Privacy Policy

Effective date: November 23, 2025

Overview

ZetaPrep (“we”, “our”, or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect the personal information you provide when you use our services and website. These services include signing up using email and password or signing in using Google OAuth. By using ZetaPrep, you consent to the practices described below.

Target audience & payments

ZetaPrep is primarily built for residents of Nepal. Services including classes, study plans, and subscriptions are priced and billed in Nepalese Rupees (NPR); we generally do not accept international payment methods unless explicitly stated in a specific offering. This helps ensure the best localized experience, pricing, and customer support for our core user base.

Information we collect

We collect information to operate and improve our services, provide better user experiences, and for security, billing, and support purposes. This includes:

  • Account information: email address, name and profile picture (via Google OAuth or provided by you), phone number (via profile completion or OTP flow), and a hashed password when you sign up with email and password.
  • Authentication: tokens we issue (access & refresh tokens) to enable authenticated API requests, and token metadata such as creation and last-used timestamps. We store server-issued tokens securely, and the client may store tokens in a secure or HttpOnly cookie depending on backend configuration.
  • Usage & content data: exam attempts, scores, quiz data, study plan progress, class attendance, user-generated responses (including audio recordings for speaking tasks), feedback, and assignments.
  • Referral and preferences: referral codes and preferred course track stored temporarily in localStorage and sent to the backend on registration or OAuth exchange to attribute promotions and personalize onboarding.
  • Analytics & logs: performance & usage analytics (page views, events), error diagnostics, and IP-based metadata to maintain and improve the platform.
  • Payment information: payment provider transaction IDs and receipts, and limited billing details processed by third-party gateways. We do not store full card numbers on our servers.

Google OAuth

We use Google Identity Services for OAuth-based authentication. When you sign in with Google we request the basic profile scope that includes your email address, name, and profile image URL. The client receives a Google credential (ID token) and immediately sends it to our backend's endpoint /auth/google/login, which validates and exchanges it for server-issued access and refresh tokens. We do not persist the Google ID token beyond this exchange.

On the backend, we store information that Google provides in your user profile such as name, email, and profile picture URL so your account can be identified and personalized.
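The exchange above says the backend "validates" the Google ID token before issuing its own tokens. As an added example (not ZetaPrep's /auth/google/login handler), the block below spells out the claim checks that validation involves once the token's signature has been verified against Google's published keys (google-auth's id_token.verify_oauth2_token performs the signature check and these claim checks together). The client ID and the sample payload are constructed so the block runs offline; a real handler would receive the decoded claims from the signature-verifying library.

```python
# Added example, not ZetaPrep's code. Claim checks for a Google ID token whose
# signature has ALREADY been verified. CLIENT_ID and SAMPLE_CLAIMS are constructed.
import time
from typing import Dict, Optional

# Assumption: the OAuth client ID registered for the web app (placeholder value).
CLIENT_ID = "123456789-example.apps.googleusercontent.com"
# Google signs ID tokens under either of these issuer strings.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class InvalidIdToken(ValueError):
    """Raised with the reason the token must not be exchanged for a session."""


def validate_google_claims(claims: Dict, client_id: str = CLIENT_ID,
                           now: Optional[float] = None) -> Dict[str, str]:
    """Return the minimal profile the policy says is stored (plus 'sub').

    'sub' is Google's stable account identifier and is the right key for linking
    the Google identity to a local account: an email address can change hands,
    a 'sub' cannot. Every check raises rather than returning a partial profile.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise InvalidIdToken("issuer is not Google")
    # A token minted for another client ID must be rejected even if Google signed it.
    if claims.get("aud") != client_id:
        raise InvalidIdToken("token was issued for a different client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidIdToken("token expired")
    sub = claims.get("sub")
    if not sub:
        raise InvalidIdToken("missing subject")
    email = claims.get("email")
    # Only trust the address if Google itself has verified it for that account.
    if not email or claims.get("email_verified") is not True:
        raise InvalidIdToken("email missing or not verified by Google")
    return {
        "sub": sub,
        "email": email,
        "name": claims.get("name", ""),
        "picture": claims.get("picture", ""),
    }


# Constructed sample payload shaped like a decoded ID token; not a real token.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "1234567890123456789",
    "email": "student@example.com",
    "email_verified": True,
    "name": "Example Student",
    "picture": "https://example.com/photo.jpg",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    print(validate_google_claims(SAMPLE_CLAIMS, now=1_700_000_100))
```

The ID token is discarded after this step, as the policy states; only the returned profile and the server-issued access and refresh tokens outlive the request.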

Authentication & tokens

We support both form-based authentication (email & password) and Google OAuth. When you sign in with either method our backend issues server-side tokens (access and refresh tokens) that represent your authenticated session and are associated with your account ID. These tokens are used to authenticate requests and grant access to your account data.

On the client we persist tokens using a token manager that stores access and refresh tokens in cookies; secure cookie options such as SameSite and Secure are applied by default. Because the access token grants access to your account, you should not share it or expose it to other people or public repositories; if someone obtains your token they may access your account until the token expires or is revoked.

If you suspect your credentials or tokens have been compromised, please change your password, log out of all devices, and contact support immediately at [email protected].

We may rotate or revoke tokens at any time for security reasons, and sessions may be invalidated during account investigations.

Form-based authentication (email & password)

You can also create an account with your email and password. When you register, we collect your email, chosen password, and phone number. The password is securely transmitted over HTTPS to our backend; we do not store the plain-text password, but a salted hash of it. We also use an OTP (one-time passcode) verification to confirm emails for registrations and password resets; see our OTP flow on the registration pages.
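The two mechanisms in this paragraph, a salted password hash and single-use OTP codes, are shown below in an added example that is not ZetaPrep's registration code. It uses only the Python standard library: scrypt with a per-user random salt and a constant-time comparison for passwords, and an in-memory OTP table (a constructed stand-in for the server-side store) whose codes are kept as an HMAC, expire, are single-use, and are voided after a fixed number of wrong guesses. The work factors, OTP lifetime, attempt limit and the HMAC key are assumptions.

```python
# Added example, not ZetaPrep's code. Standard library only; the constants
# below are assumptions to be tuned for a real deployment.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# scrypt work factors (assumption: tuned so a hash costs ~100 ms on login servers).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024

OTP_TTL = 5 * 60       # assumption: a code is valid for five minutes
OTP_MAX_ATTEMPTS = 5   # assumption: wrong guesses allowed before the code is voided
# Assumption: in production this is a managed server secret, not generated at import.
OTP_KEY = secrets.token_bytes(32)


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                          r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt>$<digest>'; a fresh 16-byte salt makes equal
    passwords hash differently and defeats precomputed tables."""
    salt = secrets.token_bytes(16)
    digest = _scrypt(password, salt)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time so timing
    does not leak how many leading bytes matched."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:          # malformed record (binascii.Error is a ValueError)
        return False
    if scheme != "scrypt":
        return False
    return hmac.compare_digest(_scrypt(password, salt), expected)


def _otp_mac(email: str, code: str) -> bytes:
    # Keyed, so a leaked OTP table does not reveal live codes (only 10^6 exist).
    return hmac.new(OTP_KEY, ("%s:%s" % (email, code)).encode("utf-8"), "sha256").digest()


class OtpStore:
    """In-memory stand-in (constructed for this example) for the OTP table."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}

    def issue(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        code = "%06d" % secrets.randbelow(10 ** 6)   # CSPRNG, never random.randint
        self._pending[email] = {"mac": _otp_mac(email, code),
                                "expires": now + OTP_TTL, "attempts": 0}
        return code   # delivered to the user by email; never written to logs

    def verify(self, email: str, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return False
        # Expired or brute-forced codes are removed, not merely rejected.
        if now >= entry["expires"] or entry["attempts"] >= OTP_MAX_ATTEMPTS:
            del self._pending[email]
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(_otp_mac(email, code), entry["mac"]):
            del self._pending[email]   # single use
            return True
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
    store = OtpStore()
    code = store.issue("student@example.com")
    print(store.verify("student@example.com", code), store.verify("student@example.com", code))
```

The same verify-then-delete pattern serves both the registration OTP and the password-reset OTP, since a reset code that could be replayed would turn a single intercepted email into standing account access.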

Phone numbers are used as part of our verification and payment flows. To access paid features and local payment providers, registrations must include a valid Nepali phone number (commonly starting with 97 or 98); we may validate that phone number as part of registration or payment authentication.

After successful authentication (OAuth or form-based), our backend issues an access token and a refresh token. We set these tokens as cookies ('access' and 'refresh') via our TokenManager. Cookies are set with secure attributes (Secure in production, SameSite=Strict) and appropriate expiration. The client uses the tokens for authenticated API requests, and a refresh is attempted automatically when an access token expires. On refresh failure, we remove the tokens and ask the user to re-authenticate.
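The cookie attributes named above (Secure in production, SameSite=Strict, an expiry) are shown concretely in the added example below, which is not ZetaPrep's TokenManager. It builds the Set-Cookie values for the 'access' and 'refresh' cookies as a backend would emit them, adding HttpOnly, which only a server-set cookie can carry and which keeps the token out of reach of page scripts, and it includes an audit helper that reports which hardening attributes a given Set-Cookie header lacks. The token values, lifetimes and the refresh-endpoint Path scoping are assumptions.

```python
# Added example, not ZetaPrep's TokenManager. Standard library only.
from http.cookies import SimpleCookie
from typing import Dict, List

ACCESS_TTL = 15 * 60              # assumption: 15-minute access token
REFRESH_TTL = 30 * 24 * 3600      # assumption: 30-day refresh token
REFRESH_PATH = "/auth/refresh"    # assumption: the refresh endpoint from the flow list


def build_token_cookies(access_token: str, refresh_token: str,
                        production: bool = True) -> Dict[str, str]:
    """Return {cookie name: Set-Cookie header value} for the session cookies.

    HttpOnly: page scripts cannot read the token, so script injection cannot
              lift it.
    SameSite=Strict: the browser withholds the cookie on cross-site requests,
              which blocks the cookie-riding (CSRF) style of misuse.
    Secure:   sent over HTTPS only; dropped outside production so local
              http:// development works, matching the policy's wording.
    Path:     the refresh token is only useful to the refresh endpoint, so it
              is scoped there and never rides along on ordinary API calls.
    """
    jar = SimpleCookie()
    for name, value, ttl, path in (
        ("access", access_token, ACCESS_TTL, "/"),
        ("refresh", refresh_token, REFRESH_TTL, REFRESH_PATH),
    ):
        jar[name] = value
        morsel = jar[name]
        morsel["path"] = path
        morsel["max-age"] = ttl
        morsel["httponly"] = True
        morsel["samesite"] = "Strict"
        if production:
            morsel["secure"] = True
    return {name: morsel.OutputString() for name, morsel in jar.items()}


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie value,
    e.g. for a check run over a response captured in staging."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    missing = []
    for attr, label in (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")):
        if attr not in attrs:
            missing.append(label)
    return missing


if __name__ == "__main__":
    # Constructed token values; real ones are opaque strings issued by the backend.
    for name, header in build_token_cookies("tok.access.sample", "tok.refresh.sample").items():
        print("Set-Cookie:", header, "| missing:", audit_set_cookie(header))
    print("weak example missing:", audit_set_cookie("access=tok.access.sample; Path=/"))
```

Because HttpOnly hides the cookie from scripts, the client cannot read the access token to inspect its expiry; instead it treats a 401 from an API call as the signal to call the refresh endpoint once, and clears both cookies and returns to the login page if that call also fails, which is the behaviour the paragraph above describes.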

API endpoints & flows

  • POST /auth/register — Register user and trigger OTP for email verification.
  • POST /auth/verify-otp — Verify OTP during registration or password reset.
  • POST /auth/token — Exchange email & password for access & refresh tokens (login).
  • POST /auth/google/login — Exchange Google ID token for server-issued access & refresh tokens for OAuth login.
  • POST /auth/refresh — Use refresh token to obtain a new access token when the current access token expires.
  • POST /auth/request-password-otp — Request a password reset OTP for password recovery flows.

How we use your data

  • Authentication and account management.
  • Delivering and improving learning content, personalizing your study plan and dashboard.
  • Processing payments and refunds via secure third-party payment providers.
  • Research, analytics and security monitoring to protect the service and our users.
  • Communicating with you: transactional messages like OTPs and payment receipts or updates.

Cookies and analytics

We use cookies and similar tracking technologies to improve site experience (e.g., remembering preferences, login status) and analytic services (e.g., Google Analytics). Cookies can be session-based or persistent and may be set by us or by third-party services used on the site. You may manage your cookie preferences using your browser settings.

Data sharing and third parties

We may share personal information with service providers who perform services on our behalf: hosting, analytics, communication providers, and payment processors. We require these providers to safeguard personal data and only use it as we instruct. We do not sell personal data to third parties.

While the service is primarily aimed at Nepalese residents and our operational footprint focuses on Nepal, some third-party service providers (hosting, analytics, payment processors) may process or store data in other countries. We ensure contractual safeguards and appropriate technical controls are in place, but international processing by third-party providers may occur as part of normal operations.

Retention

We retain personal data for as long as necessary to provide services, comply with legal obligations, resolve disputes, and enforce our agreements. If you request deletion, we’ll de-identify or delete data per our data retention policy unless retention is required by law or for legitimate business purposes.

Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or restrict processing of your data, and in some cases to port data. To exercise your rights, please contact us at [email protected]. We will respond within required legal timelines.

Legal compliance: GDPR, CCPA, and other local laws

ZetaPrep is primarily designed for residents of Nepal; most services, courses, and payments are offered in Nepalese Rupees (NPR) and intended for local users only. We operate in compliance with relevant Nepali laws and data protection regulations applicable to our business operations. For visitors located in jurisdictions outside Nepal (for example the EEA or California), the GDPR or CCPA/CPRA rights may also apply; the descriptions below are provided for transparency and are not a substitute for local law or legal advice.

Paid features require billing in Nepalese Rupees (NPR) and a Nepalese phone number for verification (numbers commonly start with 97 or 98). As our payments integrate with local payment providers and billing flows in Nepal, international payment methods are not supported. Users outside Nepal may access non-paid features where applicable, but they cannot purchase paid subscriptions unless they meet the billing and verification requirements (e.g., a Nepali phone number and local billing address).

EU / EEA (GDPR)

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request corrections to inaccurate or incomplete data.
  • Right to erasure: You may request deletion of your personal data in certain situations.
  • Right to restriction: You can ask us to restrict processing in limited situations.
  • Right to data portability: You can request a machine-readable copy of data you have provided for transmission to another controller where applicable.
  • Right to object: You can object to our processing for direct marketing or automated decision-making in certain contexts.

California (CCPA/CPRA)

  • Right to know: California residents can request information about the categories of personal data collected and how it is used or disclosed.
  • Right to delete: You can request deletion of personal data we collected about you subject to exceptions.
  • Right to opt out of sale: We do not sell personal data; however, where a sale is applicable, California residents have the right to opt out.
  • Non-discrimination: You may not be subject to discriminatory treatment for exercising your CCPA/CPRA rights.

ZetaPrep is headquartered and operated in Nepal. Our services and paid offerings are mainly intended for residents of Nepal; most classes, study plans, and subscriptions are priced and billed in Nepalese Rupees (NPR), and paid features require local billing and verification (for example, a valid Nepali phone number and local billing address). Users located outside Nepal may still access non-paid features and free content where available, but cannot purchase paid subscriptions unless they meet the eligibility requirements for local billing and verification.

If you are an EU/EEA or California resident and wish to exercise your rights under GDPR or CCPA/CPRA or have questions about compliance and data processing, please contact us at [email protected]. We will respond according to applicable legal timelines and may require identity verification to prevent unauthorized requests. If you are a resident of Nepal and have data privacy inquiries, contact us at the same address; we will respond in accordance with relevant Nepali laws and timelines.

Where applicable, we process data under the legal bases required by your jurisdiction, such as contractual necessity, consent, legitimate interests, legal obligations, or performance of a contract. For request handling and verification, we may require proof of identity to prevent unauthorized disclosures.

Security

We take reasonable technical and organizational measures to protect your data. Access to personal data is limited to personnel who need it to perform their job functions. However, no method of transmission or storage is perfectly secure and we cannot guarantee absolute security.

Account sharing & enforcement

Your ZetaPrep account identifier is linked to server-issued authentication tokens which grant access to your account and data. You are responsible for keeping your credentials and tokens private and secure. Sharing tokens or credentials with others is prohibited and undermines the integrity of our service.

If we detect account sharing, suspicious access from multiple geographically separate locations, or other misuse of tokens and credentials, ZetaPrep may temporarily suspend, freeze, or permanently deactivate the account during or after an investigation. We may also revoke tokens or require reauthentication if security events are detected.

If your account is suspended, you may contact support at [email protected] to submit an appeal. We will review the evidence and respond according to our policies; repeated or serious violations may lead to permanent deactivation.

Children

ZetaPrep is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with data, contact support so we can remove it.

Contact

If you have questions about this Privacy Policy, contact us at [email protected].