Privacy Policy
_Effective date: 2026-06-28_
This Privacy Policy describes how ArchitectCoach AI ("we") collects, uses,
and protects personal data. We are the Data Fiduciary under India's
Digital Personal Data Protection Act (DPDP) and the business under
California's CCPA/CPRA.
Data Fiduciary / Privacy contact: Rahul (rahulbsw) — privacy@architectcoach.example.
1. What we collect
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | email, name (optional), Google account id | Sign-in, account identity |
| Consent records | ToS acceptance time + version, birth year, parental-permission flag | DPDP/COPPA compliance |
| Service content | resumes you upload, practice session transcripts, AI feedback, progress (XP, streaks, achievements) | Deliver the Service to you |
| Provider credentials | your LLM provider API key (encrypted at rest with AES-256-GCM) | BYOK feature |
| Diagnostic | server logs, request IP, error traces | Reliability + abuse detection |
We do not sell or share your personal data.
2. Legal basis
- DPDP (India): consent at signup (ToS checkbox) for service delivery
and ongoing communication; legitimate use for security and fraud prevention.
- CCPA/CPRA (California): business purpose — providing the Service you
signed up for, plus security and legal compliance.
3. How long we keep it
- Account-scoped data is retained while your account exists.
- If you delete your account, data is locked immediately and permanently
deleted 30 days later (grace window).
- Server logs are retained 7 days (Vercel default).
- Audit log entries: 90 days.
4. Who we share with (subprocessors)
The full list lives at Subprocessors. They process
data only on our instructions and only to deliver the Service.
5. Your rights
You can exercise these rights from Settings → Account or by emailing
privacy@architectcoach.example. We respond within 30 days (DPDP
requirement) or 45 days (CCPA requirement), whichever is sooner for you.
- Access / Portability: request a copy of your data (delivered as a
one-time signed download link, JSON+ZIP, valid 24 hours).
- Correction: edit your profile and consent state via the app.
- Deletion: schedule account deletion (30-day grace, then permanent
hard delete with cascading removal of all your records).
- Withdraw consent: delete your account. We retain only the minimum
records required by law (e.g. invoice records, audit logs of the delete
itself).
- Object / Restrict: stop processing for non-essential purposes by
closing your account.
Do Not Sell or Share my personal information (California users): We
do not sell or share your personal information. You can confirm this by
emailing privacy@architectcoach.example.
6. Children's data
The Service is available to users 13 and older. Users between 13 and 17
must confirm parental permission at signup. If you believe a user under 13
has registered, email privacy@architectcoach.example and we will delete the
account.
7. Security
- Sensitive columns (LLM keys, resume text) are encrypted at rest using
AES-256-GCM.
- All traffic is encrypted in transit (TLS).
- Sessions are revocable; deleted/locked accounts cannot sign in.
8. Breach notification
If we suffer a personal-data breach that affects you, we will notify you
without undue delay, and notify the Data Protection Board of India
within 72 hours, in accordance with DPDP requirements.
9. Changes
Material changes to this Policy require you to re-accept at next sign-in.
10. Contact
privacy@architectcoach.example