    Legal · Privacy Policy

    What we collect, why, and your rights.

    Last updated: May 8, 2026

    Summary (the short version)

    ProjectAI is a project-based programming learning platform. We collect what we need to log you in, save your progress, charge you if you subscribe, and send you the occasional product update. We don't sell your data. You can delete your account at any time. Inactive accounts (no completed task in 6 months) are removed automatically with 14 days of email notice — but never if you've ever paid us.

    The full policy is below. Reach us any time at [email protected] if anything is unclear.

    1. Who we are

    ProjectAI ("we", "us") is operated by Arpan Abhishek as an individual, based in India. The website is projectai.in. For the purposes of data protection law, Arpan Abhishek is the data fiduciary (controller). Email: [email protected].

    2. What we collect

    When you create an account

    • Email address, name, and profile image — from Google or GitHub OAuth. We don't support email/password sign-up; the only way to create an account is via Google or GitHub.

    When you use the platform

    • Projects you start, tasks you complete, and timestamps — used to track and resume your progress.
    • AI chat history — questions you ask and the responses, so we can send relevant context back to your AI provider on follow-ups.
    • Comments, feedback, and showcase submissions — anything you voluntarily share with the community.

    When you make payments

    • Subscription status, plan, billing cycle dates, and Razorpay payment IDs. We do not store card details — Razorpay handles those directly.

    Collected automatically

    • Your country (detected from Cloudflare's edge — used for currency and pricing). We store the country code, not the IP.
    • Anonymous usage analytics via Google Analytics.
    • Session cookies for authentication (essential).

    What we do NOT collect

    • Your AI provider API keys. When you connect Groq, OpenAI, Gemini, or Claude, your key is stored only in your browser (IndexedDB and localStorage). It never reaches our servers. Your AI conversations go directly between your browser and the provider — we route the request, but the provider sees your key, not us.

    3. How we use it

    • Authenticate your account and keep you signed in.
    • Save your progress so you can pick up where you left off across devices.
    • Generate context-aware AI responses — past task questions are summarized and sent to your chosen AI provider so follow-up answers make sense.
    • Process subscription payments and issue receipts.
    • Send transactional emails (welcome, payment confirmations, subscription renewal / cancellation notices) via Resend.
    • Send occasional product updates and learning content. You can unsubscribe from these any time using the link in any email.
    • Improve the product through aggregate, anonymized analytics.
    • Notify you 14 days before inactive-account cleanup so you have a chance to keep your account.

    4. Who we share data with

    We share data only with the third-party processors we need to run the service. Each is a contractually bound data processor:

    • Supabase — Postgres database hosted in ap-south-1 (India). Stores your account, progress, payments.
    • Razorpay — processes subscription payments. Card details and bank info are exchanged directly between you and Razorpay; we receive only the transaction reference.
    • Resend — delivers transactional and product emails on our behalf.
    • Google, GitHub — OAuth sign-in (only when you choose those providers).
    • Google Analytics — anonymized usage analytics.
    • Cloudflare — DNS, CDN, and country detection.
    • Your chosen AI provider (Groq, OpenAI, Gemini, Anthropic) — receives your task questions when you use the AI assistant. The connection uses your own API key.

    We never sell your data to advertisers or data brokers.

    5. Data retention

    We keep your data for as long as your account is active. If your account becomes inactive (no completed task in 6 months, or no activity at all 6 months after signup), we may delete it.

    Before any inactive-account deletion: we send a warning email at least 14 days in advance with a "log in to keep your account" link. Logging in once resets the inactivity clock.

    Anyone with a payment history is exempt from inactive-account cleanup. Paid users keep their accounts and data regardless of recent activity.

    When an account is deleted, all associated data — projects, progress, AI chat history, comments, sessions — is permanently removed. Approved community showcase submissions are kept in the public gallery without attribution (rendered as "Anonymous") because they're part of the community record other users rely on.

    6. Your rights

    You can, at any time:

    • Access — your /me page shows most of your data; for a full export, email us and we'll send a JSON dump within 14 days.
    • Correct — update your profile from /me.
    • Delete — email us to delete your account. The deletion is permanent; we don't keep backups beyond 30 days.
    • Object / restrict — email us to limit how we process your data.
    • Unsubscribe — every product email has an unsubscribe link. We'll keep sending transactional emails (payment receipts, login alerts) while your account is active.
    • Withdraw consent — for any optional processing.

    Indian users have rights under the Digital Personal Data Protection Act, 2023 (DPDP). EU/EEA users have rights under GDPR. California users have rights under CCPA. We honor all of them. Email [email protected] to exercise any of these.

    7. Cookies and tracking

    • Essential cookies — authentication, CSRF protection. Cannot be disabled (login won't work).
    • Analytics cookies — Google Analytics with IP anonymization where possible.
    • Preference cookies — remember your cookie-banner choice so we don't ask twice.

    You can manage cookies via your browser settings. Blocking essential cookies will prevent login.

    8. Children

    ProjectAI is intended for users 13 and older. We don't knowingly collect data from children under 13. If you believe a child has signed up, email us and we'll remove the account immediately.

    9. Security

    We transmit data over HTTPS, store user records in Supabase's encrypted Postgres, validate Razorpay webhook signatures with constant-time comparison, rotate webhook secrets, and deduplicate webhook events to prevent replay attacks. Authentication is handled by Google or GitHub OAuth — we never see your provider password. We don't guarantee perfect security — please enable 2FA on your Google or GitHub account.

    If you discover a security issue, please email [email protected] before disclosing publicly. We aim to respond within 48 hours.

    10. International transfers

    Your account data is primarily stored in India (Supabase ap-south-1). When you use OAuth or AI providers, data may be transferred to the United States, the European Union, or other regions per those providers' policies.

    For EU users: international transfers are made under appropriate safeguards (Standard Contractual Clauses) where required.

    11. Changes to this policy

    We may update this policy as the product evolves. The "Last updated" date at the top reflects the latest revision. Material changes (new categories of data collected, new third-party processors, changes to user rights) will be communicated by email at least 14 days before they take effect.

    12. Contact

    Questions, requests, or concerns? Email [email protected]. We aim to respond within 5 business days.

    For DPDP-related complaints, you may also contact the Data Protection Board of India.
