Your data, treated like ours.

• Account info — email, display name, and a hashed password (we never store your raw password).
• Payment info — purchase amount, plan or series ID, transaction reference. Card / UPI / bank details are handled by Razorpay and never reach our servers.
• Usage info — what you've watched and how far through, your bookmarks (My List), and basic device/browser info in our access logs.
• Communications — when you email us or message us on WhatsApp, we keep that conversation so we can help you better next time.

• We don't use third-party advertising trackers.
• We don't sell or rent your personal data to anyone, ever.
• We don't read your private messages or email beyond what you send us directly.

We use the data above to:

• Authenticate your sessions and keep your account secure.
• Deliver content you've purchased and remember where you left off.
• Show you a sensibly personalised library — "Continue watching", "My List", category recommendations.
• Process payments and prevent fraud.
• Improve the service — debugging, performance, and product decisions based on aggregate trends.
• Send you transactional emails (purchase receipts, password resets). Marketing emails are opt-in.

We use a single authentication token in your browser's local storage to keep you signed in. We do not use cross-site tracking cookies. Your browser may set a short-lived cookie via Cloudflare for bot protection — this is not used for advertising.

We share the minimum required data with carefully chosen vendors:

• Razorpay — to process payments.
• Cloud hosting and CDN providers — to serve the platform and stream videos.
• Email service provider — for transactional and (opt-in) marketing email.

Each vendor is contractually obligated to protect your data and use it only to perform the service we've engaged them for.

• Account info — for as long as your account is active.
• Payment receipts — 7 years (Indian tax law requirement).
• Watch progress & bookmarks — until you delete them or your account.
• Server access logs — 90 days, then anonymised.

You can, at any time:

• Request a copy of all the data we hold about you.
• Ask us to correct inaccurate information.
• Delete your account and all associated personal data (excluding payment records we are legally required to retain).
• Withdraw consent for marketing emails.

Email privacy@ontestamini.com from your registered address and we'll act within 30 days.

Ontesta Mini is suitable for general audiences but is not designed for children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has signed up, please contact us and we'll delete the account.

We use bcrypt-hashed passwords, JWT tokens with short expiry, HTTPS everywhere, and routine dependency audits. No system is perfectly secure — if you suspect a breach of your account, please email security@ontestamini.com immediately.

We'll notify you of meaningful changes via email and a banner on the platform at least 14 days before they take effect.