In short
- We let you sign in with Google. From Google we receive your email, name, and profile picture — nothing else.
- We store your quiz scores, Sanskrit Village game progress, and any comments or favourites you create.
- We use Google Analytics to understand how the site is used. It only loads after your first interaction (a click, scroll, or tap), not on page load.
- We use Google Search Console and Bing Webmaster Tools for site-verification only — they place a meta tag, no scripts.
- We never sell your data. We never run advertising trackers. We never store passwords. We never put auth tokens in localStorage.
- You can ask us to export or delete your data at any time by emailing privacy@abyasam.com.
1. Who runs Abyasam
Abyasam (https://abyasam.com) is a multilingual educational website focused on Indian culture, Sanskrit, and scriptures. The site is currently operated by an individual, not a registered company or organisation. References to "we" throughout this policy refer to the individual operator of the site.
This policy explains what information the site collects when you use it, why it is collected, who it is shared with, and what choices you have. For any privacy question or request, write to privacy@abyasam.com.
2. Information we collect
2.1 Account information (Google sign-in)
Sign-in is handled exclusively through Google OAuth. We do not run a username/password system, and we never see or store your Google password. When you sign in, Google sends us a signed identity token containing:
- your email address;
- your name (as set on your Google account);
- your profile picture URL;
- a stable Google user ID (the OAuth sub claim) which we use to recognise you on return visits.
We store these in our users table along with the role we assign you (normally user; some accounts have admin or moderator roles), the time of your most recent login, and the timestamps of when your account was created and last updated.
2.2 Learning & activity data
When you use the platform, we keep a record of:
- Quiz attempts — which quiz you completed, your score, the total possible, the calculated percentage, and the completion timestamp.
- Sanskrit Village progress — your accumulated XP and level, the avatar gender you chose, the lists of words you have seen and mastered, the quests you have completed, your daily-play streak, and the date you last played.
- Onboarding tours — which page-specific walkthroughs you have dismissed, so we don't show them again.
2.3 Content you create
- Subhashitam (verse) favourites — the verses you save.
- Subhashitam comments — comments you post on verses (up to 2,000 characters). These are publicly visible and shown next to your name and profile picture.
- Subhashitam tags — short tags you attach to verses, stored in lowercase.
- Mailing-list signups — if you submit the newsletter form, we keep your name and email in a subscribers table until you ask to be removed.
- Quiz-completion certificates — if you submit your name, email, and score through the certificate form, we store that submission and email you a PNG certificate via transactional SMTP.
- Brand Identity tool inputs — if you use this tool, we keep the brand name, industry, dharmic tradition, language, and country you selected.
- Color Palette tool inputs — the dharmic theme and language you chose.
2.4 Technical & log data
For security, debugging, and abuse prevention we generate structured server logs of every HTTP request. Each log line contains: the request method and path, the response status code and latency, the requesting IP address, the request Origin header, and a boolean flag indicating whether your auth cookie was present. We do not currently log User-Agent strings.
For the lighter analytics tables (blog reads, palette requests, brand-identity requests) we store an SHA-256 hash of the IP address rather than the raw IP, alongside your country (derived from a Cloudflare request header). Hashing makes casual cross-referencing harder but is not a guarantee of irreversibility.
We log automated scanner attempts (e.g. probes for .env files) with the originating IP, to support blocking and incident response.
2.5 Cookies & browser storage
The only cookie we set ourselves is:
- aby_session — a signed JWT that authenticates your session. Marked HttpOnly (not readable by JavaScript), Secure (HTTPS only), SameSite, scoped to .abyasam.com, lifetime 7 days. The JWT contains your internal user id, email, name, profile picture URL, and role.
We also use a small amount of browser storage:
- localStorage["i18nextLng"] — your preferred language (en / hi / te).
- localStorage["abyasam-village-progress"] — your Sanskrit Village game state when you are not signed in, so progress isn't lost.
- localStorage["abyasam-page-tours"] — which onboarding tours you have dismissed.
- sessionStorage["chunk-reload"] — a one-shot flag used to recover from stale code bundles after we deploy.
We never store authentication tokens in localStorage or sessionStorage.
2.6 Analytics & search-engine verification
We use Google Analytics 4 (measurement ID G-CK35MD9B72). The GA script is not loaded on initial page render — it only loads after your first interaction with the page (click, scroll, key press, or touch). The events we send to GA4 are:
- page_view — page path and title on each route change.
- blog_read — blog slug, language, and (if you are signed in) your user id.
- section_impression / section_unlock — the slug and section heading when you view a gated section of a blog post.
Google Analytics also collects its own standard signals (IP address, device, approximate location, etc.) governed by Google's privacy policy.
We use Google Search Console and Microsoft Bing Webmaster Tools for site verification only. Each places a single verification meta tag in the page head; neither loads any script and neither tracks individual visitors.
2.7 What we do not collect
- No passwords (Google OAuth only).
- No date of birth, age, gender (other than the avatar gender you choose in the Sanskrit Village game), phone number, postal address, or payment data.
- No biometric data and no precise device geolocation — we only know your country, derived from a Cloudflare header.
- No User-Agent strings in our application logs.
- No advertising cookies, tracking pixels, Google Tag Manager, Facebook Pixel, Hotjar, Mixpanel, or Segment.
3. How we use your information
- To authenticate you and keep you signed in.
- To save your learning progress, scores, and content (favourites, comments, tags) so they persist across visits.
- To deliver the Color Palette and Brand Identity tools, which call Anthropic's Claude API with the inputs you provide (see section 5).
- To send transactional emails (e.g. quiz-completion certificates).
- To prevent abuse and detect attacks (rate limiting, scanner detection, log review).
- To understand aggregated usage patterns through analytics so we can improve the platform.
- To comply with applicable laws and respond to legal requests.
4. Legal bases / lawful purposes
For users in India (DPDP Act 2023), our processing is principally for the lawful purposes of providing the educational services you have signed up for and protecting our systems against misuse. For users in the EU/UK (GDPR), the legal bases we rely on are:
- Contract — to operate your account, save progress, and deliver tools you request.
- Legitimate interests — for security logging, abuse prevention, and aggregated analytics.
- Consent — for any optional features you opt into (e.g. mailing-list subscription).
5. Who we share data with
We do not sell your personal data. We share data only with the third parties listed below, and only the data needed for them to perform their function:
| Recipient | Purpose | Data shared |
|---|---|---|
| Google (OAuth) | Verifies your sign-in | The Google ID token plus our client ID |
| Google Analytics 4 | Aggregated usage analytics | Page views, blog interactions, optional user id |
| Google Search Console | Site verification only | Verification meta tag — no visitor data |
| Microsoft Bing Webmaster Tools | Site verification only | Verification meta tag — no visitor data |
| Google Fonts | Font delivery (Devanagari, Telugu, Latin) | Your IP address and User-Agent (standard CDN request) |
| Anthropic (Claude API) | Generates output for the Color Palette and Brand Identity tools | The theme/brand inputs and language you selected. No user id, no email, no IP address. |
| Hostinger SMTP | Sends transactional emails (certificates) | Recipient email, name, score, certificate PNG |
| Cloudflare | CDN, DDoS protection, country detection | Standard request metadata (IP, headers) |
| Unsplash | Stock images embedded on some pages | Your IP and User-Agent (standard CDN request) |
| Hostinger | Hosts the site and database | All data we store |
We may also disclose data when required by law, to enforce our terms, or to protect our rights, users, or systems.
6. International data transfers
The hosting infrastructure and the third parties listed above (Google, Anthropic, Cloudflare, Hostinger, Unsplash) operate globally. By using Abyasam, you understand that your information may be processed outside your country of residence — including in the United States and the European Union — under those providers' standard contractual safeguards.
7. Data retention
Current retention practices:
- Account & learning data — kept until you ask us to delete your account, after which it is purged within 30 days, except where law requires longer retention.
- Server logs — currently retained without an automatic purge schedule; we plan to introduce a 30–90 day retention window.
- Anonymous analytics rows (blog reads, palette and brand-identity requests) — currently kept indefinitely; planned default 13 months.
- Quiz-certificate submissions — currently kept indefinitely; planned default 24 months.
- Mailing-list entries — kept until you unsubscribe.
8. Your rights
Subject to applicable law (DPDP Act 2023 in India, GDPR in the EU/UK, CCPA in California, and similar regimes elsewhere), you have the right to:
- access the personal data we hold about you;
- ask us to correct inaccurate data;
- ask us to delete your account and associated data;
- withdraw consent for any processing that depends on your consent (this won't affect processing already done);
- receive a copy of your data in a portable, machine-readable format;
- object to processing based on our legitimate interests, where applicable.
There is no self-serve "delete my account" button yet — to exercise any of these rights, email privacy@abyasam.com from the email address associated with your account. We aim to respond within 30 days.
Because Abyasam is currently operated by an individual rather than a company, the same email address handles all privacy queries — there is no separate Grievance Officer at this stage. If you are in India and feel your concern has not been adequately addressed, you may approach the Data Protection Board of India under the DPDP Act once it begins operations.
If you are in the EU/UK, you also have the right to lodge a complaint with your local data-protection authority.
9. Children's data
Abyasam is an educational platform and may be used by minors, but we do not currently operate an age gate or a verifiable parental-consent flow. If you are a parent or guardian and you believe your child has signed in without your consent, email privacy@abyasam.com and we will delete the account. We are aware that DPDP §9 (India), GDPR Art. 8 (EU), and COPPA (US, under 13) place additional duties on operators handling children's data, and we plan to add a verifiable parental-consent flow before actively inviting under-age users.
10. Security
We follow defence-in-depth practices: HTTPS everywhere; auth tokens in HttpOnly + Secure + SameSite cookies (never in localStorage); a strict Content Security Policy via Helmet; parameterised SQL queries; Zod validation on all write endpoints; CORS allow-listing of trusted origins; and rate limiting on public, authentication, and AI-tool endpoints. No system is perfectly secure, but we work to minimise risk and will notify affected users if we ever experience a breach involving personal data.
11. Changes to this policy
When we make material changes to this policy, we will update the "Effective" date at the top of this page and, for substantial changes, notify signed-in users by email or an in-app notice. Continued use of Abyasam after changes take effect means you accept the updated policy.
12. Contact
For any privacy question or request, write to privacy@abyasam.com. Abyasam is operated by an individual; a registered postal address will be added here if and when the site is incorporated as a legal entity.