Quick summary. We collect only what we need to run the app — your email, your study profile, and any documents you choose to upload. We do not sell your personal data. We share it only with the limited list of sub-processors named in Section 5, each contracted on data-processing terms substantially equivalent to those in this policy. You can delete your account and the data we hold about you at any time, subject to the narrow retention carve-outs in Section 6.
This is not legal advice. This policy describes our current practices for the Bramica app and website. The legally binding rights and obligations on each side are set out in the operative sections below; the summary above is informational.
1. Who we are
Bramica is a mobile application owned and operated by Icyarcanine, based in Mohali, Punjab, India. References in this policy to “we”, “us”, and “our” refer to Icyarcanine. The app and this website (bramica.com) are operated together.
For the purposes of the EU General Data Protection Regulation (GDPR), the UK GDPR, and India's Digital Personal Data Protection Act 2023 (the DPDP Act), Icyarcanineis the data controller (or, under DPDP, the “data fiduciary”) of the personal data described below.
2. Effective date and updates
This Privacy Policy is effective from May 15, 2026. We may update it from time to time. If we make a material change — for example, adding a new category of data collection or a new sub-processor — we will notify you in-app and update the “Last updated” date at the top of this page. Continued use of Bramica after a material update constitutes acceptance of the revised policy. You can always view the current version at bramica.com/legal/privacy.
3. Data we collect
We have grouped the data we collect by source and purpose. We only collect categories listed here.
3.1 Information you provide to us directly
- Account identifiers. When you sign in, we collect your email address. If you sign in with Google or Apple, we receive a verified email address and, when made available by the provider, your name and a unique identifier for that provider.
- Profile. During onboarding and at any time thereafter, you may provide: your name, age or date of birth, gender (optional), home country, current education level, academic stream, target countries, prior English-language test scores, and the names of educational institutions you have attended.
- Uploaded documents.If you choose to use our document-reader feature, you may upload images or PDFs of your Class 10 marksheet, Class 12 marksheet, bachelor's transcript, or IELTS Test Report Form. The contents of these documents are processed by our AI-OCR provider (see Section 5) and the extracted structured data is stored in your profile.
- Search queries. The program names and country combinations you search for, used to deliver results and to enforce daily usage limits.
- Communications. If you email us, we receive whatever you send us, including your email address.
3.2 Information collected automatically
- Authentication metadata. Time of sign-in, identity provider used, and a verified email-confirmation timestamp.
- OTP rate-limit signal. When you request a one-time login code, our server stores a SHA-256 hash of the requesting IP address so we can count recent requests within a 15-minute rate-limit window. The hash is retained up to 24 hours, then deleted. The raw IP address is never written to disk.
- Search-usage signal. The fact that you ran a program search (timestamp + query text), used to enforce per-user daily caps. Retained for seven days, then deleted.
- Crash and diagnostic logs. The app may write local debug logs while running on your device; these stay on your device unless you choose to email them to us for troubleshooting.
3.3 Information we do not collect
- Precise device location. The app does not ask for or store GPS coordinates.
- Contacts, calendar, photos library beyond what you upload.The app does not scan your phone's contacts or media gallery. When you choose to upload a document, only the file you pick is sent.
- Advertising identifiers. Bramica does not use IDFA (iOS) or AAID (Android) and does not display third-party advertising.
- Microphone, camera (except when you tap “Take photo” in the document upload flow), or biometric identifiers.
- Children's data. The service is not directed at users under 18. We do not knowingly collect data from minors. If you believe a minor has used the service, contact us at admin@icyarcanine.com and we will delete the account.
4. How we use your data
The table below maps each category to the purpose it serves and the lawful basis on which we rely (terms are GDPR / DPDP terminology; the practical effect is the same):
| What | Why | Lawful basis |
|---|---|---|
| Email + sign-in metadata | Provide and secure your account; deliver one-time login codes; respond to support | Contract / consent |
| Profile (education, country interests) | Generate the eligibility audit and personalised program suggestions you signed up for | Contract |
| Uploaded documents | Extract academic data via OCR so you do not have to retype it; show you the extraction for confirmation; store the file so you can re-view it | Consent (the upload action itself) |
| Search queries | Return program results; enforce daily usage limits; improve result quality by reviewing aggregate query patterns | Contract / legitimate interest |
| IP hash + OTP-request logs | Prevent automated abuse of the sign-in endpoint | Legitimate interest (security) |
| Communications you initiate | Reply to your support request | Legitimate interest |
We do not use your data to train AI models. We also do not profile you for advertising, sell your data to data brokers, or share it with anyone except the sub-processors listed in Section 5.
5. Sub-processors and third parties
To run the service we use the following sub-processors. Each receives only the minimum data required for its purpose:
| Sub-processor | Purpose | Region | Privacy policy |
|---|---|---|---|
| Supabase | Hosted Postgres database, authentication, file storage, and edge functions | Seoul, South Korea (region: ap-northeast-2) | link |
| AI processing partner | AI-powered document extraction and grounded program search | United States | link |
| Google Sign-In | Optional OAuth identity provider for Android users | United States | link |
| Apple | Optional Sign in with Apple OAuth identity provider for iOS users | United States | link |
| Vercel | Hosting this marketing website | Global edge network | link |
About AI processing.When you upload a document, the image or PDF and a structured prompt are sent to a third-party AI service for extraction. Our processor's terms state that prompts and content submitted through the paid API tier are not used to improve their models. We operate on the paid tier. Similarly, when you run a program search, your query (but not your identity) is sent to a third-party AI service with real-time web search enabled.
6. How long we keep your data
We aim for the following retention periods. Periods may be extended where (a) needed to investigate fraud, abuse, or a security incident, (b) required by law, regulation, court order, or legitimate legal process, (c) needed to assert, exercise, or defend legal claims, or (d) data has been cryptographically hashed and no longer identifies you.
- Active account data: while the account is active.
- Uploaded documents: while the account is active, or until you delete each document individually.
- OTP request logs (hashed IP): up to 24 hours.
- Program-search usage rows: up to 7 days.
- Deleted accounts: profile, education history, uploaded documents, and extracted data are deleted from active production systems within 30 days of your deletion request. Replicas in backups expire on their own rotation (longest retention: 30 days). A one-way SHA-256 hash of your email or provider identifier may be retained for up to 12 months on an internal abuse-prevention blocklist. This blocklist contains no reversible personal data.
- Records relating to billing, fraud, or legal obligations: for the period required by applicable law (typically up to 8 years for tax and 6 years for general commercial records under Indian law).
7. Your rights
Whether you are in India (DPDP Act 2023), the European Union or the UK (GDPR), California (CCPA / CPRA), or elsewhere, you have the following rights with respect to your personal data:
- Right to access. View what we hold about you. Your profile and uploaded documents are visible inside the app at any time; for a full machine-readable export, email admin@icyarcanine.com.
- Right to correction. Edit your profile information inside the app, or email us to correct anything else.
- Right to erasure (the “right to be forgotten”). Delete your account from Settings → Account → Delete account inside the app, or visit our account deletion page.
- Right to data portability. Request a JSON export of your profile and search history; we deliver within 30 days.
- Right to withdraw consent. Stop using the feature; for OCR uploads, individually delete the uploaded document.
- Right to object. Tell us what you object to and we will stop unless we have a stronger lawful basis.
- Right to lodge a complaint. See Section 11.
For California residents:We do not “sell” or “share” personal information for cross-context behavioural advertising as those terms are defined under the CCPA / CPRA. You have the right to know, to delete, to correct, and to limit the use of sensitive personal information.
8. International data transfers
Our primary database is hosted in Seoul, South Korea. Document OCR is performed by a third-party AI service in the United States. Email delivery is provided by infrastructure in the United States. When personal data is transferred out of the EEA, UK, or India, the transfer is protected by Standard Contractual Clauses or the equivalent applicable mechanism for that destination.
9. Security
We implement and maintain technical and organisational measures that we consider appropriate to the nature of the data we process and the risks of harm, including:
- encryption of data in transit using TLS 1.2 or higher;
- encryption of data at rest by our database hosting provider;
- row-level security in the database to restrict each user's records to that user;
- server-side rate limits on document upload, AI search, and login endpoints;
- access controls and audit logging on administrative access to production data; and
- two-factor authentication on administrative accounts.
No system can be guaranteed to be perfectly secure. We make no representation or warranty that the measures above will prevent every possible attack, defect, or disclosure. Your use of the Service is at your own risk to the extent permitted by law. If you become aware of a security issue affecting the Service or your account, please notify admin@icyarcanine.com so we can investigate. We follow applicable breach-notification obligations, including the timelines set out under the DPDP Act, the GDPR, and any other law that applies to you.
10. Children's privacy
Bramicais not directed at children. India's DPDP Act 2023 defines a child as a person under 18 and requires verifiable parental consent before any processing of a child's personal data. Rather than implement that mechanism, we restrict the Service to users aged 18 and over. We do not knowingly collect personal data from anyone under 18; the US Children's Online Privacy Protection Act (COPPA) threshold of 13 is therefore also satisfied. If you become aware that a minor has provided us with personal data, please contact us at admin@icyarcanine.com and we will delete the account.
11. Grievances and complaints
Under India's DPDP Act 2023, you have the right to a timely grievance resolution mechanism. Our designated grievance officer is:
The Grievance Officer
Email: admin@icyarcanine.com
Address: Icyarcanine, Mohali, Punjab, India
We aim to acknowledge complaints within 48 hours and resolve within 30 days. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once it is operational under the DPDP Act.
EU / UK residents: You have the right to lodge a complaint with the data protection authority in the country where you live or work.
12. Cookies and similar technologies
The mobile app does not use browser cookies. The marketing website (bramica.com) uses only essential cookies set by our hosting provider (Vercel) for security and performance; it does not set analytics, advertising, or third-party tracking cookies.
13. Contact
For any privacy question, request, or complaint, contact us at admin@icyarcanine.com. We respond within 7 working days.