Support & legal

Privacy Policy

Last updated: 8 July 2026

Stucare Innovation and Creation Private Limited ("Stucare", "StuQuiz", "we", "our", or "us") operates the StuQuiz student quiz and rewards platform, available as the StuQuiz mobile application (Google Play package com.stuquiz.stuquiz_mobile and its iOS equivalent) and the stuquiz.comwebsite (collectively, the "Platform"). This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, how long we keep it, and the rights you have over it. It is written to comply with the Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Information Technology Act, 2000 and rules made thereunder.

Please read this Policy together with our Terms & Conditions and Refund & Cancellation Policy. By using the Platform you confirm that you have read and understood this Policy.

1. Who we are and the scope of this Policy

1.1 The Data Fiduciary responsible for your personal data is Stucare Innovation and Creation Private Limited, a company incorporated in India, using the contact details set out at the end of this Policy.

1.2 This Policy applies to all personal data we process when you register for, access, or use the Platform, including through the mobile app, the website, and any related programs, events, quizzes, rewards, payments, or support services. It does not apply to third-party websites, apps, or services that we do not control, even where we link to them.

2. Information we collect

We collect the following categories of personal data. Depending on how you use the Platform, not all of it will apply to you.

(a) Account & identity data

  • Email address and display name;
  • Password, which is stored only in hashed (irreversible) form;
  • Two-factor authentication (2FA) / time-based one-time-password (TOTP) secret, where you enable 2FA;
  • Federated sign-in identifiers - your Google account ID and/or Apple account ID (note that Apple Sign in may provide an Apple private-relay email address instead of your real email);
  • Referral code and referral relationships (who referred you and whom you referred);
  • A legacy internal user ID for accounts migrated from earlier versions of the service.

(b) Contact & location data

  • Phone number;
  • College or university;
  • Location details you provide, such as state, city, and PIN code;
  • Shipping addresses saved in your address book (recipient name, phone, address line 1 and 2, city, state, and PIN code).

(c) Profile data

  • Profile photo or avatar;
  • Date of birth;
  • Other profile details you choose to add.

(d) Financial & payment data

  • Payment transaction records for purchases (including Cashfree order and payment IDs, amounts, and the raw response returned by the payment gateway);
  • Apple in-app purchase (IAP) receipts for purchases made on iOS;
  • Premium subscription details (plan, expiry date, and auto-renewal status);
  • Donation records;
  • Cash wallet (real Indian Rupee) balance and transaction ledger, where the cash-wallet feature is available to you;
  • Bank account and/or UPI details you provide to receive withdrawals or payouts.

We do not store your full card number, CVV, or UPI PIN. Card and UPI payment details are collected and processed directly by our payment processors (see Section 5).

(e) Identity & verification documents

  • Date-of-birth proof / identity documents you upload for age or eligibility verification;
  • Scholarship application data and supporting documents you upload (such as photo ID and marksheets);
  • Photos you upload when claiming a reward.

(f) Usage & behavioral data (including anti-cheat)

  • Quiz attempts, the answers you submit, and the time taken per question;
  • Anti-cheat behavioral logs, such as tab-switch and window-focus events and violation counts recorded during quizzes and live events, used to detect cheating and enforce fair play;
  • Live-event participation, including per-question answers and response times;
  • Gamification state, including StuCoins balance, streaks, spins, and game high scores.

(g) Rewards, fulfilment & communications data

  • Reward claims and their status;
  • Courier and shipment details for physical rewards (such as the tracking / AWB number, courier name, and delivery address);
  • Push-notification device tokens;
  • Your in-app notifications inbox.

(h) Security & account-management data

  • Session and refresh tokens used to keep you signed in;
  • Password-reset one-time passwords (OTPs);
  • Consent and acceptance metadata (for example, which version of these terms you accepted and when);
  • Login, sign-up, and usage timestamps;
  • Moderation flags (for example, whether an account is banned and the reason);
  • Administrative audit snapshots recording changes made to your account by authorized staff.

(i) Device & technical data

  • IP address and user-agent (browser / device and operating-system information);
  • Device type, model, and OS version;
  • Crash and error diagnostics (stack traces and attached technical context).

(j) Cookies & analytics data

  • Mobile and web analytics identifiers and behavioral events (such as screen views, feature usage, purchases, and other custom events);
  • Cookies and similar technologies used on the website (see Section 12).

3. How we use your information

We use the personal data described above to:

  • Create and manage your account and authenticate you (including 2FA and password resets);
  • Provide the core service - quizzes, live events, gamification, StuCoins, and rewards;
  • Process payments, premium subscriptions, donations, cash-wallet transactions, and withdrawals, and maintain the associated financial records;
  • Verify eligibility and identity (including age and scholarship verification);
  • Fulfil and ship physical rewards through our courier partners;
  • Operate the referral program;
  • Send you transactional messages and push notifications (for example, order, reward, and account updates);
  • Detect, investigate, and prevent cheating, fraud, multiple accounts, and other abuse, including through anti-cheat behavioral logs;
  • Provide customer support and respond to your queries;
  • Measure, analyse, and improve the Platform and develop new features;
  • Comply with our legal obligations (including tax, accounting, and payment-compliance requirements) and respond to lawful requests.

4. Legal bases and consent

4.1 Under the DPDP Act, we process your personal data on the basis of your consent, which you give when you create an account, accept these policies, and use specific features (for example, uploading documents or providing withdrawal details). Where you provide the personal data of another person (such as a reward recipient), you confirm that you have their consent to do so.

4.2 We also process certain data for legitimate uses recognised under the DPDP Act and applicable law - for example, to provide a service you have requested, to secure the Platform and prevent fraud, and to comply with legal obligations.

4.3 You may withdraw your consent at any time (see Section 10). Withdrawing consent does not affect processing carried out before withdrawal, and some features may stop working if the data required to provide them is withdrawn.

5. Sharing and disclosure

5.1 We do not sell or rent your personal data. We share it only with the service providers (data processors) and in the situations described below, and only to the extent needed for the stated purpose.

5.2 Service providers and processors. We share relevant data with the following third parties:

  • Cashfree Payments - payment processing on the web and Android (receives customer name, email, phone, a customer identifier, and the transaction amount).
  • Apple (App Store / StoreKit & receipt verification) - Apple is the payment processor for purchases made on iOS and verifies in-app purchase receipts.
  • Google Sign-In and Apple Sign in (OAuth) - federated login, providing us with your account identifier, email, name, and avatar where available.
  • Google Places API - college / institution autocomplete (receives the college text you type).
  • NimbusPost - courier and shipping partner for physical rewards (receives the consignee name, address, and phone number).
  • ZeptoMail (Zoho) - sending transactional email, with open and click tracking (receives recipient email and name).
  • Firebase Cloud Messaging - delivery of push notifications (receives device tokens).
  • Firebase Analytics and Google Analytics 4 - usage and behavioral analytics (receives a user identifier, attributes such as premium status, screen views, and custom events including purchases, plus device information).
  • Cloudflare Web Analytics and Vercel - website hosting and analytics (receives page views, Web Vitals, and request metadata such as IP address, user-agent, and URL).
  • Cloudflare R2 - object storage that holds uploaded files such as avatars, date-of-birth proof documents, scholarship documents, and reward-claim photos.
  • Sentry - crash and error monitoring for the mobile app (receives stack traces, device / OS information, and attached diagnostic context).
  • Amazon Web Services (AWS) - our primary cloud host, including the production database (Amazon RDS for PostgreSQL), cache (Amazon ElastiCache for Redis), and compute. Substantially all of the personal data described in this Policy is stored on AWS.
  • India Post PIN code API - PIN code to state / city lookup (receives the PIN code you enter).

5.3 Legal, safety, and business transfers. We may disclose personal data where we reasonably believe it is required to comply with a law, regulation, court order, or lawful request from a public authority; to enforce our terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Stucare, our users, or the public. If we are involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this Policy.

6. Authorized staff and administrator access

6.1 Authorized StuQuiz staff and administrators may access your account and activity data to the extent necessary to operate, support, secure, moderate, and improve the service - for example, to answer a support request, investigate suspected fraud or cheating, verify a scholarship or reward claim, process a withdrawal, or fix a technical problem.

6.2 Such access is role-restricted (granted only to staff who need it for their role) and logged through administrative audit records. Staff are bound by confidentiality obligations.

7. Children and minors

7.1StuQuiz is a student-focused platform, and we collect date of birth to determine a user's age. Under the DPDP Act, a "child" is anyone under 18 years of age.

7.2 Where a user is a child, we require verifiable consent from a parent or legal guardianbefore processing the child's personal data, and we do not knowingly process a child's data without it.

7.3 In line with the DPDP Act, we do not knowingly carry out processing that is likely to cause a detrimental effect on the well-being of a child, and we limit tracking, behavioral monitoring, and targeted advertising directed at children. Anti-cheat and security logging that applies to all users is used only to keep the Platform fair and safe.

7.4Parents and guardians may contact us using the details in Section 11 to review, correct, or delete their child's data, or to withdraw consent. If we learn that we have collected a child's data without the required consent, we will delete it.

8. Data retention

8.1 We keep your personal data only for as long as needed for the purposes described in this Policy, or for as long as required by law. When you delete your account (see Section 10 and our Delete account page), we delete or anonymise your personal data, generally within 30 days.

8.2 Certain records must be retained even after account deletion, and are anonymised (personal fields removed or replaced) where possible:

  • Payment and transaction records and withdrawal / payout records - retained for the period required by Indian tax and financial law (for example, up to 8 years under the CGST Act, 2017 and payment-compliance rules);
  • Fraud and abuse logs for accounts banned for abuse - retained for a limited period (for example, 2 years) to prevent re-registration and repeat abuse;
  • Aggregated, non-identifying analytics (which cannot be linked back to you) - retained indefinitely.

9. Data security

We implement reasonable technical and organisational safeguards to protect your data, including:

  • Encryption of data in transit using TLS / SSL;
  • Storing passwords only as salted, hashed values;
  • Role-based access controls that limit who can access personal data;
  • Administrative audit logging of privileged actions;
  • Use of reputable cloud infrastructure providers (see Section 13).

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. If a personal-data breach occurs, we will act in accordance with our obligations under the DPDP Act and applicable law.

10. Your rights under the DPDP Act

Subject to applicable law, you have the right to:

  • Access - request a summary of the personal data we process about you and how we process it;
  • Correction - request that we correct inaccurate or incomplete data;
  • Erasure - request deletion of your personal data (subject to the retention rules in Section 8);
  • Withdraw consent - withdraw consent you previously gave;
  • Grievance redressal - raise a complaint about how we handle your data;
  • Nominate - nominate another person to exercise your rights in the event of death or incapacity.

You can exercise these rights by contacting us using the details in Section 11. You can start an account deletion yourself at any time using the in-app flow (Profile → Account settings → Delete account) or by following our Delete account page. We may need to verify your identity before acting on a request.

11. Grievance Officer and contact

If you have any questions, requests, or complaints about this Policy or your personal data, please contact us. In accordance with the DPDP Act and the Information Technology Act, 2000, our Grievance Officer is:

Grievance Officer: Devesh Shukla
Grievance Officer email: legal@stuquiz.com

We will acknowledge and respond to grievances within the timelines required by applicable law. General privacy queries can also be sent to the contact details below.

Stucare Innovation and Creation Pvt. Ltd.
Phone: 08069409050
WhatsApp: 9324920750
Email: support@stucares.com
Instagram: @stucare.innovation

12. Cookies and analytics

12.1 On the website we use cookies and similar technologies to keep you signed in, remember your preferences, and understand how the Platform is used.

12.2 We use the following analytics services: Google Analytics 4 and Firebase Analytics (usage and behavioral analytics on web and mobile), and Cloudflare Web Analytics and Vercel Analytics (privacy-friendly website measurement). These services may process identifiers, device information, and event data as described in Section 5.

12.3 You can disable cookies through your browser settings (though some features may stop working), limit ad and analytics tracking through your device settings, and opt out of analytics-based personalisation where such controls are offered by the relevant provider. Note that Cloudflare Web Analytics does not use client-side state such as cookies for tracking.

13. Where your data is processed

The Platform is hosted on cloud infrastructure operated by Amazon Web Services (AWS), Cloudflare, and Vercel, and certain processing is carried out by the third-party services listed in Section 5. Some of these providers may process or store data on servers located outside India. Where data is transferred or processed outside India, we do so in accordance with the DPDP Act and applicable law, and we require our processors to protect your data.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes in our services, technology, or legal requirements. We will post the updated version on the Platform with a revised "Last updated" date. Where changes are material, we may ask you to review and re-accept the Policy, and your continued use of the Platform after an update takes effect constitutes acceptance of the updated Policy.

15. Effective date

This Privacy Policy is effective from 8 July 2026.