Free for students · Ad-free · WCAG 2.1 AA Compliant · Accessibility

Privacy Policy

Last updated: 2026-05-12

Welcome to Shrutam! We are committed to protecting your privacy and handling your data with transparency and care. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data when you use our services.

Who We Are

Shrutam is operated by Ajay Agrawal, a sole proprietorship based in the United States. We are currently working towards 501(c)(3) non-profit status. Our mission is to provide accessible educational resources and empower high school students in their academic and research journeys.

Our Products and Data Collection

Shrutam offers two distinct products, and the data we collect depends on which product you use:

1. Shrutam Main (shrutam.com)

This website provides free K-12 and AP study guides, aligned to TEKS, Common Core, NGSS, and College Board CED. It features audio narration and is screen-reader friendly. You do not need an account to access this content.

  • Data Collected:
    • Page-view analytics: We collect anonymous page-view data in our own secure database. This helps us understand which content is popular and how users navigate our site, allowing us to improve our offerings. This data is aggregated and does not identify you personally.
    • Contact Form Submissions: If you choose to contact us via a form on the website, we will collect the information you provide (e.g., your name, email address, and message) to respond to your inquiry.
  • What We DO NOT Collect:
    • No Accounts: You do not create an account or provide any personal identifying information (PII) to read content on Shrutam Main.
    • No Third-Party Analytics: We do not use third-party analytics services like Google Analytics or Facebook Pixel.
    • No Advertising or Tracking Cookies: We do not use any cookies for advertising, tracking, or profiling on Shrutam Main.

2. Shrutam Research (research.shrutam.com)

This product is a free, AI-powered scholarship and research program matchmaker for US high schoolers. It requires you to sign in to use its features.

  • Data Collected at Sign-up:
    • Email Address: Your email address is collected to create and identify your account. We use a magic-link authentication system, so you never need to set or store a password with us.
    • IP Address and User-Agent: We collect your IP address and user-agent string (information about your browser and operating system) when you sign up and log in. This is used for fraud prevention and to enhance the security of our magic-link authentication process.
  • Data Collected During Onboarding Wizard (Optional, Student-Controlled):

    After signing up, you can choose to provide additional information to help us match you with relevant opportunities. You control what information you share.

    • Personal Details:
      • First and Last Name
      • Date of Birth (REQUIRED): This is essential for us to perform age verification and comply with children's privacy laws like COPPA. If you are under 13, you cannot sign up. If you are 13-17, parental consent is required.
      • Grade Level (9-12)
      • ZIP Code, State, High School Name
    • Academic & Achievement Information:
      • Intended College Major
      • GPA (unweighted and weighted)
      • AP / SAT / PSAT Test Scores
      • Extracurricular Activities, Achievements, and Awards (free-text field)
      • Target Colleges (free-text field)
    • Demographic & Background Information (Optional):
      • Heritage Tags (Multi-select, OPTIONAL): Providing this information can unlock matching to specific heritage-based scholarships.
      • Languages Spoken
      • Household Income Bracket (OPTIONAL): This is used exclusively for matching you with need-based scholarships and programs.
      • First-Generation College Status (OPTIONAL)
    • Writing Sample: You may optionally upload a writing sample. This is used to help our AI preserve your unique writing voice when drafting cold emails, ensuring the generated text sounds like you.
    • Parent Email (REQUIRED for 13-17 Minors): If you are between 13 and 17 years old, we require your parent's email address to obtain their verifiable consent before your account can be fully activated.
  • Computed Data:
    • Student Profile Vector Embedding: Based on the information you provide in your profile, we compute a 768-dimensional vector embedding. This mathematical representation of your profile is stored in our own secure Postgres database using the pgvector extension. It is used solely for semantic matching to scholarship and research opportunities and is never shared externally.
  • Data Generated by AI Features:

    As you use our AI-powered tools, certain content is generated and stored:

    • AI-Drafted Cold-Email Text: Our AI can help you draft personalized cold emails to professors. This text is generated and stored for your review and editing. Please note that these emails are sent from your OWN email client; Shrutam never automatically sends emails on your behalf.
    • AI Essay Critique: If you submit an essay for critique, the AI's feedback is returned to you and stored for your reference. This critique is never shown to anyone else.
    • AI Application Strategy Advice: Advice generated by our AI regarding application strategies for selective programs is stored for your benefit.
    • Student's Answers to AI-Asked Questions: When our AI asks you questions to gather information for drafting outreach, your answers are stored and linked to the relevant outreach drafts.

How We Use Your Information

We use the information we collect to operate, maintain, and improve our services, and to provide you with a personalized and effective experience:

  • To Provide and Personalize Services: We use your profile data to match you with relevant scholarship and research opportunities, provide AI-powered tools (like essay critique and cold email drafting), and offer tailored advice.
  • Account Management and Security: Your email is used for magic-link authentication. IP address and user-agent help prevent fraud and secure your account.
  • Communication: We use your email to send magic links, parent consent requests, and important service-related updates. All emails include a one-click unsubscribe option.
  • Service Improvement: Anonymous page-view analytics on Shrutam Main help us understand usage patterns. Aggregated, anonymized data from Shrutam Research may be used to improve our matching algorithms and AI features.
  • Compliance with Laws: We use your Date of Birth to comply with COPPA and other children's privacy regulations. We also process data as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

How We Share Your Information (Our Sub-processors)

We do not sell your personal data. We do not share your data with third parties for advertising purposes. We only share your data with trusted third-party service providers (sub-processors) who assist us in operating our services, under strict data processing agreements (DPAs) that ensure your data is protected.

  • Resend (Transactional Email Service): We use Resend.com to send magic-link emails and parent consent emails. Resend processes the recipient email address transiently to deliver these emails on our behalf.
  • Google Cloud / Vertex AI (Large Language Models - LLMs): We use Google Gemini API (specifically Gemma 4 31B and Gemini 3.1 Flash Lite models) for several AI-powered features:
    • Extracting structured eligibility criteria from scholarship descriptions (no student data involved here).
    • Scoring student-opportunity match (sends a snippet of your student profile and opportunity details to Gemini).
    • Drafting cold-email text from your answers to AI-asked questions.
    • Critiquing essay drafts (sends your essay text to Gemini).
    • Providing strategy advice for selective programs.

    Important AI Data Usage Disclosure: We currently use the FREE tier of the Google Gemini API. Per Google's documentation, prompts sent to the free-tier Gemini API may be used by Google to improve their models. We understand the privacy implications of this. We plan to migrate to the PAID tier of the Google Gemini API (which, according to Google's documentation, does NOT use prompts for training) before our public launch beyond the current friends-and-family beta phase. We are committed to minimizing data exposure and will update this policy upon migration.

  • Hostinger (Website Hosting): Hostinger provides hosting services for our Shrutam Main website (shrutam.com).
  • Cloudflare (DNS, CDN, DDoS Protection): We use Cloudflare for DNS management, content delivery network (CDN) services, and protection against Distributed Denial of Service (DDoS) attacks. Cloudflare sees request metadata, such as your IP address, but does not access your student PII beyond what is necessary for these network services.

What We DO NOT Do with Your Data:

  • We DO NOT sell student data. Ever.
  • We DO NOT show advertisements on any part of Shrutam.
  • We DO NOT use third-party tracking analytics (like Google Analytics or Facebook Pixel).
  • We DO NOT share student data with scholarship organizations. We surface opportunities for your discovery; you apply directly through the organization's official channels.
  • We DO NOT scrape, store, or share professors' contact information beyond what is publicly listed on their lab pages (the /professors feature is currently hidden).
  • We DO NOT use student data to train AI models on our side. The only potential for AI model training is Google's use of free-tier Gemini API prompts, as disclosed above, which we are actively working to eliminate by migrating to a paid tier.

Children's Privacy (COPPA Compliance)

We are deeply committed to protecting the privacy of children. Our practices are designed to comply with the Children's Online Privacy Protection Act (COPPA).

  • Under 13: We do not knowingly collect personal information from children under 13. Our Date of Birth check at onboarding will block sign-ups from users under 13 with a clear COPPA message.
  • Ages 13-17: For users aged 13 to 17, parental consent is required before their Shrutam Research account can be fully activated. The student submits their parent's email address, and we send the parent a one-click consent link (valid for 30 days). Only after the parent clicks this link is the student's account activated (is_active=TRUE in our database).
  • Parental Rights: Parents have the right to review their child's personal information, request its deletion, and refuse to permit its further collection or use. If a parent withdraws consent (by emailing [email protected] or via the unsubscribe link in the consent email), we will deactivate the child's account and delete their data within 30 days.

For more details, please see our dedicated Children's Privacy Notice.

Data Security

We implement robust security measures to protect your information from unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS. Our daily Postgres database backups are encrypted at rest and retained for 30 days.
  • Magic-Link Authentication: We do not store passwords. Our magic-link system uses single-use, 15-minute expiry tokens that are SHA-256 hashed in our database, significantly reducing the risk associated with password breaches.
  • Access Control: Access to student data by Shrutam personnel is strictly limited to those who need it to perform their job functions, and is subject to confidentiality obligations.

Data Retention

We retain your personal data only for as long as necessary to provide our services, fulfill the purposes outlined in this policy, and comply with legal obligations.

  • Active Accounts: Data associated with active Shrutam Research accounts is retained as long as the account remains active.
  • Inactive Accounts: If a Shrutam Research account has no login activity for 24 consecutive months, the associated data will be automatically deleted via a nightly cron job.
  • Deleted Accounts: If you choose to delete your account (by emailing [email protected] or using the unsubscribe link), your data will be hard-deleted from our active systems within 7 days. A non-PII audit log entry may be retained for compliance purposes.
  • Backups: Daily Postgres database backups are retained for 30 days and are encrypted at rest.

Your Rights Regarding Your Data

You have specific rights concerning your personal information:

  • Access and Portability: You have the right to request access to the personal data we hold about you. We are planning to implement a feature at /students/me/export that will allow you to export your data in a JSON format.
  • Correction: You can update most of your profile information directly within your Shrutam Research account settings. If you need assistance, please contact us.
  • Deletion ("Right to be Forgotten"): You can request the deletion of your account and all associated personal data by emailing [email protected] or by clicking the unsubscribe link in any email from us. We will delete your data within 7 days (or 30 days for minors if parental consent is withdrawn).
  • Withdraw Consent: If you have provided consent for certain data processing (e.g., parental consent for minors), you have the right to withdraw that consent at any time.

To exercise any of these rights, please contact us at [email protected].

Geographic Scope

Shrutam operates primarily in the United States and is aimed at users within the US. While users from other regions, including the EU/UK, may access our site, our services are not specifically designed for them. If users from outside the US access our site, we treat their data with care equivalent to GDPR standards, but please be aware that our legal and operational framework is based in the US.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

Questions? Contact us at [email protected].