Privacy Policy

Last updated: March 2025 | DPDP Act 2023 Compliant

1. Introduction

Hexyra ("we", "our", "us") is committed to protecting your personal data in accordance with India's Digital Personal Data Protection (DPDP) Act 2023. This policy explains what data we collect, why we collect it, and how we protect it.

2. Data We Collect

Account Information

Name, email address, mobile number (optional), educational institution details, and department. Password is stored as a bcrypt hash — we never store plain-text passwords.

Usage Data

Number of ideas generated, features used, and session activity, which we use to improve our service and enforce fair-use limits.

Payment Data

We store only the Razorpay order ID and payment status. We never store card numbers, CVV, or bank details. All payment processing is handled by Razorpay (PCI-DSS Level 1 certified).

3. How We Use Your Data

  • To provide and improve the Hexyra service.
  • To process payments and manage subscriptions.
  • To send transactional emails (account verification, payment receipts).
  • To enforce rate limits and prevent abuse.
  • To send service announcements (you may opt out).

4. Data Sharing

We do not sell your personal data. We share data only with:

  • Razorpay — For payment processing.
  • Google Gemini / OpenAI — Prompts sent to AI are anonymized (no PII included).
  • Sentry — Error tracking with PII scrubbed before transmission.
  • Cloud infrastructure providers — AWS/Render for hosting (data stays in India where possible).

5. Your Rights (DPDP Act 2023)

  • Right to Access: Request a copy of your personal data at any time.
  • Right to Correction: Update inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your account and all associated data.
  • Right to Grievance Redressal: Contact our Data Protection Officer at privacy@hexyra.in.

6. Data Retention

We retain your data for as long as your account is active. Upon account deletion, personal data is permanently erased within 30 days, except where retention is required by law (e.g., financial records for 7 years under Indian tax laws).

7. Cookies

We use only essential cookies for authentication (JWT tokens stored in secure, HttpOnly cookies) and user session management. We do not use advertising or tracking cookies.

8. Security

We implement industry-standard security measures: bcrypt password hashing, JWT authentication, HTTPS/TLS in transit, encrypted database connections, and regular security audits.

9. Children's Privacy

Hexyra is not intended for children under 16. We do not knowingly collect data from minors. If you believe a minor has registered, contact us immediately.

10. Contact & Grievances

Data Protection Officer: privacy@hexyra.in
General support: support@hexyra.in