Privacy Policy
Last updated: May 2026
1. Who we are
Syllox ("we", "us", "our") operates the website https://syllox.in and the Syllox study-tracking application (collectively, the "Service"). Syllox is operated from India and is designed primarily for Indian students preparing for competitive exams such as NEET and JEE.
By using the Service you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree, please do not use the Service.
2. Information we collect
Account information: phone number (used as your primary login identifier via OTP), name, username, optional profile picture, and — if you sign up via email — your email address and password hash.
Study activity: subjects you create, chapter completion status, timer sessions (duration, date, optional subject tag), reports and analytics data, and aggregate statistics computed from the above.
AI doubt-solver content (premium): the text and images you submit to Syllox AI, along with the AI's responses, stored to maintain conversation history.
Community content (premium): posts, comments, likes, and direct messages you create within the platform.
Payment information: handled entirely by Razorpay. We store only the Razorpay order ID, status, and your premium expiry date — never your card number, UPI ID, or banking details.
Technical metadata: IP address (used solely for rate-limiting and abuse prevention on OTP and authentication endpoints), browser type, device type, and basic usage analytics (PostHog) used to improve the product.
Cookies: a single httpOnly authentication cookie (JWT) is set after login to keep you signed in. We do not set advertising or tracking cookies of our own.
3. How we use your information
Provide the Service: create your account, save your subjects/chapters/sessions, render dashboards, deliver streak reminders and weekly recap emails.
Authenticate you: send OTP via SMS through Fast2SMS, verify the code server-side, and issue secure session tokens.
Operate premium features: process payments via Razorpay, unlock the AI doubt-solver, community feed, and 1-on-1 messaging.
Send transactional communications: streak reminders, unread message digests, weekly recap emails, password reset links. These are tied directly to product use and are not marketing.
Safety & abuse prevention: rate-limit OTP requests, detect spam, and respond to violations of our Terms.
Aggregate analytics: understand which features help aspirants the most. Individual study data is never shared with third parties.
4. Authentication and account security
We use phone-number + OTP as the primary authentication method. OTPs are 6 digits, valid for 5 minutes, single-use, and stored only as a cryptographic hash on our servers — never in plain text.
Email/password accounts (legacy) use bcrypt password hashing.
Session tokens are issued as JWTs and stored in httpOnly, Secure, SameSite=Lax cookies. We never expose your token to client-side JavaScript.
We rate-limit OTP requests per phone number and per IP address to protect against abuse.
5. Data sharing and third-party services
We share data ONLY with the following processors, strictly to deliver the Service:
• Fast2SMS — delivers your OTP via SMS (phone number only).
• Resend — delivers transactional emails (email address + your name only).
• Razorpay — processes premium subscription payments (your name, email, phone, and order metadata).
• MongoDB Atlas — stores all application data on managed cloud infrastructure.
• Emergent LLM service (powering Syllox AI) — receives the doubt text/image you submit, with only an anonymous session ID, never your name or contact info.
• PostHog — anonymous usage analytics. Individually identifying study data is never sent.
We do NOT sell your personal data. We do NOT share study performance, scores, or any individual analytics with coaching institutes, parents, advertisers, or any third party.
6. Data retention
Account data is retained as long as your account is active. You can request deletion at any time by emailing syllox.in@gmail.com — we will permanently delete your account and all associated study data within 30 days.
OTP records are automatically purged 1 hour after expiry. Password reset tokens expire after 1 hour.
Payment records are retained per Indian tax and accounting law (typically 7 years).
7. Student safety
Syllox is intended for users aged 13 and above. If you are under 18, you must have a parent or guardian's permission to use the Service and make any premium purchases.
We do not require government ID, school ID, or proof of age. We do not collect your address.
The community feed and 1-on-1 messaging are moderated. Harassment, doxxing, spam, or sharing of paid coaching material is prohibited and will result in immediate account suspension. Report any concern to syllox.in@gmail.com.
The AI doubt-solver is an educational aid. It can make mistakes — always cross-verify important answers with NCERT or your teacher.
8. Your rights
You can: (a) view, update, or delete your profile from the Settings page; (b) export your study data on request; (c) request full account deletion; (d) opt out of weekly recap and unread-message emails.
To exercise any of these rights, email syllox.in@gmail.com from the email address registered with your account.
9. Security
All data is transmitted over HTTPS (TLS 1.2+). Passwords are hashed with bcrypt. OTPs are HMAC-hashed. Database credentials and API keys live in restricted environment variables, never in our codebase.
Despite our best efforts, no system is 100% secure. If you become aware of a vulnerability or suspect your account has been compromised, please email us immediately.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via in-app notification or email at least 7 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version.
11. Contact
Questions, deletion requests, or concerns? Email us at syllox.in@gmail.com. We respond within 24 hours.