Privacy Policy
Last updated: 29 June 2026
1. Introduction
KitCat (“KitCat”, “we”, “our”, “us”) is an adaptive learning platform for the Common Admission Test (CAT), operated by Cenizas Labs Pvt. Ltd. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and the rights you have over it. It is written to align with India’s Digital Personal Data Protection Act, 2023 (DPDP Act) and the EU General Data Protection Regulation (GDPR) where applicable.
By using KitCat you agree to this Policy. If you do not agree, please discontinue use of the service. Questions can be sent to privacy@kitcat.app.
2. Data we collect
We collect only the data we need to run the service:
- Account data — your name, email address, and (if you sign in with Google) the profile fields Google returns to us (name, email, avatar URL).
- Study data — your diagnostic answers, practice attempts, mock submissions, time spent, mastery estimates, and the conversations you have with the Coach. This data exists so we can personalize your plan.
- Billing metadata — when you subscribe we store a Razorpay customer ID, subscription ID, plan, status, and renewal date. We do not store card numbers, UPI handles, or bank credentials. All payment data is handled directly by Razorpay.
- Anonymous diagnostic ID — if you take the diagnostic before signing up, we set a signed, HTTP-only cookie so we can keep your results across the session and attach them to your account when you sign up.
- Product telemetry — basic page-view and click events via PostHog so we can understand which screens are slow or broken. We do not enable session replay or third-party advertising trackers.
- Operational logs — request logs, error traces (via Sentry), and security audit events. These are kept only as long as needed to investigate incidents.
3. How we use your data
- To provide and operate the KitCat service.
- To personalize your study plan, recommend practice, and ground the Coach’s responses in your real performance.
- To send transactional emails (sign-in links, billing receipts, password resets, and account notices). We do not send marketing emails without your explicit opt-in.
- To debug issues, prevent abuse, and improve the product.
- To comply with our legal and tax obligations in India.
We do not sell your personal data, and we do not share it with third parties for their own advertising purposes.
4. Cookies and similar technologies
KitCat uses a small number of cookies that are strictly necessary to run the service:
- Auth session — issued by NextAuth when you sign in; lets you stay logged in.
- Anonymous diagnostic ID — a signed, HTTP-only cookie that links pre-signup diagnostic attempts to your eventual account.
- PostHog — first-party analytics cookies for understanding product usage.
We do not use third-party advertising cookies, retargeting pixels, or social media trackers.
5. Sub-processors
We rely on a small set of vendors to run the service. Each of them processes data only on our instructions:
- Vercel — application hosting.
- Neon — primary Postgres database (Mumbai region).
- Razorpay — payment processing.
- Resend — transactional email delivery.
- Anthropic — the LLM that powers the Coach.
- Sentry — error monitoring.
- PostHog — product analytics.
- Google — authentication via Sign in with Google.
6. Where your data lives
Your account, practice, and mock data are stored in databases hosted in India. Some sub-processors (Anthropic, Sentry, PostHog) may process data outside India under standard contractual safeguards. Coach conversations are sent to the LLM provider for inference and are not used by them to train future models.
7. How long we keep it
We keep your account and study data for as long as your account is active. If you delete your account, we erase your personal data within 30 days, except for the minimum financial records we are legally required to retain (typically up to 8 years under Indian tax law). Aggregate, fully de-identified data may be kept indefinitely.
8. Your rights
Under the DPDP Act and the GDPR (where applicable) you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Erase your data (and your account) at any time.
- Export your data in a machine-readable format (portability).
- Withdraw consent for any optional processing you previously agreed to.
- Lodge a complaint with the Data Protection Board of India or your local supervisory authority.
You can exercise most of these rights directly from your profile page, or by emailing privacy@kitcat.app. We respond within 30 days.
9. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Passwords, where used, are hashed with bcrypt. Access to production systems is restricted to named engineers and is logged. We follow the principle of least privilege and review access quarterly.
No system is perfectly secure. If we ever discover a personal data breach that affects you, we will notify you and the relevant authority without undue delay and in any case within 72 hours of becoming aware of it.
10. Children
KitCat is intended for users aged 18 and over. The CAT is taken by graduates and is not aimed at minors. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, please email us and we will delete it.
11. Changes to this policy
We may update this Policy from time to time. If we make a material change, we will email all active users at least 30 days before the change takes effect, and we will update the “Last updated” date at the top of this page. Continued use of KitCat after a change means you accept the updated Policy.
12. Contact
Data controller: Cenizas Labs Pvt. Ltd.
Address: Cenizas Labs Pvt. Ltd., Bengaluru, Karnataka, India
Email: privacy@kitcat.app