Privacy Policy

1. Introduction

Conor Ghobrial ("we", "us", "our"), operator of ExamCrafter (https://app.examcrafter.app), is the data controller for this Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Information We Collect

Account Information: Email address, first and last name (from Google OAuth if used), and account preferences.

Uploaded Content: PDFs, slides, Word documents, and other educational materials you upload for question generation.

Usage Data: Exam scores, review progress, study activity logs, and feature usage.

Payment Information: Billing details are processed by Stripe. We do not store credit card numbers or full payment details on our servers.

Device Information: Browser type, device type, IP address, and authentication logs collected through Supabase.

3. How We Use Your Information

We use your information to: (a) provide and maintain the Service; (b) process AI-powered question generation from your uploaded materials; (c) process payments and manage subscriptions; (d) send transactional emails (exam readiness notifications); (e) monitor and improve Service performance; (f) detect and prevent fraud or abuse; (g) comply with legal obligations.

4. Third-Party Service Providers

We share data with the following third-party processors to operate the Service:

• Supabase — Database hosting, authentication, and file storage (US and EU servers).

• Stripe — Secure payment processing for subscriptions.

• Sentry — Error tracking and performance monitoring (may capture stack traces with request data).

• Google (Gemini API) — Your uploaded content is sent to generate AI-powered questions and analysis.

• OpenAI — Alternative AI provider for question generation when selected by the user.

• Resend — Transactional email delivery for notifications.

5. AI Processing Disclosure

When you use AI question generation features, your uploaded document content is sent to Google's Gemini API (or OpenAI, if selected) for processing. These providers may temporarily process your content to generate questions but do not retain your data for training purposes under our agreements. No personally identifiable information beyond your content is shared with AI providers.

6. Cookies

We use strictly necessary cookies for authentication and session management provided by Supabase (sb-* cookies). These cookies are essential for the Service to function and cannot be disabled. We do not use analytics, marketing, or preference cookies at this time.

7. Data Retention

Account data: Retained until you delete your account, then permanently removed within 30 days. Uploaded files: Retained until you delete them from the Service. Payment records: Retained as required by applicable tax and financial regulations. Error logs: Automatically purged after 90 days in Sentry.

8. Your Rights

Under GDPR, CCPA, and other applicable laws, you have the right to: (a) Access your personal data; (b) Delete your account and all associated data; (c) Export your data in a portable format; (d) Correct inaccurate data; (e) Object to processing based on legitimate interests; (f) Withdraw consent at any time. To exercise these rights, contact us at conor.ghobrial@gmail.com.

9. Data Security

We implement industry-standard security measures including encryption in transit (TLS/SSL), encrypted database connections, Row Level Security (RLS) in our database, and regular security audits. However, no method of electronic transmission or storage is 100% secure.

10. Do Not Sell My Personal Information

We do not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. California residents may exercise their CCPA rights by contacting us at conor.ghobrial@gmail.com.

11. International Data Transfers

Your data may be processed in the United States and the European Union through our service providers. We ensure appropriate safeguards are in place for international transfers in compliance with GDPR.

12. Children's Privacy

ExamCrafter is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Your continued use of the Service after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or to exercise your rights, contact us at: conor.ghobrial@gmail.com