Privacy Policy — CafeTele

01 Who we are

CafeTele (operating at cafetele.com) is a telecom training platform headquartered in India. When this policy says "we", "us", "our" or "CafeTele", that's who we mean.

For privacy questions you can always reach us at [email protected].

02 What data we collect

Data you give us directly

Account: name, email, password (hashed with bcrypt — we never see plaintext).
Course progress: which lessons you've watched, how far through, when you completed them.
Optional profile: avatar, role/job title, bio if you choose to add them.
Communications: emails you send us, support tickets, course feedback.

Data collected automatically

Server logs: IP address, user-agent, pages visited, timestamps. Retained 30 days, used for security & abuse detection.
Analytics: aggregated page views & session counts via Google Analytics on marketing pages only — never inside paid courses.
Tool inputs: if you use our free tools (CellScope Pro, MML parsers, etc.) the inputs are processed in your browser. We do not transmit your project data to our servers unless you explicitly save it to your account.

03 Why we collect it

Provide the service: account login, course access, certificate generation.
Track learning progress: so you can resume from where you left off and we can show "47 of 68 lessons completed".
Process payments for paid courses (via Razorpay — see §06).
Improve the platform: identify which lessons cause confusion (drop-off points), which tools are most useful, which articles are most read.
Security: detect & block brute-force login attempts, fraud, and abuse.
Communications: course welcome emails, certificate delivery, occasional product updates if you opted in.

We do not profile you for advertising, sell your data to third parties, or build behavioral profiles.

04 Who we share it with

We share data only when necessary to operate the service, and only with vendors who are contractually bound to protect it:

Razorpay (payments) — receives your name, email, payment method.
Hostinger (hosting) — operates our servers but cannot access account data.
MongoDB Atlas / managed Mongo — encrypted database storage.
Vimeo (video delivery) — receives anonymous playback signals (no name/email).
Cloudflare (CDN + DDoS protection) — sees IP addresses for security.
Google Analytics 4 — aggregated marketing-page metrics only. IP anonymized.
Hostinger SMTP — used to send transactional emails (signup, payment, certificates).

We will disclose information if compelled by valid legal process (court order, subpoena), and we will tell you unless legally prohibited.

05 Cookies & analytics

Session cookie — keeps you logged in. Lifetime: 30 days. Httponly + Secure + SameSite=Lax.
Preference cookies — remember dark/light theme, language, video volume. Lifetime: 1 year.
Analytics cookie (GA4) — set only on marketing pages (homepage, course pages). NOT inside paid course content. You can opt out via Google's opt-out.

We do not use third-party advertising cookies, retargeting pixels, Facebook pixel, LinkedIn Insight, or similar.

06 Payment data

Payments are processed by Razorpay. We never see your card number, CVV, or bank details — those go directly from your browser to Razorpay's PCI-DSS-Level-1 compliant servers.

What we store on our side:

Razorpay payment ID (e.g. pay_Sk0KD8oZyzrK2Y)
Razorpay order ID
Amount, currency, payment method (e.g. "card", "UPI")
Status: completed / refunded / failed

Razorpay's privacy policy: razorpay.com/privacy.

07 How long we keep it

Account data: as long as your account is active. If you request deletion, we remove personally-identifiable fields within 30 days.
Course progress: kept while account is active so you can resume; deleted with the account.
Payment records: retained 7 years (Indian tax law) — but only the financial fields, not browsing data.
Server logs: 30 days.
Email backups: 90 days.

08 Your rights

Under GDPR, India DPDP, and CCPA you have the right to:

Access: get a copy of all data we hold about you.
Rectify: correct anything that's wrong.
Erase: delete your account & associated data ("right to be forgotten").
Port: get your data in a machine-readable format.
Object: opt out of any processing not strictly required for the service.
Restrict: ask us to pause certain processing while we investigate.
Withdraw consent at any time without affecting prior lawful processing.

Exercise any right by emailing [email protected]. We respond within 30 days, free of charge.

One-click delete

Logged-in users can also self-delete from profile settings. Pending — coming soon as part of our profile-page redesign.

09 Security

Passwords hashed with bcrypt (12 rounds). Plaintext is never stored.
All traffic served over HTTPS (TLS 1.2 + 1.3 only — older protocols disabled).
HSTS enforced with 1-year max-age.
SSH key-only server access — no password authentication.
fail2ban blocks brute-force attempts.
Daily automated security patches via unattended-upgrades.
Database isolated on private network, encrypted at rest.
No payment data stored on our servers (handled by Razorpay).

If you discover a security vulnerability, please email [email protected] with subject [SECURITY]. We acknowledge within 48 hours.

10 Children

CafeTele is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has registered, contact us at [email protected] — we'll delete the account immediately.

11 Changes to this policy

We update this policy as the platform evolves. Material changes (new data collection, new sharing partners, changes to your rights) will be:

Announced via email to all registered users at least 14 days before taking effect.
Highlighted at the top of this page with a "What's new" banner for 30 days.

The "Last updated" date at the top of this page reflects the most recent change. Past versions are available on request.

12 Contact

Questions, concerns, or requests under any of the rights in §08:

Email: [email protected]
Subject line tip: "[Privacy] short description" gets you a faster reply.

If you're in the EU/UK and we can't resolve your concern, you have the right to lodge a complaint with your local data protection authority. In India, that's the Data Protection Board under the DPDP Act 2023.