
Legal

Privacy Policy

Effective: 7 May 2026

In short

  • We let you sign in with Google. From Google we receive your email, name, and profile picture — nothing else.
  • We store your progress and any content you create as you use the interactive features of the site, to make your gamified experience better.
  • We use Google Analytics to understand how the site is used.
  • We never sell your data and we never store passwords.
  • You can ask us to export or delete your data at any time by emailing privacy@abyasam.com.

1. Who runs Abyasam

Abyasam (https://abyasam.com) is a multilingual educational website focused on Indian culture, Sanskrit, and scriptures. The site is currently operated by an individual, not a registered company or organisation. References to "we" throughout this policy refer to the individual operator of the site.

This policy explains what information the site collects when you use it, why it is collected, who it is shared with, and what choices you have. For any privacy question or request, write to privacy@abyasam.com.

2. Information we collect

2.1 Account information (Google sign-in)

Sign-in is handled exclusively through Google OAuth. We do not run a username/password system, and we never see or store your Google password. When you sign in, Google sends us a signed identity token containing:

  • your email address;
  • your name (as set on your Google account);
  • your profile picture URL;
  • a stable Google user ID (the OAuth sub claim) which we use to recognise you on return visits.

We store these along with basic account timestamps to power your gamified experience on the site.

2.2 Learning & activity data

As you use the interactive features of the site, we keep a record of your activity and progress to power your gamified experience.

2.3 Content you create

  • Subhashitam (verse) favourites — the verses you save.
  • Subhashitam comments — comments you post on verses (up to 2,000 characters). These are publicly visible and shown next to your name and profile picture.
  • Subhashitam tags — short tags you attach to verses, stored in lowercase.
  • Mailing-list signups — if you submit the newsletter form, we keep your name and email in a subscribers table until you ask to be removed.
  • Quiz-completion certificates — if you submit your name, email, and score through the certificate form, we store that submission and email you a PNG certificate via transactional SMTP.
  • Brand Identity tool inputs — if you use this tool, we keep the brand name, industry, dharmic tradition, language, and country you selected.
  • Color Palette tool inputs — the dharmic theme and language you chose.

2.4 Technical & log data

For security, debugging, and abuse prevention we generate structured server logs of every HTTP request. Each log line contains: the request method and path, the response status code and latency, the requesting IP address, the request Origin header, and a boolean flag indicating whether your auth cookie was present. We do not currently log User-Agent strings.

For the lighter analytics tables (blog reads, palette requests, brand-identity requests) we store an SHA-256 hash of the IP address rather than the raw IP, alongside your country (derived from a Cloudflare request header). Hashing makes casual cross-referencing harder but is not a guarantee of irreversibility.

We log automated scanner attempts (e.g. probes for .env files) with the originating IP, to support blocking and incident response.

2.5 Cookies & browser storage

We set one cookie, aby_session, to keep you signed in. It lasts 7 days and is configured so it can only be sent over HTTPS and cannot be read by JavaScript.

We also use a small amount of browser storage to remember your language preference, save your game progress when you are not signed in, and remember which onboarding tours you have dismissed. Nothing in this storage identifies you to us.

2.6 Analytics

We use Google Analytics 4 to understand how the site is used. It records page views, blog reads, and when you open or unlock gated sections of a blog post. If you are signed in, these events are linked to your user id. Google Analytics also collects its own standard signals (IP address, device, approximate location, etc.) governed by Google's privacy policy.

2.7 What we do not collect

  • No passwords (Google OAuth only).
  • No date of birth, age, gender (other than the avatar gender you choose in the Household Explorer game), phone number, postal address, or payment data.
  • No biometric data and no precise device geolocation — we only know your country, derived from a Cloudflare header.
  • No User-Agent strings in our application logs.
  • No advertising cookies, tracking pixels, Google Tag Manager, Facebook Pixel, Hotjar, Mixpanel, or Segment.

3. How we use your information

  • To authenticate you and keep you signed in.
  • To save your learning progress, scores, and content (favourites, comments, tags) so they persist across visits.
  • To deliver the Color Palette and Brand Identity tools, which call Anthropic's Claude API with the inputs you provide (see section 5).
  • To send transactional emails (e.g. quiz-completion certificates).
  • To prevent abuse and detect attacks (rate limiting, scanner detection, log review).
  • To understand aggregated usage patterns through analytics so we can improve the platform.

4. Who we share data with

We do not sell your personal data. We share data only with the third parties listed below, and only the data needed for them to perform their function:

Recipient | Purpose | Data shared
Google (OAuth) | Verifies your sign-in | The Google ID token plus our client ID
Google Analytics 4 | Aggregated usage analytics | Page views, blog interactions, optional user id
Google Search Console | Site verification only | Verification meta tag — no visitor data
Microsoft Bing Webmaster Tools | Site verification only | Verification meta tag — no visitor data
Google Fonts | Font delivery (Devanagari, Telugu, Latin) | Your IP address and User-Agent (standard CDN request)
Anthropic (Claude API) | Generates output for the Color Palette and Brand Identity tools | The theme/brand inputs and language you selected. No user id, no email, no IP address.
Hostinger SMTP | Sends transactional emails (certificates) | Recipient email, name, score, certificate PNG
Cloudflare | CDN, DDoS protection, country detection | Standard request metadata (IP, headers)
Unsplash | Stock images embedded on some pages | Your IP and User-Agent (standard CDN request)
Hostinger | Hosts the site and database | All data we store

We may also disclose data when required by law, to enforce our terms, or to protect our rights, users, or systems.

5. Data retention

Current retention practices:

  • Account & learning data — kept until you ask us to delete your account, after which it is purged within 30 days, except where law requires longer retention.
  • Server logs — currently retained without an automatic purge schedule; we plan to introduce a 30–90 day retention window.
  • Anonymous analytics rows (blog reads, palette and brand-identity requests) — currently kept indefinitely; planned default 13 months.
  • Quiz-certificate submissions — currently kept indefinitely; planned default 24 months.
  • Mailing-list entries — kept until you unsubscribe.

6. Your rights

Subject to applicable law (DPDP Act 2023 in India, GDPR in the EU/UK, CCPA in California, and similar regimes elsewhere), you have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your account and associated data;
  • withdraw consent for any processing that depends on your consent (this won't affect processing already done);
  • receive a copy of your data in a portable, machine-readable format;
  • object to processing based on our legitimate interests, where applicable.

There is no self-serve "delete my account" button yet — to exercise any of these rights, email privacy@abyasam.com from the email address associated with your account. We aim to respond within 30 days.

7. Children's data

Abyasam is an educational platform that may be used by children. We do not currently operate an age gate or a verifiable parental-consent flow. If you are a parent or guardian and you believe your child has signed in without your consent, email privacy@abyasam.com and we will delete the account. A parental-consent flow is planned before we actively invite under-age users.

8. Security

We follow defence-in-depth practices: HTTPS everywhere; auth tokens in HttpOnly + Secure + SameSite cookies (never in localStorage); a strict Content Security Policy via Helmet; parameterised SQL queries; Zod validation on all write endpoints; CORS allow-listing of trusted origins; and rate limiting on public, authentication, and AI-tool endpoints. No system is perfectly secure, but we work to minimise risk and will notify affected users if we ever experience a breach involving personal data.

9. Contact

For any privacy question or request, write to privacy@abyasam.com. Abyasam is operated by an individual; a registered postal address will be added here if and when the site is incorporated as a legal entity.