Privacy Policy

Effective Date: March 1, 2025 · Last Updated: May 18, 2026

Rattanote ("we," "us," or "our") operates rattanote.com and related services (collectively, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the Service, and sets out your rights as a Data Principal under applicable Indian law.

This Policy is issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Digital Personal Data Protection Rules, 2025 ("DPDP Rules", notified on 14 November 2025), the Information Technology Act, 2000 ("IT Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the CERT-In Directions of 28 April 2022 on the reporting of cyber security incidents.

The DPDP Rules are being implemented in phases. Provisions relating to the Data Protection Board of India took effect on 13 November 2025; provisions relating to consent managers take effect on 13 November 2026; and the substantive compliance obligations on Data Fiduciaries take effect on 13 May 2027. We have, however, chosen to apply DPDP-aligned safeguards on a best-practice basis from the date of this Policy.

By using the Service, you provide free, specific, informed, unconditional and unambiguous consent to the practices described in this Policy, as contemplated by Section 6 of the DPDP Act. You may withdraw consent at any time using the mechanisms in Section 5 below.

1. Information We Collect

1.1 Information You Provide

When you register or use the Service, we may collect:

  • Full name
  • Email address
  • Mobile number with country code (if provided, primarily +91 for Indian users)
  • Billing address details required by Dodo Payments to issue a valid GST invoice (typically state, city, PIN code; GSTIN if you opt for a business invoice)
  • Account display name or nickname
  • Payment information — collected and held by Dodo Payments, Inc. (our Merchant of Record); we do not see or store full card numbers, CVVs, or UPI PINs.

1.2 Information from Third-Party Sign-In Providers

When you sign in using Google or Facebook, we receive a limited set of profile data from that provider: a unique account identifier, your email address, and (where available) your display name. We do not receive or store your password from these providers. You may revoke our access through the provider's own settings at any time.

1.3 Information Collected Automatically

We may automatically collect:

  • Device information (browser type, operating system, device type)
  • Log data (IP address, access times, pages viewed, referring URL)
  • Usage data (features used, content accessed, purchase and download history)
  • Cookies and similar tracking technologies (see our Cookie Policy)

1.4 Sensitive Personal Data or Information (SPDI)

Under the SPDI Rules, 2011, we do not intentionally collect sensitive personal data such as financial account details, biometric or health information, sexual orientation, or medical records. Passwords for accounts you create directly on the Service are stored only in salted, one-way hashed form. Financial account details are handled exclusively by Dodo Payments under PCI-DSS Level 1 compliance and never reach our servers. If any SPDI is collected incidentally (for example, in a free-text support message), it is processed with heightened protection, restricted to the minimum personnel necessary, and not shared with third parties except as strictly required by law.

2. How We Use Your Information

We process your personal data for the following purposes and on the following legal bases:

  • Service delivery (contractual necessity): To provide, maintain, and improve the Service, including processing purchases and delivering digital materials.
  • Account management (contractual necessity): To create and manage your account, verify identity, and maintain security.
  • Transaction processing & tax invoicing (legal obligation): To facilitate payments, issue GST-compliant invoices through Dodo Payments, and meet record-keeping requirements under the GST Act, 2017.
  • Customer support (legitimate interest / consent): To respond to queries, complaints, and grievances.
  • Marketing communications (consent only): To send service updates, promotions, and relevant offers. We rely on opt-in consent for any marketing message and you may withdraw consent at any time via the unsubscribe link or by writing to us.
  • Personalisation (consent / legitimate interest): To tailor content recommendations to your study interests. We do not engage in profiling, behavioural advertising, or targeted advertising directed at children.
  • Security and fraud prevention (legitimate interest / legal obligation): To detect, prevent, and investigate fraud, abuse, and technical issues, and to meet our obligations under the IT Act, 2000 and CERT-In Directions.
  • Legal compliance (legal obligation): To meet obligations under applicable Indian law, including tax, consumer protection, and record-keeping requirements.

3. How We Share Your Information

We do not sell your personal data. We share your information only in the following circumstances:

  • Merchant of Record / Payment Processor: Dodo Payments, Inc. receives the personal and payment data necessary to complete your transaction, issue a GST invoice, manage refunds and chargebacks, and meet its own legal and financial-regulatory obligations. Dodo Payments acts as a Data Controller in respect of payment data. Its handling of that data is governed by its own Privacy Policy.
  • Hosting and Infrastructure: Supabase Inc. provides our database and file storage infrastructure as a Data Processor under contractual safeguards equivalent to those required by the DPDP Act.
  • Email delivery and notifications: Transactional email is sent through reputable email service providers acting as Data Processors strictly under our instructions.
  • Analytics: Where analytics are loaded, this is done only on the basis of your opt-in cookie consent. Shared data is anonymised or pseudonymised wherever possible. See our Cookie Policy.
  • Legal Requirements: We may disclose your information if required by a competent Indian authority under the IT Act, 2000, the DPDP Act, 2023, the Code of Criminal Procedure, or any other applicable Indian law, or by a court of competent jurisdiction. We will, where lawful, notify you before disclosing.
  • Business Transfers: In connection with a merger, acquisition, restructuring, or asset sale, your information may be transferred to the successor entity. We will notify you in advance and your data will remain subject to a privacy policy at least as protective as this one.

4. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law:

  • Active account data: Retained for the duration of your account.
  • Transaction and tax records: Up to 8 years from the relevant financial year, as required by the GST Act, 2017 and the Companies Act, 2013.
  • Payment-related data held by Dodo Payments: Retained by Dodo Payments per its own retention policy and applicable financial regulation.
  • Access logs: Up to 180 days for routine logs, with security event logs retained up to 1 year, consistent with the CERT-In Directions of 28 April 2022.
  • Inactive accounts: Accounts inactive for more than 12 months may have personal data moved to archival storage. Deletion requests are accepted at any time.

Upon a verified deletion request, personal data is removed from active systems within 30 days, subject to the mandatory legal retention periods above. To request deletion, visit My Page → Deactivate Account or write to contact@solvaaa.com.

5. Your Rights Under the DPDP Act, 2023 and DPDP Rules, 2025

5.1 Rights of Data Principals

As a Data Principal under the DPDP Act, 2023, you have the following rights:

  • Right to Access (Section 11): Obtain a summary of the personal data we process and our processing activities.
  • Right to Correction and Erasure (Section 12): Request correction of inaccurate or incomplete data, and erasure of data no longer necessary for its original purpose.
  • Right to Withdraw Consent (Section 6(4)): Withdraw consent at any time with the same ease with which it was given. Withdrawal does not affect the lawfulness of prior processing. Withdrawal may, however, make some features of the Service unavailable to you.
  • Right to Grievance Redressal (Section 13): Lodge a complaint with our Grievance Officer (Section 11 of this Policy) and receive a response within the time prescribed under the DPDP Rules.
  • Right to Nominate (Section 14): Nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.

5.2 How to Exercise Your Rights

Submit requests to contact@solvaaa.com. We will verify your identity before acting on the request and respond within 30 days of receipt (or the period prescribed under the DPDP Rules, if shorter). Once consent-manager rules under the DPDP Rules, 2025 come into operational effect, you will also be able to route consent and rights requests through a registered Consent Manager.

5.3 Escalation to the Data Protection Board

The Data Protection Board of India is operational from 13 November 2025 under the DPDP Rules, 2025. If you are not satisfied with our response to a complaint, you may escalate it digitally to the Data Protection Board of India. Complaints can be filed online through the Board's portal once published, and tracked digitally. For residents of the EEA or the United Kingdom, you may also contact your local data protection supervisory authority.

5.4 Additional Rights for EEA/UK Residents (GDPR)

If you are in the European Economic Area or the United Kingdom, you additionally have:

  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object to processing for direct marketing or legitimate interests
  • Right Not to Be Subject to Solely Automated Decision-Making producing legal or similarly significant effects

Our GDPR lawful bases include: performance of a contract (product delivery), consent (marketing, non-essential cookies), legitimate interests (fraud prevention, service improvement), and legal obligation.

6. Cookies and Tracking Technologies

We use cookies and similar technologies to maintain your session, analyse usage, and personalise content. Strictly necessary cookies are loaded by default; all other categories require your explicit opt-in. For full details, including how to manage and withdraw cookie consent, see our Cookie Policy.

7. Data Security

We implement reasonable security practices and procedures as required by Section 43A of the IT Act, 2000 and Rule 8 of the SPDI Rules, 2011, aligned with the ISO/IEC 27001 international standard. Our controls include:

  • Encryption of personal data in transit using TLS 1.2 or higher;
  • Encryption at rest for our database, with one-way salted hashing of account passwords;
  • Role-based access controls enforcing the principle of least privilege;
  • Centralised audit logging of administrative and payment-related events;
  • Network and application-layer protections against common web vulnerabilities;
  • Periodic review of access rights and security configurations.

We do not store payment-card numbers, CVVs, or UPI PINs — all payment data is processed exclusively by Dodo Payments under PCI-DSS Level 1 compliance.

8. Personal Data Breach Notification

In the event of a personal data breach affecting your rights:

  • We will notify CERT-In of qualifying cyber security incidents within 6 hours of becoming aware, in accordance with the CERT-In Directions of 28 April 2022 and the IT (CERT-In) Rules, 2013.
  • We will notify the Data Protection Board of India and affected Data Principals without undue delay, in the manner and form prescribed under the DPDP Act and DPDP Rules, once those notification provisions come into operational effect (currently scheduled for 13 May 2027).
  • Where the breach poses a real risk to your rights, we will notify you directly with a clear description of the incident, the data involved, the mitigation steps we have taken, and the steps you can take to protect yourself.

9. Cross-Border Data Transfers

Your information may be stored and processed on servers outside India, principally in the United States, where Supabase Inc. and Dodo Payments, Inc. operate their infrastructure. Section 16 of the DPDP Act permits transfers of personal data outside India except to countries notified by the Central Government as restricted. As of the “Last Updated” date above, no such restricted list has been published; transfers to the United States therefore remain permitted. We protect your data during transfer through:

  • Encrypted transport (TLS 1.2 or higher);
  • Contractual data-protection clauses with our overseas service providers, equivalent in substance to the protections required by the DPDP Act;
  • For transfers involving EEA / UK personal data, the use of the European Commission's Standard Contractual Clauses or equivalent UK IDTA, as appropriate.

By using the Service, you acknowledge and consent to these cross-border transfers.

10. Children's Privacy

Under Section 2(f) of the DPDP Act, 2023, a “child” is an individual who has not completed 18 years of age. The Service is designed for adult learners preparing for professional examinations and is not directed to children. We do not knowingly process personal data of a child without verifiable parental or lawful guardian consent.

We do not undertake tracking, behavioural monitoring, profiling, or targeted advertising directed at children, in line with Section 9(3) of the DPDP Act and Rule 10 of the DPDP Rules, 2025. Where verifiable parental consent is required, we will rely on the verification methods recognised under Rule 10 of the DPDP Rules, including identity verification through DigiLocker or other entities authorised under law. If you believe we have inadvertently collected personal data of a child without proper consent, please write to contact@solvaaa.com and we will erase it promptly.

11. Third-Party Services

We integrate with the following third-party services that may process your data:

  • Dodo Payments, Inc. (Merchant of Record) — handles payment processing, GST and other tax collection, invoicing, currency conversion, chargebacks, and refund administration. Payment data is governed by Dodo Payments' Privacy Policy and Terms of Use.
  • Supabase Inc. — provides database and file storage infrastructure (Data Processor).
  • Authentication providers — Google or Facebook, if you choose to sign in using a third-party identity provider.

We are not responsible for the privacy practices of these third parties. We encourage you to review their respective privacy policies.

12. Grievance Officer and Data Protection Contact

In accordance with the IT Act, 2000, the SPDI Rules, 2011, the DPDP Act, 2023, and the Consumer Protection (E-Commerce) Rules, 2020, we have designated a Grievance Officer to handle complaints relating to personal data and consumer rights:

We will acknowledge all complaints within 48 hours of receipt and aim to resolve them within 30 days, in line with the DPDP Act, 2023 and the Consumer Protection (E-Commerce) Rules, 2020. If our response does not resolve your concern, you may escalate the matter to the Data Protection Board of India or the National Consumer Helpline (1800-11-4000).

If our processing operations later cross thresholds that classify us as a Significant Data Fiduciary under Section 10 of the DPDP Act, we will appoint a Data Protection Officer based in India and update this Policy with their contact details.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by posting the updated policy on our website and updating the "Last Updated" date above. Where the change materially reduces your rights or expands the categories of data we process, we will provide additional notice and, where required, obtain fresh consent.

14. Contact Us

For privacy-related queries, to exercise your rights, or to withdraw consent, please write to: