This Privacy Policy explains how AskMeAnything.life ("AskMeAnything", "AMA", "we", "our", or "us") collects, uses, stores, shares, and protects your personal data when you access our website, applications, live e-learning sessions, and AI-assisted features. We have prepared this policy in line with India's Digital Personal Data Protection Act, 2023 ("DPDP Act") and the DPDP Rules, 2025, with reference to the GDPR, the EU AI Act, and the AI governance principles of ISO/IEC 42001:2023 for users who interact with the platform's AI services.
AskMeAnything (AMA) is a live e-learning platform that connects learners with experienced professionals through live, interactive sessions. We value your privacy and are committed to handling your personal data lawfully, transparently, and securely.
This Privacy Policy applies to all users of askmeanything.life, including learners, mentors, visitors, and registered account holders. By creating an account, registering for a session, or otherwise using our services, you acknowledge that you have read and understood this Privacy Policy.
For the purposes of the DPDP Act, AskMeAnything is the Data Fiduciary responsible for determining the purpose and means of processing your personal data. You, the user, are the Data Principal.
We collect personal data directly from you, automatically as you use the platform, and from a limited set of trusted service providers (such as our payment gateway). The categories below reflect what is actually collected by AskMeAnything today.
OTP delivery, OTP entry, and reCAPTCHA risk scoring are handled by Firebase Authentication on Google's infrastructure — AMA does not see or store the OTP itself.
We do not collect this data today. This category will apply once AI features launch (see Section 5).
You may submit user-generated content (UGC) — including profile photos, mentor videos, pre-session questions, and post-session comments. UGC posted in public areas (such as a mentor's public profile or aggregated feedback shown alongside a session) will be visible to other users. Please do not include sensitive personal information in UGC.
Almost all data we hold is provided by you directly or generated by your activity on the platform. We additionally receive payment confirmations from Razorpay, OTP delivery receipts from Firebase, and analytics events via Google Analytics. We do not purchase data from data brokers or scrape third-party sources.
We use your personal data only for purposes that are clearly defined and reasonably connected to delivering the AMA service. Specifically, we use your information to:
Under the DPDP Act, all processing of personal data must rest on either consent (Section 6) or one of the eight enumerated certain legitimate uses (Section 7). The DPDP Act does not recognise a general "legitimate interests" basis. We map our processing activities to these bases as follows:
| Purpose | Data Used | Lawful Basis (DPDP Act) |
|---|---|---|
| Account creation, login, OTP authentication | Mobile, OTP, session cookie | Consent (Section 6) |
| Public mentor profile display | Mentor name, photo, bio, videos, stats | Consent — collected during mentor onboarding (AMA-managed) |
| Free session registration | Profile, session ID | Consent |
| Paid session registration & payment | Profile, session ID, payment data | Consent + performance of service the user requested |
| Pre-session Q&A delivery | User identity + question text | Consent |
| Post-session feedback (public, aggregated) | Rating, display name | Consent |
| Transactional notifications | Mobile, email | Consent (necessary for the service) |
| Marketing communications | Mobile, email | Separate, opt-in consent — required and revocable |
| Analytics and product improvement | Behavioural events, device data | Consent (cookie banner) |
| Fraud prevention, dispute resolution | Payment data, IP, logs | Certain Legitimate Uses (Section 7) |
| Compliance with law | Any data | Legal obligation (Section 7) |
You have the right to withdraw consent at any time. Withdrawing consent for processing essential to your account may require deletion of the account. Withdrawal does not affect the lawfulness of processing based on consent before withdrawal.
AskMeAnything plans to introduce artificial-intelligence- and machine-learning-assisted capabilities to enhance the learning experience — for example, to recommend sessions, surface relevant mentors, summarise content, support search, and assist users and our team. This section explains, in line with the AI transparency principles of ISO/IEC 42001:2023, how those AI features are intended to work and what choices you will have once they are released.
The AI features we are scoping for future release on AMA include:
For each AI feature we ship, we will document an intended purpose and the role a human plays in reviewing or overriding the AI's output. AI-generated suggestions and outputs on AMA will be assistive, not authoritative — they will support your decisions rather than replace them. Mentors and learners remain responsible for the substance of sessions, advice, and feedback. AMA staff will retain the ability to review and override automated moderation decisions.
To keep your information safe, please do not submit the following to AI prompts, chatbots, uploaded files, or any AI-driven interface on the platform:
Once AI features launch, we will use the AI Interaction Data described in Section 2 to:
We will not sell AI interaction data, and we will not use the content of your AI interactions to train foundation models offered to third parties. Where we use AI interaction data internally to improve our own features, we will work with aggregated or de-identified data wherever feasible.
Some AI features will be powered by third-party large language model (LLM) and machine learning providers acting as our data processors. When we send a prompt or content to such a provider on your behalf, we will do so under a written agreement consistent with Rule 16 of the DPDP Rules, 2025, which restricts the provider's use of the data to delivering the service to AMA. No AI sub-processor is engaged today; prospective AI sub-processors will be listed in Section 7 once selected, and users will be notified under Section 17 before the feature goes live. We will assess each AI provider for security, data handling, and responsible-AI commitments before onboarding and on a periodic basis thereafter.
AI systems can produce inaccurate, biased, outdated, or otherwise misleading outputs ("hallucinations"). We work to reduce these risks through prompt design, content filtering, human review of high-impact outputs, and feedback channels for users. Despite these measures, AI outputs may still contain errors. You should treat AI-generated content on AMA as informational and verify anything important before acting on it. AMA is not liable for decisions made solely on the basis of AI output where reasonable verification was not undertaken.
If you encounter an AI output that you believe is harmful, materially misleading, or discriminatory, please report it to our Grievance Officer (Section 18). We treat AI incidents through the same incident response process described in Section 16, and we maintain an internal register of AI incidents for continual improvement, consistent with the AI lifecycle and incident management controls of ISO/IEC 42001:2023 (Annex A.6 and A.8).
We use a small set of cookies and similar technologies to operate the platform, keep you signed in, prevent fraud, and understand how the service is used. We do not use cookies for cross-site behavioural advertising.
| Cookie / Tech | Purpose | Party | Duration |
|---|---|---|---|
Session cookie (sessionid) | Maintains your logged-in session | First-party | Until logout / expiry |
CSRF token (csrftoken) | Protects against cross-site request forgery | First-party | Session |
Google Analytics (_ga, _ga_<ID>) | Aggregated usage analytics | Third-party (Google) | Up to 2 years |
Essential cookies (session and CSRF) are loaded on first request because they are strictly necessary to deliver the service you have asked for. Non-essential cookies (such as Google Analytics) require your consent. We are rolling out a cookie consent banner that, once active, will gate non-essential cookies behind explicit consent for all users — including users in India under the DPDP Act and users in the EU / UK / EEA under the GDPR and ePrivacy Directive. Until the banner is live in your region, you can block analytics cookies through your browser settings, your device's tracking-protection controls, or by installing Google's official Google Analytics Opt-out Add-on. Some features of the platform may not function properly without essential cookies.
We share personal data only in the limited circumstances described below, and only to the extent necessary. We do not sell personal data.
| Processor | Role | Data Shared | Location |
|---|---|---|---|
| Razorpay Software Pvt. Ltd. | Payment processing | Name, email, mobile, amount, order metadata | India |
| Google LLC — Firebase Authentication & reCAPTCHA Enterprise | OTP delivery, OTP verification, abuse / bot protection | Mobile number (E.164), Firebase UID, device risk signals | US (with Google's SCCs and DPA) |
| Google LLC — Google Analytics | Web analytics | IP, device, behavioural events | US (with SCCs) |
| Google Cloud Platform | Application & database hosting (Cloud Run, Cloud SQL) | All stored personal data, encrypted | GCP region: us-central1 (Iowa, United States) with Google's SCCs and DPA |
| Email service provider | Not currently in use — AMA does not operate a standalone transactional email pipeline today. Payment receipts are issued by Razorpay (above) on our behalf. When a dedicated email provider is onboarded, this row will be updated and users notified under Section 17. | — | — |
| AI / LLM provider(s) Future | Not yet engaged. When AI features launch (see Section 5), the selected provider(s) will be named here and users notified under Section 17. AI providers will be bound by a DPA prohibiting training on AMA data. | — | — |
All sub-processors are bound by data processing agreements (DPAs) consistent with Rule 16 of the DPDP Rules, 2025, requiring confidentiality, purpose-limitation, and appropriate security safeguards.
The AMA application and database are currently hosted on Google Cloud Platform in the us-central1 region (Iowa, United States). Firebase Authentication (which delivers and verifies OTPs and runs reCAPTCHA Enterprise risk scoring) and Google Analytics also process data on Google's infrastructure, primarily in the United States. Razorpay processes payment data within India.
This means that, today, the majority of your personal data is stored and processed in the United States under Google's Standard Contractual Clauses and Data Processing Addendum; payment data is processed in India by Razorpay.
Under Section 16 of the DPDP Act, personal data may be transferred to any country outside India except those specifically restricted by notification of the Central Government. The United States is not currently subject to any such restriction. We monitor such notifications and will comply with any restrictions imposed. Where data is transferred internationally, we apply contractual safeguards and require recipients to provide protections at least equivalent to those described in this policy.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, satisfy legal obligations, resolve disputes, and enforce our agreements. The specific retention periods we apply are:
| Data Category | Retention Period |
|---|---|
| Active account profile | Retained while your account remains active. We do not currently apply a fixed inactivity-based deletion period; you may request deletion at any time under Section 11. |
| OTP codes | Auto-expiry within 5-10 minutes |
| Session cookies | Until logout or session timeout |
| Session registrations & attendance | For the life of the session record (to support history and disputes) |
| Pre-session questions | Until the underlying session is deleted |
| Post-session feedback & comments | Retained while the session remains visible publicly |
| Mentor ↔ AMA staff chat | Retained for operational continuity. You may request deletion of your messages at any time under Section 11. |
| AI interaction data (prompts, outputs, feedback) | Up to 12 months for quality and safety review; you may request earlier deletion (Section 11) |
| Payment records | Minimum 8 years (Income Tax Act, GST, RBI guidance for payment intermediaries) |
| Web server / access logs | 90-180 days, then auto-rotated |
| Analytics data (Google Analytics) | Per GA settings (default 2 months; up to 14 months) |
When the retention period for a category of data ends, we either securely delete the data or anonymise it so it can no longer be linked to you.
We implement reasonable technical and organisational safeguards to protect personal data, in line with Section 8(3) of the DPDP Act and Rule 7 of the DPDP Rules, 2025. These include:
While we work hard to protect your data, no system on the internet is perfectly secure. If you believe your account has been compromised, please contact our Grievance Officer immediately (Section 18).
Under the DPDP Act and, where applicable, the GDPR / UK GDPR / CCPA, you have meaningful rights over your personal data. We will respond to verifiable requests within a reasonable period — typically within 7 days for first response and 30 days for resolution.
| Right | How to Exercise |
|---|---|
| Access — obtain a summary of personal data and processing | Email the Grievance Officer |
| Correction & updating | Real-time via your /account page; or by email |
| Erasure / account deletion | Self-service deletion (where available) or by email; we will delete data we are not legally required to retain |
| Withdrawal of consent | For marketing: unsubscribe link or settings page. For account-essential processing: deletion of the account |
| Grievance redressal | Email the Grievance Officer (Section 18). You must use this channel before approaching the Data Protection Board |
| Nominate — appoint someone to exercise rights in case of death or incapacity (DPDP Section 14) | Submit a written request to the Grievance Officer |
| Data portability (GDPR users) | Email the Grievance Officer |
| Object to processing (GDPR users) | Email the Grievance Officer; reviewed case-by-case |
| AI-related rights — transparency about AI features, request for human review of automated moderation decisions, opt-out of non-essential AI features, deletion of AI interaction history | See Section 5 for details; contact the Grievance Officer to exercise |
If you are dissatisfied with our response, you may escalate your complaint to the Data Protection Board of India, after first using our grievance mechanism as required under Rule 17 of the DPDP Rules, 2025.
Our services are intended for users aged 18 and above. We do not knowingly process personal data of children (defined under the DPDP Act as individuals under the age of 18) without verifiable parental consent.
If you believe a child has provided personal data to us, please contact our Grievance Officer (Section 18). We will promptly investigate, delete the data, and where appropriate, terminate the account. In line with Section 9 of the DPDP Act, we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.
You agree not to use AMA — including profile fields, mentor videos, pre-session questions, post-session comments, or chat — for:
Accounts found violating these rules may be suspended or terminated. Where misuse involves personal data, we will treat the matter as a privacy incident and respond accordingly.
The AMA platform may contain links to third-party websites, services, video conferencing tools, and resources. We are not responsible for the content, privacy practices, or security of those third parties. We encourage you to read the privacy notices of any third-party site or service before providing personal data.
We may disclose personal data without your consent only where it is necessary to:
When we receive a request from law enforcement, we evaluate it for legal validity and disclose only the minimum data legally required.
In the event of a personal data breach, we will follow our internal incident response process and, in line with Rule 6 of the DPDP Rules, 2025:
We extend the same incident-response framework to AI incidents — events such as significant biased outputs, harmful or discriminatory generations, prompt-injection compromises, AI provider data leaks, or material model failures. AI incidents are logged, investigated, and where they materially affect users or their personal data, communicated to those affected. This aligns with the AI incident management controls of ISO/IEC 42001:2023 (Annex A.8).
We will also cooperate with any investigation undertaken by the Board and document our response for audit purposes.
We may update this Privacy Policy from time to time to reflect changes in our practices, the law, or the platform. When we make material changes, we will update the "Last Updated" date at the top of this page and provide reasonable advance notice — typically by an in-app notice at next login and by email for users who have provided one, at least 30 days before the change takes effect, where feasible.
Continued use of the AMA services after the effective date of any update constitutes acceptance of the revised Privacy Policy.
In accordance with the DPDP Act and the Information Technology Rules, 2021, we have appointed a Grievance Officer to address your privacy-related concerns and exercise your rights as a Data Principal.
Our Grievance Officer is your first point of contact for any privacy concern, rights request, or complaint about how AMA handles your personal data.
For non-grievance privacy questions, comments, or suggestions, please reach out to us:
If you are not satisfied with the response from our Grievance Officer, you may file a complaint with the Data Protection Board of India through the digital portal once it is operational. As required under Rule 17 of the DPDP Rules, 2025, please first attempt resolution through our grievance mechanism before escalating to the Board.
This Privacy Policy is governed by the laws of India. Subject to the Data Principal rights and adjudication mechanisms under the DPDP Act, the courts at TBD jurisdiction shall have exclusive jurisdiction over any disputes arising out of this policy.