Last updated: 20 April 2026
This policy describes what Lakshya Kumar (“Capstok”, “we”) collects when you use the Service, what we do with it, and the controls you have. We try to collect the minimum we need to run a learning platform.
Account data. When you sign up we store your email, display name, a salted bcrypt hash of your password (never the password itself), and a verification status. You can update or delete this at any time from settings.
Sign-in and security signals. To protect your account we keep a log of sign-in events (successful and failed), session creation and revocation, OTP sends and verifications, and changes to security settings. Each log entry records the timestamp, IP address, and browser user-agent string.
Learning activity. Task completions, quiz submissions, capstone submissions, progress, and feedback you leave on courses and modules. Admin reviewers see capstone submissions when deciding whether to issue a certificate.
Billing metadata. Order identifiers, plan keys, amounts, and currency. Card numbers, UPI handles, or any other payment instrument data are handled by our payment processor (Razorpay for INR, Stripe for USD when enabled). We never see or store them.
Cookies. We set a small number of first-party cookies: capstok_access and capstok_refresh keep you signed in; capstok_currency remembers the currency you prefer; capstok_cart persists your checkout cart between tabs; and capstok_invite_code remembers a coupon from an invite link so the discount applies at checkout. We do not use tracking pixels, ad cookies, or third-party analytics.
We only share personal data with:
We do not sell personal data. Ever.
When you mint an API key at /dashboard/api-keys, your AI agent can fetch course content through our MCP server scoped to your tier. We log the requests your key makes so we can rate-limit and audit abuse. Your prompts and the model's responses are not routed through or logged by us — they stay between you and your AI provider.
You can access, correct, export, or delete your personal data at any time. From settings you can edit your profile, change your password, revoke active sessions, and delete your account. For a machine-readable export or any question we can't resolve in-app, email lklsquare@gmail.com and we'll respond within 30 days.
Our infrastructure may process data in regions outside your country of residence. Where that happens we rely on standard contractual clauses or equivalent mechanisms with our providers.
Capstok is not directed to children under 13, and we don't knowingly collect data from them. If you think a child has signed up, email us and we'll delete the account.
Passwords are hashed with bcrypt. Sessions use short-lived access JWTs and rotating refresh tokens bound to a server-side session record we can revoke. All traffic is served over TLS. We take security seriously but no system is perfectly secure — if you find a vulnerability, please report it to lklsquare@gmail.com rather than disclosing it publicly.
If we change this policy in a way that affects how we handle data we already hold, we will notify you by email or an in-app notice at least 7 days before the change takes effect.
Privacy questions: lklsquare@gmail.com.