Miss Lily
learn english, with heart
Sign inGet the app

Privacy Policy

Effective: 2026-05-14 · Last updated: 2026-05-14

BrightChamps Tech Private Limited (“we”, “us”, “our”) operates Miss Lily, an English-learning app. This Privacy Policy explains what personal data we collect, why we collect it, how long we keep it, who we share it with, and the choices you have under the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and other applicable Indian law. By using the App you confirm you have read and understood this policy.

1. Who is the data fiduciary

Under the DPDP Act we are the “Data Fiduciary” for personal data you give us through Miss Lily.

BrightChamps Tech Private Limited
Banjara Hills, Hyderabad, Telangana 500034, India
CIN: U80902TG2020PTC141486

2. What data we collect

2.1 Account & profile

  • Email address (used as your login identifier).
  • Display name, optional profile photo, native language, learning goal.
  • Phone number (required to set up UPI Autopay; mandated by RBI for recurring payment notifications).
  • Country and approximate locale (derived from device/IP).

2.2 Learning activity

  • Lesson progress, mastery scores, streak counters, time-on-task.
  • Practice responses you submit — typed answers, multiple-choice selections, drag-and-drop completions.
  • Anonymised event telemetry (taps, screens visited, completion rates) processed via PostHog for product analytics.

2.3 Voice & conversation data

  • Real-time speech-to-text. When you speak into a practice exercise or live conversation, audio is streamed to our speech-to-text provider (Deepgram) for transcription. The audio itself is processed in real time and is not stored on our servers by default.
  • Optional voice storage. If you explicitly consent during onboarding or in Settings, short voice clips may be retained for up to thirty (30) days to improve Indian-English accent recognition. You can withdraw this consent at any time; existing clips are deleted within seven (7) days of withdrawal.
  • Transcripts. The text transcript of your conversation is stored so we can give you feedback and let you revisit past sessions. Transcripts are retained for up to twelve (12) months, after which we anonymise them.
  • AI feedback. Transcripts (not audio) are sent to our large-language-model provider (OpenAI) to generate feedback. OpenAI processes this content under its enterprise API terms and does not use it to train its public models.

2.4 Payment data

  • Payment instrument details (card number, UPI ID, bank account) are handled exclusively by Razorpay. We do not see or store this data on our servers.
  • We store: your subscription plan, status (active/expired/cancelled), mandate identifier, payment-method type (UPI/card), invoice history, and the masked card BIN/UPI handle suffix returned to us by Razorpay for reconciliation.

2.5 Device & technical data

  • Device type, OS version, app version, language settings.
  • IP address (truncated for analytics, full address only briefly retained for fraud-prevention).
  • Crash reports and error stack traces (via Sentry) — no message content, only diagnostic context.

3. Why we collect this data (purposes)

  1. Provide the service. Authenticate you, transcribe your speech, generate feedback, save progress.
  2. Process payments. Initiate Razorpay subscriptions and reconcile recurring debits.
  3. Improve the product. Analyse aggregated, mostly anonymised usage to fix bugs, tune lesson difficulty, and improve AI feedback quality.
  4. Communicate. Send transactional emails (account, billing, security) and, with your consent, occasional product updates. Marketing notifications can be turned off in Settings.
  5. Comply with law. Tax records, eMandate audit logs, and fraud-prevention obligations under Indian law.
  6. Safety. Detect and prevent fraud, abuse, security incidents, and violations of our Terms.

4. Legal basis for processing

Under the DPDP Act, we rely on the following grounds:

  • Your consent — for optional voice-clip storage, marketing notifications, and any non-essential analytics.
  • Performance of contract — to operate the App and deliver the subscription you purchased.
  • Legitimate use as defined under Section 7 of the DPDP Act — for security, fraud-prevention, and statutory obligations such as tax records.

5. Third parties who process data for us

We engage the following processors. Each has a contractual obligation to keep your data secure and to only process it for the purpose listed.

ProcessorPurposeData sharedProcessing location
Supabase / AWS MumbaiDatabase, authentication, file storageAccount, transcripts, subscription stateIndia (ap-south-1)
RazorpayPayment processing, mandate setup, refundsName, email, phone, payment instrument (handled by Razorpay)India
DeepgramSpeech-to-text transcriptionReal-time voice audio (not stored)United States (processing only)
OpenAIAI feedback generationConversation text transcriptsUnited States (processing only, enterprise API)
ElevenLabsText-to-speech for characters and feedbackGenerated lesson textUnited States (processing only)
PostHogAnonymised product analyticsEvent names, screen views, feature flagsEU / US
SentryCrash and error monitoringStack traces, device metadata (no message content)United States
VercelApp hosting and content deliveryRequest metadata, IP address (truncated)Mumbai region (India)
InngestBackground job processing (feedback generation)Job payloads (no payment data)United States

Where processors are located outside India, transfers are made under the Central Government’s notified list of permissible countries (Section 16, DPDP Act). We do not transfer personal data to jurisdictions explicitly restricted by the Government of India.

6. How long we keep your data

Data typeRetention
Account profile (email, name, settings)Until you delete your account
Lesson progress & learning recordsUntil you delete your account
Conversation transcripts12 months, then anonymised
Optional voice clips (only if you consented)30 days from creation, or 7 days from consent withdrawal
Anonymised analytics events24 months
Subscription, invoice & eMandate audit logs8 years (statutory record-keeping under Indian tax law and RBI eMandate rules)
Crash / error diagnostics90 days

7. How we protect your data

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted with AES-256 by our database and storage providers.
  • Row-Level Security policies restrict each row to its owning user. Admins follow least-privilege access with audit logging.
  • Webhook signatures are HMAC-SHA256 verified at the edge to prevent forgery.
  • We rotate API keys on incident or on personnel change and follow a documented incident-response process.

No internet-connected service can be 100% secure. If a personal data breach is reasonably likely to cause significant harm, we will notify affected users and the Data Protection Board of India without undue delay, as required by Section 8(6) of the DPDP Act.

8. Children

Miss Lily is intended for users aged 13 and above. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided personal data to us, please contact privacy@brightchamps.com and we will delete it. For users between 13 and 18, a parent or legal guardian’s consent is required as set out in our Terms; we process such accounts in line with the additional protections in Section 9 of the DPDP Act.

9. Your rights under the DPDP Act

You have the right to:

  1. Access — request a copy of the personal data we hold about you.
  2. Correction & updation — ask us to correct inaccurate or incomplete data.
  3. Erasure — ask us to delete your account and associated data, subject to retentions required by law. See our User Data Deletion Policy for the step-by-step process.
  4. Withdraw consent — for any processing that relies on your consent (e.g. voice-clip storage, marketing).
  5. Nominate — appoint a person to exercise these rights on your behalf in the event of your death or incapacity.
  6. Grievance — file a complaint with our Grievance Officer, and, if unresolved, escalate to the Data Protection Board of India.

To exercise any of these rights, email privacy@brightchamps.com from the email address associated with your account. We aim to respond within 72 hours and to fully resolve within 30 days.

10. Grievance Officer

In line with Rule 5 of the IT (Intermediary Guidelines) and the DPDP Act, our Grievance Officer is:

Souradeep Paul
Grievance Officer & Data Protection Officer
Email: s.paul@brightchamps.com
Office: Banjara Hills, Hyderabad, Telangana 500034, India
Response: 72 hours (first response) / 30 days (resolution)

11. Changes to this policy

We may update this policy when our product, processors, or applicable law changes. Material changes will be notified by email or in-app banner at least thirty (30) days before they take effect. The “Last updated” date at the top of this page is authoritative.

12. Contact

For any privacy question, email privacy@brightchamps.com or write to us at Banjara Hills, Hyderabad, Telangana 500034, India. For general support, see our Contact page.

These policies are issued by BrightChamps Tech Private Limited (the legal entity behind the Miss Lily brand). For full corporate details, see https://brightchamps.com.