Privacy Policy
Effective Date: January 20, 2025
Last Updated: November 24, 2025
Introduction
Welcome to 990prep ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your data when you use our TOEIC preparation platform at 990prep.com (the "Service").
This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws. By using our Service, you agree to the collection and use of information in accordance with this policy.
1. Data Controller
990prep acts as the data controller for the personal information processed through our Service. We determine the purposes and means of processing your personal data.
Contact Information:
Email: [email protected]
For all privacy-related inquiries, data access requests, or concerns, please contact us at the email above.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use our Service, we collect:
- Account Information: Email address, username, full name, and your password (stored only as a bcrypt hash, as described in Section 10, never in plaintext)
- Profile Information: Target TOEIC score, current score, target exam date, study motivation (work, academic, etc.), and language preference
- Payment Information: When you subscribe to premium features, we collect payment details through Stripe. We only store your Stripe customer ID; card details are securely stored by Stripe
- Communications: Feedback, support requests, and any other information you choose to provide
2.2 Information Collected Automatically
When you use our Service, we automatically collect:
- Usage Data: Test scores, practice session history, answers to questions, time spent on exercises, progress tracking, and marked items for review
- Device Information: Browser type and version, operating system, IP address (anonymized), and device identifiers
- Cookies and Similar Technologies: Session cookies for authentication, preference cookies for settings (language, theme), and local storage for application state
2.3 Information We Do NOT Collect
We do not:
- Track your location or precise geolocation data
- Access your contacts, camera, or microphone without explicit permission
- Collect sensitive data such as health information, political views, or religious beliefs
- Use third-party advertising trackers (we use PostHog for analytics with your consent)
3. Legal Basis for Processing (GDPR)
Under GDPR, we process your personal data based on the following legal grounds:
Contractual Necessity (Art. 6(1)(b) GDPR)
Processing is necessary to perform our contract with you when you sign up for and use our TOEIC preparation services, including account creation, test delivery, and progress tracking.
Legitimate Interest (Art. 6(1)(f) GDPR)
We have a legitimate interest in improving our platform, analyzing usage patterns, ensuring security, preventing fraud, and enhancing user experience. We balance these interests against your rights and freedoms.
Consent (Art. 6(1)(a) GDPR)
For optional cookies, marketing communications, and non-essential data processing, we rely on your explicit consent, which you can withdraw at any time.
Legal Obligation (Art. 6(1)(c) GDPR)
Processing is necessary to comply with legal obligations such as tax law, accounting requirements, and responding to lawful requests from authorities.
4. How We Use Your Information
We use your personal data for the following purposes:
4.1 Service Delivery
- Create and manage your account
- Provide access to TOEIC practice tests and study materials
- Track your progress and generate personalized study recommendations
- Display your scores, statistics, and performance analytics
- Enable practice sessions and full test simulations
4.2 Payment Processing
- Process subscription payments through Stripe
- Manage premium memberships and billing cycles
- Send payment receipts and renewal notifications
- Handle refund requests and payment disputes
4.3 Communication
- Send service-related emails (account verification, password resets)
- Notify you of important updates, maintenance, or policy changes
- Respond to your support requests and feedback
- Send optional marketing communications (only with your consent)
4.4 Platform Improvement
- Analyze usage patterns to improve features and content quality
- Identify and fix technical issues and bugs
- Develop new features based on user behavior and feedback
- Conduct anonymized research on learning effectiveness
4.5 Security and Compliance
- Detect and prevent fraud, abuse, and security threats
- Enforce our Terms of Service and acceptable use policies
- Comply with legal obligations and respond to lawful requests
- Maintain system security and data integrity
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We only share your information in the following limited circumstances:
5.1 Service Providers
Supabase (Database & Authentication)
We use Supabase for database hosting, user authentication, and backend infrastructure. Your data may be stored in EU or US data centers with GDPR-compliant safeguards.
Privacy Policy: supabase.com/privacy
Stripe (Payment Processing)
Payment processing is handled by Stripe, a PCI DSS Level 1 certified provider. Stripe stores your payment card details; we only store your Stripe customer ID.
Privacy Policy: stripe.com/privacy
PostHog (Analytics)
We use PostHog for product analytics to understand how users interact with our platform. PostHog collects anonymized usage data such as page views and feature usage. This data is only collected with your consent via our cookie banner.
Privacy Policy: posthog.com/privacy
5.2 Legal Requirements
We may disclose your information if required to:
- Comply with a legal obligation, court order, or government request
- Enforce our Terms of Service or investigate violations
- Protect the rights, property, or safety of 990prep, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.
6. International Data Transfers
Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.
When we transfer personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): Approved by the European Commission to protect data transferred outside the EEA
- Adequacy Decisions: Transfers to countries deemed to have adequate data protection by the European Commission
- Data Processing Agreements: Contractual obligations with service providers to maintain GDPR-level protection
For more information about international transfers or to request copies of safeguards, contact us at [email protected].
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
Active Accounts
Your account data is retained while your account is active and for 90 days after you delete your account. This allows you to recover your account if deletion was accidental.
Payment and Financial Records
Payment records, invoices, and transaction data are retained for 7 years to comply with tax and accounting regulations.
Usage and Analytics Data
Aggregated and anonymized usage data may be retained indefinitely for analytics, research, and service improvement. This data cannot be used to identify you personally.
Backups
Deleted data may remain in backup systems for up to 30 days before permanent deletion.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:
Right to Access (Art. 15 GDPR)
You can request a copy of all personal data we hold about you. This includes your profile information, test history, and account activity.
How to exercise: Email us at [email protected] with "Data Access Request" in the subject line. We will verify your identity and provide your data within 30 days.
Right to Rectification (Art. 16 GDPR)
You can update or correct inaccurate or incomplete personal information at any time.
How to exercise: Edit your information in your profile settings, or email us at [email protected]
Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
You can request deletion of your account and personal data, subject to legal retention requirements (e.g., payment records for tax compliance).
How to exercise: Email us at [email protected] with "Delete My Account" in the subject line. We will verify your identity and process your request within 30 days.
Right to Data Portability (Art. 20 GDPR)
You can export your data in a structured, machine-readable format (JSON) to transfer to another service.
How to exercise: Email us at [email protected] with "Data Export Request" in the subject line. We will verify your identity and send you a JSON file within 30 days.
Right to Restrict Processing (Art. 18 GDPR)
You can request that we limit how we use your data in certain circumstances (e.g., while we verify data accuracy).
How to exercise: Contact us at [email protected]
Right to Object (Art. 21 GDPR)
You can object to processing based on legitimate interests or direct marketing purposes.
How to exercise: Opt out of marketing emails or contact us
Right to Withdraw Consent (Art. 7(3) GDPR)
You can withdraw consent for optional data processing (e.g., cookies, marketing) at any time without affecting the lawfulness of prior processing.
How to exercise: Adjust cookie preferences or unsubscribe from emails
Right Not to be Subject to Automated Decision-Making (Art. 22 GDPR)
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
Response Time
We will respond to all rights requests within 30 days of receipt. If we need additional time, we will inform you of the delay and the reasons for it.
9. Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience and provide functionality. A cookie is a small text file stored on your device.
9.1 Types of Cookies We Use
Essential Cookies (Strictly Necessary)
Required for basic site functionality, authentication, and security. These cookies cannot be disabled as they are necessary for the Service to work.
Examples: Session cookies, authentication tokens, CSRF protection
Preference Cookies (Functional)
Remember your preferences such as language selection, theme (dark/light mode), and display settings. These are optional and require your consent.
Examples: Language preference, theme settings, UI customization
Local Storage
We use browser local storage to maintain application state, such as your current test progress and unsaved answers.
9.2 Managing Cookies
You can control cookies through:
- Cookie Consent Banner: Accept or decline non-essential cookies when you first visit our site
- Browser Settings: Most browsers allow you to refuse cookies or delete existing cookies. Note that disabling essential cookies may prevent you from using certain features
9.3 Third-Party Cookies
We do not use third-party advertising cookies or trackers. Service providers like Stripe may set cookies when processing payments, subject to their own privacy policies.
10. Data Security
We implement comprehensive security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction:
Encryption
- All data transmissions use HTTPS/TLS encryption (minimum TLS 1.2)
- Passwords are hashed using bcrypt with salt before storage
- Database connections are encrypted end-to-end
Access Controls
- Row-Level Security (RLS) on database to isolate user data
- Multi-factor authentication for administrative access
- Principle of least privilege for system access
- Regular access audits and permission reviews
Infrastructure Security
- Automated backups with encryption at rest
- Regular security patches and updates
- Intrusion detection and monitoring systems
- DDoS protection and rate limiting
Organizational Measures
- Data protection training for personnel
- Confidentiality agreements with team members
- Incident response and breach notification procedures
- Regular security assessments and penetration testing
Important: While we implement industry-leading security practices, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security of your data.
If you believe your account has been compromised, immediately change your password and contact us at [email protected].
11. Children's Privacy
Our Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent.
If you are a parent or guardian and believe your child under 16 has provided us with personal information, please contact us immediately at [email protected]. We will delete such information from our systems promptly.
If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information as quickly as possible.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational needs.
When we make changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you of significant changes by email (to your registered email address) or through a prominent notice on our platform
- Where material changes affect your rights, we may also require your renewed consent before those changes take effect
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
13. Data Breach Notification
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33)
- Inform affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (as required by GDPR Art. 34)
- Provide clear information about the nature of the breach, likely consequences, and measures taken to address it
Our incident response procedures are designed to minimize the impact of any security incidents and protect your data.
14. Your California Privacy Rights (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:
- Right to Know: Request disclosure of personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information, subject to exceptions
- Right to Opt-Out: We do not sell your personal information, so opt-out is not applicable
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights
To exercise these rights, contact us at [email protected] with "California Privacy Rights" in the subject line.
15. Complaints and Supervisory Authority
If you believe we have not handled your personal data properly or have concerns about our privacy practices, you have the right to:
Contact Us Directly
We encourage you to contact us first so we can address your concerns:
Email: [email protected]
Lodge a Complaint with a Supervisory Authority
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:
- EU/EEA Residents: Find your Data Protection Authority at edpb.europa.eu/about-edpb/board/members_en
- UK Residents: Information Commissioner's Office (ICO) at ico.org.uk
16. How to Exercise Your Rights
To exercise any of your GDPR rights, please send an email to [email protected] with a clear subject line indicating your request:
📥 Data Access Request
Subject: "Data Access Request"
We will provide: A complete copy of your personal data in JSON format
Timeline: Within 30 days
📤 Data Export Request
Subject: "Data Export Request"
We will provide: Your data in a structured, machine-readable JSON file
Timeline: Within 30 days
🗑️ Account Deletion Request
Subject: "Delete My Account"
What happens: Your account and personal data will be permanently deleted (except legally required records like payment history for tax compliance)
Timeline: Within 30 days
✏️ Data Correction Request
Subject: "Data Correction Request"
What to include: Specify which information is incorrect and the correct information
Timeline: Within 30 days
Identity Verification: For your security, we will verify your identity before processing any data request. We may ask you to confirm details from your account or send a verification link to your registered email address.
17. Contact Information
For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: [email protected]
Website: 990prep.com
We aim to respond to all inquiries within 48 hours on business days, and to all formal data rights requests within 30 days as required by GDPR.
18. Additional Resources
For more information about data protection and privacy:
This Privacy Policy was last updated on November 24, 2025.
Effective Date: January 20, 2025
