Privacy Policy

1. Definitions

1.1 Personal Information means information that identifies a Learner, including but not limited to first and last name, email address, age, gender, country of residence, professional qualifications, photograph, and phone number, provided at the time of registration or any time thereafter on the Platform.

1.2 Sensitive Personal Information includes:

• (a) Passwords and financial information (excluding the truncated last four digits of credit/debit cards);
• (b) Health data;
• (c) Official identifiers (such as biometric data, Aadhaar number, PAN, Social Security Number, driver's license, passport);
• (d) Information about sexual life, sexual identification, race, ethnicity, political or religious beliefs or affiliation;
• (e) Account credentials and passwords;
• (f) Any other data categorised as "sensitive personal data" or "special categories of data" under the DPDP Act 2023, GDPR, CCPA, or other applicable Data Protection Laws.

1.3 Processing means any operation performed on Personal Information, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.

References to "Personal Information" in this Policy shall include Sensitive Personal Information where the context so requires.

2. Information We Collect

ThioSuxa is committed to data minimisation. We collect only the information necessary to provide our services. Specifically:

2.1 Personal Information You Provide to Us

When You register for an account or purchase Content, we collect:

• Name
• Email address
• Phone number (if provided)
• Country of residence
• Professional qualifications or training level (if provided)
• Payment-related information (processed by our third-party payment processors — see Section 5)
• Any Learner Content You submit through Public Forums, support queries, or feedback channels

2.2 Non-Personal Information Automatically Collected

When You interact with the Platform, we may automatically collect:

• Browser type and language preference
• Device type, operating system, and screen resolution
• IP address (which may be used to infer approximate geographic location)
• Referring website
• Date, time, and duration of each visit
• Pages viewed and features used
• Performance and error logs

2.3 Cookies and Similar Technologies

The Platform uses cookies and similar technologies. A cookie is a small text file that the Platform stores on Your device. We use:

• (a) Strictly necessary cookies — required for Platform functionality (login sessions, security);
• (b) Functional cookies — for preferences and personalisation;
• (c) Analytics cookies — for usage statistics and performance monitoring (via Graphy's analytics infrastructure);
• (d) Third-party cookies — set by payment processors and other integrated services.

You may refuse cookies via Your browser settings, but doing so may disable some Platform features.

2.4 Information From Third Parties

We may receive information about You from our payment processors (transaction confirmations), hosting infrastructure (Graphy), and service providers, to the extent necessary to operate the Platform.

3. How We Use Your Information

We use Your Personal Information for the following purposes, each with a defined legal basis:

3.1 To Provide the Platform and Services

• Create and manage Your account
• Deliver purchased Content
• Provide customer support
• Process transactions
• Verify Your identity

Legal basis: Performance of a contract; Your consent.

3.2 To Improve the Platform

• Analyse usage patterns
• Identify and fix technical issues
• Develop new features and improve existing Content
• Conduct research into Learner behaviour in aggregate, anonymised form

Legal basis: Our legitimate interests in improving the Platform; Your consent.

3.3 To Communicate With You

• Respond to Your queries, feedback, and support requests
• Send transactional communications (purchase confirmations, access notifications, renewal reminders)
• Send informational updates about Platform features, Content updates, or Policy changes
• Send marketing communications (only with Your explicit opt-in consent)

Legal basis: Performance of a contract; Your consent (for marketing).

3.4 To Protect the Platform and Enforce Our Terms

• Detect and prevent fraud, abuse, and unauthorised access
• Investigate and take action against violations of our Terms of Use
• Comply with legal, tax, and regulatory obligations

Legal basis: Our legitimate interests; legal obligation.

3.5 Automated Processing and AI-Assisted Operations

ThioSuxa uses artificial intelligence (AI)-assisted tools in the creation of educational content. We do not use Your Personal Information to train AI models, make automated decisions that produce legal or similarly significant effects on You, or engage in profiling as defined under GDPR Article 22 or DPDP Act 2023.

Aggregate, anonymised usage data may be analysed using AI-assisted tools for the purpose of improving educational content and user experience. Such data cannot be used to re-identify individual Learners.

3.6 What We Do Not Do

• We do not sell, trade, rent, or commercially exploit Your Personal Information
• We do not share Your Personal Information with advertisers for targeted advertising
• We do not make automated decisions that legally or significantly affect You without human review

4. How We Share Your Information

We share Personal Information only in the following circumstances:

4.1 Service Providers

We share information with trusted third-party service providers who support our operations:

• Graphy — Platform hosting and learning management infrastructure
• Payment processors — Transaction processing (we do not store Your financial details)
• Email and communication services — Transactional and support communications
• Analytics providers — Aggregate usage analysis
• Cloud infrastructure providers — Secure data storage

Each service provider is bound by contractual confidentiality and data protection obligations.

4.2 Legal and Regulatory Disclosure

We may disclose Personal Information if required to:

• (a) Comply with applicable law, regulation, court order, or government request;
• (b) Enforce our Terms of Use or other agreements;
• (c) Protect the rights, property, or safety of ThioSuxa, our Learners, or others;
• (d) Investigate and prevent fraud or security threats.

Where permitted by law, we will attempt to notify You before disclosing Your information in response to such requests.

4.3 Business Transfers

If ThioSuxa is involved in a merger, acquisition, sale of assets, or similar business transaction, Personal Information may be transferred as part of that transaction. We will provide notice and, where required, seek Your consent before Your information becomes subject to a materially different privacy policy.

4.4 Aggregated or De-Identified Information

We may share aggregated or de-identified information that cannot reasonably be used to identify You, for research, analytics, or marketing purposes.

5. Payment Information

We do not capture, process, or store sensitive payment information such as full credit card numbers, CVV codes, or banking credentials. All payment transactions are processed by PCI-DSS compliant third-party payment processors, whose own privacy policies govern the handling of such data.

We receive only limited transaction metadata (such as transaction ID, amount, date, and the last four digits of payment cards) necessary for order fulfilment, refund processing, and compliance.

6. Data Retention

We retain Your Personal Information only as long as necessary for the purposes for which it was collected:

Where legal obligations require longer retention, we retain only the minimum information necessary to fulfil those obligations.

Upon account deletion, we delete or anonymise Personal Information within reasonable timeframes, except where we are required to retain it by law or for legitimate business purposes (such as fraud prevention or dispute resolution).

7. Your Rights

Subject to applicable Data Protection Laws, You have the following rights regarding Your Personal Information:

• 7.1 Right of Access — To obtain confirmation of whether we process Your Personal Information and request a copy.
• 7.2 Right of Correction — To request correction of inaccurate or incomplete Personal Information.
• 7.3 Right of Erasure — To request deletion of Your Personal Information, subject to legal retention obligations.
• 7.4 Right to Restrict Processing — To request that we limit our processing of Your Personal Information under certain circumstances.
• 7.5 Right to Data Portability — To request Your Personal Information in a structured, commonly used, machine-readable format.
• 7.6 Right to Object — To object to our processing of Your Personal Information where the legal basis is our legitimate interests.
• 7.7 Right to Withdraw Consent — To withdraw any consent You have previously given, at any time, without affecting the lawfulness of prior processing.
• 7.8 Right to Nominate — Under the DPDP Act 2023, You may nominate another individual to exercise these rights on Your behalf in the event of death or incapacity.
• 7.9 Right to Lodge a Complaint — To lodge a complaint with a supervisory authority if You believe Your rights have been infringed.

How to Exercise Your Rights: Please contact our Grievance Officer (see "Grievances" section). We will respond to verified requests within the timeframes required by applicable law (generally 30 days, extendable to 60 days for complex requests).

Identity Verification: To protect Your data, we will verify Your identity before fulfilling most requests. Where we cannot verify identity to the required standard, we may decline the request.

8. Children's Data

ThioSuxa is intended exclusively for medical professionals, medical students, and postgraduate medical trainees aged 18 years or older. We do not knowingly collect Personal Information from individuals under 18.

If we become aware that we have inadvertently collected Personal Information from a person under 18, we will delete such information promptly and terminate the associated account.

Parents, guardians, or any person who believes a minor has provided Personal Information to ThioSuxa is encouraged to contact our Grievance Officer immediately for account removal.

Under the DPDP Act 2023 Section 9, we do not process children's Personal Information for tracking, behavioural monitoring, or targeted advertising.

9. Data Security

We implement reasonable and appropriate technical, administrative, and organisational security measures to protect Personal Information against unauthorised access, use, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (HTTPS/TLS)
• Secure data storage via our infrastructure provider (Graphy and its cloud service providers)
• Access controls limiting Personal Information to authorised personnel
• Contractual data protection obligations imposed on service providers
• Regular security reviews

Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and You acknowledge this limitation when sharing information with us.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in risk to Learners, ThioSuxa will:

• (a) Take prompt action to investigate and contain the breach;
• (b) Notify affected Learners without undue delay;
• (c) Notify the Data Protection Board of India in accordance with the DPDP Act 2023;
• (d) Notify the relevant Supervisory Authority within 72 hours where required by GDPR;
• (e) Implement remedial measures to prevent recurrence.

11. Cross-Border Data Transfers

ThioSuxa operates from India. Your Personal Information is primarily stored and processed on servers located in India, operated by our infrastructure provider (Graphy) and its underlying cloud service providers.

In some cases, Personal Information may be transferred to, stored, or processed in countries other than Your country of residence, where our service providers operate. Such transfers are safeguarded by:

• (a) Contractual commitments with service providers, including Standard Contractual Clauses where applicable;
• (b) Compliance with DPDP Act 2023 Section 16 restrictions on cross-border transfer;
• (c) Adequacy decisions where available under GDPR;
• (d) Your explicit consent, where required.

By using the Platform, You consent to the transfer of Your Personal Information to India and other jurisdictions as described herein.

12. Third-Party Links and Services

The Platform may contain links to third-party websites or services (including payment processors, examining body websites, and educational references). ThioSuxa is not responsible for the privacy practices or content of such third parties. We encourage You to review the privacy policies of any third-party services You interact with through the Platform.

14. Modifications to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified via the Platform or email. The "Last Updated" date at the top of this Policy indicates when the most recent changes were made. Your continued use of the Platform following notification of changes constitutes acceptance of the updated Policy.

15. Grievances and Grievance Officer

In accordance with the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and applicable rules, ThioSuxa has designated the following Grievance Officer to address formal Learner concerns relating to Personal Information, platform conduct, or service delivery:

What Constitutes a Grievance

A grievance under this Policy includes, but is not limited to, complaints regarding:

• (a) Processing, storage, or disclosure of Your Personal Information;
• (b) Exercise of Your rights under applicable Data Protection Laws, including access, correction, erasure, or data portability;
• (c) Suspected or actual data breaches affecting Your information;
• (d) Violations of this Privacy Policy or our Terms of Use;
• (e) Content published on the Platform that You believe infringes Your rights, including intellectual property, privacy, or personality rights;
• (f) Harassment, abuse, or inappropriate conduct by other Learners on Public Forums;
• (g) Material deficiencies in Content or services that were not disclosed at the time of purchase;
• (h) Any other matter requiring formal redress under applicable law.

What is Not a Grievance

General support queries, product questions, technical assistance requests, feedback on Content, or routine operational issues (such as password resets, payment confirmations, or feature enquiries) are not grievances. These should be directed to support@thiosuxa.com and will be addressed through our standard support channels.

Response Timelines

• Grievances will be acknowledged within 48 hours of receipt
• Grievances will be resolved within 30 days, or such other timeframe as required by applicable law
• If a grievance requires longer investigation, You will be informed of the expected timeline

Escalation

If You are dissatisfied with the resolution provided by our Grievance Officer, You may escalate the matter to:

• (a) The Data Protection Board of India (for DPDP Act matters);
• (b) The relevant consumer forum under the Consumer Protection Act, 2019 (for service-related matters);
• (c) Your local Supervisory Authority (for GDPR/UK GDPR matters, if applicable);
• (d) The courts of competent jurisdiction as provided in our Terms of Use.

For general queries or support requests that are not grievances, please contact us at support@thiosuxa.com .

16. Contact Us

If You have any questions, concerns, or queries about this Privacy Policy or our data practices, please write to us at: