Privacy Policy

Privacy Policy

_Effective date: 2026-06-28_

This Privacy Policy describes how ArchitectCoach AI ("we") collects, uses,

and protects personal data. We are the Data Fiduciary under India's

Digital Personal Data Protection Act (DPDP) and the business under

California's CCPA/CPRA.

Data Fiduciary / Privacy contact: Rahul (rahulbsw) — privacy@architectcoach.example.

1. What we collect

CategoryExamplesPurpose
Identifiersemail, name (optional), Google account idSign-in, account identity
Consent recordsToS acceptance time + version, birth year, parental-permission flagDPDP/COPPA compliance
Service contentresumes you upload, practice session transcripts, AI feedback, progress (XP, streaks, achievements)Deliver the Service to you
Provider credentialsyour LLM provider API key (encrypted at rest with AES-256-GCM)BYOK feature
Diagnosticserver logs, request IP, error tracesReliability + abuse detection

We do not sell or share your personal data.

2. Legal basis

  • DPDP (India): consent at signup (ToS checkbox) for service delivery

and ongoing communication; legitimate use for security and fraud prevention.

  • CCPA/CPRA (California): business purpose — providing the Service you

signed up for, plus security and legal compliance.

3. How long we keep it

  • Account-scoped data is retained while your account exists.
  • If you delete your account, data is locked immediately and permanently

deleted 30 days later (grace window).

  • Server logs are retained 7 days (Vercel default).
  • Audit log entries: 90 days.

4. Who we share with (subprocessors)

The full list lives at Subprocessors. They process

data only on our instructions and only to deliver the Service.

5. Your rights

You can exercise these rights from Settings → Account or by emailing

privacy@architectcoach.example. We respond within 30 days (DPDP

requirement) or 45 days (CCPA requirement), whichever is sooner for you.

  • Access / Portability: request a copy of your data (delivered as a

one-time signed download link, JSON+ZIP, valid 24 hours).

  • Correction: edit your profile and consent state via the app.
  • Deletion: schedule account deletion (30-day grace, then permanent

hard delete with cascading removal of all your records).

  • Withdraw consent: delete your account. We retain only the minimum

records required by law (e.g. invoice records, audit logs of the delete

itself).

  • Object / Restrict: stop processing for non-essential purposes by

closing your account.

Do Not Sell or Share my personal information (California users): We

do not sell or share your personal information. You can confirm this by

emailing privacy@architectcoach.example.

6. Children's data

The Service is available to users 13 and older. Users between 13 and 17

must confirm parental permission at signup. If you believe a user under 13

has registered, email privacy@architectcoach.example and we will delete the

account.

7. Security

  • Sensitive columns (LLM keys, resume text) are encrypted at rest using

AES-256-GCM.

  • All traffic is encrypted in transit (TLS).
  • Sessions are revocable; deleted/locked accounts cannot sign in.

8. Breach notification

If we suffer a personal-data breach that affects you, we will notify you

without undue delay, and notify the Data Protection Board of India

within 72 hours, in accordance with DPDP requirements.

9. Changes

Material changes to this Policy require you to re-accept at next sign-in.

10. Contact

privacy@architectcoach.example