
India Compliance Statement

Public summary of ExamStack's India-focused privacy, consumer, payment, education-SaaS, and operational compliance practices.

Last updated: 23 May 2026

Policy coverage now includes privacy, terms, refunds, institute data processing, data retention, breach workflow, and grievance contacts.

Product controls include tenant authorization, audit logs, payment verification, refund/dispute operations, emergency controls, and privacy settings.

Exact legal entity, office address, GSTIN, and invoice presentation should be configured from production business records.

2. Privacy and DPDP Readiness

  • Privacy notice describes categories of personal data, processing purposes, user rights, institute roles, retention, sharing, security, AI/OCR processing, and grievance contacts.
  • Product architecture supports role-based access, tenant isolation, audit logs, security controls, backup procedures, and breach-response workflows.
  • User and institute controls cover profile privacy, public ranking visibility, notification preferences, student/institute record management, and support-based data-rights requests.
  • The DPDP Act and Rules have phased commencement dates; ExamStack policy text is aligned for readiness and should be reviewed as enforcement guidance evolves.

3. Consumer and E-Commerce Practices

  • Terms, refund policy, support contact, billing contact, and consumer grievance contact are publicly linked from the site footer.
  • Refund policy covers duplicate payments, failed-payment captures, wrong-plan charges, cancellation handling, non-refundable digital-use cases, timelines, and evidence required.
  • Payment operations include Razorpay order creation, checkout verification, webhook handling, receipt foundation, refund creation/sync, dispute sync, dispute accept, and contest evidence workflows.
  • Consumer grievances are intended to be acknowledged within 48 hours and resolved within one month where applicable.

4. Institute and Student Data

  • Institute data processing terms identify institute responsibilities for notices, consents, role permissions, parent or guardian authority, student imports, public profiles, and educational use.
  • ExamStack commits to processing institute workspace records for SaaS delivery, support, security, analytics, backups, notifications, AI/OCR, and legal compliance.
  • Child/student data practices are framed around educational activities, attendance, safety, parent/guardian communication, and institute authorization.

5. Security and Operations

  • Production controls include environment validation, readiness checks, secure secrets, CORS and HTTPS recommendations, file-storage providers, queue worker support, database backup scripts, and restore-drill documentation.
  • Platform controls include payment emergency disablement, attendance emergency disablement, AI emergency disablement, AI quota and abuse detection, suspicious attendance review, and audit logs.
  • Operational logs, payment records, audit records, and backups are retained where needed for security, lawful requests, tax, disputes, and continuity.

6. Business Records To Configure

The public pages are code-complete, but production should set the exact legal entity name, registered office address, GSTIN, support email, privacy email, grievance email, and billing email from verified business records before launch.

7. External Review

This statement is a practical product and policy summary. It should be reviewed by the business owner, tax advisor, and legal counsel before relying on it as the final public compliance position.
