Privacy Policy
r-statistics.co ("we", "us", "our") is operated by Selva Prabhakaran as a sole proprietorship registered in India. This Privacy Policy explains what personal data we collect, why we collect it, how we store and share it, and the rights you have over your data.
1. Data we collect
a) Account data (Pro subscribers only)
- Email address (used for sign-in and transactional emails)
- Display name and avatar (if you set them)
- Country (auto-detected from IP at signup; used for tax routing)
- Authentication provider (Google, GitHub, or magic-link email) and provider user ID
b) Usage and progress data
- Pages read, scroll position, time on page (saved as "reading progress")
- Bookmarks / saved posts
- Exercise submissions (code you submit, whether it passed, hints used, XP awarded)
- Quiz / certification attempts (questions, answers, score)
- Streak data (last active date, current streak length)
- Upvotes and comments you submit
c) Billing data
- Subscription plan, status, current period end date
- Customer ID from the payment processor (Paddle or Razorpay)
- We do not store card numbers, CVV, or bank account credentials. Those are handled directly by the payment processor.
d) Technical data (all visitors)
- IP address (used briefly for rate-limiting, fraud prevention, and country detection; not stored long-term)
- Anonymous analytics: page views, referrer, country, device type (collected via Cloudflare Web Analytics; no cookies, no cross-site tracking)
- Server logs (request URL, status code, timestamp; rotated after 30 days)
e) Active session metadata (signed-in users only)
To power the "Active sessions" panel in your account (so you can see which devices are signed in and revoke any you don't recognise), we store for each active session:
- A device label derived from your browser's User-Agent string (e.g. "Chrome on Mac", "Safari on iPhone"). The full User-Agent string is also kept as a fallback.
- The session start timestamp, the most recent activity timestamp ("last seen"), and the natural expiry timestamp.
We do not store your IP address or any geolocation against the session. Session rows are deleted when you revoke the session, when it expires naturally, or when you delete your account.
2. Why we collect this data
- Account operation: to identify you, sign you in, and personalize the experience
- Service delivery: to track your progress, save your bookmarks, grade exercises, issue certificates
- Billing: to process subscription payments and issue tax invoices
- Communication: transactional emails (magic links, receipts, dunning) and (only if you opt in) our weekly newsletter
- Security and abuse prevention: rate-limiting, trial abuse detection, fraud signals
- Aggregate analytics: to understand which content is read, where users come from, what features are used (always in aggregate; never to track individuals across sites)
- Legal compliance: tax reporting, retention obligations, lawful requests from authorities
3. Legal basis (for visitors in GDPR jurisdictions)
- Account creation and Pro features: contract (you cannot use the Pro Service without these)
- Newsletter: consent (opt-in only; one-click unsubscribe)
- Analytics: legitimate interest (aggregate, non-identifying)
- Security: legitimate interest
- Tax and accounting: legal obligation
4. Sub-processors
We share data with these third-party services strictly for the purposes listed:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Cloudflare (Pages, Workers, D1, R2, KV) | Hosting and edge compute | All technical and account data | Global edge; primary in selected region |
| Supabase | Authentication (magic links, OAuth) | Email, display name, provider ID | US East (Virginia) |
| Paddle | International subscription billing (Merchant of Record) | Email, name, billing address, payment method (handled by Paddle, not us) | UK / EU / US (Paddle decides) |
| Razorpay | Indian customer billing | Same as Paddle for Indian customers | India |
| Zoho ZeptoMail | Transactional emails (magic links, receipts, dunning) | Email address, message content | India / EU / US (region-configured) |
| Zoho Campaigns | Weekly newsletter (opt-in only) | Email address, name, unsubscribe status | India / Ireland / US |
| Sentry | Error monitoring | Anonymized error context (no personal data unless it appears in an error message; sanitized) | US / EU |
Each sub-processor has its own privacy policy and data-processing agreement. We do not sell or trade your data with any party outside this list.
5. Cookies
We use cookies for these purposes:
- Strictly necessary: session cookies set by Supabase Auth to keep you signed in; CSRF protection tokens. These cannot be turned off without breaking sign-in.
- Preferences: dark-mode toggle, dismissed banners. Stored locally in your browser; not sent to our servers.
- Payment: when you start a checkout, Paddle or Razorpay may set cookies for fraud prevention.
We do not use advertising cookies, cross-site trackers, or third-party marketing pixels. Our analytics (Cloudflare Web Analytics) is cookieless.
6. Data retention
- Active accounts: data is retained as long as your account exists.
- Deleted accounts: data is soft-deleted on request and hard-deleted (anonymized) 30 days later. Aggregate counters (votes, leaderboard rank) preserve the data point but anonymize the user reference.
- Billing records: retained for 7 years as required by Indian tax law, even after account deletion. Stored in encrypted form.
- Server logs: rotated and deleted after 30 days.
- Webhook events: retained for 90 days for debugging and idempotency, then purged.
7. Your rights
Under GDPR, the Indian Digital Personal Data Protection Act 2023, and similar laws, you have the right to:
- Access the personal data we hold about you (request via email; we deliver within 30 days)
- Correct inaccurate data (most fields are editable in your account settings)
- Delete your account and associated data (email us or use the account settings page)
- Export your data in a portable format (JSON + CSV bundle; we email a download link)
- Object to certain processing (e.g. unsubscribe from the newsletter)
- Withdraw consent at any time (where consent is the legal basis)
- Lodge a complaint with your local data protection authority
To exercise any of these rights, email selva86@gmail.com. We respond within 30 days.
8. Children's data
The Service is not directed at children under 13. We do not knowingly collect data from anyone under 13. If you believe we have collected data from a child under 13, email us and we will delete it.
9. International data transfers
We are based in India. Our sub-processors are based in various countries (see section 4). Your data may be transferred to, stored in, or processed in any of these locations. For transfers from the EU/UK, we rely on Standard Contractual Clauses with each sub-processor.
10. Security
We use industry-standard measures to protect your data, including TLS encryption in transit, encryption at rest for billing records, JWT-based authentication, hashed session tokens, and rate-limiting against brute-force attacks. No system is 100% secure; if a breach occurs, we will notify affected users within 72 hours.
11. Changes to this policy
We may update this policy. Material changes (new sub-processors, expanded data collection, changes to retention) will be announced by email at least 14 days before taking effect.
12. Contact
For privacy questions, data requests, or DPO contact, email selva86@gmail.com with the subject "Privacy". We act as a sole-proprietor data controller; no separate DPO is appointed.