privacy · what we collect and why

Privacy Policy

What we collect, why, who it's shared with, and how to access or delete it. Plain language, complete coverage.

Last updated · March 29, 2026
§ 01 — Who we are

The operator.

ZeroCourse is operated by Abhaya Code Labs OPC Pvt Ltd, a One Person Company registered in Mumbai, India. We provide an online computer science learning platform at zerocourse.dev.

For privacy questions, contact us at [email protected].

§ 02 — What we collect

The data.

Account information

When you sign up (via email or GitHub), we collect and store:

  • Email address — for account login, notifications, and learning reminders.
  • Password — securely hashed with bcrypt (if you sign up with email; never stored in plaintext).
  • Name and username — for your profile.

If you sign up or link via GitHub, we additionally receive:

  • Profile photo URL — from your GitHub avatar.
  • GitHub access token — encrypted at rest, used to create project repositories in your GitHub account.

You can also optionally provide a bio and timezone in your profile settings.

Learning data

As you use ZeroCourse, we collect:

  • Course enrollments and progress — which lessons you've completed.
  • Notes and discussions — content you write on lessons.
  • Assessment answers and scores — your quiz and project results.
  • Concept mastery data — spaced repetition state for learning science.
  • Learning reflections — confidence ratings and study notes.

AI conversations

When you chat with Bodhi (our AI tutor), your messages and Bodhi's responses are stored to maintain conversation history and improve your learning experience.

Server logs

When you use ZeroCourse, our servers automatically log:

  • IP address — for security and abuse prevention.
  • Request metadata — pages visited, timestamps, browser type.
  • Error context — when errors occur, we log the action that triggered them for debugging.

Server logs are retained for 30 days, then automatically deleted.

Derived learning data

From your learning activity, we derive:

  • Mastery levels — how well you understand each concept (Bloom's Taxonomy levels).
  • Review scheduling — when you should review concepts (spaced repetition).
  • Confidence calibration — how accurate your self-assessments are.

This derived data is used only to personalize your learning experience and is never shared with third parties.

API keys (optional)

If you bring your own AI provider API keys, they are encrypted at rest using Rails Active Record Encryption. We never share your API keys with anyone.

Payment information

Payments are processed by Razorpay (Razorpay Software Pvt Ltd, India), a PCI DSS Level 1 compliant payment processor. When you subscribe:

  • Your credit card, debit card, UPI, or bank details are collected and processed directly by Razorpay — we never see or store your full payment credentials.
  • We store only: Razorpay transaction ID, order ID, payment status, amount, and currency.
  • Razorpay may process payments in INR or USD depending on your location.
  • For international payments, Razorpay handles currency conversion and cross-border data transfer in compliance with applicable laws.
  • Razorpay's privacy policy governs how they handle your payment data: razorpay.com/privacy.
§ 03 — How we use your data

What it's for.

  • Provide the learning platform and AI tutoring service.
  • Personalize your learning experience (spaced repetition, adaptive assessments).
  • Create project repositories on your GitHub account.
  • Send emails: password resets, daily review reminders, weekly progress digest (you can opt out of non-essential emails in Settings).
  • Monitor platform usage and costs.
  • Prevent abuse and enforce our terms.

We do not sell your data, use it for advertising, or share it with data brokers.

§ 04 — Third-party services

Who else processes it.

To provide our service, your data is processed by:

Service Data shared Purpose
GitHub Email, name, avatar, repo access Authentication, project repositories
AI providers Your chat messages, lesson context (Google Gemini, DeepSeek, Mistral, Anthropic, OpenAI, and others) AI tutoring responses
Razorpay Card / bank / UPI details (handled directly by Razorpay, PCI DSS compliant) Payment processing (INR & USD)
Resend Email address, email content Transactional emails
Hetzner Cloud All platform data (server hosting) Infrastructure
Cloudflare IP address, request metadata CDN, DNS, SSL
Important — When you use Bodhi (AI tutor), your messages are sent to third-party AI providers to generate responses. If you prefer not to send your messages to our platform's AI providers, you can bring your own API key in Settings.
§ 05 — International data transfers

Where data travels.

ZeroCourse is operated from India. Your data may be processed in:

  • United States — server hosting (Hetzner Ashburn), AI providers (OpenAI, Anthropic, Google, DeepSeek, NVIDIA).
  • European Union — server hosting (Hetzner Germany), AI provider (Mistral, France).
  • China — AI providers (Z.AI, Kimi / Moonshot) if used as fallback.
  • India — Razorpay payment processing, company operations.

For EU/EEA residents, transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) where required by GDPR. For Indian residents, cross-border transfers comply with the DPDP Act 2023.

§ 06 — Cookies & tracking

A short list.

We use minimal cookies:

  • Session cookie — keeps you logged in (essential, expires on browser close).
  • CSRF token — security protection (essential).
  • Dark mode preference — stored in your browser's localStorage (never sent to our servers).

We do not use any tracking cookies, analytics services, advertising pixels, or fingerprinting.

§ 07 — Data security

How it's protected.

  • All connections use HTTPS / TLS encryption in transit.
  • API keys are encrypted at rest using Rails Active Record Encryption.
  • Passwords are hashed with bcrypt (never stored in plaintext).
  • GitHub access tokens are encrypted at rest.
  • Database hosted on encrypted storage.
§ 08 — Data retention

How long it lives.

  • Active accounts — your data is retained for as long as your account exists.
  • Account deletion — when you delete your account, all your data is permanently deleted from our systems (profile, chats, progress, notes, submissions, and reflections).
  • GitHub repositories — repositories created on your GitHub account remain there — you can delete them from GitHub directly.
  • Third-party copies — data previously sent to AI providers, Razorpay, or Resend is subject to their own retention policies.
§ 09 — Data breach notification

If something goes wrong.

In the unlikely event of a data breach affecting your personal data, we will:

  1. Investigate immediately to determine scope and severity.
  2. Notify relevant regulators within 72 hours as required by GDPR and DPDP Act.
  3. Notify affected users without undue delay by email.
  4. Provide details — what data was affected, what happened, remediation steps, and what you should do.
§ 10 — Your rights

What you can do.

Depending on your location, you have the following rights:

For all users

  • Access — view your data in your dashboard and settings.
  • Rectification — edit your profile, notes, and settings at any time.
  • Deletion — delete your account from Account Settings — all data is permanently removed.
  • Portability — export all your data as JSON from Profile Settings.
  • Email opt-out — control email preferences in Settings.

For EU/EEA users (GDPR)

Our legal basis for processing your data:

  • Contract performance (Art. 6(1)(b)) — account data, learning progress, AI tutoring — necessary to provide the service.
  • Legitimate interest (Art. 6(1)(f)) — security monitoring, abuse prevention, error logging, cost tracking.
  • Consent (Art. 6(1)(a)) — optional emails (review reminders, weekly digest) — withdrawable anytime in Settings.

You additionally have the right to object to processing, request restriction, and lodge a complaint with your local Data Protection Authority. Contact us at [email protected].

For Indian users (DPDP Act 2023)

As a Data Fiduciary under the Digital Personal Data Protection Act, 2023, we process your data for the purpose of providing educational services. You have the right to access, correct, erase, and port your personal data. You may file a complaint with the Data Protection Board of India.

For California users (CCPA)

We do not sell or share your personal information for cross-context behavioral advertising. You have the right to know what data we collect, request deletion, and opt out of any future sale (which we do not engage in). To exercise your CCPA rights, email [email protected].

How to exercise your rights

  1. Self-service — access, edit, export, and delete your data directly from your Settings and Account page.
  2. Email request — for additional requests, email [email protected].
  3. Response time — we respond within 30 days (45 days for complex requests).
  4. Verification — we will verify your identity via your registered email before processing requests.
§ 11 — Children's privacy

Under 13.

ZeroCourse is not intended for users under 13 years of age. We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact us and we will delete the account.

§ 12 — Changes to this policy

When we update this.

We may update this policy from time to time. When we make significant changes, we will notify you by email and update the "Last updated" date above. Continued use after changes constitutes acceptance.

§ 13 — Contact

How to reach us.

For privacy-related questions, data requests, or concerns:

Abhaya Code Labs OPC Pvt Ltd · Mumbai · March 29, 2026