Privacy Policy
Effective date: 14 July 2026
1. Who we are
BimaShastra (“we”, “us”, “our”) is a B2B training and knowledge platform for insurance professionals in India. We are not an IRDAI-licensed insurer or intermediary. This platform is for professional education and reference only.
For privacy-related queries, contact us at: privacy@bimashastra.com
2. Data we collect
We collect only the minimum data needed to operate the platform:
- Account data: email address and full name (provided at sign-up via Supabase Auth).
- Exam data: IC38 practice exam mode, number of questions attempted, score percentage, and time taken. Linked to your account.
- Usage data: pages visited and features used, collected in aggregate to improve the platform. We do not track individual browsing histories.
- Email content: when you use “Email this answer”, your email address and the AI answer are used to send the email. We do not store the content of AI conversations.
We do not collect Aadhaar numbers, PAN, financial account details, health data, or any biometric information.
3. How we use your data
- To authenticate your account and maintain your session.
- To save and display your IC38 exam attempt history on your profile.
- To send transactional emails (AI answers you explicitly request to email yourself).
- To generate anonymised aggregate statistics for admin reporting (e.g. platform-wide pass rates).
- To send optional weekly digest emails if you opt in. You can unsubscribe at any time.
We do not sell your data. We do not use your data for advertising or share it with insurance companies, brokers, or any commercial third party.
4. Third-party services
We use the following sub-processors, each bound by their own privacy obligations:
- Supabase (database and authentication) — data stored on AWS servers, EU/US region. Supabase Privacy Policy.
- Vercel (web hosting and serverless functions) — standard access logs retained for 30 days. Vercel Privacy Policy.
- Resend (transactional email delivery) — your email address is passed to Resend only when you explicitly trigger an email send. Resend Privacy Policy.
- Google Gemini API (AI assistant) — your chat messages are sent to Google’s Gemini API to generate responses. Do not include personal identifying information in AI chat messages. Google Privacy Policy.
5. Your rights under the DPDP Act 2023
Under India’s Digital Personal Data Protection Act, 2023, you have the following rights with respect to your personal data:
- Right to access: you may request a copy of the personal data we hold about you.
- Right to correction: you may request that inaccurate data be corrected.
- Right to erasure: you may delete your account and all associated data at any time from your Profile page. Deletion is permanent and immediate.
- Right to grievance redressal: if you believe your data has been mishandled, contact us at privacy@bimashastra.com. We will respond within 72 hours.
To exercise any of the above rights, you can either use the in-app controls (Profile → Delete Account) or email us directly.
6. Data retention
We retain your account data and exam history for as long as your account is active. If you delete your account, all personal data is permanently erased within 24 hours. Anonymised aggregate statistics (e.g. total platform pass rate) do not contain personally identifiable information and are retained indefinitely.
7. Cookies and session storage
We use a single session cookie (pv_admin_session) for admin authentication only. Regular users are authenticated via Supabase, which sets its own session cookies (sb-access-token, sb-refresh-token) necessary for platform functionality. We do not use any advertising, analytics, or tracking cookies.
8. Security
We implement the following safeguards:
- All data is transmitted over HTTPS (TLS 1.2+).
- Database access is protected by Supabase Row Level Security — users can only access their own data.
- Admin functions are protected by server-side cookie authentication with an 8-hour expiry.
- API rate limiting protects against automated abuse of AI and email endpoints.
- No passwords are stored by BimaShastra — authentication is handled entirely by Supabase.
9. Children
BimaShastra is a professional platform intended for insurance agents and industry professionals aged 18 and above. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us at privacy@bimashastra.com and we will delete it immediately.
10. Changes to this policy
We may update this Privacy Policy as the platform evolves. Material changes will be notified via email to registered users at least 7 days before taking effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.