send transactional emails and WhatsApp messages (OTPs, receipts, expiry reminders) | Performance of contract |
| Personalise content based on your level and target | Legitimate interest |
| Improve our Platform, fix bugs, add features | Legitimate interest |
| Detect and prevent fraud, abuse, and security incidents | Legitimate interest |
| Comply with legal and regulatory obligations | Legal obligation |
| Send marketing communications (only if you opt in) | Consent |
We do not use your data for automated decision-making with significant legal effects on you.
4. How we share your information
We do not sell your personal data. We share data only with the following categories of recipients:
4.1 Service providers (processors acting on our behalf)
| Provider | Role | Data shared |
|---|---|---|
| Supabase (Supabase, Inc., USA) | Backend database and authentication | Account data, attempts, progress |
| Cloudflare (Cloudflare, Inc., USA) | Hosting, edge infrastructure, email routing | All Platform traffic |
| Razorpay (Razorpay Software Pvt. Ltd., India) | Payment processing | Name, contact, payment intent |
| Brevo (Sendinblue SAS, France) | Transactional email and WhatsApp messaging | Email/WhatsApp number, message content |
| Telegram (Telegram FZ-LLC, UAE) | Bot and Mini App platform | Telegram user ID, messages, interactions |
| Google (Google LLC, USA) | OAuth authentication (if you choose Google Sign-In) | Email, basic profile |
| Vercel (Vercel Inc., USA) | Application hosting | Site traffic, application logs |
Each of these providers is contractually bound to use your data only for the purposes we specify and to maintain appropriate security measures.
4.2 Legal compliance
We may disclose your information if required by law, court order, or other valid legal process, or to protect the rights, property, or safety of Pookie CA, our users, or others.
4.3 Business transfers
If Pookie CA is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5. Cross-border data transfers
Some of our service providers are located outside India. By using the Platform, you consent to your data being processed in jurisdictions including the United States, the European Union, the United Kingdom, and the United Arab Emirates.
We rely on the following safeguards for such transfers:
- Service-provider contracts with data-protection clauses
- Reliance on adequacy determinations and standard contractual clauses where applicable
- Compliance with the DPDP Act’s cross-border transfer provisions as notified
6. Cookies and tracking
We use the following types of technology:
| Type | Purpose | Can you disable? |
|---|---|---|
| Essential cookies / local storage | Session, authentication, preferences | No — required for the Platform to function |
| Analytics cookies | Aggregated usage metrics (anonymised) | Yes, via browser settings |
| Marketing cookies | Not used in v1 | n/a |
We do not use third-party advertising cookies. We do not track you across other websites for advertising purposes.
7. Data retention
We retain your personal data only for as long as necessary for the purposes set out in this Policy, or as required by law:
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account, plus 90 days for backup purposes |
| Transaction records | 8 years (tax/regulatory requirement under Indian law) |
| Email and messaging logs | 18 months |
| Aggregated, anonymised analytics | Indefinite (cannot be linked back to you) |
| Marketing consents | Until withdrawn |
After the retention period, we delete or anonymise the data.
8. Your rights under the DPDP Act
You have the following rights regarding your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Correction | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your data (subject to legal retention requirements) |
| Grievance redressal | Raise concerns about how we handle your data |
| Withdraw consent | Withdraw consent previously given (e.g., for marketing) |
| Nominate | Nominate another person to exercise your rights in case of your death or incapacity |
To exercise any of these rights, email support@pookieca.com with the subject “Privacy Request — [Your Right]”. We will respond within 30 days.
If you are not satisfied with our response, you may approach the Data Protection Board of India under the DPDP Act.
9. Children’s data
The Platform is not intended for users under 16 years of age. We do not knowingly collect data from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal data, contact us at support@pookieca.com and we will delete it.
If you are between 16 and 18, your use of the Platform requires the consent of a parent or legal guardian.
10. Security
We use industry-standard security measures including:
- HTTPS encryption for all data in transit
- Encryption at rest for stored data (provided by our infrastructure partners)
- Access controls and authentication for our administrative systems
- Regular security review and incident response procedures
- Payment data handled exclusively by PCI-DSS compliant Razorpay infrastructure
No system is perfectly secure. If you suspect unauthorised access to your account, contact us immediately at support@pookieca.com.
11. Account deletion
You may request deletion of your account at any time by emailing support@pookieca.com from your registered email or contacting us via the bot.
Upon deletion:
- Account access ceases
- Personal data is deleted within 30 days, except where retention is legally required (e.g., transaction records for tax purposes)
- Active subscriptions are cancelled (no refund — see Refund Policy)
- Anonymised aggregated data may be retained for analytics
Once deleted, your data cannot be recovered.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email or by prominent notice on the Platform at least 7 days before they take effect. The “Last Updated” date at the top of this document reflects the most recent revision.
13. Contact
For any privacy-related questions, requests, or complaints:
Pookie CA — Privacy Inquiries
- Email: support@pookieca.com
- Subject line: “Privacy Request”
We aim to respond within 30 days.
Disclaimer: This Privacy Policy template is provided as a starting point. It is NOT legal advice. Before going live, have this policy reviewed by an Indian lawyer familiar with the DPDP Act, 2023; the Information Technology Act, 2000; and the Consumer Protection (E-Commerce) Rules, 2020. Update all placeholder references to match your actual data flows and infrastructure choices.