Legal

Privacy Policy for Speak Up

Effective date: 19 May 2026

Last updated: 19 May 2026

Applies to: Speak Up mobile application (Android), published on Google Play under the developer display name “Blood Boy Studios”.

1. Introduction

This Privacy Policy explains how the Speak Up mobile application (“the App”) collects, uses, stores, shares, and protects your personal information when you use it. By creating an account or otherwise using the App, you agree to the practices described in this Policy.

Speak Up is operated by an individual developer, not a company or registered organisation. Throughout this Policy, the words “I”, “me”, and “my” refer to that individual, identified in Section 2 below.

I have written this Policy in plain language so that you can clearly understand what I do with your data. If anything is unclear, please reach out using the contact details in Section 15.

This Policy is governed by the laws of India, including the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000 together with the rules made under it.

2. Who I am (the Data Fiduciary)

The “Data Fiduciary” under the DPDP Act, 2023 — that is, the person who decides why and how your personal data is processed — is an individual:

Ankita Paliwal, an individual residing in India. The App is published on Google Play under my personal (individual) developer account, using the developer display name “Blood Boy Studios”. “Blood Boy Studios” is only a publisher display name on Google Play; it is not a registered company, partnership, LLP, or any other separate legal entity.

Name (legal): Ankita Paliwal
Account type on Google Play: Personal / Individual
Developer display name on Google Play: Blood Boy Studios
Contact email: bloodboystudios@gmail.com

Because the App is run by a single individual, “I” and “the developer” are used interchangeably in this Policy.

3. Information I collect

I only collect what I need to operate the App, give you a working learning experience, process payments, and meet my legal obligations.

3.1 Information you provide to me

Category	Examples	When collected
Account identifiers	Mobile phone number (E.164 format)	When you register using mobile-number OTP
Google account data	Your name, email address, and Google profile picture	When you sign in with Google Sign-In
Profile preferences	Display name, UI language (English / Hindi), Hindi-meaning toggle, notification preferences	During onboarding and from in-app settings
Support correspondence	Any information you include when you email me	When you contact me

3.2 Information collected automatically

Category	Examples	Purpose
Learning progress	Lessons started/completed, exercise answers (correct/incorrect), XP, streaks, badges, scores, last-played lesson	To save your progress, unlock content, and run gamification
Device & technical data	Device model, OS version, app version, language/locale, IP address (transient, for API requests), Firebase Installation ID	To deliver the service, debug, and prevent fraud
Push notification token	Firebase Cloud Messaging (FCM) registration token	To send you learning reminders if you opt in
Diagnostic data	Crash stack traces, non-fatal errors, performance traces	Through Firebase Crashlytics, to fix bugs
Product analytics	Screen views, lesson funnel events, paywall events, button taps	Through Google Analytics for Firebase, to improve the App
Subscription status	Plan, status (active/expired), renewal date, anonymised payment reference IDs	To gate paid content; I never see or store your card or UPI details — see Section 5

3.3 What I do not collect

To remove any doubt, Speak Up Phase 1 does not collect or process:

Voice or audio recordings. All Text-to-Speech in Phase 1 runs on-device via the flutter_tts engine. I do not record your voice, I do not use the microphone, and no audio leaves your device.
Photos, videos, or files from your device.
Precise location (GPS). I do not request or use location permissions.
Contacts, calendar, SMS, or call logs.
Sensitive personal data such as health, biometric, financial account credentials, sexual orientation, religious or political beliefs, or caste.

If this changes in a future version (for example, when speech recognition is added in Phase 2), I will update this Policy and ask for your consent before any new collection begins.

4. How I use your information

I use your personal data only for the following purposes:

To provide the App — create and authenticate your account, save and sync your learning progress, deliver lesson content, run the gamification (XP, streaks, badges), and remember your preferences.
To process payments and subscriptions — verify subscription status with the payment processor and unlock paid content. I do not store card or UPI details myself.
To communicate with you — send transactional messages (OTP, payment receipts, subscription updates) and, if you opt in, learning reminders and streak nudges via push notifications.
To keep the App safe and working — detect bugs, prevent fraud, debug crashes, throttle abusive traffic, and improve stability.
To improve the App — understand which lessons and features work, where users get stuck, and where to invest content effort. I use aggregated and pseudonymous analytics for this.
To comply with the law— respond to lawful requests from courts, regulators, and law-enforcement authorities, and to enforce the App's Terms of Use.

Legal basis for processing (DPDP Act)

I process your data based on:

Your consent, given when you create an account, enable notifications, or opt into analytics. You can withdraw consent at any time (see Section 8).
The performance of a contract with you (delivering paid lessons after you subscribe).
My legal obligations (such as retaining payment invoices for tax purposes).
Legitimate uses as defined under Section 7 of the DPDP Act (e.g., responding to a medical emergency, complying with a court order).

5. How I share your information

I do not sell your personal data, and I do not share it for third-party advertising.

I share limited personal data with the following processors, only to the extent each one needs to perform its function:

Processor	What is shared	Purpose	Where data is processed
Google LLC (Google Sign-In)	Authentication tokens, your Google profile (name, email, photo) — only if you choose Google Sign-In	Sign-in	India / United States
Google Firebase (Cloud Messaging, Crashlytics, Installations, Google Analytics for Firebase)	FCM token, device & app identifiers, crash stack traces, non-fatal logs, pseudonymous analytics events (e.g., lesson_completed, paywall_viewed)	Push notifications, crash reporting, product analytics	Google data centres (multi-region)
Razorpay Software Pvt. Ltd.	Your name, mobile number, email, and payment instrument data (collected by Razorpay directly inside its payment sheet — I never see your card or UPI details)	Subscription payments, refunds	India
DigitalOcean, LLC	Encrypted API traffic, server-side copies of account data and learning progress, lesson content (images and pre-generated assets)	Application hosting (API servers, database, object storage for content)	India — Bangalore (BLR1) region. DigitalOcean is a US-incorporated company; data resides in India but is administered by a US legal entity.

Each of these processors is contractually bound (through its standard terms of service) to use your data only for the purposes I instruct, to keep it secure, and to delete it when no longer needed.

Legal disclosures

I may disclose personal data when required by law — for example, in response to a valid order from an Indian court, regulator, or law-enforcement authority, or where disclosure is necessary to prevent fraud, protect my legal rights, or protect the safety of any person.

Transfer of the App

If I sell, transfer, or otherwise hand over the App to another developer or entity in the future, your personal data may be transferred as part of that transaction. I will notify you in-app or by email before that happens, and the receiving party will be required to honour this Policy or a policy at least as protective.

6. Data storage, transfer, and security

Primary storage location: The application database and servers are hosted in India (DigitalOcean — Bangalore, BLR1 region).
International transfers:Some processors named in Section 5 store or administer data outside India. Google Firebase services (FCM, Crashlytics, Google Analytics for Firebase) process data in Google's multi-region data centres, including the United States. DigitalOcean keeps the data in India but is a US-incorporated company that administers the underlying infrastructure. I rely on the safeguards offered by those processors and on the cross-border-transfer mechanisms permitted under the DPDP Act, 2023.
In transit: All communication between the App and the servers uses TLS 1.3 encryption.
At rest:Passwords are never stored. Authentication tokens on your device are stored using the platform's secure storage (Android Keystore via flutter_secure_storage). Server-side databases and object storage are encrypted at rest by DigitalOcean.
Access controls: Production systems are accessed only by me; access is protected by strong authentication and logged.
No system is perfectly secure. If I ever discover a personal-data breach that is likely to cause harm, I will notify affected users and the Data Protection Board of India as required under the DPDP Act.

7. Data retention

I keep your personal data only as long as I need it for the purposes described in this Policy.

Data category	Retention
Account data (phone, name, email, preferences)	While your account is active. If you delete your account, I keep it for 30 days as a grace period, then permanently delete it.
Learning progress (XP, streaks, lesson history)	Same as above — deleted with your account after the 30-day grace period
Push notification tokens	Until you uninstall the App, disable notifications, or delete your account
Crash and diagnostic logs	Up to 90 days, then deleted or aggregated
Analytics events (Google Analytics for Firebase)	Up to 14 months, in line with Google Analytics for Firebase's default retention, then deleted or aggregated
Payment and subscription records	Up to 8 years after the transaction, to comply with Indian tax and accounting laws (e.g., GST, Income Tax Act)
Support correspondence	Up to 24 months after the last interaction

After the retention period, I either permanently delete the data or anonymise it so it can no longer be linked back to you.

8. Your rights

Under the DPDP Act, 2023, you have the following rights regarding the personal data I hold about you. You can exercise any of these by emailing bloodboystudios@gmail.com from the email/phone number linked to your account.

Right	What it means
Right to access	Request a summary of the personal data I process about you and the processors I share it with
Right to correction & updating	Ask me to correct inaccurate, incomplete, or outdated information. You can update most of this yourself from the App's Settings screen
Right to erasure	Ask me to delete your personal data when it is no longer needed for the purposes for which it was collected. You can also delete your account directly from Settings → Account → Delete Account
Right to withdraw consent	Withdraw your consent for processing at any time. Withdrawal does not affect the lawfulness of processing done before the withdrawal
Right to grievance redressal	Contact me as the Grievance Officer (Section 15) if you are unhappy with how your data is handled
Right to nominate	Nominate another person to exercise your rights in the event of your death or incapacity

I will respond to all valid requests within 30 days. I may need to verify your identity before acting on a request, to protect your data from unauthorised disclosure.

9. App permissions

Speak Up requests only the following permissions on Android. Each one is used solely for the purpose described below.

Permission	Why it is needed
`INTERNET`, `ACCESS_NETWORK_STATE`	To talk to the App's servers and stream lesson content
`POST_NOTIFICATIONS` (Android 13+)	To show learning-reminder and streak notifications — only after you say yes
`BILLING` / payment-related	To launch the Razorpay payment sheet for subscriptions
`VIBRATE`	Subtle haptics on correct/incorrect answers

The App does not request: Microphone, Camera, Location, Contacts, SMS, Storage (legacy), or any “Restricted Permission” as defined by Google Play.

10. Children's privacy

Speak Up is intended for users aged 13 years and above.

I do not knowingly collect personal data from children under 13.
For users aged 13 to 17 (minors), the DPDP Act, 2023 requires the verifiable consent of a parent or lawful guardian before any personal data is processed. By using the App, a minor user confirms that such consent has been obtained.
I will not perform tracking, behavioural monitoring, or targeted advertising directed at minors.
If you are a parent or guardian and believe that a child under 13 has provided personal data through the App, or that consent was not properly given for a minor between 13 and 17, please email bloodboystudios@gmail.com and I will delete the data promptly.

11. Push notifications

If you grant the notification permission, I may send you:

Daily streak reminders
Re-engagement nudges (after 3 days of inactivity, stopping after 7 days of no use)
Transactional updates (payment success, subscription expiry)

You can turn any of these off at any time from Settings → Notifications inside the App, or from your Android system settings.

12. Payments

Subscription payments are processed by Razorpay Software Pvt. Ltd., a payment aggregator regulated by the Reserve Bank of India.

Your card number, CVV, UPI ID, and bank credentials are entered directly into Razorpay's payment sheet. I never see, transmit, or store them.
I only receive the result of the transaction (success/failure), a transaction reference, your subscription plan, and the renewal date.
Razorpay's processing of your payment data is governed by its own privacy policy, available at https://razorpay.com/privacy/.
For refunds, billing disputes, or chargebacks, email bloodboystudios@gmail.com. I will respond within 7 working days.

13. Cookies and similar technologies

Speak Up is a native Android application and does not use browser cookies. It does use device-level identifiers (Firebase Installation ID, FCM token, and the pseudonymous app-instance ID used by Google Analytics for Firebase) for the purposes described in this Policy. These identifiers are reset if you reinstall the App, or if you clear the app's storage from Android system settings.

14. Changes to this Privacy Policy

I may update this Policy from time to time — for example, when new features are added, processors change, or to reflect changes in the law.

When I make a change, I will update the “Last updated” date at the top of this Policy.
If the change is significant (for example, a new category of data, a new processor, or a new purpose), I will give you advance notice in the App or by email and, where required by law, ask for your fresh consent.
The current version of this Policy is always available inside the App at Settings → Privacy Policy and at https://www.speakupnow.world/privacy.

15. Grievance Officer and contact details

If you have any questions, requests, or complaints about how your personal data is handled, please reach out — I want to help.

Because Speak Up is run by a single individual, the same person serves as both the contact point for general privacy matters and the Grievance Officer required under Rule 5(9) of the Information Technology (Reasonable Security Practices) Rules, 2011 and Section 8(9) of the DPDP Act, 2023.

Name: Ankita Paliwal
Designation: Data Fiduciary and Grievance Officer
Capacity: Individual developer (sole operator of the App)
Email: bloodboystudios@gmail.com

I will acknowledge your grievance within 48 hours of receiving it and resolve it within 30 days.

If you remain unsatisfied with my response, you have the right to escalate your complaint to the Data Protection Board of India under the DPDP Act, 2023.

Speak Up is an independent app made by an individual developer in India. Thank you for trusting me with your learning journey.