Privacy Policy
Last Updated: 13 June 2026
1. Introduction
Your privacy is important to us. This Privacy Policy explains how PastpaperLM, a company based in Sri Lanka, collects, uses, stores, and protects personal information when you use PastpaperLM. This policy applies to all users of the PastpaperLM web application (available at app.pastpaperlm.com) and the marketing website (at pastpaperlm.com).
By using PastpaperLM, you agree to the collection and use of information in accordance with this Privacy Policy. We are committed to handling your data with care and in compliance with applicable privacy laws, including the Personal Data Protection Act (PDPA) No. 9 of 2022 of Sri Lanka.
If you have any questions about this policy or our data practices, please contact us at support@pastpaperlm.com.
2. Data We Collect
We collect a limited set of data necessary to operate and improve the Service. The categories of data we collect are:
- Account data: When you sign in via Google OAuth, we receive your name and email address from Google. We store these to create and maintain your account record.
- Usage and billing data: We record which features you use, how many credits you consume, your credit balance, transaction history (Order IDs, purchase dates, pack amounts), and which plan you are on. This data is necessary for us to operate the credit metering and billing system.
- Chat content: Messages you send to EPIS and the responses generated are stored in order to provide context across a session and to maintain your chat history, which you can review in the application. We may also use aggregated or anonymised chat telemetry to evaluate and improve model performance.
- Device identifiers: We collect and store device identifiers to enforce our device policy and prevent account sharing or abuse. These identifiers do not identify you personally but are associated with your account to limit the number of devices from which your account may be actively used.
- Uploaded files: If you upload files (such as photographs of questions or handwritten notes), those files are stored on our file storage infrastructure solely to provide the requested feature and are accessible only to you within your account.
- UI preferences: Your theme preference (light or dark mode) is stored locally in your browser's localStorage only. This preference is never transmitted to our servers.
3. What We Do NOT Collect
We are committed to collecting only data that is necessary to operate the Service. We explicitly do not collect any of the following:
- Card numbers, credit or debit card details, CVV codes, or bank account credentials of any kind. All payment data is handled exclusively by PayHere and is never transmitted to or stored by us.
- National identity card numbers or passport numbers.
- Biometric data.
- Sensitive personal data such as health information, religion, or ethnicity.
4. How We Use Your Data
We use the data we collect for the following purposes, all of which are necessary to provide or improve the Service:
- Providing the Service: Your account data and usage data enable us to authenticate you, show you your personalised content, and operate all features of PastpaperLM.
- Credit and subscription metering: We use your usage data to track how many credits you have consumed, manage your daily allowance, and record your subscription or wallet balance accurately.
- Payment processing: When you make a purchase, your Order ID and payment confirmation from PayHere are used to credit your account with the correct plan or credit pack.
- Usage limit enforcement: Device identifiers and account usage data are used to enforce fair use limits, prevent account sharing, and detect and act against abuse.
- Fraud prevention: We use transaction records and account behaviour data to identify potentially fraudulent activity, including duplicate purchases, chargeback fraud, and multi-account abuse.
- Service quality and improvement: Anonymised or aggregated usage and performance telemetry is used to understand how students use the platform, identify areas for improvement, and evaluate model accuracy.
- Customer support: When you contact us, we use your account data and relevant transaction or usage records to investigate and resolve your query.
5. Third-Party Processors (International Data Transfers)
To operate the Service, we share certain data with third-party service providers. Some of these providers are located outside Sri Lanka. We share only the minimum data necessary for each provider to perform their function.
- PayHere (Sri Lanka): Our payment gateway. When you initiate a purchase, you are redirected to PayHere's payment pages. PayHere receives your payment details directly and returns a payment confirmation to us. PayHere is governed by its own privacy policy.
- AI model providers (United States): EPIS is powered by large language model APIs. Your messages to EPIS and relevant context are transmitted to these providers to generate responses. We use providers that offer appropriate data processing terms and do not use your messages to train their public models without consent.
- Cloud hosting (United States and/or European Union): Our application servers and database infrastructure are hosted on cloud platforms. Your account data and usage records are stored on these platforms.
- Vector search infrastructure (United States and/or European Union): To enable EPIS to retrieve relevant past-paper content, we use vector database services. These services may receive embeddings derived from your queries but do not receive your personal identifiers.
- File storage (United States): Files you upload to the platform are stored in cloud object storage. Your uploaded files are accessible to you within your account and are not shared with third parties beyond storage.
- Frontend hosting and CDN (United States): The PastpaperLM application and marketing website are served via a global content delivery network. Standard server logs, including IP addresses, may be retained briefly by this provider in accordance with their data processing policies.
6. Data Retention
We retain your data for different periods depending on its category and purpose:
- Payment records: Transaction records including Order IDs, purchase dates, and amounts paid are retained for as long as required by applicable Sri Lankan law, including tax and financial record-keeping obligations.
- Credit transaction ledger: Your credit balance and the history of credit additions and deductions are retained for the lifetime of your account so you can always audit your usage and purchases.
- Daily usage counters: The counters used to track your daily question allowance are reset every 24 hours, and the previous day's counter data is purged after 30 days.
- Chat telemetry: Chat history and associated telemetry are retained for up to 24 months. After this period, records are anonymised or aggregated and individual conversational content is deleted.
- Account data: Your name and email address are retained for as long as your account remains active. If you request account deletion, we will delete your personal data within 30 days, subject to any retention obligations arising from payment records or ongoing dispute resolution.
7. Your Rights (PDPA)
Under the Personal Data Protection Act No. 9 of 2022 of Sri Lanka and, where applicable, other privacy regulations, you have the following rights in relation to your personal data:
- Right of access: You may request a copy of the personal data we hold about you.
- Right to correction: You may request that we correct any inaccurate or incomplete personal data we hold about you.
- Right to deletion: You may request that we delete your personal data, subject to any legal retention obligations. Requesting deletion will result in your account being closed.
- Right to object to processing: You may object to processing of your personal data where we are relying on legitimate interests as our legal basis. We will consider your objection and respond within a reasonable timeframe.
To exercise any of these rights, please contact us at support@pastpaperlm.com. We will respond to all requests within 30 days. We may ask you to verify your identity before fulfilling a request.
8. Children's Privacy
PastpaperLM is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you are under 13, you must not use this Service. If we become aware that we have inadvertently collected personal data from a child under 13, we will take prompt steps to delete that information and close the associated account.
PastpaperLM is intended for students aged 16 and above. Purchases by users under 18 require parental or guardian consent. We do not knowingly collect data from children under 13.
9. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of Sri Lanka, including the Personal Data Protection Act (PDPA) No. 9 of 2022. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts of Sri Lanka.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features of our Service. When we update this policy, we will revise the "Last Updated" date at the top of the page and post the revised policy here. For significant changes that materially affect how we process your personal data, we will notify registered users by email or through a notice in the application. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.
11. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us at:
PastpaperLM · Sri Lanka
