Privacy Policy

1. Who we are

SmartPrep CBSE (“SmartPrep,” “we,” “our”) is an assessment platform built for schools affiliated with the Central Board of Secondary Education (CBSE) in India. We help teachers generate worksheets, grade student work — including handwritten answers — and analyse student performance using artificial intelligence.

We are a small founding team. You can reach us at samaabhinavr@gmail.com or +91 93987 63261. This policy explains what information we collect, how we use it, and the choices you have.

2. Scope

This policy applies to everyone who uses smartprepcbse.com and the SmartPrep service. That includes:

School administrators who sign up their school
Teachers who use SmartPrep to create and grade assessments
Students who complete assignments on the platform
Visitors who browse the public website or our blog

3. The data we collect

3.1 Account information

For every user who signs in, we store:

Name and email address
Password (stored only as a one-way cryptographic hash — we cannot read it)
Role on the platform (school admin, teacher, or student)
The school the account is associated with
An optional profile image, if you upload one

3.2 Student information

For each student account, we additionally store:

Roll number (optional)
Classes the student is enrolled in
Optional parent or guardian contact details — name, phone number, and preferred communication language — provided only when entered by the student, teacher, or school. These are stored for a planned parent-communication feature that is not currently active.

We do not collect Aadhaar numbers, PAN, financial information, biometric data, or government-issued identifiers of any kind. We do not collect a student's home address or date of birth.

3.3 Academic content

When teachers and students use SmartPrep, we collect:

Worksheets and questions generated by teachers
Student answers — both typed responses and uploaded photographs of handwritten work
Marks awarded, teacher feedback, and any annotations made on student work
Submission metadata: when an assignment was started, how long it took, when it was submitted
Performance summaries derived from completed work (topic strengths, weak areas, trends)

3.4 Technical information

We collect basic technical information automatically:

Anonymised usage statistics through Vercel Analytics — page views, performance metrics, browser type. This data does not include personal identifiers.
Authentication cookies that keep you signed in, set by NextAuth.js
Server logs of API requests, which include the requesting account and the action taken, retained for diagnostic purposes

We do not use third-party advertising trackers, Google Analytics, Meta Pixel, or similar cross-site tracking technologies.

4. How we use information

We use the data we collect only for the following purposes:

To operate the SmartPrep service — letting teachers generate worksheets, grade submissions, and review analytics
To authenticate users and maintain account security
To provide AI-assisted grading and feedback on student work, as described in Section 5
To generate performance analytics scoped to the requesting teacher, school admin, or student
To communicate with users about their account, important service updates, or pilot programs they have opted into
To improve the service — for example, by understanding which features are used and where the application is slow or broken

We do not sell personal data. We do not share personal data with advertisers. We do not use student work to train or improve AI models, ours or anyone else's.

5. Our use of artificial intelligence

SmartPrep uses Google's Gemini AI models — specifically Gemini 2.0 Flash, Gemini 2.0 Flash Lite, and Gemini 2.5 Flash — to generate worksheet questions, grade subjective answers, transcribe handwritten work, and suggest feedback.

When an AI feature is invoked, the relevant content (a worksheet prompt, a student's answer, or a photograph of handwritten work) is sent to Google's Gemini API for processing. Per Google's published terms for the paid Gemini API, content sent through the paid API is not used to train Google's AI models.

We have chosen Gemini deliberately and do not use other AI providers. We do not send student data to OpenAI, Anthropic, or any other third-party AI service.

All AI-suggested marks and feedback are reviewed and editable by the teacher. The teacher remains the final authority on every grade — the AI cannot publish a mark on its own.

6. Where data is stored

SmartPrep relies on the following infrastructure providers:

MongoDB Atlas — our primary database. MongoDB Atlas is SOC 2, ISO 27001, and HIPAA-aligned. Data is encrypted at rest and in transit by default.
Vercel — our application hosting and serverless function runtime. Vercel holds SOC 2 Type 2 certification. Data in transit is protected by TLS.
Vercel Blob — used to store uploaded files such as photographs of handwritten answer sheets and school logos.
Google Cloud (Gemini API) — used only when AI features are invoked, as described in Section 5.
Email providers (Zoho Mail and Resend) — used to send transactional emails such as account confirmations.

Some of these providers may process data outside India. If your school requires that data remain in India, contact us before signing up — we will document your school's specific data residency requirements and confirm whether we can meet them.

7. Who can see what

SmartPrep is multi-tenant: every school's data is isolated by school identifier. The specific access rules are:

A student can see only their own submissions, marks, feedback, and performance analytics.
A teacher can see submissions, marks, and analytics for the classes they teach — and nothing outside those classes, even within the same school.
A school administrator can see school-wide reports for their own school. They cannot see another school's data.
A small number of SmartPrep founders have engineering access to production systems for debugging and operational purposes. We do not browse student work for any other reason and we will not do so without a documented support request.

8. How long we keep data

We retain account and academic data for as long as the school's account remains active. If a school discontinues using SmartPrep, we will work with the school administrator to either export or delete the school's data within 30 days of the request.

Server logs are retained for 90 days for operational and security purposes, then deleted automatically.

Individual deletion requests — for example, a parent requesting that a student's data be removed — should be sent to samaabhinavr@gmail.com. We will respond within 7 working days and process valid requests within 30 days.

9. Your rights

Depending on the jurisdiction where you live, you may have specific rights regarding your personal data. SmartPrep aims to honour these rights for all users, regardless of location:

The right to access the personal data we hold about you
The right to correct inaccurate personal data
The right to request deletion of your personal data
The right to receive a copy of your personal data in a portable format
The right to object to specific uses of your data
The right to lodge a complaint with the relevant data protection authority

To exercise any of these rights, email us at samaabhinavr@gmail.com. We may need to verify your identity before acting on a request.

10. Children and student data

SmartPrep is built for use inside schools and is used by students who are under 18. We collect student data only at the direction of a school that has signed up to use SmartPrep. The school decides which teachers and students to onboard.

We rely on the school to obtain any necessary consent from parents or guardians as required by Indian law, including under the Digital Personal Data Protection Act, 2023.

We do not knowingly use student data for advertising, profiling for any commercial purpose, or any purpose unrelated to the educational service the school has engaged us to provide.

11. Security

We take reasonable technical and organisational measures to protect personal data, including:

HTTPS / TLS encryption for all traffic between users and SmartPrep
Encrypted storage at rest in MongoDB Atlas and Vercel Blob
Password hashing using bcrypt — we never store plaintext passwords
Role-based access controls inside the application
Restricted access to production systems among the founding team

No system is perfectly secure. If we discover a data breach that affects you, we will notify the affected school administrator and any directly affected users within 72 hours of confirming the incident, as required by the Digital Personal Data Protection Act, 2023.

12. Data Processing Agreements

Schools that need a formal Data Processing Agreement (DPA) before signing up can request one from samaabhinavr@gmail.com. We are happy to sign a school-specific DPA. We are a small company, so DPAs requiring extensive custom legal review may take up to two weeks to turn around.

13. Changes to this policy

As SmartPrep grows, this policy will evolve. When we make material changes — for example, adding a new third-party service or changing how we use information — we will update the “Last updated” date at the top of this page and, for significant changes, notify school administrators by email.

Older versions of this policy are available on request.

14. Contact us

If you have any questions about this policy or our handling of your data:

Email: samaabhinavr@gmail.com
Phone: +91 93987 63261
Address available on request for legal correspondence.

1. Who we are

We are a small founding team. You can reach us at samaabhinavr@gmail.com or +91 93987 63261. This policy explains what information we collect, how we use it, and the choices you have.

2. Scope

This policy applies to everyone who uses smartprepcbse.com and the SmartPrep service. That includes:

School administrators who sign up their school
Teachers who use SmartPrep to create and grade assessments
Students who complete assignments on the platform
Visitors who browse the public website or our blog

3. The data we collect

3.1 Account information

For every user who signs in, we store:

Name and email address
Password (stored only as a one-way cryptographic hash — we cannot read it)
Role on the platform (school admin, teacher, or student)
The school the account is associated with
An optional profile image, if you upload one

3.2 Student information

For each student account, we additionally store:

Roll number (optional)
Classes the student is enrolled in
Optional parent or guardian contact details — name, phone number, and preferred communication language — provided only when entered by the student, teacher, or school. These are stored for a planned parent-communication feature that is not currently active.

We do not collect Aadhaar numbers, PAN, financial information, biometric data, or government-issued identifiers of any kind. We do not collect a student's home address or date of birth.

3.3 Academic content

When teachers and students use SmartPrep, we collect:

Worksheets and questions generated by teachers
Student answers — both typed responses and uploaded photographs of handwritten work
Marks awarded, teacher feedback, and any annotations made on student work
Submission metadata: when an assignment was started, how long it took, when it was submitted
Performance summaries derived from completed work (topic strengths, weak areas, trends)

3.4 Technical information

We collect basic technical information automatically:

Anonymised usage statistics through Vercel Analytics — page views, performance metrics, browser type. This data does not include personal identifiers.
Authentication cookies that keep you signed in, set by NextAuth.js
Server logs of API requests, which include the requesting account and the action taken, retained for diagnostic purposes

We do not use third-party advertising trackers, Google Analytics, Meta Pixel, or similar cross-site tracking technologies.

4. How we use information

We use the data we collect only for the following purposes:

To operate the SmartPrep service — letting teachers generate worksheets, grade submissions, and review analytics
To authenticate users and maintain account security
To provide AI-assisted grading and feedback on student work, as described in Section 5
To generate performance analytics scoped to the requesting teacher, school admin, or student
To communicate with users about their account, important service updates, or pilot programs they have opted into
To improve the service — for example, by understanding which features are used and where the application is slow or broken

We do not sell personal data. We do not share personal data with advertisers. We do not use student work to train or improve AI models, ours or anyone else's.

5. Our use of artificial intelligence

We have chosen Gemini deliberately and do not use other AI providers. We do not send student data to OpenAI, Anthropic, or any other third-party AI service.

All AI-suggested marks and feedback are reviewed and editable by the teacher. The teacher remains the final authority on every grade — the AI cannot publish a mark on its own.

6. Where data is stored

SmartPrep relies on the following infrastructure providers:

MongoDB Atlas — our primary database. MongoDB Atlas is SOC 2, ISO 27001, and HIPAA-aligned. Data is encrypted at rest and in transit by default.
Vercel — our application hosting and serverless function runtime. Vercel holds SOC 2 Type 2 certification. Data in transit is protected by TLS.
Vercel Blob — used to store uploaded files such as photographs of handwritten answer sheets and school logos.
Google Cloud (Gemini API) — used only when AI features are invoked, as described in Section 5.
Email providers (Zoho Mail and Resend) — used to send transactional emails such as account confirmations.

7. Who can see what

SmartPrep is multi-tenant: every school's data is isolated by school identifier. The specific access rules are:

A student can see only their own submissions, marks, feedback, and performance analytics.
A teacher can see submissions, marks, and analytics for the classes they teach — and nothing outside those classes, even within the same school.
A school administrator can see school-wide reports for their own school. They cannot see another school's data.
A small number of SmartPrep founders have engineering access to production systems for debugging and operational purposes. We do not browse student work for any other reason and we will not do so without a documented support request.

8. How long we keep data

Server logs are retained for 90 days for operational and security purposes, then deleted automatically.

9. Your rights

Depending on the jurisdiction where you live, you may have specific rights regarding your personal data. SmartPrep aims to honour these rights for all users, regardless of location:

The right to access the personal data we hold about you
The right to correct inaccurate personal data
The right to request deletion of your personal data
The right to receive a copy of your personal data in a portable format
The right to object to specific uses of your data
The right to lodge a complaint with the relevant data protection authority

To exercise any of these rights, email us at samaabhinavr@gmail.com. We may need to verify your identity before acting on a request.

10. Children and student data

We rely on the school to obtain any necessary consent from parents or guardians as required by Indian law, including under the Digital Personal Data Protection Act, 2023.

We do not knowingly use student data for advertising, profiling for any commercial purpose, or any purpose unrelated to the educational service the school has engaged us to provide.

11. Security

We take reasonable technical and organisational measures to protect personal data, including:

HTTPS / TLS encryption for all traffic between users and SmartPrep
Encrypted storage at rest in MongoDB Atlas and Vercel Blob
Password hashing using bcrypt — we never store plaintext passwords
Role-based access controls inside the application
Restricted access to production systems among the founding team

12. Data Processing Agreements

13. Changes to this policy

Older versions of this policy are available on request.

14. Contact us

If you have any questions about this policy or our handling of your data:

Email: samaabhinavr@gmail.com
Phone: +91 93987 63261
Address available on request for legal correspondence.

1. Who we are

2. Scope

3. The data we collect

3.1 Account information

3.2 Student information

3.3 Academic content

3.4 Technical information

4. How we use information

5. Our use of artificial intelligence

6. Where data is stored

7. Who can see what

8. How long we keep data

9. Your rights

10. Children and student data

11. Security

12. Data Processing Agreements

13. Changes to this policy

14. Contact us

Ready to Save Hours Every Week?

Privacy Policy

1. Who we are

2. Scope

3. The data we collect

3.1 Account information

3.2 Student information

3.3 Academic content

3.4 Technical information

4. How we use information

5. Our use of artificial intelligence

6. Where data is stored

7. Who can see what

8. How long we keep data

9. Your rights

10. Children and student data

11. Security

12. Data Processing Agreements

13. Changes to this policy

14. Contact us

Ready to Save Hours Every Week?