This policy describes how SourceForge Software Services Pvt Ltd (“we”, “us”, “CognitiveIQ”) collects, uses, stores, and shares your personal information when you use the CognitiveIQ assessment platform. It is governed by the Information Technology Act 2000 (and its rules, including the SPDI Rules 2011), the Digital Personal Data Protection Act 2023 (DPDP Act), and applicable consumer protection law in India.
1. Who we are
SourceForge Software Services Pvt Ltd, a private limited company incorporated under the Companies Act 2013 with registered offices in Kolkata, West Bengal, India. We are the data fiduciary for personal data processed through CognitiveIQ. Our designated grievance officer can be reached at privacy@cognitiveiq.in.
2. Data we collect
Account data. Your name, email address, password (stored only as a bcrypt hash), and the date you registered.
Profile data. Optional photograph (validated by automated moderation for face count and explicit content), date of birth (used for age-adjusted IQ scoring), and any biographical detail you choose to add.
Assessment data. Your answers to test questions, the time taken, scores, derived IQ and personality profile values, and any narrative summary generated for you.
Payment data. Order amounts, currency, and payment status. We do not store your card number, UPI ID, or net-banking credentials. Razorpay processes the actual payment instrument and we receive only a transaction reference.
Operational logs. IP address (hashed), session cookies, browser user agent, and timestamps for security and abuse-prevention purposes. Detailed below in our cookie policy.
3. Why we collect it
- Service delivery. Running tests, scoring, generating certificates and narratives, sending email confirmations.
- Account safety. Authentication, rate limiting, fraud prevention.
- Payment processing. Through Razorpay, our payment gateway partner.
- Compliance. Tax, audit, and regulatory record-keeping.
- Service improvement. Aggregate, de-identified statistics on test performance to refine question difficulty calibration.
We do not sell, rent, or trade personal data to third parties.
4. How long we keep it
- Account and assessment data: retained while your account is active, plus three years from last activity.
- Payment records: retained for eight years per Indian tax law (Income Tax Act, 1961).
- Operational logs: 90 days, then automatically purged.
- Certificates: retained indefinitely so issued certificates remain verifiable, even if you close your account. You may request anonymisation of personal details on a stored certificate.
5. Where it’s stored
Personal data is stored on infrastructure hosted in the AWS Asia Pacific (Mumbai) region — i.e. within India. Backups are encrypted and stored in the same region.
6. Who we share it with
We share personal data only with the following data processors, all under contractual data-protection terms:
- Razorpay Software Pvt Ltd — for payment processing.
- Amazon Web Services India Pvt Ltd — for hosting, storage (S3), email delivery (SES), and image moderation (Rekognition).
- Anthropic, PBC — for generating personalised narrative assessments. The narrative request is sent over a secure connection with your assessment scores and first name; we do not transmit your full name, email, or any direct identifier.
We disclose personal data to law-enforcement or government authorities only on receipt of a lawful, written, and properly addressed request, and never beyond what the request compels.
7. Your rights
Under the DPDP Act 2023 you have the right to:
- access a copy of the personal data we hold about you;
- request correction of inaccurate data;
- request erasure of data we no longer need (subject to retention obligations above);
- withdraw consent at any time, where processing is consent-based;
- nominate another individual to exercise these rights on your behalf in case of incapacity or death; and
- file a grievance with our grievance officer (above) and, if unresolved, escalate to the Data Protection Board of India.
Requests can be sent to privacy@cognitiveiq.in and will be acknowledged within seven days and resolved within thirty.
8. Children
CognitiveIQ is intended for use by individuals aged 18 and over. We do not knowingly collect personal data from children under 18. If you believe a minor has registered, please contact us and we will delete the account and associated data.
9. Security
We protect personal data with industry-standard controls including encryption in transit (TLS 1.2+), encryption at rest for backups, hashed passwords (bcrypt cost factor 12), SHA-256-hashed session tokens, rate limiting on authentication endpoints, and access controls scoped by role. No system is impenetrable; we encourage you to use a unique strong password and report suspected unauthorised access immediately.
10. Changes
We may update this policy as our practices evolve or as law requires. Material changes will be communicated by email to registered users at least seven days before they take effect. The latest revision date is shown at the bottom of this page.
Last updated: April 2026 (draft)