Privacy policy.
Your data, your rules.
Here's what we do — and don't do — with your information. The 60-second version. Full details below.
- Your name, grade, country, and school board — to personalise what you see.
- Your mobile number — to sign you in securely.
- What you do in pathways — choices, reflections, stickers — so you can come back to it.
- Chats with your AI Companion — so it remembers what you've talked about.
- We don't sell your data. To anyone. Ever.
- We don't show you ads.
- We don't share what you wrote with your parent or school — unless you choose to share it yourself.
- We don't track you across other apps or websites.
- Download everything we have about you — one tap in Settings → Privacy & data.
- Delete your account — one tap, 14-day recovery window, then gone for good.
- Turn notifications on or off any time.
- A parent or guardian needs to know — usually because the signup OTP went to their phone, or because they gave us their email to approve.
- A parent can contact us any time to review or delete your data.
- Nothing you write is sent to your parent automatically. Only if you tap "share with parent".
1 · Who we are
Careers Ahoy! is a product of [LEGAL ENTITY NAME], registered in India at [REGISTERED ADDRESS]. We are a Data Fiduciary under India's Digital Personal Data Protection Act 2023. Contact: privacy@careersahoy.app.
2 · Who this policy is for
This policy applies to everyone who visits or uses Careers Ahoy — our website, our app, our pathways, the AI Companion, and any supporting service we run. If you are under 18, a parent or guardian should read this with you.
3 · What we collect, and why
Only what we actually need. Here's every field, why it exists, and how long we keep it.
| Data | Why | Retention |
|---|---|---|
| Preferred name | Personalisation | Life of account |
| Grade, country, school board | Suggesting relevant pathways and content | Life of account |
| Mobile number | OTP login security; consent audit trail | Life of account |
| Email (optional) | Weekly summaries and recovery | Life of account |
| "Parent on this number?" Yes/No | Determining valid parental consent for minors | Life of account |
| Pathway progress & choices | Save points, recommendations, AI Companion context | Life of account |
| Reflections & notes | Re-readable on My Journey, AI Companion context | Life of account · private to you |
| Decision (Yes/Maybe/No) per pathway | Your shelf, recommendation tuning | Life of account |
| Companion chat messages | Chat memory; future model training (anonymised) | Life of account · separately deletable |
| Aggregate analytics | Improving the product | ~14 months pseudonymous, then aggregated |
| Technical diagnostics (errors) | Fixing bugs and crashes | 90 days |
We do not collect: precise location, contacts list, photos from your phone, browsing history on other sites, biometric data, political views, religious beliefs, financial information, or any special-category personal data.
4 · Children's data — extra care
Under India's DPDP Act 2023, anyone under 18 in India is treated as a child and their data can only be processed with verifiable parental consent. We apply equivalent protection internationally (COPPA in the US, GDPR Art. 8 in the EU/UK).
We capture verifiable parental consent in one of two ways at signup:
- Shared-phone path — when the mobile number at signup is the parent's (common for ages 12–16 in India), the OTP goes to the parent. They physically receive the code. This is a recorded consent event.
- Verified-email path — when the student has their own phone, we ask for a parent's contact. We send an approval link the parent must click. Nothing is processed until they approve.
For all minors, we additionally commit to:
- No behavioural advertising, ever
- No profiling for marketing
- No sharing of the child's content with parents unless the child initiates
- No location tracking beyond country (self-reported)
- Age-appropriate language in this policy itself
- One-tap account deletion accessible to the child directly — not gated by parent permission
5 · How we use what we collect
- To run the service — sign you in, save your progress, render your shelf.
- To personalise — recommend pathways based on what you've explored.
- To support the AI Companion — the chat reads your pathway data so it can reference your specific choices.
- To improve the product — aggregate analytics on what works.
- To keep you safe — detecting abuse, preventing misuse of the AI Companion.
- To respond to a parent's request, with your consent.
6 · Who we share data with
We do not sell your personal information. We do not participate in data-broker markets. We do not integrate with advertising networks. We do not show you ads.
We do share data with a small number of processors who help us operate the platform, each under DPDP-compliant agreements:
- Firebase (Google) — hosting, authentication, database, aggregate analytics
- Anthropic (Claude API) — AI Companion responses
- Microsoft Clarity — anonymous public-page session replay (disabled for signed-in minors)
- WhatsApp Business API — outbound messages and OTP delivery
We disclose data only when required by valid Indian legal process, or to protect lives or prevent serious harm.
7 · Your rights
All accessible from Settings → Privacy & data when you're signed in.
- Access — download everything we have about you (JSON).
- Correction — edit your profile fields, ask us to correct stored data.
- Erasure — one-tap delete with a 14-day recoverable grace period, then progressive removal.
- Withdrawal of consent — turn off any notification channel, opt out of the AI Companion, revoke parent consent.
- Nomination — under the DPDP Act, you can nominate someone to exercise your rights.
- Grievance — escalate to our Grievance Officer (below). If unresolved within 30 days, escalate to the Data Protection Board of India.
8 · Security & breach notice
Data is stored in Firebase (Google Cloud) with encryption in transit and at rest. Access is limited to a small named team under least-privilege controls. Mobile OTPs are handled by Firebase Auth; we do not store OTP codes ourselves.
In the event of a personal data breach likely to cause harm, we will notify affected users and the Data Protection Board of India within 72 hours, as required by the DPDP Act. For children, parents will be notified.
9 · Retention & deletion
Retention periods per data type are in section 3.
Account deletion runs on this schedule:
- You tap delete → two-step confirm with a concrete delete-list.
- 14-day recoverable grace window — sign in to recover.
- After grace: Firestore records deleted within 7 days, analytics pseudo-IDs severed, companion chat logs anonymised or fully deleted per your choice.
- Final deletion receipt sent with reference ID.
Parents have a parallel verified-email request path. Parent deletion is additional, never a precondition — a minor can always delete their own account.
10 · Changes to this policy
When we change the policy in a way that materially affects your rights, we'll notify you in the app and (if you've given email) by email. We keep a version history.
11 · Contact & grievance officer
Grievance Officer: [NAME · DESIGNATION]
Email: grievance@careersahoy.app
WhatsApp: [NUMBER]
Address: [INDIA REGISTERED OFFICE]
Response time: 7 calendar days for acknowledgement, up to 30 days for resolution.
For general questions: privacy@careersahoy.app. For account deletion or data download, use the in-app controls — they're faster.
If your complaint isn't resolved by the Grievance Officer within 30 calendar days, you may escalate to the Data Protection Board of India under Section 13 of the DPDP Act.
Delete my account
Sign in, then go to Settings → Privacy & data → Delete my account. One tap, 14-day grace period, fully reversible during grace, irreversible after.