Privacy Policy

• Account information. Your email address and display name, and a password that is hashed and stored by our authentication provider (Supabase Auth). We never store your password in plain text. If you enable two-factor authentication, we store the associated factor metadata, not your one-time codes.
• Profile information. An optional avatar (a URL you provide or an image you upload) and study preferences such as daily goal, questions per quiz, theme, reminder settings, how you prefer reviews to be scheduled, and your chosen exam date. Your exam date is stored only in your browser and is not sent to our servers.
• Study activity. Quiz attempts and scores, objective mastery, streaks, mock-exam sessions, and spaced-repetition schedules tied to your account. If you use the study tutor, we also keep daily usage counts tied to your account to enforce its daily limit.
• Payment information. If you buy a paid plan, payment is handled by Stripe. Stripe collects your card or payment details directly; we do not see or store full card numbers. Our paid plans are one-time purchases, not subscriptions. We receive and store limited billing metadata such as a Stripe customer ID, payment or charge identifiers, the plan you bought, your access status, and the date your access expires.
• Technical and usage data. Limited data such as IP address, browser type, device, pages viewed, and aggregate usage, collected by our hosting provider (Netlify), our privacy-focused analytics (Plausible), and our error-monitoring tool (Sentry) to keep the Service running, secure, and reliable.
• Referral link clicks. If you arrive through an affiliate or referral link (a link beginning with /r/), we log the click with limited technical data: your IP address, approximate country, browser and user-agent, and the referring page. We use it only to credit the referrer and to detect click fraud. We do not use it to build advertising profiles or track you across other sites.
• Reviews you submit. If you leave a review, we store the star rating and any written note, linked to your account. Approved reviews may be published on the site anonymously, attributed to "Verified learner" with no name or other identifier shown.
• Communications. If you email us for support, we keep your messages and contact details to respond and maintain records.

• provide, operate, personalize, and improve the study platform;
• authenticate you and enforce access to free and paid features;
• process payments and send receipts and billing notices;
• send service messages and the study reminders you opt into;
• diagnose and fix errors, prevent fraud and abuse, and secure our systems;
• comply with legal obligations and enforce our Terms.

Where the GDPR or UK GDPR applies, we rely on a legal basis for each purpose:

• Contract. Creating and authenticating your account, providing the free and paid features, and processing payments.
• Legitimate interests. Securing, maintaining, and improving the Service, preventing fraud and abuse, and keeping the Service reliable.
• Consent. Optional study reminders and any non-essential cookies, where required. You can withdraw consent at any time without affecting processing already carried out.
• Legal obligation. Keeping tax, payment, and other records the law requires us to retain.

We use a small number of strictly necessary cookies and browser local storage to run the Service: an authentication token that keeps you signed in; a preferences and progress store on your device that remembers things like your theme, study settings, exam date, flashcard progress, and a local copy of your study activity so the app works smoothly; a note that you dismissed this notice and, if you arrived through a referral link, the referral code; and security cookies set by our infrastructure providers. These are essential to provide the Service, so they do not require consent. Our analytics provider, Plausible, is cookieless and does not track you across sites or build advertising profiles. Card payment is handled on Stripe's own checkout page, so any payment cookies are set by Stripe there, not by us. Because we use no advertising or cross-site tracking cookies and do not serve ads, we do not gate the Service behind a cookie-consent wall; instead, on your first visit we show a brief, dismissible notice that describes the essential storage above and links to this section. Some browsers send a Do Not Track or Global Privacy Control signal; because we do not track you across third-party sites and do not sell or share personal information, our behavior is the same whether or not such a signal is present.

We share personal information with vetted providers only as needed to run the Service:

• Supabase - authentication and database storage.
• Stripe - payment processing.
• Netlify - website hosting and serverless functions.
• Cloudflare - DNS, content delivery, and email routing.
• Plausible - privacy-respecting, cookieless analytics.
• Sentry - error monitoring, configured to minimize personal data: we do not send your authentication tokens, cookies, or full request contents, and reports carry only what we need to diagnose a problem, such as the affected feature and, where necessary, an internal account identifier.
• Resend - transactional, reminder, and policy-update notice emails.
• Anthropic - powers the optional study tutor, available on the Lifetime plan. When you use it, the questions you type, the quiz question being discussed, the answers you selected, and the related lesson text are sent to generate a response. No account identifiers are sent, and your inputs are not used to train models.

Each provider has its own privacy policy and processes data on our behalf under appropriate terms.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We disclose information only: to the service providers above; when required by law or valid legal process; to protect the rights, safety, and security of users, the public, or us; and in connection with a merger, acquisition, or sale of assets, in which case we will notify you and any successor will be bound by this Policy.

We keep account and study data while your account is active and for a reasonable period afterward to honor refund windows, keep tax and transaction records, resolve disputes, and maintain security logs. When you delete your account, we delete or de-identify your personal data within a reasonable time, except where we must retain it to comply with law (for example, payment and tax records held by us or Stripe).

We protect your data with measures including encryption in transit (HTTPS/TLS), row-level security so each account can access only its own records, server-side verification of paid access, and minimized error logging. No method of transmission or storage is perfectly secure. If a security breach involving your unencrypted personal information occurs, we will notify affected Michigan residents without unreasonable delay as required by Michigan's Identity Theft Protection Act (MCL 445.72), and we will notify other affected individuals and authorities as required by applicable law.

Depending on where you live, you may have the right to access, correct, delete, or receive a portable copy of the personal information we hold about you, and to object to or restrict certain processing. Residents of California (under the CCPA/CPRA) have the right to know, delete, correct, and to opt out of "sale" or "sharing" of personal information, and as noted above, we do not sell or share personal information for those purposes. Residents of the EU/UK have rights under the GDPR, including the right to lodge a complaint with a supervisory authority. To exercise any right, email us at support@secplusmastery.com; we will verify your request and respond within the time required by law. We will not discriminate against you for exercising your rights.

The Service is intended for users 13 and older and is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us information, contact us and we will delete it.

We operate from the United States, and our providers may process and store data in the United States and other countries. If you access the Service from outside the United States, you understand your information may be transferred to and processed in the United States, where data-protection laws may differ from those in your location.

Michigan does not currently have a comprehensive consumer data privacy law in effect. Regardless, we apply the practices described in this Policy to all users, and we comply with Michigan's Identity Theft Protection Act and other applicable Michigan and federal law. If Michigan enacts a comprehensive privacy law, we will update this Policy as needed.

We may update this Policy as the product and the law evolve. If we make material changes, we will notify you in advance of the effective date: registered users by email at the address on their account, and others by a notice on the site. We will also update the "Last updated" date above. These change notifications are service messages about your account and these documents, not marketing, so they are sent whether or not you have opted into other emails.

Questions about this Policy or your data, or to exercise your rights: support@secplusmastery.com.