Privacy Policy
Last Updated: February 3, 2026
Effective Date: February 3, 2026
Executive Summary
FMGEPrep is an FMGE exam preparation platform operated by FMGEPrep ("we," "us," or "our"). We collect your account information (name, email via Google OAuth), learning data (test attempts, progress), device information, and payment details (processed securely by Razorpay). We use Firebase for analytics and crash reporting on our mobile app. Your data is stored on encrypted servers, primarily in India, with some services hosted internationally. You have rights to access, correct, delete, and port your data under Indian law. We do not sell your personal information.
DPDP Act 2023 Compliance Statement
This Privacy Policy is drafted in compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
- Data Fiduciary: FMGEPrep acts as a Data Fiduciary under the DPDP Act
- Lawful Purpose: We process your data only for specified, lawful purposes disclosed in this policy
- Consent: We obtain your consent before collecting personal data, with granular options for analytics
- Data Minimization: We collect only data necessary to provide our educational services
- Accuracy: We maintain reasonable accuracy of personal data and provide correction mechanisms
- Storage Limitation: We retain data only as long as necessary for the stated purposes
- Security: We implement reasonable security safeguards to protect your data
Scope of This Policy
This Privacy Policy applies to:
- FMGEPrep Website: www.fmgeprep.com and all subdomains
- FMGEPrep Android App: Available on Google Play Store
- Related Services: APIs, payment processing, and customer support
By using our platform, you consent to the collection and use of information as described in this policy. If you do not agree, please do not use our services.
Information We Collect
A. Information You Provide
- Account Information: Name, email address, profile picture (via Google OAuth)
- Payment Information: Name, email, phone number, billing address, state, city, pincode (card details are NOT stored - handled by Razorpay)
- Support Communications: Messages, feedback, and queries you send us
B. Information Collected Automatically
Web Platform (fmgeprep.com)
- Usage Data: Test attempts, answers, bookmarks, progress, performance analytics
- Session Data: Current question position, time spent, visited questions (LocalStorage)
- Device Information: IP address, browser type, operating system, screen resolution
- Cookies: Session cookies, authentication tokens, preference settings
- Analytics Data: Page views, click patterns, feature usage (via Google Analytics)
Android App
- Device Information: Device model, Android version, unique device identifiers
- App Usage: Features used, session duration, navigation patterns
- Push Notification Tokens: FCM tokens for delivering notifications
- Crash Data: Error logs, stack traces, device state at time of crash (via Firebase Crashlytics)
- Performance Data: App launch time, network latency, frame rendering
- Image Cache: Medical images cached locally (up to 100MB) for faster loading
C. Android App Permissions
Our Android app requests the following permissions:
| Permission | Purpose |
|---|---|
| INTERNET | Connect to our servers for content and authentication |
| ACCESS_NETWORK_STATE | Check network connectivity status |
| POST_NOTIFICATIONS | Send study reminders and important updates |
We do NOT request camera, microphone, location, or contacts permissions.
How We Use Your Information
| Purpose | Legal Basis (DPDP Act) |
|---|---|
| Provide FMGE question bank service | Contract performance |
| Track progress and performance analytics | Contract performance + Consent |
| Process payments and manage subscriptions | Contract performance |
| Send transactional notifications | Legitimate interest |
| Analytics and service improvement | Consent (opt-out available) |
| Crash reporting and debugging | Legitimate interest |
| Fraud prevention and security | Legal obligation + Legitimate interest |
Google Play Data Safety Disclosure
As required by Google Play, here is our data collection summary for the Android app:
Data Collected:
| Data Type | Collected | Shared | Purpose |
|---|---|---|---|
| Name | Yes | No | Account functionality |
| Email | Yes | Payment processor only | Account, communications |
| Phone number | Optional | Payment processor only | Payment verification |
| Payment info | No (Razorpay handles) | N/A | N/A |
| App activity | Yes | Analytics (anonymized) | Service improvement |
| Crash logs | Yes | Firebase Crashlytics | Debugging |
| Device identifiers | Yes | Firebase (analytics) | Analytics, security |
Security Practices:
- Data encrypted in transit (HTTPS/TLS)
- Data encrypted at rest on our servers
- You can request data deletion via support@fmgeprep.com
Third-Party Services & Data Flows
We use the following third-party services that may process your data:
Google OAuth
Purpose: Secure authentication | Data: Name, email, profile picture
Google Privacy Policy
Razorpay
Purpose: Payment processing | Data: Name, email, phone, billing address
PCI DSS Level 1 Compliant - Card details never touch our servers
Razorpay Privacy Policy
Firebase Analytics (Mobile App)
Purpose: App usage analytics | Data: Device info, app events, user properties
Firebase Privacy Policy
Firebase Crashlytics (Mobile App)
Purpose: Crash reporting | Data: Crash logs, device state, stack traces
Firebase Privacy Policy
Firebase Cloud Messaging (Mobile App)
Purpose: Push notifications | Data: FCM tokens, notification preferences
Firebase Privacy Policy
Google Analytics (Web)
Purpose: Website analytics | Data: Page views, user behavior, demographics
Google Privacy Policy
Cross-Border Data Transfers
Your data may be transferred to and processed in countries outside India for the following purposes:
- Cloud Infrastructure: Our services use Vercel (global CDN) for hosting
- Analytics: Google Analytics and Firebase servers may be located in the USA
- Payment Processing: Razorpay processes payments within India
Where data is transferred internationally, we ensure appropriate safeguards are in place as required by the DPDP Act, 2023. You consent to such transfers by using our services.
Data Security
We implement industry-standard security measures:
Technical Measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Secure password hashing using bcrypt
- HTTP-only, secure cookies for session management
- Regular security audits and vulnerability assessments
Mobile App Security:
- Encrypted token storage (Android EncryptedSharedPreferences)
- Screenshot and screen recording prevention for exam content
- Authentication tokens excluded from device backups
- Certificate pinning for API communications
While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security of your data transmitted over the internet.
Data Breach Notification
In compliance with the DPDP Act, 2023, in the event of a personal data breach that is likely to cause harm to you:
- We will notify the Data Protection Board of India within 72 hours of becoming aware
- We will notify affected users without unreasonable delay
- Notification will include: nature of breach, data affected, likely consequences, and remedial measures
- We maintain an incident response plan and conduct regular breach simulation exercises
Your Rights Under DPDP Act
As a Data Principal, you have the following rights:
Right to Access
Request a summary of your personal data and processing activities
Response time: Within 30 days
Right to Correction
Request correction or completion of inaccurate/incomplete data
Response time: Within 15 days
Right to Erasure
Request deletion of your personal data
Acknowledgment: Within 72 hours | Completion: Within 30 days
Note: Some data may be retained for legal compliance (payment records: 7 years)
Right to Data Portability
Request your data in a structured, machine-readable format (JSON)
Data included: Profile, test history, progress, bookmarks
Right to Withdraw Consent
Withdraw consent for optional data processing (analytics)
Method: Email support@fmgeprep.com or app settings
To exercise any of these rights, email us at support@fmgeprep.com with subject line "Data Rights Request - [Right Name]".
Consent Management
Required Data (Core Functionality):
The following data processing is necessary for our service, and you cannot opt out of it:
- Account information for authentication
- Test attempts and responses for progress tracking
- Payment information for subscription management
Optional Data (Consent-Based):
You can opt out of the following:
- Analytics data collection (Firebase Analytics, Google Analytics)
- Promotional emails and notifications
- Performance monitoring data
To opt out: Email support@fmgeprep.com with subject "Opt-Out Request" specifying which data collection you wish to disable. Note: Opting out of analytics does not affect core functionality.
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account Data | Until account deletion + 30 days | Service provision |
| Test Attempts & Responses | Subscription period + 90 days | Progress review |
| Payment Records | 7 years | Indian tax regulations |
| LocalStorage Data | 1 hour or test submission | Resume functionality |
| Analytics Data | 26 months (Google default) | Service improvement |
| Crash Logs | 90 days | Debugging |
| Support Communications | 3 years | Service quality |
Cookies and Local Storage
Cookies We Use:
| Cookie | Type | Purpose |
|---|---|---|
| next-auth.session-token | Essential | Authentication |
| _ga, _gid | Analytics | Google Analytics |
LocalStorage Usage:
- test-state-[id]: Current test progress (expires: 1 hour)
- test-answers-[id]: Your answers during test (expires: submission)
- skipTrial: Trial preference flag
You can manage cookies through your browser settings. Disabling essential cookies will affect login functionality.
Children's Privacy
Our service is intended for medical students and professionals aged 18 years and above. We do not knowingly collect personal data from individuals under 18.
If you believe we have collected data from a minor, please contact us immediately at support@fmgeprep.com. We will take steps to delete such data promptly.
Information Sharing
We do not sell your personal information to third parties.
We may share your information only in these limited cases:
- Service Providers: With trusted partners who help operate our platform (under data processing agreements)
- Payment Processing: With Razorpay to process payments securely
- Analytics Providers: Anonymized/aggregated data with Google/Firebase for analytics
- Legal Requirements: When required by law, court order, or government request
- Safety: To protect rights, safety, or property of FMGEPrep, users, or the public
- Business Transfer: In connection with merger, acquisition, or sale of assets (with notice)
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top
- We will notify you via email or in-app notification for significant changes
- We will provide at least 30 days' notice before changes affecting your rights
- Continued use after changes constitutes acceptance
Contact Us
For any questions or concerns about this Privacy Policy or your data:
General Inquiries: support@fmgeprep.com
Website: www.fmgeprep.com
This Privacy Policy is governed by Indian laws, including the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
Any disputes arising from this Privacy Policy shall be subject to the exclusive jurisdiction of courts in India.