Privacy Policy
Last updated: 2026-05-21
Effective: 2026-05-21
Who We Are
PeakMocks is an independent exam-preparation platform serving Indian competitive-exam aspirants. We help you understand your eligibility, track your application milestones, and prepare with free mock tests.
PeakMocks is not affiliated with the Staff Selection Commission (SSC), Government of India, or any user ministry. We are an independent third party. All eligibility determinations and application decisions rest exclusively with the relevant government authority.
What Data We Collect, Why, and How Long We Keep It
Every data-collection point is listed below, with purpose and retention period.
| Data | Consent basis | Purpose | Retention |
|---|---|---|---|
| Email address | Explicit consent at account signup | Account access, password reset, exam-date reminders | Until account deletion + 30-day encrypted-backup window, then permanently purged |
| Name | Explicit consent at account signup | Personalised dashboard display | Until account deletion + 30-day backup window |
| Date of Birth (DOB) | Explicit consent on EligibilityChecker first use | Age-band eligibility calculation under SSC/DoP&T rules | 12 months from entry, or until account deletion (whichever is earlier) |
| Category β SC / ST / OBC / EWS / UR (SPDI) | Explicit consent on EligibilityChecker first use | Category-specific eligibility verdict and age-relaxation calculation | 12 months from entry, or until account deletion |
| Disability type and degree (SPDI) | Explicit consent on EligibilityChecker first use | PwBD eligibility, scribe/compensatory-time entitlement, Aadhaar-exemption awareness | 12 months from entry, or until account deletion |
| Educational qualification and region | Explicit consent on EligibilityChecker first use | Post-eligibility verdict (post preferences, regional posts) | 12 months from entry, or until account deletion |
| ApplicationProgress milestone state | Explicit consent on MilestoneTracker first write | Cycle-progress display, step-completion reminders | 24 months after cycle year closes, then permanently deleted |
| Cookie data | Essential: always on. Analytics/marketing: explicit opt-in via banner | Session management, CSRF protection, authenticated access; anonymised usage analytics; opt-in reminders | Essential: session lifetime. Analytics/marketing: 12 months max |
What We Do NOT Collect
We explicitly do not collect or store:
- Aadhaar number, Aadhaar OTP, biometric data. We never ask for or store your Aadhaar. The Aadhaar Flowchart is an informational guide to SSC's portal β verification happens on SSC's own site, not ours.
- SSC application acknowledgement number or payment transaction ID. These are accepted as optional voluntary fields in MilestoneTracker if you want a personal record, but we recommend not entering them. We do not need them to function.
- Caste certificate scans, disability certificate scans, or identity proofs. Never, under any circumstance.
- Bank account details, UPI IDs, or payment card numbers. PeakMocks is free. We do not process payments.
- Contact list, GPS location, camera, microphone, or device-sensor data. Not collected.
PhotoSignatureChecker Disclosure
The PhotoSignatureChecker tool runs entirely in your browser using the Canvas API. Your photos and signatures never leave your device. No image is transmitted to our servers. The check is a heuristic only β pixel-dimension and file-size validation against published SSC guidelines. It is not affiliated with SSC and does not guarantee acceptance. Final acceptance is determined solely by SSC's portal.
Sub-Processors
We use these third-party infrastructure providers. We do not share your personal data with advertising networks, data brokers, or marketing analytics platforms.
| Provider | Role | Location |
|---|---|---|
| Cloudflare | CDN, edge cache, WAF, DDoS mitigation | Global edge network including India POPs |
| PostgreSQL (self-hosted) | Primary data store β all personal data | India (specific region: TBD β same region as production host) |
| Redis (self-hosted) | Ephemeral session cache + rate-limit counters only. No PII at rest. | Same host as DB |
| AWS SES (or equivalent β TBD) | Transactional email (reminders, OTP, welcome) | AWS region TBD |
| FCM / Web Push | Push notifications (opt-in only) | Google infrastructure |
| Anthropic | Not used. Hindi translation was removed from scope (2026-05-21). No data is sent to Anthropic. | β |
Your Rights (DPDP Act 2023)
Access and Portability (DPDP Β§11)
Request a machine-readable copy of all personal data we hold about you.
- Self-serve (instant): Visit
/api/v1/me/export.jsonwhile logged in. Your browser will download a JSON file with your full data. - By email: [email protected] β we respond within 30 days.
Erasure / Right to Be Forgotten (DPDP Β§12)
Request permanent deletion of your account and all associated personal data.
- Self-serve: Send
POST /api/v1/me/deletewith body{"confirm": "DELETE_MY_ACCOUNT"}(auth required). Hard-deleted immediately from live database. Encrypted backups purged within 30 days. - By email: [email protected] β completed within 30 days of verification.
Correction
Update name, email, and preferences in Account Settings. Re-run EligibilityChecker to overwrite SPDI fields. Or email us.
Withdraw Consent
Withdraw consent for any data-collection point at any time. Revoking EligibilityChecker consent deletes your quiz responses immediately. Cookie consent is managed via the banner.
Grievance / DPO Contact
Email: [email protected] (TBD: a dedicated [email protected] once provisioned). Grievances acknowledged within 48 hours and resolved within 30 days.
Children
PeakMocks is intended for users 18 years of age and older. The EligibilityChecker includes an age-gate; users under 18 see a parental-consent notice and their responses are not silently stored. If we learn we have collected data from a user under 18 without verifiable parental consent, we delete it within 30 days of discovery.
Security
- Transport: HTTPS everywhere. Strict Transport Security enforced at Cloudflare edge.
- Field-level encryption (P3.20 β upcoming): SPDI fields (category, disability, DOB) encrypted at rest using pgcrypto with a separately-managed key.
- Backups: Encrypted at rest on Cloudflare R2 with separate access credentials.
- No third-party JS tracking: No Google Analytics, Facebook Pixel, or ad-network scripts. Analytics are server-side only.
- Audit log: All privileged mutations are written to an append-only audit_logs table.
Cross-Border Data Transfer
Cloudflare serves your traffic from the nearest Point of Presence, which may be outside India. DPDP Act Β§16 permits this; no blacklisted countries are in Cloudflare's network. No personal data (other than anonymous request metadata) is stored outside India at the database layer.
Cookie Policy
See the cookie-consent banner on any page for your current preferences. Three categories:
| Category | Always on? | Description |
|---|---|---|
| Essential | Yes β required for service | Session cookie, CSRF token, authentication token. Without these, login does not work. |
| Analytics | Opt-in | Anonymised server-side usage signals. No third-party JavaScript. No cross-site tracking. |
| Marketing | Opt-in; off by default | Cycle-announcement emails and push reminders. You can also manage these in notification settings. |
Changes to This Policy
We will notify registered users via email if we make material changes. Each historical version is preserved in data/legal/ for audit. The βLast updatedβ date at the top reflects the current version.
Contact
Email: [email protected]
TBD: dedicated [email protected] once provisioned.
PeakMocks Β· Independent exam-prep platform Β· India