Privacy Policy
Last updated: June 2026
1. Who we are
Syllox ("we", "us", "our") operates https://syllox.in and the Syllox study-tracking application (the "Service"). Syllox is built and operated from India for students preparing for competitive exams such as NEET, JEE, and UPSC.
By using the Service you agree to the collection and use of information described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Information we collect
Account information: Google account email (the only authentication method), your display name, username, optional profile picture, optional bio, and optional exam track preference (e.g. NEET, JEE, UPSC).
Syllabus & study activity: subjects and chapters you create, chapter completion status, daily study targets, and stopwatch sessions (duration, date, and the optional subject tag).
Streaks: a daily-consecutive-days counter derived purely from your study session activity; visible on your dashboard and public profile.
Mock test analytics & score prediction: mock test entries you log (test name, exam type, date, subject-wise scores, and total marks), and predicted scores computed from your performance trends. This data is private to you and is never shared with other users.
Reports: automatically computed summaries of your study time, chapters completed, mock test progression, and streak progress. Generated server-side from your own activity data.
AI doubt-solver content (Syllox AI): the text and any image you submit to Syllox AI, along with the AI's responses, stored only to maintain your conversation history. Trial and paid premium users receive identical AI access.
Achievements & badges: a permanent record of the badges you have unlocked across four categories (study hours, streak length, chapters completed, mock tests logged). 24 badges in total. We store the badge ID and the timestamp at which you earned it.
Leaderboards: your aggregated rank against other Syllox users on Weekly (Sunday → today, IST), Monthly (1st → today, IST), and All-Time windows. Ranking uses your total study time, current streak, and achievement count — all of which are already collected as part of your study activity above. You can opt out of being listed publicly from Settings; you will still see your own My Rank card.
Community feed (premium): public text posts, comments, and likes you create within the platform.
Friends system: friend requests sent or received, accepted friendships, and your visible friend count.
Private messaging (premium): 1-on-1 messages between you and an accepted friend. Stored to maintain chat history; visible only to you and the other participant.
Public profile: when other users view your profile (via @username), they see your name, username, avatar, bio, exam track, streak days, total study time, achievement count, friend count, and current leaderboard rank. They do not see your email or mock test data.
Premium & trial state: whether you are in the 30-day welcome trial, whether you received a Founder's Reward extension, whether you have a paid premium subscription, and the expiry date of either.
Payment information: handled entirely by Razorpay. We store only the Razorpay order ID, payment status, plan kind (monthly/yearly), and your premium expiry date — never your card number, UPI ID, or banking credentials.
Technical metadata: IP address (used solely for auth rate-limiting and abuse prevention), browser type, device type, and basic page/event analytics (see Section 5).
Authentication tokens: a JWT issued at login, stored in an HttpOnly Secure cookie AND mirrored in your browser's localStorage so the Service works correctly on iOS Safari and Android Chrome where third-party cookies are blocked.
3. How we use your information
Provide the core Service: create your account, save subjects/chapters/sessions/targets/mock tests, render dashboards, compute analytics, generate reports, surface achievement badges, rank you on weekly/monthly/all-time leaderboards, and deliver streak reminders and weekly recap emails.
Authenticate you: verify Google ID tokens, issue session JWTs, and protect against brute-force or replay attacks.
Run premium features for you: Syllox AI doubt-solver, community feed posting, 1-on-1 messaging, mock test analytics, score prediction, achievement progress tracking, full leaderboard visibility, daily targets, and custom themes.
Operate the 30-day welcome trial: automatically grant trial access to new accounts and downgrade trial access when the window expires.
Send transactional communications: streak reminders, unread message digests, weekly recap emails, and payment receipts. These are tied directly to product use and are not marketing.
Safety & abuse prevention: rate-limit auth attempts per IP, detect spam, log authentication failures for forensic review (anonymised), enforce community guidelines, and respond to violations.
Aggregate product analytics: understand which features help aspirants the most. Individually-identifying study data is never sold or shared with third parties.
4. Authentication and account security
Google Sign-In is our sole authentication method. We exchange Google's authorization code server-side, verify the ID token, and create or merge your account by email. We never receive or store your Google password. (Phone-number + OTP authentication was retired in Feb 2026 and is no longer available to new users.)
Session JWTs are issued on login and stored both in an HttpOnly Secure cookie (SameSite=None) AND in your browser's localStorage. The localStorage copy exists because some mobile browsers (iOS Safari, Android Chrome) block cross-site cookies, and without the Bearer-token fallback the Service would silently log you out. Both paths use the same signed JWT — your token never reaches third-party code.
Deleting your account immediately invalidates every active JWT for that account, on every device, with no waiting period.
5. Data sharing and third-party services
We share data only with the following processors, strictly to deliver the Service:
• Google OAuth — verifies your Google account on every login (Google receives the standard OAuth scopes: profile + email).
• Razorpay — processes premium subscription payments (your name, email, plan kind, and order amount).
• Resend — delivers transactional emails such as streak reminders and weekly recaps (your email address and name only).
• MongoDB Atlas — stores all application data on managed cloud infrastructure located in India.
• Emergent LLM service (powering Syllox AI) — receives the doubt text and any image you submit, with only an anonymous session identifier. Your name or email are never sent.
• Google Analytics (GA4) — receives anonymous page-view and event metrics (e.g. "subject_added", "premium_purchased", "badge_unlocked") to help us understand product usage. Individual study content, mock test scores, AI prompts, messages, and achievement history are NEVER sent to GA4.
We do NOT sell your personal data. We do NOT share your study performance, mock test scores, predicted scores, AI conversations, messages, or achievement details with coaching institutes, parents, advertisers, or any other third party.
6. AI doubt-solver, mock test analytics & score prediction
Syllox AI: When you submit a doubt, the text (and any image) is sent to our LLM provider via a server-side proxy. We don't include your real name, email, or phone in the request — only an anonymous session ID. Your conversation history is stored to your account so you can revisit it later.
Syllox AI is an educational aid. It can make mistakes, hallucinate facts, or give outdated answers. Always cross-verify important information with NCERT or your teacher.
Mock test analytics: When you log a mock test, we compute subject-wise performance, percentile-style insights, and trend lines. Calculations run on our servers and are visible only to you.
Score prediction: Predicted scores are derived from your own performance trend. They are estimates, not guarantees of any future exam outcome.
7. Friends, messaging & community feed
Friend requests: When you send or receive a friend request, both parties see the other's username, display name, avatar, and tier badge (Free, Trial, or Premium). Either party may cancel, decline, or unfriend at any time from Settings.
Private messaging: Once two users are friends, they can exchange direct messages. Messages are stored on our servers so chat history syncs across devices. Read receipts are computed server-side. Messages are visible only to the two participants and to Syllox staff in the event of a documented abuse investigation.
Community feed: Posts and comments are text-only and visible to all premium users (trial users included). Likes are counted publicly. Do not share personal contact details, paid coaching material, or private mock test answer keys.
Moderation: We may remove content that violates our Terms or community guidelines and may suspend accounts for repeated violations. Report concerns to syllox.in@gmail.com.
8. Premium trial, subscription & purchase data
30-day welcome trial: Every new account automatically receives 30 days of full premium access. The trial begins on signup and expires automatically — no card or payment is required. Once it expires, you continue using the free tier with the option to upgrade.
Founder's Reward: Accounts created before the campaign cutoff received an additional +20 days of premium access, applied automatically on top of the welcome trial. This was a one-time grant and is reflected in your premium expiry date.
Premium subscription: Paid monthly (₹49) or yearly (₹299) via Razorpay in Indian Rupees. Your subscription begins immediately on successful payment. We store the Razorpay order ID, payment status, plan kind, and expiry date — never your card or UPI details.
Premium does not auto-renew. When your paid period ends, your account reverts to the free tier with no further charges.
Premium feature scope may evolve. We may add, remove, or rebundle paid features and will announce material changes at least 14 days in advance.
9. Data retention and account deletion
Account data is retained as long as your account is active. You can permanently delete your account at any time from Settings → Danger Zone. Deletion is immediate, irreversible, and removes ALL of the following: your user profile; subjects, chapters, study sessions, targets, and mock tests; achievements and badge history; community posts and comments; friend requests, friendships, and messages (in both directions); AI conversations and usage counters; profile picture; trial and premium state.
Once deleted, your account cannot log in again and your username/handle does not appear in search results, the community feed, friends lists, leaderboards, or anywhere else.
A small audit record (your former user ID, masked email, plan history, and deletion timestamp) is retained for compliance review for a limited period. No personal content is preserved.
Payment records are retained as required by Indian tax and accounting law (typically 7 years).
Authentication failure logs (no token contents, only metadata) are auto-trimmed to the most recent 1,000 events for security debugging.
10. Your rights
You can: (a) view and update your profile from the Settings page, (b) export a copy of your study data on request, (c) permanently delete your account from Settings → Danger Zone, (d) opt out of streak-reminder, recap, and unread-message emails from Settings, (e) request that we restrict or correct any personal data we hold.
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), Indian users have additional rights including the right to grievance redressal. Email syllox.in@gmail.com from your registered address and we will respond within 24 hours.
11. Security
All data is transmitted over HTTPS (TLS 1.2+). OTPs are HMAC-hashed before storage. Session JWTs are signed with HS256 and validated on every request. Database credentials, third-party API keys, and JWT secrets live in restricted environment variables, never in our codebase.
Despite our best efforts, no system is 100% secure. If you become aware of a vulnerability or suspect that your account has been compromised, please email syllox.in@gmail.com immediately.
12. Children and student safety
Syllox is intended for users aged 13 and above. If you are under 18, you must have a parent's or guardian's permission to use the Service and to make any premium purchases.
We do not require a government ID, a school ID, or proof of age. We do not collect your address.
The community feed and 1-on-1 messaging are user-generated and lightly moderated. Harassment, doxxing, spam, sexual content, and sharing of paid coaching material are prohibited and will result in account suspension.
13. Changes to this policy
We may update this Privacy Policy from time to time as the Service evolves. Material changes will be announced via in-app notification or email at least 7 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version.
14. Contact
Questions, deletion requests, data-export requests, or grievances? Email syllox.in@gmail.com. We respond within 24 hours.
