Privacy Policy

Last updated: May 2026 · GDPR-compliant disclosure under Art. 13 / 14 GDPR

This policy explains what personal data Prepliq processes when you use prepliq.com, on what legal basis, who else may process it on our behalf, how long it is kept, and what rights you have under the EU General Data Protection Regulation (GDPR).

1. Controller

The controller responsible for processing personal data on Prepliq is:

Edin Delanovic

Pankstraße 45

13357 Berlin

Germany

Email: [email protected]

Prepliq is operated as a sole proprietorship; there is no separate data-protection officer (Art. 37 GDPR does not require one for an operation of this size). Privacy questions go to the same contact address.

2. Data we process and why

a. Account & authentication

Email address (required for magic-link sign-in), optional display name, hashed session tokens, sign-in timestamps and IP addresses (security audit).

Legal basis: Art. 6 (1)(b) GDPR — performance of the user contract. Sessions are also based on Art. 6 (1)(f) — legitimate interest in preventing abuse.

b. Exam attempts & feedback

Your written answers, speaking transcripts, scores, automated feedback, time stamps, and progress markers. We need this to score your attempts, show your history, and improve the platform.

Legal basis: Art. 6 (1)(b) GDPR — performance of the contract.

c. Payments & invoices

For each purchase we store: the customer ID and session ID issued by our payments processor, plan slug, amount, currency, billing address, and (if you opt into the business toggle at checkout) company name and VAT ID. Card numbers are handled exclusively by the payments processor and never reach our servers.

Legal basis: Art. 6 (1)(b) GDPR (contract) and Art. 6 (1)(c) GDPR (legal obligation under § 14 UStG and § 147 AO — 10-year retention of invoice records).

d. Usage counters & technical logs

Aggregate per-user counters for scoring requests, error events, and incident timestamps. Used to detect abuse, enforce fair-use limits, and debug outages.

Legal basis: Art. 6 (1)(f) GDPR — legitimate interest in operating a reliable, abuse-resistant service.

e. Cookies & local storage

A small number of strictly-necessary cookies and browser-local-storage keys (session, locale preference, exam-provider preference, cookie-consent record). See our Cookie Policy for the full list.

Legal basis: § 25 (2) TTDSG (essential cookies) and Art. 6 (1)(b) GDPR (contract).

3. Processors and recipients

We use the following sub-processors (Art. 28 GDPR data-processing agreements in place):

| Category | Purpose | Region |
|---|---|---|
| Cloud hosting provider | Application hosting | USA (SCCs) |
| Database provider | Primary data storage | EU (Frankfurt) |
| DNS & CDN provider | Domain resolution & static-asset delivery | USA (SCCs) |
| Payments processor | Payment handling & invoicing | Ireland (EU) |
| Transactional-email provider | Sign-in links & receipts | USA (SCCs) |
| Automated content-scoring provider | Scoring writing & speaking responses against the official exam criteria | EU / USA (SCCs) |

Transfers to the USA are protected by EU Standard Contractual Clauses (SCCs, Art. 46 (2)(c) GDPR) and supplementary technical measures. We do not sell or rent your data. We will name the specific sub-processor handling your data on written request to [email protected].

4. Retention

  • Account email and name: until you delete your account.
  • Sessions and sign-in logs: up to 30 days, then automatically purged.
  • Exam attempts and feedback: until you delete your account; then anonymized.
  • Purchase records and invoices: retained for 10 years after issuance to comply with § 147 AO. Anonymized once the account is deleted — the row stays for tax law but personal identifiers are stripped.
  • Usage counters and technical logs: anonymized on account deletion; retained only in aggregated form for service-improvement and abuse-prevention analytics.

5. Your rights

Under Articles 15–22 GDPR you have the right to:

  • access the personal data we hold about you (Art. 15);
  • request correction of inaccurate data (Art. 16);
  • request erasure (Art. 17) — see “Delete your account” below;
  • request restriction of processing (Art. 18);
  • receive your data in a portable format (Art. 20);
  • object to processing based on legitimate interest (Art. 21);
  • withdraw consent for any consent-based processing at any time (Art. 7 (3)).

To exercise any of these rights, email [email protected]. You also have the right to lodge a complaint with a supervisory authority — for Berlin residents this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit.

6. Delete your account

You can delete your account yourself at any time from Profile → Settings → Delete Account. The form asks you to type your email address to confirm.

When you confirm:

  • Your name, email, sign-in sessions, and authentication records are deleted immediately.
  • Exam attempts, purchase records, action logs and cost-ledger entries are anonymized — your user ID is replaced with a randomized sentinel so the rows can no longer be linked back to you, but are kept for the legal retention period set out above.

If self-service deletion is not available to you (for example, because you have lost access to your email), email [email protected] and we will process the request manually within 30 days (Art. 12 (3) GDPR).

7. Automated scoring

Writing and speaking responses are scored automatically against the official criteria of each exam provider. This is automated processing in the sense of Art. 22 GDPR, but the result is a practice score with no legal or similarly significant effect on you — it does not certify, accredit, or replace an official exam.

8. Security

All connections to and from Prepliq use TLS 1.2+ encryption. Data at rest is encrypted by our hosting and database providers. Administrative access is restricted to the controller named above and protected by passwordless sign-in.

9. Children

Prepliq is intended for users aged 16 or older (Art. 8 GDPR). If you are under 16 you may use the service only with the consent of a parent or legal guardian.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be announced by email or via an in-app notice before they take effect. The “Last updated” date at the top of this page always reflects the current version.

11. Contact

Questions about this policy or about how we handle your data: [email protected].