Privacy policy

mocks.bloomupsc.com is operated by Bloom UPSC (“we”, “our”). We’re a small team building original Prelims content for UPSC aspirants. Contact: bloomupsc@gmail.com.

When you sign in with Google, we receive:

• Your name and email address, from your Google account.
• A unique identifier Google provides so we can recognise you on return visits.

As you use the app, we store:

• Your attempts — which mock, which options you picked, how long you took, your confidence label, whether you flagged a question.
• Your computed results — scores, subject-wise accuracy, time analysis.
• Any partner coupon you redeem and when, so we can prevent double-redemption and honour usage caps.
• Basic server logs (IP address, request path, timestamp) — retained for up to 30 days to debug outages and detect abuse.

We do not collect device fingerprints, third-party ad identifiers, location, or contacts. We do not use Google Analytics, Facebook Pixel, or any similar ad-network tracker.

• Deliver the mocks you have access to, resume attempts you’ve paused, and produce your result reports.
• Prevent abuse of partner coupons (rate-limiting, double-redeem checks).
• Reply to emails you send us about your account.
• Email you only when you’ve opted in (e.g. mock-release announcements). Transactional messages — password-reset, access grant — are always sent.

We use a small set of service providers to run the product:

• Supabase — our database and authentication provider. Your account, attempts, and results are stored in a Supabase-managed Postgres instance.
• Google — only for the OAuth sign-in flow. Google sees that you signed in to Bloom UPSC; we see your name and email from Google.
• Vercel — our hosting provider. Every request you make hits Vercel edge servers before reaching our app.
• PostHog — product analytics (how many people use a feature, which pages convert, where the funnel leaks). PostHog receives your email and name (after you sign in) + pageviews + key events (mock-started, mock-submitted, etc). It does NOT build advertising profiles and we do not share this data with advertisers.

We do not sell or rent your data to anyone. We do not share it with advertisers. We will share data only if required by a lawful legal process, and only after consulting legal counsel where feasible.

We set a small number of first-party cookies required for sign-in (Supabase session cookies). These are essential — you can’t stay logged in without them. We do not set advertising or tracking cookies.

• Account data and attempt history are retained for as long as your account is active.
• If you ask us to delete your account, we erase your personal data within 30 days. Anonymised, aggregate statistics (e.g. average difficulty of a question) may be retained.
• Server logs roll off after 30 days.

You can, at any time:

• Ask for a copy of the data we hold about you.
• Correct anything that’s wrong.
• Ask us to delete your account and all associated data.
• Withdraw consent for any non-essential email (we don’t actually send non-essential email today, but the option stands).

Email bloomupsc@gmail.com. We reply within 7 working days.

Passwords never touch our servers — sign-in runs through Google OAuth. Your attempt data is protected by database-level row security so one user can never read another’s responses. We use HTTPS everywhere.

Bloom UPSC is intended for adults preparing for the UPSC civil services examination. If you believe a child under 18 has created an account, email us and we’ll delete it.

If we change this policy materially, we’ll email account holders at least 14 days before the change takes effect, and update the date above.