Table of Contents
- 1. Introduction & Data Controller
- 2. Data We Collect
- 3. How We Use Your Data
- 4. Legal Basis for Processing (GDPR)
- 5. Data Sharing & Third-Party Processors
- 6. International Data Transfers
- 7. Data Retention
- 8. Your Rights
- 9. Children's Privacy
- 10. Data Security
- 11. California Residents (CCPA)
- 12. Cookies
- 13. Changes to This Policy
- 14. Contact & Complaints
1. Introduction & Data Controller
This Privacy Policy explains how TestOn AI (operated by [COMPANY LEGAL NAME], referred to as "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our platform at www.testonai.online and www.testonai.com.
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws worldwide.
[COMPANY LEGAL NAME]
[REGISTERED ADDRESS – TO BE COMPLETED]
[COMPANY REGISTRATION NUMBER – if applicable]
Email: testonai.tech@gmail.com
If you have questions about how we handle your data or wish to exercise your rights, please contact us at the email address above.
2. Data We Collect
2.1 Account Data
- Email address;
- Password (stored in hashed form — never in plaintext);
- Display name / nickname;
- Profile avatar (optional);
- Educational details: institution, degree, year of study (optional, self-provided).
2.2 Subscription & Payment Data
- Current subscription plan and status;
- Stripe Customer ID (reference token only — we do not store full card details);
- AI Credit balance and Credit Pack purchase history;
- Billing history (transaction dates, amounts, payment status).
2.3 User Content
- Projects, questions, answer options, and notes you create;
- Flashcard content and images you upload;
- Test results and performance data;
- Questions marked as "difficult" for review;
- AI Creator workspace data (saved prompts and generated content).
2.4 Usage & Technical Data
- IP address;
- Browser type, version, and operating system;
- Device type;
- Pages visited, features used, and session duration;
- Error logs and crash reports;
- Theme preference (dark / light / study mode).
2.5 Authentication Data
- Session tokens (HTTP-only cookies managed by Supabase Auth);
- Google OAuth profile data if you choose Google Sign-In (name, email, Google account ID).
2.6 Multiplayer & Sharing Data
- Multiplayer room participation data (nickname, score, session ID);
- Shared project access tokens you generate.
3. How We Use Your Data
| Purpose | Data Used |
|---|---|
| Provide and operate the Service (account management, project storage, learning modes) | Account data, User Content, technical data |
| Process payments and manage subscriptions | Payment data, email, Stripe Customer ID |
| Provide AI generation features (route prompts to AI models) | Content you input to AI features, credit balance |
| Enable multiplayer and project sharing features | Nickname, session data, shared project tokens |
| Track progress and personalise learning experience | Test results, difficult questions, usage patterns |
| Send transactional emails (payment confirmations, account alerts) | Email address |
| Ensure security, detect fraud, and prevent abuse | IP address, login data, technical logs |
| Comply with legal obligations (accounting, tax records) | Payment data, billing records |
| Improve the Service (aggregate analytics, bug fixing) | Usage data, error logs (anonymised where possible) |
| Send marketing communications (with your consent) | Email address |
4. Legal Basis for Processing (GDPR)
Under the GDPR, we process your personal data on the following legal bases:
Art. 6(1)(b) – Contract Performance
Processing necessary to provide the Service: account creation, storing your content, processing payments, and delivering subscription benefits.
Art. 6(1)(c) – Legal Obligation
Processing required to comply with legal obligations, such as retaining accounting and tax records.
Art. 6(1)(f) – Legitimate Interests
Processing for our legitimate interests, including platform security, fraud prevention, and service improvement. We have determined these interests do not override your fundamental rights.
Art. 6(1)(a) – Consent
Where processing is consent-based (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Data Sharing & Third-Party Processors
We share your data only with the following processors, all bound by strict Data Processing Agreements (DPAs):
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, real-time features | USA (EU SCCs in place) |
| Stripe, Inc. | Payment processing and subscription management | USA (EU SCCs in place) |
| Vercel, Inc. | Web hosting and content delivery | USA (EU SCCs in place) |
| Cloudflare, Inc. | Serverless compute, edge delivery, DDoS protection | USA (EU SCCs in place) |
| OpenRouter AI, Inc. | AI model routing for content generation features | USA (EU SCCs in place) |
| Google LLC | OAuth authentication (only if you use Google Sign-In) | USA (EU SCCs in place) |
We do not sell your personal data. We do not share data with advertisers or marketing networks.
6. International Data Transfers
Our third-party processors operate in the United States. When transferring personal data outside the EEA, we ensure appropriate safeguards under GDPR Chapter V, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- Adequacy decisions where applicable.
You may request a copy of the applicable transfer mechanisms by contacting us at testonai.tech@gmail.com.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account data and User Content | Until account deletion; permanently erased within 30 days of deletion request |
| Payment records and billing history | 5 years from transaction (legal / tax obligation) |
| Server and access logs | Up to 90 days |
| Multiplayer session data | Deleted at session end or within 24 hours |
| Marketing consent records | Until consent is withdrawn + 1 year |
After account deletion, we retain only anonymised, aggregated statistical data that cannot be linked back to you.
8. Your Rights
Under the GDPR and other applicable data protection laws, you have the following rights:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your personal data, subject to legal retention requirements.
Right to Restriction
Request that we limit processing of your data in certain circumstances.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent
Withdraw consent at any time where processing is consent-based.
Right to Lodge a Complaint
File a complaint with your national supervisory authority (e.g., UODO in Poland).
To exercise any right, contact us at testonai.tech@gmail.com. We respond within 30 days and may verify your identity before processing requests.
9. Children's Privacy
The Service is not directed to children under 13. Users aged 13–17 may use the Service only with verifiable parental or guardian consent.
We do not knowingly collect personal data from children under 13. If we discover such data has been collected, we will promptly delete it. Parents or guardians who believe their child under 13 has registered should contact us at testonai.tech@gmail.com.
10. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Passwords stored using industry-standard hashing (bcrypt via Supabase Auth);
- All data transmitted over HTTPS / TLS encryption;
- HTTP-only session cookies preventing client-side script access;
- Row-level security (RLS) policies in the database;
- Bearer token authentication on all API endpoints;
- Regular security reviews of our infrastructure.
11. California Residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the CPRA:
- Right to Know: Disclose categories and specific pieces of personal information collected, used, or disclosed.
- Right to Delete: Request deletion of your personal information, subject to exceptions.
- Right to Opt-Out of Sale / Sharing: We do not sell or share personal information for cross-context behavioural advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising CCPA rights.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Limit Sensitive Data Use: We do not use sensitive personal information beyond providing the Service.
To submit a CCPA request, email testonai.tech@gmail.com with subject line "CCPA Request".
12. Cookies
We use cookies and similar technologies to operate the Service. For full details on which cookies we use and how to manage them, please see our Cookie Policy.
13. Changes to This Policy
We may update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Effective date" at the top of this page;
- Send an email notification to registered users;
- Display a prominent notice within the Service.
Continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
14. Contact & Complaints
For privacy-related questions, data requests, or complaints, please contact us:
TestOn AI – Data Protection
Email: testonai.tech@gmail.com
Website: www.testonai.com
Address: [COMPANY ADDRESS – TO BE COMPLETED]
You also have the right to lodge a complaint with your local supervisory authority. In Poland: Urząd Ochrony Danych Osobowych (UODO) — uodo.gov.pl.