Policies

Privacy policy.

A plain-English description of what we collect, why we collect it, where it goes, and how to get it back. Written to be readable in one sitting.

Last updated: 15 April 2026 Version: v3.4 Reading time: 7 min

1. What we collect

Three categories. Listed here, in full:

Account & profile

  • Your name, email, phone number, country of residence, target country.
  • The exam you're preparing for, your target score, your test date if you have one.
  • Academic background you share with your counsellor (school, college, marks, work experience).

Practice & usage

  • Recordings, written submissions and other content you upload for scoring.
  • Scores returned to you, examiner feedback notes, your score trend over time.
  • App-usage logs — which screens you visit, when you submitted a practice, app crashes.

Billing

  • Plan purchased, invoice amount, GST particulars, payment method type (UPI / card / netbanking). We do not store full card numbers; our payment processor handles that.

2. Why we collect it

Six lawful purposes, in line with the Digital Personal Data Protection Act, 2023:

  1. To provide the service — grade your practice, send you feedback, build your university shortlist, file your visa paperwork.
  2. To bill you — issue tax invoices, collect payment, process refunds.
  3. To improve our scoring models — using de-identified, aggregated data only. See §5.
  4. To prevent fraud — detect duplicate accounts, payment-method abuse, automated scraping.
  5. To meet legal obligations — tax records, statutory reporting, lawful requests from authorities.
  6. To communicate — appointment reminders, application deadlines, refund updates. Marketing emails only with your opt-in.

3. Who we share data with

We share specific categories of data with specific parties for specific purposes. The full list:

RecipientWhat they receiveWhy
Razorpay / Stripe IndiaName, email, billing address, payment instrument metadataPayment processing
Cloud infrastructure (AWS Mumbai region)All hosted data, encrypted at restApp hosting and storage
Universities you apply toThe application package you reviewed and approvedSubmitting your application
Visa authoritiesDocuments specified in the visa checklist for the country in questionVisa filing
Education loan providersOnly the documents you explicitly authorise, only on your requestLoan facilitation
Test bodies (IDP, ETS, Pearson, etc.)Your name and target test centre — only when booking on your behalfTest booking

We do not sell your data. We do not share it with advertising networks. We do not give it to data brokers.

4. How long we keep your data

  • Account information: for as long as your account is active, plus 18 months after closure (in case you return).
  • Practice submissions and scores: 24 months from submission, then deleted unless you opt to extend.
  • Counselling notes and SOP drafts: 3 years from your last interaction.
  • Billing records: 8 years, as required by Indian tax law.
  • Visa filings: 5 years from filing date, per regulatory practice.

You can request earlier deletion at any time — see §7.

5. AI model training

The clean version. Identifiable submissions are not used to train our scoring models unless you opt in. The training set is built from de-identified, aggregated data only — your name, account ID, recordings and writing are stripped before anything reaches a model trainer.

If you opt in — there is a toggle in your account, off by default — we may use your raw submissions to train and improve our scoring models. We pay a one-time credit of ₹500 to opted-in students at the end of each calendar quarter.

6. Cookies and analytics

The website uses two categories of cookies:

  • Essential — login session, cart state, security tokens. These cannot be disabled.
  • Analytics — Plausible Analytics, cookie-less, run from EU servers. We use page-view counts only, no per-user tracking.

We do not run advertising trackers. We do not embed third-party social pixels.

7. Your rights

Under the DPDP Act 2023 you can, at any time:

  • Access — request a copy of all your data, in a portable format.
  • Correct — fix anything that's inaccurate.
  • Delete — close your account and have your data erased, subject to retention obligations under law (tax, visa filings).
  • Withdraw consent — at any time, for any optional processing (marketing emails, model training).
  • Grievance redress — escalate a concern to our grievance officer.

Email privacy@bandlingo.edu with the request. We acknowledge within 3 business days and complete within 30.

8. Security

We're ISO 27001 certified. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). Production access is limited to two engineers, gated by hardware security keys. We run quarterly third-party penetration tests; the most recent report is available under NDA.

If we ever experience a breach affecting your data we will notify you within 72 hours, alongside the Data Protection Board of India under §8(6) of the DPDP Act.

9. Children's data

Bandlingo is not designed for users under 16. We do not knowingly collect data from anyone under 16. If you believe a minor has registered, email privacy@bandlingo.edu and we will close the account and delete the data within 7 business days.

10. Contact

Data protection officer: dpo@bandlingo.edu. Grievance officer: grievance@bandlingo.edu. Postal: Bandlingo Edutech Pvt Ltd, 1st Floor, The Social, Sector 7, Chandigarh 160007.

Related

Read our DPDP-compliance statement for the specific compliance posture under the 2023 Act, or our Terms of service for the broader account agreement.

Email privacy team