Privacy Policy

Effective date: 2026-06-13

1. Overview

ExamRift is operated by PAN-U INFORMATION COMPANY LIMITED ("we", "us", "our"). We respect your privacy. This Privacy Policy explains what data we collect, how we use it, and your rights regarding your personal information.

2. Data We Collect

  • Account information: Email address, name, and authentication data (managed by Firebase Authentication).
  • Learning data: Answers, scores, study time, progress, vocabulary lists, and study plan preferences. Used to power your personalized experience and proficiency model.
  • Audio recordings and written essays: Speaking recordings and written essays are stored on your device. If you use AI grading features, recordings and essays are transmitted to AI providers solely for evaluation and scoring — we do not store, retain, or use them for any other purpose.
  • Usage data: AP consumption, feature usage patterns, session duration, and device/browser information. Used for service improvement and abuse prevention.
  • Payment data: Processed by our payment provider (Lemon Squeezy). We do not store credit-card numbers or bank details.

3. How We Use Your Data

  • Provide and personalize the learning experience (adaptive question selection, proficiency tracking, study plans)
  • Power AI grading and feedback features
  • Manage your AP balance, subscription, and account
  • Improve our question bank and service quality
  • Prevent abuse, fraud, and Terms of Service violations
  • Send account-related notifications (billing, security, feature updates)
  • Send marketing emails (study tips, product updates, offers) — only with your explicit opt-in consent (see "Marketing Emails" below)

4. AI Processing

When you use AI grading features, your answers, recordings, and essays are sent to third-party AI providers for scoring and feedback. These providers process data according to their respective privacy policies and data processing agreements. We do not share your personal identity with AI providers — only the content needed for evaluation. We do not store or use your recordings or essays for any purpose beyond delivering your grading results.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Service providers: Firebase (auth), Neon (database), Cloudflare (hosting/CDN), Lemon Squeezy (payments), AI providers (grading), Brevo (email delivery and contact management — see "Marketing Emails" below)
  • Legal requirements: When required by law, court order, or to protect our rights
  • Aggregated/anonymized data: May be used for research or public statistics (e.g., average score improvements) without identifying individuals

6. Data Retention

  • Account and learning data: Retained while your account is active, plus 30 days after deletion request
  • Audio recordings and written essays: Stored on your device only; not retained on our servers
  • Payment records: Retained as required by tax and accounting regulations (typically 5-7 years)
  • Anonymized/aggregated data: May be retained indefinitely

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Export your learning data in a portable format
  • Withdraw consent for optional data processing
  • Object to automated decision-making

To exercise these rights, contact us at [email protected]. We will respond within 30 days.

8. Cookies and Local Storage

We use essential cookies and localStorage for authentication, preferences (dark mode, language), and session management.

We also offer optional advertising cookies (Google Ads, Meta Pixel) used solely to measure campaign performance. These advertising cookies are off by default and only load if you explicitly accept the consent banner shown on your first visit. You can change your choice at any time by clearing site data or contacting us at [email protected]. We do not load advertising or third-party tracking cookies until and unless you opt in.

9. Marketing Emails

With your explicit consent, we send marketing emails such as welcome and onboarding tips, activation reminders, win-back messages when you have been away, and checkout reminders if you start but do not complete a purchase.

  • Consent is account-level and off by default. The marketing-email checkbox at signup is unchecked; we send marketing emails only if you opt in. If you have never made a choice, we treat that as no consent and do not send marketing email.
  • You can opt out at any time from Settings → Email Preferences, or by using the unsubscribe link in any marketing email. Opting out takes effect immediately for future sends.
  • Brevo is our email processor. We use Brevo (Sendinblue GmbH) to deliver emails and manage contact profiles (email address, name, plan, signup date, activity signals such as exam counts and blog-reading language). Brevo processes this data on our behalf under its data processing agreement. Marketing automation and CRM profiling are applied only to contacts who have opted in.
  • Transactional emails are separate. Service emails — password resets, payment receipts, billing and security notices — are necessary to operate your account and are sent regardless of marketing consent.

10. Children's Privacy

Children under 13 may only use the Service through a parent or legal guardian's Coach account. In Coach Mode, the parent creates a managed learner account for the child — no email address is required and the child logs in via a parent-generated QR code or link. The parent has full visibility into the child's learning progress and controls device access. We do not knowingly allow children under 13 to create independent accounts. If you believe a child under 13 has signed up without parental supervision, contact us and we will promptly suspend or delete the account.

11. Security

We use industry-standard security measures including encrypted connections (TLS), encrypted storage, access controls, and regular security reviews. However, no system is 100% secure, and we cannot guarantee absolute security of your data.

12. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence (including the United States and EU) through our cloud infrastructure providers. We ensure appropriate safeguards are in place for cross-border transfers.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or in-app notification at least 14 days before taking effect.

14. Contact

For privacy questions or data requests, contact us at [email protected].