1. Who we are
Practicks (operated by Agattiya, India) provides a self-assessment and practice platform. We act as the "data fiduciary" (controller) for personal data of self-service users, and as a "data processor" for institutional users acting on behalf of the subscribing institution.
2. Information we collect
2.1 Account information
- Name, email address, phone number (optional), password hash, profile photo (optional).
- Role (student / candidate / faculty / parent-guardian / admin), customer / institution affiliation, campus, class, subjects enrolled.
- Locale, timezone, accessibility preferences.
2.2 Practice and assessment data
- Attempts, answers, time spent per question, scores, confidence signals.
- Wrong-answer notebook entries, spaced-repetition state.
- Doubts, comments, faculty notes you upload or post.
2.3 Proctoring data (only on opted-in attempts)
- Periodic webcam photos (every 30 seconds) and browser telemetry (tab switches, full-screen state).
- Optional continuous-inference face signals computed in-browser, batched as anonymous observations.
- Consent is recorded explicitly before any capture begins. Candidates see exactly what is captured.
2.4 Technical data
- IP address, device type, browser type, app version.
- Audit logs of security-relevant events (sign-in, password change, role change, etc.).
- Aggregated, anonymised usage analytics.
3. Why we collect it (purposes)
- Operating the service: authentication, attempt grading, reporting, scheduling, notifications.
- Integrity: surfacing suspected plagiarism, supporting proctoring decisions on opted-in attempts.
- Personalised feedback: mistake notebooks, adaptive next-best-question, reactive recap flashcards — all derived from your own attempts.
- Service health: error reporting, performance monitoring, security investigations.
- Communication: account-related emails (sign-in, password reset, account changes) and opt-in notifications (assessment reminders, doubt replies, etc.).
- Legal and compliance: responding to lawful requests, defending claims, enforcing these policies.
4. Where data is stored
Personal data is stored on Amazon Web Services (AWS) in the ap-south-1 (Mumbai) region. Backups remain within the same region. We do not transfer personal data outside India for ordinary service operation. If a future feature requires cross-border processing (e.g. integration with a specific third-party vendor), this policy will be updated and affected users notified.
5. Who can see your data
- You, through the in-app surfaces (your performance, your notebook, your account settings).
- Your institution's authorised staff— your faculty, campus admins, and organisation admins — for the purpose of operating your education or hiring process. Each role's view is scoped by design (faculty see their assigned classes; campus admins see their campus; org admins see their organisation).
- Parents / guardians linked to a minor student account, on a read-only basis, for the activities the institution permits.
- Reviewers for manually-graded attempts (video, short-answer, coding) — only for the specific attempts assigned to them.
- Practicks personnel with a need-to-know for service operation, support, or security. Internal access is audited.
We do not sell personal data. We do not share personal data with advertisers or data brokers.
6. Third-party services
Practicks integrates a small set of third-party services to operate the platform:
- Amazon Web Services (AWS) — hosting, storage, email (SES), push (SNS Mobile / FCM / APNs), code execution sandbox.
- Firebase Cloud Messaging (FCM) and Apple Push Notification service (APNs) — for mobile push notifications you have opted into.
- face-api.js (runs in-browser) — for in-browser continuous-inference face signals on opted-in proctored attempts. Models are downloaded to your browser; the inference does not leave your device for the telemetry stream.
We do not currently integrate advertising trackers or third-party analytics SDKs that profile users across sites.
7. Cookies and local storage
We use cookies and local storage strictly to operate the service — keeping you signed in, remembering your locale / theme preferences, preserving in-progress attempts so a page reload doesn't lose your work. We do not use cookies for advertising.
8. Children's data
Practicks supports student accounts in school-edition deployments. Where a student is below the age of majority in their jurisdiction (18 in India), we treat their account as a minor's account. Parental / guardian consent is sought through the institution's onboarding flow before the minor begins using the platform; a linked guardian account can view the minor's practice activity on a read-only basis. We do not target advertising at minors and we do not profile minors for any non-service-operation purpose.
9. Your rights
Under the DPDP Act and similar applicable laws, you have the right to:
- Access the personal data we hold about you and request a copy.
- Correct inaccurate or incomplete personal data.
- Request deletion of your account and associated personal data, subject to legitimate retention requirements (see our Data Retention Policy).
- Withdraw consent for optional processing (e.g. notifications).
- Lodge a grievance with our grievance officer (see Section 12).
- Nominate another individual to exercise your rights in the event of incapacity or death.
To exercise these rights, contact us using the details on the Contact page. Institutional users should also notify their institution's administrator since that administrator may hold your record on the institution's behalf.
10. Security
We use industry-standard technical and organisational measures to protect personal data: transport encryption (TLS), at-rest encryption on cloud storage, role-based access control, audit logging, periodic security review. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
11. Data breach notification
In the event of a personal data breach likely to result in significant harm, we will notify the relevant Data Protection Board and affected users in accordance with the DPDP Act timelines.
12. Grievance officer and contact
As required under the IT Act 2000 and the DPDP Act 2023, the grievance officer's contact details are listed on the Contact page. We will acknowledge grievances within the statutory timeline and resolve them within thirty (30) days where possible.
13. Changes to this policy
We may update this policy as the platform evolves. Material changes are reflected in the "Last updated" date at the top and signalled to active users.