This Privacy Policy explains how Study Cabinet ("Snippetz", "we", "us", "our") collects, uses, discloses, and protects your personal data when you use the Study Cabinet application ("the App"). We are committed to protecting your privacy and handling your data with complete transparency.
Controller: Pulakit Bararia · Email: snippetzlabs@gmail.com
Application: Study Cabinet (also referred to as "Snippetz") — an AI-powered study management platform for students, teachers, tutors, and coaching centres.
By using the App, you consent to the data practices described in this policy. If you do not agree with any part of this policy, you must stop using the App immediately.
We collect the following categories of data. Every field is listed explicitly below with its source and purpose.
We collect your full name and email address from the registration form. Your password is collected during registration but is immediately hashed using bcrypt and stored by Supabase Auth — we never have access to your plain-text password. You may optionally upload an avatar or profile image through settings. Your portal role (student, teacher, admin, or owner) is assigned during registration based on your chosen path. This data is used for account identification, authentication, personalisation, and access control.
You or your teacher can create courses/subjects with optional course codes, teacher name, icon, and colour preference. Within each course, you can create topics with a name, description, importance level (low/mid/high), completion status, and sort order. You can upload study notes with file name, file size, source type (upload/manual), icon, and file attachments stored in Supabase Storage.
You can create assignments with name, due date, completion status, exam reference, and attached document paths. A homework status toggle lets you mark work as done. You or your teacher can record grades and test scores including marks obtained, total marks, percentage, date, grade, and exam reference. You can create classes and timetable entries with name, subject, days of the week, time, duration, and location.
You or your teacher can create exam records containing the exam name, course name, exam type (single/midterm/final/practical/viva), exam date, duration in minutes, venue or location, total marks, and notes. You can mark exams as completed. Within each exam, you can record individual exam papers with paper name and mark.
For students, per-course attendance is tracked with a total count and attended count, entered by the user or teacher. For teachers, monthly attendance is recorded by the centre admin including classes held, classes attended, and optional notes.
You can create weekly timetable events with title, day of the week (0–6), start time, end time, colour, and location.
For students, fee records are created by admins or teachers including fee title, course association, total amount, paid amount, fee status (paid/pending/overdue/partial), due date, payment mode, and notes. For teachers, salary records are created by admins including salary title, total amount, paid amount, salary status, tenure/period, salary month, payment mode, and notes.
Centre admins create and manage coaching centre profiles including centre name, code, and branding preferences. They create classes within centres. When users enrol, their member user IDs, roles, and status (active/pending/rejected) are auto-recorded. Centres generate invite codes for student and teacher enrolment. Admins configure student permissions and settings controlling what students can see and do.
Users can set push notification preferences. The app records dismissed teacher push records to avoid showing the same notification twice. In-app notification read status is tracked. Teacher push content (title and message) is stored when teachers send coursework or announcements to students.
When you use the EDITH AI assistant, we collect your prompts and messages typed into the chat interface. The AI-generated responses produced by Groq are displayed to you and may be cached. We record which AI tools you invoke: flashcard generation, quiz creation, note summarisation, essay writing, comparison analysis, doubt solving, exam prediction, lesson planning, formula sheet creation, career guidance, and college matching. Contextual data from your account (course names, topic names, assignment details, exam schedules) is sent to Groq to provide relevant AI responses. Cached AI outputs are stored temporarily for performance optimisation and automatically cleaned up after 30 days.
You can upload note attachments (images, PDFs, documents) which are stored in Supabase Storage. Assignment document paths are recorded when you attach files to assignments or when teachers push materials to you. Course materials pushed by teachers are stored the same way.
You can select a theme (light, dark, or system default). You can configure Pomodoro timer durations for focus sessions, short breaks, and long breaks. You can toggle sound effects on or off. Study filter preferences allow you to customise what you see. Writing mode documents are auto-saved locally in your browser's localStorage.
If Google Analytics is enabled, we may collect page views and screen names you visit, session duration, approximate geographic location at city or country level derived from your IP address, device type (mobile, tablet, or desktop), browser type and version, operating system, screen resolution, referrer URL, and in-app interactions such as button clicks and feature usage. This data helps us understand how the App is used and improve it.
When you use the App, the third-party services we rely on may automatically collect certain data. Supabase (our database, authentication, storage, and realtime provider) collects your IP address, request timestamps, and authentication tokens stored in localStorage. Groq (our AI processing provider) receives your prompts, messages, contextual data, IP address, and request metadata when you use EDITH. Google Fonts and Font Awesome (content delivery networks) receive your IP address, user-agent string, and referrer URL when their resources load. If Google Analytics is enabled, it collects data as described in section 2.12 above.
We use your data for the following purposes, each supported by a legal basis:
Providing study management features — your academic data (courses, topics, notes, assignments) is used to deliver the core functionality of the App. This is necessary for the performance of our contract with you.
Tracking exams and deadlines — your exam data is used to display countdowns, send reminders, and help you plan. This is necessary for contract performance.
Tracking attendance — your attendance data is used to show progress rings and reports. This is necessary for contract performance.
Managing your timetable — your schedule data is used to display your weekly calendar. This is necessary for contract performance.
Providing the AI study assistant (EDITH) — your identity, academic data, and AI interaction data are sent to Groq to generate responses and study content. This is based on your explicit consent, which you give by using the AI features.
Generating flashcards, quizzes, notes, essays, and other AI content — your academic data and AI prompts are processed by Groq. This is based on your consent.
Operating coaching centre management — centre data and financial data are used to manage classes, members, fees, and salaries. This is necessary for contract performance with the centre.
Managing fees and salaries — financial data is processed for fee tracking and salary management. This is necessary for contract performance.
Enabling teacher-student communication — communication data is used to deliver pushes, notifications, and feedback. This is necessary for contract performance.
Personalising your experience — your preferences (theme, Pomodoro settings) are used to customise the App. This is based on our legitimate interest in providing a pleasant user experience.
Improving the App — anonymised usage data helps us understand what features to improve. This is based on our legitimate interest.
Analytics — if Google Analytics is enabled, analytics data is processed based on your consent.
Complying with legal obligations — account data and financial data may be retained and shared as required by law.
Protecting against abuse or fraud — all categories of data may be reviewed if we suspect misuse of the App. This is based on our legitimate interest.
We share your data only with essential service providers who help us deliver the App. Each provider is carefully vetted and bound by data processing agreements.
Supabase Inc. hosts all of our data including database records, authentication information, uploaded files, and realtime communication data. Their infrastructure is located in the United States and multi-region deployments. They are SOC 2 compliant, encrypt data at rest and in transit, and offer a Data Processing Agreement (DPA) for our compliance. All data stored in the database, files in storage, and authentication tokens fall under their processing.
Groq Inc. processes your AI interactions when you use EDITH. Your prompts, messages, and relevant academic context are sent to Groq's servers in the United States for inference. Groq has stated they do not train their models on API data, and enterprise-grade security measures are in place.
Tavily (accessed through Groq) handles AI-generated web search queries when you explicitly trigger the web search feature within EDITH. This only occurs on your direct action.
Google LLC processes analytics data if Google Analytics is enabled. Data is anonymised and subject to Google Analytics terms. You can opt out via the Google Analytics Opt-Out Browser Add-on.
Google Fonts and Font Awesome serve fonts and icons via content delivery networks. When your browser requests these resources, standard CDN data (IP address, user-agent, referrer URL) is transmitted. This is a standard part of how the modern web works and is not used by us for tracking.
Where a third-party service provider processes data on our behalf, we ensure they maintain at least equivalent data protection standards through Data Processing Agreements (DPAs). We do not authorise any third party to use your data for their own purposes.
The App is designed for users of all age groups, including children under 18. We take additional precautions for children's data and comply with applicable laws including India's DPDPA 2023, the US COPPA, and the EU/UK GDPR requirements for children.
For users under 18 (or the applicable age of digital consent in their jurisdiction), we require verifiable parental consent before collecting personal data. Parents may contact us at snippetzlabs@gmail.com to review, modify, or delete their child's data at any time. Parents may withdraw previously given consent, and we will stop processing the child's data upon such withdrawal.
Under India's Digital Personal Data Protection Act 2023, verifiable parental consent is obtained before processing any child's data. Parents have the right to access, correct, and delete the child's data. We do not conduct behavioural monitoring, targeted advertising, or any processing that could adversely affect the child.
Under the Children's Online Privacy Protection Act (COPPA), we collect only data that is reasonably necessary for the educational service. We do not condition a child's participation on disclosing more personal data than is reasonably necessary. Parents can review their child's data, refuse further collection or use, and request deletion at any time.
Under GDPR Article 8 and the UK GDPR, for children under 16 (or the lower age set by individual member states), consent is obtained from a parent or guardian. Parents may exercise the child's data rights on their behalf. We use clear, age-appropriate language in our notices and communications.
We apply strict data minimisation principles to all users, especially children. We collect only the data that is genuinely necessary for the educational services provided. We do not require children to disclose more data than is needed to use the App effectively.
Your data is stored in three locations. The primary database containing all your records (courses, topics, grades, exams, etc.) is hosted on Supabase's cloud infrastructure. Uploaded files such as note attachments and course materials are stored in Supabase Storage. Local data including your Supabase authentication session tokens and writing mode drafts are stored in your browser's localStorage.
We retain different types of data for different periods based on legal requirements and operational needs:
Account data (name, email) is retained until you delete your account, as it is necessary for contract performance. Academic data (courses, topics, notes, grades, assignments) is also retained until account deletion. AI cached outputs are automatically cleaned up after 30 days via our cleanup function. Writing mode documents are kept until you delete them or your account is deleted. Deleted account data is retained for 30 days after a deletion request to allow for recovery, after which it is permanently erased. Teacher push records are retained for 12 months for operational reference. Coaching centre data is retained until the centre is deleted. Financial records including fees and salaries are retained for 7 years (or as required by applicable tax law). Logs and analytics data are retained for 26 months in line with industry standards.
We implement multiple layers of security to protect your data. All API calls are encrypted in transit using HTTPS with TLS 1.3. Data at rest is encrypted by Supabase using AES-256. Passwords are hashed using bcrypt before storage. Row-Level Security (RLS) policies on every database table ensure that users can only access their own data — a student cannot see another student's records, and a teacher can only see their own class's data. File access is controlled through signed URLs with expiration times. In production, all API keys are stored as environment variables on Vercel, never hardcoded in the source code. Supabase performs automated daily backups with point-in-time recovery capability.
Every user has the following rights regardless of their location:
Right to Access — You can request to know what personal data we hold about you. Email us at snippetzlabs@gmail.com and we will provide a complete summary within the applicable timeframe.
Right to Correction — If your data is inaccurate or incomplete, you can correct it directly through the App's Settings or by emailing us.
Right to Deletion — You can delete your data and account permanently by using the "Delete Account" option in Settings or by emailing us. We will process your request within the applicable timeframe.
Right to Object — You can object to certain types of data processing by emailing us with your specific concerns.
Right to Withdraw Consent — If you have given consent for any processing (such as AI features), you can withdraw it at any time by emailing snippetzlabs@gmail.com.
In addition to the above, users in the European Union, United Kingdom, and European Economic Area have: the right to be forgotten (complete erasure of all personal data upon request), data portability (receive your data in a structured, machine-readable JSON format), restriction of processing (temporarily limit how we use your data while a dispute is resolved), the right to object to processing based on legitimate interests, the right to human review of significant AI-based decisions affecting you, and the right to lodge a complaint with your local data protection authority.
Under India's Digital Personal Data Protection Act 2023, users in India have: the right to know what data is collected and how it is processed, the right to correction of inaccurate or misleading data, the right to erasure of data when the purpose for collection is served, the right to grievance redressal via our Grievance Officer (see section 11), and the right to nominate a person to exercise their data rights after their death or incapacity.
We will respond to all data subject requests within the following timeframes: 30 days under India's DPDPA, 30 days under GDPR (extendable by up to 60 days for complex requests), and 45 days under COPPA and California law.
We use minimal storage technologies. Supabase localStorage stores your authentication session tokens for the duration of your session or until you log out. This is necessary for keeping you signed in. App localStorage stores your writing mode documents and user preferences. These remain until you clear your browser data or delete the specific content. If Google Analytics is enabled, it may set cookies for session tracking and interaction measurement according to Google's own cookie policy.
We do not use cookies for advertising, cross-site tracking, or any purpose unrelated to the core functionality of the App.
You can clear localStorage at any time through your browser's settings or by logging out of the App. Google Analytics can be opted out of via the Google Analytics Opt-Out Browser Add-on. Most browsers also allow you to view, manage, and delete stored data through their Settings or Preferences menu.
Your data may be transferred to and processed in countries outside your own. United States — our primary service providers Supabase, Groq, and Google Cloud operate servers in the US. Transfers are safeguarded by Standard Contractual Clauses (SCCs) and Data Processing Agreements as required by applicable law. Global CDN edges — Google Fonts and Font Awesome deliver content through global content delivery networks, which may involve temporary data processing in various regions under standard contractual protections.
For users in the European Union, United Kingdom, and European Economic Area, we ensure appropriate safeguards (SCCs) are in place for all international transfers as required by Chapter V of the GDPR. If you would like a copy of the relevant safeguards, please email us.
In the event of a data breach involving personal data, we have a clear response plan. We will identify the scope and cause of the breach within 48 hours of discovery. We will notify affected users within 72 hours (or as required by applicable law), providing details of what occurred, what data was involved, and what steps we are taking. We will notify relevant supervisory authorities including the Data Protection Authority in the EU and MeitY in India as applicable. We will take immediate remedial action to contain the breach and prevent recurrence. All breaches are documented along with our response for regulatory review.
As required under Section 5(9) of India's Digital Personal Data Protection Act 2023 and related rules, we have appointed a Grievance Officer to handle data protection complaints:
Role: Grievance Officer
Name: Pulakit Bararia
Email: snippetzlabs@gmail.com
Response commitment: All grievances will be acknowledged within 24 hours and resolved within 30 days.
Users in India may contact the Grievance Officer with any complaints regarding their personal data or our data processing practices.
We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. When we make material changes, the "Last Updated" date at the top of this page will be revised. We will notify users of material changes via email (if you have provided one) or through an in-app notification. Your continued use of the App after changes take effect constitutes your acceptance of the updated policy. We encourage you to review this policy regularly to stay informed about how we protect your data.
If you have any questions, concerns, or requests regarding your personal data or this Privacy Policy, please contact us:
Data Controller & Grievance Officer: Pulakit Bararia
Email: snippetzlabs@gmail.com
Application: Study Cabinet (Snippetz)
We are committed to addressing your privacy concerns promptly, transparently, and fairly. We aim to respond to all inquiries within 24 hours and resolve all matters within 30 days.