Privacy Policy

Last updated: 2026-05-03.

We collect the minimum needed to run the service. We don't sell your data, we don't run ad trackers, and we use self-hosted analytics. This page describes exactly what's stored and how to control it.

What we collect

• Email address — required to sign in (one-time code by email, or Google sign-in). This is your account identifier.
• Practice progress — for each question you answer: timestamp, correctness, and your selected answer. This powers the spaced-repetition mistake notebook.
• Display name (optional) — only if you set one in settings.
• Subscription state — payment status, plan tier, renewal date. This data is mirrored from our payment processor when their webhooks fire.
• Server logs — IP, user agent, request paths, response times. Retained for 30 days for abuse protection and capacity planning.
• Aggregate analytics — page-view and conversion counts via self-hosted Plausible. No cross-site cookies. No personal identifiers stored in analytics events.

What we don't collect

• No third-party tracking pixels (Google Analytics, Facebook Pixel, etc.).
• No cross-site cookies — we use one first-party cookie for authentication only.
• No social-login that hands your data to ad networks.
• No precise location, no device contacts, no microphone / camera.

Cookies

We set one cookie:

• hiexam_token — JWT session, HttpOnly, Secure, SameSite=Lax. Required for sign-in. Expires in 30 days.

We do not set marketing or tracking cookies. No banner is required because we don't use the cookie types that trigger consent obligations under GDPR / ePrivacy. If we add any, this page is updated and a banner appears.

Third-party processors

We share data with these providers strictly for service delivery:

• Gumroad (United States) — payment processing. Receives email and billing details at checkout. Their policy.
• Resend (United States) — transactional email (sign-in links, billing receipts). Receives your email and message body. Their policy.
• Azure OpenAI (Microsoft, United States/EU) — AI explanation and translation generation. Receives anonymized question text and image data from our content pipeline; no end-user data flows here.
• Cloudflare — DNS and CDN. Sees connection metadata (IP) but not user content.
• VPS provider — physical server hosting. Application data sits on disks they operate.

International transfers

Your data may be transferred to and stored in jurisdictions outside your country of residence (typically the United States and the European Union, depending on the provider). Where required, we rely on Standard Contractual Clauses or equivalent legal mechanisms.

Your rights

You can:

• Access your data — visible in settings; full export on email request to privacy@hiexam.net.
• Correct your display name from settings.
• Delete your account from settings — anonymizes immediately and purges progress / answers / sessions / streaks within 30 days.
• Object or restrict processing — email us; we'll comply within 30 days.

EU/UK residents: you also have the right to lodge a complaint with your local data-protection authority.

Children

Hiexam is not directed at users under 16. If we learn we've collected data from someone under that age, we delete it.

Security

Authentication is passwordless. Email sign-in uses a 6-digit code valid for 10 minutes; Google sign-in verifies a Google-issued ID token server-side. Sessions are JWT tokens. The database sits behind a private network. We run daily backups to off-site encrypted storage. We don't claim to be unbreakable — but we minimize what's at risk.

Retention

• Email + practice data: until account deletion.
• Server logs: 30 days.
• Backups: 30 days.
• Anonymized analytics: indefinitely (no personal data).

Changes

We may update this policy. Material changes are posted with a "Last updated" date and emailed to active subscribers.

Contact

Email privacy@hiexam.net for any privacy question or rights request. We respond within 30 days, usually within 5.