Privacy Policy

1) Who We Are & Scope

This Privacy Policy (“Policy”) explains how RadMentor (“we”, “us”, “our”) collects, uses, shares, secures, and retains personal information when you use our websites, dashboards, mobile views, RadGen AI drafting tools, and related services (collectively, the “Platform”).

Controller: RadMentor (legal entity details to be updated). Contact: privacy@radmentor.app. If you are in the EU/UK, we process your data according to GDPR/UK GDPR. For India, the Digital Personal Data Protection Act, 2023 (DPDP) applies.

2) Key Definitions

• Personal Data / Personal Information: Information that can identify you or is reasonably linkable to you.
• Processing: Any operation performed on personal data (collection, storage, analysis, deletion, etc.).
• Processor: A vendor that processes data for us under our instructions (e.g., Firebase, PayU).

3) What We Collect

We collect the following categories of data, depending on how you use the Platform:

• Account & Identity: name, email, email verification status, optional profile fields (designation, institution, country), access level, profile completion.
• Authentication: handled by Firebase Authentication. We never store plaintext passwords. If you sign in with Google, we receive basic profile data permitted by Google (e.g., name, email).
• Subscription & Payments: plan, term, status, amounts, PayU transaction IDs, coupon use, timestamps. We do not store card numbers.
• Learning Activity: question attempts, scores, bookmarks, notes, progress analytics, “Question of the Day” responses.
• AI / RadGen: prompts you provide and AI-generated outputs; optional feedback/rating. Do not submit PHI.
• Support & Communications: emails and chat transcripts with support; abuse reports and appeals.
• Device & Usage: IP address, approximate location from IP, device/OS/browser, pages viewed, referrer, session timing, crash logs; cookie/local-storage identifiers for sign-in and preferences.
• Admin Tools: impersonation mode flag (e.g., rm_impersonate_uid in sessionStorage), plus audit logs (who impersonated whom, when, reason).

4) Why We Process Data (Purposes & Legal Bases)

• Provide & secure the Platform (contract/legitimate interests): account access, learning features, fraud prevention, service integrity.
• Payments & billing (contract/legal obligation): processing subscriptions, receipts, taxes, and compliance.
• Analytics & product improvement (legitimate interests; consent where required): aggregate learning analytics, feature usage, performance insights.
• AI processing (RadGen) (contract/legitimate interests; consent if reused for improvement): generate drafts from your prompts; we may use de-identified and/or aggregated prompts/outputs to improve our features unless you opt out.
• Marketing (consent/legitimate interests): optional product updates and offers; you can opt out anytime.
• Compliance & enforcement (legal obligation/legitimate interests): handle legal requests, prevent abuse, enforce Terms.

5) Cookies, Local Storage & Similar Technologies

We use:

• Strictly Necessary: Firebase auth/session persistence (localStorage/IndexedDB), CSRF/session cookies, security flags.
• Functional: preferences (e.g., theme, recent activity).
• Analytics/Measurement (if enabled): aggregate usage metrics. In the EU/UK we obtain consent before setting non-essential cookies/SDKs.
• Marketing (if enabled): only with consent where required.

Manage preferences via the cookie banner (where shown) or your browser settings. Disabling strictly-necessary storage may break sign-in.

6) Sharing & Recipients

We do not sell personal information. We share data only with:

• Processors/Vendors under data-processing terms:
  • Google Firebase & Google Cloud: authentication, Firestore database, hosting, storage, email verification.
  • PayU: payment processing; we never store card numbers. A Cloudflare Worker generates PayU hashes and handles webhooks.
  • Email service (e.g., SES/SendGrid) for transactional email.
  • Error logging/analytics (if enabled) for stability and usage metrics.
• Legal/Compliance: when required to comply with law or protect rights, safety, and security.
• Business transitions: merger, acquisition, or transfer of assets (we’ll notify you of changes of control).
• Aggregated/De-identified data: for research and statistics, not reasonably re-identifiable.

7) International Transfers

Your data may be processed in countries outside your own (including the EU/EEA, UK, US, and India). Where required, we use appropriate safeguards such as Standard Contractual Clauses (and the UK Addendum/IDTA) and vendor assurances. By using the Platform, you understand your data may be transferred internationally subject to these safeguards.

8) Retention Schedule

We may retain anonymized or aggregated data for longer for statistics and research.

9) Security

• Transport security (TLS) and at-rest encryption with Firebase/Google Cloud.
• Strict access controls, least-privilege, admin MFA, and periodic access reviews.
• Impersonation mode is visibly bannered and fully audited (who/whom/when/reason).
• Secure key management; webhook signing; anti-fraud checks.
• Vulnerability handling and incident response procedures.

No method is 100% secure. If a breach risks your rights and freedoms, we will notify you and regulators as required by law.

10) AI / RadGen Specifics

• RadGen drafts educational content; outputs may be inaccurate. Human review is required.
• Do not submit patient-identifiable information (PHI/PII). If you do, contact us for deletion.
• Improvement use: we may use aggregated and/or de-identified prompts/outputs to improve features. You can opt out by emailing privacy@radmentor.app.
• We do not sell personal data or permit third parties to train models in a way that identifies you.
• No solely automated decisions producing legal/equivalent effects on you.

11) Your Rights & Choices

India (DPDP 2023): access, correction, erasure, grievance redressal, and consent withdrawal for optional processing.

EU/UK (GDPR/UK GDPR): access, rectification, erasure, portability, restriction, objection; lodge a complaint with a supervisory authority.

California (CCPA/CPRA): right to know, delete, correct, and to opt out of “sale”/“sharing.” We do not sell or share personal information in the CCPA sense, nor use sensitive personal information for inferring characteristics.

To exercise rights, email privacy@radmentor.app from your account email. We may verify requests (e.g., sign-in or emailed codes). We acknowledge within 7 days and aim to resolve within 30 days, or as otherwise required by applicable law.

12) Your Controls

• Email preferences: unsubscribe links in emails or contact support.
• Cookie preferences: via banner (where shown) or browser settings.
• AI data opt-out: email privacy@radmentor.app.
• Account deletion: request in-app (Settings > Privacy) or email us. We will delete personal data subject to legal/backup retention noted above.

13) Third-Party Links

Links to other sites are provided for convenience. Their privacy practices are their own; review their policies.

14) Children

The Platform is for users aged 18+. We do not knowingly collect data from children under 18. If discovered, we will delete it.

15) Changes to this Policy

We may update this Policy. Material changes will be announced via email and/or in-app notice. The “Last Updated” date at the top will change. Continued use after the effective date means you accept the updated Policy.

16) Contact & Grievance Redressal

Data Protection & Grievance Officer
RadMentor
Email: privacy@radmentor.app
Postal address: [Add official address]
Acknowledgement within 7 days; resolution target within 30 days (subject to applicable law).

17) Jurisdiction

This Policy is governed by the laws of India. Courts in New Delhi, India shall have exclusive jurisdiction, unless overridden by mandatory local law.