Privacy Policy
Last Updated: June 20, 2026
Privacy at a Glance
Free Practice Exams
- No account required
- No personal data collection
- Anonymous analytics only
- Progress saved locally in browser
- Cookie consent required
Premium Courses (Optional)
- Account required with email address
- Sign up with email/password or Google Sign-In
- Email used for account access and recovery
At Nex Arc Learning ("we", "our", or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you visit our website nex-arc-learning.com (the "Site").
1. Information We Collect
We collect minimal information from visitors to our Site:
- Analytics Data: We use Google Analytics to collect anonymous usage data, including pages visited, time spent on pages, browser type, device type, and general geographic location (country/region level).
- Conversion Data: When you interact with our site (e.g., start or complete a practice exam, sign up, or make a purchase), we may record these events for advertising measurement purposes using Google Ads conversion tracking. This data is anonymous and used solely to measure the effectiveness of our advertising campaigns.
- Visitor Data Only: We do not collect names, email addresses, or any personally identifiable information from visitors who do not create an account. If you create an account (via email/password or Google Sign-In), the personal data described in Section 5 is collected.
- Local Storage: Our practice exams may use browser storage to save your exam progress locally on your device. This data never leaves your browser.
Data Protection Impact Assessment (DPIA): We have conducted a Data Protection Impact Assessment under Article 35 GDPR. For our core practice-exam and account services, our data-minimization approach, local-first storage of exam progress, and pseudonymized analytics keep privacy risk low. For the Interview Prep feature — where you may paste a CV that could incidentally contain special-category data — we apply specific safeguards (your text is not stored unless you explicitly save it, is processed only in the EU, is not used to train any model, and the feature makes no automated decision about you; see Section 5a). We assess that, with these safeguards in place, the service does not carry out high-risk processing as defined under Article 35(3) GDPR.
Privacy by Design and by Default (Article 25 GDPR): We implement privacy by design principles throughout our service. This includes: data minimization (collecting only essential information), local-first storage (exam progress stored in your browser, not our servers), pseudonymized analytics (IP anonymization enabled), and granular cookie consent controls. Default settings prioritize your privacy.
2. How We Use Information
The information we collect is used solely to:
- Understand how visitors interact with our Site
- Improve our content and user experience
- Track which practice exams are most popular
- Measure the effectiveness of our educational materials
- Measure the effectiveness of our advertising campaigns (Google Ads conversion tracking)
3. Cookies and Tracking Technologies
We use cookies and similar tracking technologies for:
Google Consent Mode v2:
Google's analytics and advertising tags load with consent denied by default on every page. Before you accept cookies via the banner, only cookieless conversion signals are sent to Google (no personal identifiers, no cross-site tracking). When you accept, we update the consent state to granted and full attribution resumes. When you reject or revoke (via the “Cookie Preferences” link in the footer), we revert to consent denied and only essential cookies remain.
Analytics Cookies:
- Google Analytics: To collect anonymous usage statistics. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
Advertising / Conversion Tracking Cookies:
- Google Ads Conversion Tracking: To measure the effectiveness of our advertising campaigns by tracking actions like exam starts, completions, signups, and purchases. This data helps us understand which ads lead to meaningful interactions. Governed by the same consent as Analytics Cookies. Google Privacy Policy.
Functional Cookies (for paid course platform):
- Session Cookies: Store your login state when accessing paid courses
- Authentication Cookies: Essential for accessing purchased courses (required cookies, cannot be opted out while using paid platform)
- Expiration: Session cookies expire after 1 hour of inactivity
- Security: Secure, HttpOnly, SameSite=Strict flags for enhanced security
CloudFront Signed Cookies (for content protection):
- Used to protect paid course content from unauthorized access
- Expire after 1 hour
- Required for accessing premium content
- No personal data stored in cookies (only access tokens)
Local Storage:
- To save your exam progress locally on practice exams (optional functionality)
- Data never leaves your browser
- Can be cleared at any time through browser settings
Detailed Cookie Information
| Cookie Name | Type | Purpose | Expiration | Provider |
|---|---|---|---|---|
CognitoIdentityServiceProvider.* | Essential | Authentication session management | Session | AWS Cognito (First-party) |
CloudFront-Signature, CloudFront-Key-Pair-Id, CloudFront-Policy | Essential | Signed cookies for premium content access | 1 hour | AWS CloudFront (First-party) |
_ga | Analytics | Google Analytics user identification | 2 years | Google Analytics (Third-party) |
_ga_* | Analytics | Google Analytics session tracking | 2 years | Google Analytics (Third-party) |
_gcl_au | Analytics | Google Ads conversion linker (links ad clicks to site actions) | 90 days | Google Ads (Third-party) |
Cookie Categories:
- Essential Cookies: Required for site functionality (authentication, access control). Cannot be disabled.
- Analytics Cookies: Optional. Help us understand usage patterns and measure advertising effectiveness (includes Google Analytics and Google Ads conversion tracking). Requires your consent.
4. Payment Processing and Lemon Squeezy
When you purchase a course through our platform, payment processing is handled by Lemon Squeezy, LLC ("Lemon Squeezy"), our Merchant of Record. This means:
- You contract directly with Lemon Squeezy for purchases
- Lemon Squeezy processes your payment information (credit card, PayPal, etc.)
- Lemon Squeezy handles all payment-related data according to their Privacy Policy: https://www.lemonsqueezy.com/privacy
- Lemon Squeezy shares limited information with us (name, email, purchase details) for order fulfillment under legitimate interest (Art. 6(1)(f) GDPR)
Data shared by Lemon Squeezy with us:
- Email address
- Name (if provided)
- Course purchased
- Order ID
- Purchase date and amount
- Country/region
We use this data solely for:
- Granting access to purchased courses
- Providing customer support
- Sending purchase confirmations and receipts
- Legal compliance and fraud prevention
Important: We do NOT receive your full payment card details - these remain securely with Lemon Squeezy.
Legitimate Interest for Order Fulfillment (Art. 6(1)(f) GDPR):
We receive your email, name, and course ID from Lemon Squeezy via webhooks to fulfill your purchase. Our legitimate interest is providing the digital course you paid for. This minimal data sharing is necessary, expected by customers, and poses minimal privacy risk. Our interests do not override your rights, as you receive the purchased service and can exercise your GDPR rights at any time.
5. User Accounts and Authentication
When you create an account to access paid courses, we collect and process the following information:
Account Information (Email/Password Registration):
- Email address (required, used as username)
- Password (hashed and encrypted, never stored in plain text)
- Given name and family name (optional)
- Account creation date
- Last login date
Account Information (Google Sign-In):
If you choose to sign in with Google, we receive the following information from Google via OAuth 2.0:
- Email address (verified by Google)
- Given name and family name (from your Google profile)
- Google subject ID (a unique identifier for your Google account)
OAuth scopes requested: openid, email, profile
We do NOT receive: your Google password, Google contacts, Google Drive files, or any other Google account data beyond the scopes listed above.
Account linking: If you sign up with Google using an email address already registered via email/password, your accounts are linked automatically so you can use either method to sign in.
Legal basis: Art. 6(1)(b) GDPR (contract performance) for account creation; Art. 6(1)(f) GDPR (legitimate interest) for automatic account linking when the same email address exists.
Authentication is managed through AWS Cognito, a service provided by Amazon Web Services (AWS):
- AWS processes authentication data on our behalf (data processor under Art. 28 GDPR)
- Data is stored in AWS data centers in the EU region (eu-central-1, Frankfurt, Germany)
- AWS complies with GDPR through their Data Processing Addendum
- AWS Privacy Notice: https://aws.amazon.com/privacy/
You may enable optional multi-factor authentication (MFA) using time-based one-time passwords (TOTP) for enhanced security.
Account Data Retention:
- Active accounts: Retained while account is active
- Inactive accounts: Retained for 3 years after last login
- Deleted accounts: Personal data purged within 30 days
5a. Interview Preparation (AI Question Matching)
Our Interview Prep feature matches our curated interview-question bank to text you choose to paste or upload — a job title, job description, or your CV/résumé. Uploaded files are read in your browser; only the extracted text is sent. We have designed this feature to be privacy-protective by default:
- Your text is not stored by default. We use it once, in memory, to compute the match and then discard it. It is not written to any database, file, or log — unless you explicitly choose to save it (see below).
- Processed in the EU only. To find relevant questions we convert your text into a numeric vector (an “embedding”) using Amazon Bedrock (Amazon Titan Text Embeddings) in the AWS Frankfurt region (eu-central-1). This processing happens in-region — your text does not leave the EU through this feature, and Amazon Bedrock does not store your text or use it to train any model.
- Saved CV & job descriptions (only if you ask): you may save named versions of your CV and job descriptions to your profile to reload them later. If you do, the raw text is stored, encrypted at rest in the EU, capped at a small number of versions per type, and kept until you delete it or turn the setting off. You can view, export, or delete these at any time (Settings → Interview Prep, or your data export). This is optional and based on your consent.
- Recent matches (if enabled): we keep your last 3 matched sets so you can resume them. We store the matched questions plus an inferred experience level and a timestamp — never the CV or job-description text you typed. You can turn this off and delete them in Settings.
- Optional saved searches: if you save a search, we store the title you give it, the IDs of the matched questions, and a timestamp — never the text you pasted.
- A short-lived technical cache may hold a one-way hash of your input mapped to matched question IDs to make repeat searches faster and cheaper. It contains no readable text and no account identifier on the anonymous preview path, and it auto-expires.
- Please do not paste or save special-category data (for example health, religion, or trade-union information) or other people’s personal data — this matters all the more for documents you save, which persist. The feature does not need it, and you should not include it.
Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for signed-in subscribers using the matcher; for the free preview, your deliberate act of pasting and submitting the text is the explicit, informed trigger for that single, transient processing. Saving a CV, job description, or recent match to your profile is an additional, optional step taken on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by deleting the item or switching the setting off in Settings. Matching only suggests practice questions — it makes no decision that produces legal or similarly significant effects about you, so it is not automated decision-making under Art. 22 GDPR (see Section 10c).
6. Purchase History and Course Entitlements
We store the following information in our secure database (AWS DynamoDB) to manage your course access:
Course Entitlement Records:
- User ID (internal identifier)
- Course IDs you have purchased
- Order IDs from Lemon Squeezy
- Access grant date
- Purchase amount and currency
Note: These records indicate which courses you own (entitlement), not when you access them (usage logs).
Transaction History:
- Transaction ID (internal and Lemon Squeezy)
- Course purchased
- Transaction date and time
- Transaction status (pending, completed, refunded)
- Amount paid
Data Storage:
- Hosted by Amazon Web Services (AWS) in Frankfurt, Germany (eu-central-1)
- Encrypted at rest using AWS-managed encryption keys
- Access restricted to authorized personnel only
- Backed up daily for disaster recovery
Data Retention:
- Active course access: Retained indefinitely (lifetime access promised)
- Transaction records: Retained for 10 years (German tax law requirement § 147 AO)
- Refunded transactions: Marked as refunded, retained for 10 years
7. Third-Party Services
Our Site uses the following third-party services:
- Google Analytics: For website analytics. Google Privacy Policy
- Google Ads: For conversion tracking and advertising measurement. Google Privacy Policy. Google Ads Settings.
- Google Identity Services (Google Sign-In): When you choose to sign in or create an account using Google, authentication is processed through Google's OAuth 2.0 service. Only your email address, name, and Google subject ID are shared with us (see Section 5 for details). Google Privacy Policy
- Third-party libraries and fonts (self-hosted): The site's UI framework (Bootstrap), icon set (Font Awesome), and typeface (Inter) are served directly from our own domain — they are not loaded from third-party content delivery networks. As a result, no data (including your IP address) is shared with Bootstrap, Font Awesome, Google Fonts, or any other CDN provider when you load our pages.
We are not responsible for the privacy practices of third-party websites or services.
7a. Subprocessors
We use the following subprocessors to provide our services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure (Cognito, DynamoDB, CloudFront, Lambda) | EU (Frankfurt, Germany) & US (Northern Virginia) |
| Amazon Web Services (AWS) - Amazon Bedrock | AI text-embedding for Interview-Prep question matching (transient; input not stored or used for training) | EU (Frankfurt, Germany) — In-Region inference only |
| Amazon Web Services (AWS) - CloudWatch | Log aggregation and monitoring (data processor) | EU (Frankfurt, Germany) |
| Lemon Squeezy (Lemonsqueezy Inc.) | Payment processing (Merchant of Record) | USA (Utah) - Protected by SCCs |
| Google LLC | Analytics (Google Analytics), Advertising measurement (Google Ads) & Authentication (Google Sign-In) | USA - Protected by adequacy decision |
Subprocessor Changes: We will notify you of any new subprocessors via email at least 30 days before the change takes effect. You have the right to object to new subprocessors.
Data Processing Agreements: We have executed Data Processing Agreements (DPAs) with all subprocessors as required by GDPR Article 28. Copies are available upon request by contacting info@nex-arc-learning.com.
8. Data Security
Our Site is hosted on AWS infrastructure with industry-standard security measures. Since we collect minimal data and store exam progress locally in your browser, there is minimal risk to your personal information.
8a. Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Authority Notification: Notify the relevant data protection authority (German BfDI for EU users, ICO for UK users) within 72 hours of becoming aware of the breach (GDPR Article 33).
- User Notification: If the breach poses a high risk to your rights and freedoms, we will notify you directly without undue delay via email (GDPR Article 34).
- Information Provided:
- Nature of the breach (what happened)
- Categories and approximate number of affected users
- Likely consequences
- Measures taken to address the breach
- Contact information for further inquiries
Reporting a Breach to Us: If you suspect unauthorized access to your account, immediately contact us at info@nex-arc-learning.com with subject "Security Breach Report".
9. Children's Privacy
Our Site is not directed to children under the age of 13. We do not knowingly collect information from children under 13. If you believe we have inadvertently collected such information, please contact us.
10. Your GDPR Rights
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
1. Right of Access (Art. 15 GDPR)
- Request a copy of all personal data we hold about you
- View your purchase history and account information
- Access application logs: Request logs containing your user ID from the last 30 days (older logs are automatically deleted)
- Response time: Within 30 days of your request
2. Right to Rectification (Art. 16 GDPR)
- Correct inaccurate personal data
- To update your email address or name, contact us at info@nex-arc-learning.com
3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
- Request deletion of your account and associated data
- Exception: Transaction records must be retained for 10 years for tax compliance (§ 147 AO German tax law)
- Anonymized data may be retained for statistical purposes
4. Right to Data Portability (Art. 20 GDPR)
- Request your data by emailing info@nex-arc-learning.com
- We will provide your data in JSON format within 30 days
- Includes: Account info, purchase history, course entitlement records
5. Right to Restriction of Processing (Art. 18 GDPR)
- Temporarily restrict processing while disputes are resolved
6. Right to Object (Art. 21 GDPR)
- Object to processing based on legitimate interest
- We will stop processing unless we have compelling legitimate grounds
7. Right to Withdraw Consent (Art. 7(3) GDPR)
- Withdraw consent for optional data processing at any time
- Does not affect past processing based on consent
- You can clear browser local storage to remove saved exam progress
- You can opt out of Google Analytics using the opt-out browser add-on
How to Exercise Your Rights:
To exercise any of these rights, contact us at: info@nex-arc-learning.com
Response Timeline:
- Standard response: Within 30 days of receiving your request
- Complex requests: May be extended to 90 days if the request is particularly complex or we receive multiple requests from you
- If we need additional time, we will inform you within the initial 30 days and explain the reason for the extension
- All responses will be provided free of charge unless your request is manifestly unfounded or excessive
Right to Lodge a Complaint:
If you believe we are not complying with GDPR, you may lodge a complaint with:
- Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- Website: https://www.bfdi.bund.de
- Email: poststelle@bfdi.bund.de
EU Representative:
Our data controller is established in the EU (Germany). For EU GDPR matters:
Nico Wichmann
c/o flexdienst
Kurt-Schumacher-Straße 76
67663 Kaiserslautern, Germany
Email: info@nex-arc-learning.com
10a. California Consumer Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of Personal Information Collected:
- Identifiers: Email address, name (optional), IP address (anonymized via Google Analytics)
- Commercial Information: Purchase history, courses accessed, subscription status
- Internet Activity: Browsing behavior (Google Analytics, anonymized)
- Professional or Employment-Related Information (Interview Prep only): If you use the Interview Prep matcher, the CV, job-description, or job-title text you choose to paste, upload, or save. This text is processed transiently in the EU to compute your question matches and is not stored unless you explicitly save it as a named CV/JD document, which you can export or delete at any time (see Section 5a).
Sensitive Personal Information (CPRA): We do not request, and we ask you not to include, sensitive personal information. A CV you paste into Interview Prep could incidentally contain it; if so, it is processed only transiently for the matching purpose and is not stored unless you explicitly save the document, and it is never used to infer characteristics about you. We do not sell or share any personal information, and we do not use any sensitive personal information for purposes beyond performing the service you requested.
Your California Rights:
- Right to Know: Request disclosure of personal information collected
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
How to Exercise Your Rights:
Email: info@nex-arc-learning.com with subject "California Privacy Rights Request"
We will respond within 45 days (extendable to 90 days if complex).
Disclosure of Sale/Sharing:
We do NOT sell or share your personal information as defined by CCPA/CPRA.
Do Not Sell or Share My Personal Information: Not applicable - we do not sell or share your data.
California Regulatory Authority:
If you have a complaint about our CCPA compliance, you may contact:
- California Privacy Protection Agency: https://cppa.ca.gov
- California Attorney General: https://oag.ca.gov/privacy
10b. UK Data Protection Rights
If you are a UK resident, you have specific rights under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018:
Your UK Rights:
- Right of Access (Article 15 UK GDPR)
- Right to Rectification (Article 16 UK GDPR)
- Right to Erasure (Article 17 UK GDPR)
- Right to Data Portability (Article 20 UK GDPR)
- Right to Restrict Processing (Article 18 UK GDPR)
- Right to Object (Article 21 UK GDPR)
UK Data Controller:
Nico Wichmann, c/o flexdienst, Kurt-Schumacher-Straße 76, 67663 Kaiserslautern, Germany
Contact: info@nex-arc-learning.com
UK Supervisory Authority:
If you are in the UK, you can file a complaint with the Information Commissioner's Office (ICO):
- Website: https://ico.org.uk
- Phone: 0303 123 1113
International Data Transfers from UK:
Your data is primarily processed in the EU (AWS Frankfurt). The UK considers the EU an adequate jurisdiction for data protection. For any transfers outside the UK/EU, we use Standard Contractual Clauses approved by the UK ICO.
10c. Automated Decision-Making and Profiling
We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Article 22).
Exam Scoring: Our practice exam scoring is a transparent, rule-based algorithm for educational purposes only. It does not affect your legal rights, certification status, or have any binding effect.
Access Control: Course access is determined by a simple binary rule: paid users have access, unpaid users do not. This is a transparent business rule, not an automated decision with legal effects.
Interview-Prep Matching: Our Interview Prep feature uses an AI text-embedding model to rank which curated practice questions are most relevant to text you paste. This is a transparent relevance ranking that only suggests questions; it does not score, profile, or make any decision that produces legal or similarly significant effects about you. The embedding model is not a generative/large-language model and does not write answers or content about you.
10d. Brazil — LGPD (Lei Geral de Proteção de Dados)
If you are a resident of Brazil, you have specific rights under the Brazilian General Data Protection Law (LGPD, Law No. 13.709/2018):
Lawful Bases for Processing (Art. 7 LGPD):
- Performance of a contract (Art. 7, V): account creation, course delivery, payment processing.
- Compliance with a legal obligation (Art. 7, II): tax-law retention of transaction records.
- Legitimate interest (Art. 7, IX): fraud prevention, security, analytics with safeguards.
- Consent (Art. 7, I): optional analytics + advertising cookies (separate from essential cookies).
Your LGPD Rights (Arts. 15–22):
- Confirmation and access (Art. 18, I–II): confirm we process your data; access a copy.
- Correction (Art. 18, III): correct incomplete, inaccurate, or out-of-date data.
- Anonymization, blocking, or deletion (Art. 18, IV): for unnecessary, excessive, or non-compliant data.
- Portability (Art. 18, V): request your data in an interoperable format (we provide JSON).
- Deletion of consented data (Art. 18, VI): exception for the legal-retention obligations above.
- Information on shared parties (Art. 18, VII): see §7a (Subprocessors) above.
- Information on consequences of non-consent (Art. 18, VIII): you may decline optional analytics/ads without losing service access.
- Revoke consent (Art. 18, IX): via the cookie-preferences link in the footer at any time.
How to Exercise Your Rights:
Email privacy@nex-arc-learning.com with subject "LGPD Request". We respond within 15 days per Art. 19 LGPD.
Complaint Authority:
Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd/
10e. Canada — PIPEDA (Personal Information Protection and Electronic Documents Act)
If you are in Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws govern how we handle your personal information. We apply PIPEDA's fair-information principles as follows:
- Consent: We collect personal information with your knowledge and consent. For the Interview Prep feature, your deliberate act of pasting and submitting text is your consent to that single, transient processing; you can decline optional analytics/advertising cookies separately.
- Limiting collection & use: We collect only what the service needs and use it only for the purpose stated when collected. Pasted or uploaded CV/job-description/job-title text is used once, in memory, to compute matches and is not stored or repurposed unless you explicitly save it to your profile.
- Accuracy, safeguards & retention: Data is processed in the EU (AWS Frankfurt) with encryption in transit and at rest, and is kept only as long as needed (see Section 11).
- Access & correction: You may request access to, or correction of, your personal information, and request its deletion — use the data-export and account-deletion tools in your account, or the contact below (see Sections 8–9).
- No sale; service providers only: We do not sell your personal information. AWS, Lemon Squeezy, and Google process data on our behalf as service providers under contract (see Section 7a).
Email privacy@nex-arc-learning.com with subject "PIPEDA Request". Unresolved concerns may be raised with the Office of the Privacy Commissioner of Canada (OPC) — www.priv.gc.ca.
10f. Data Protection Officer
As a micro-enterprise (Einzelunternehmer/sole proprietor) operating below the thresholds in GDPR Art. 37(1) and ANPD Resolution CD/ANPD No. 2/2022, we have not appointed a dedicated Data Protection Officer. For all data-protection inquiries (GDPR, UK GDPR, CCPA/CPRA, LGPD), contact privacy@nex-arc-learning.com — we respond within the timelines specified per jurisdiction (GDPR: 30 days; LGPD: 15 days; CCPA: 45 days extendable to 90).
11. Data Retention Periods
We retain different types of data for specific periods based on legal requirements and business needs:
Analytics Data (Google Analytics):
- Anonymous usage data: 26 months (Google's default setting)
- Cookie consent records: 12 months
Account Data (AWS Cognito):
- Active accounts: Duration of account + 30 days after deletion
- Email verification data: 7 days after verification
- Password reset tokens: 1 hour
Interview-Prep Data (DynamoDB):
- Pasted/uploaded CV/JD/title text used for matching: not retained (used in memory once, then discarded)
- Saved CV & job-description documents (the raw text you choose to save): retained until you delete them, turn the setting off, or close your account; included in your data export and erased on account deletion
- Recent match sets (matched question IDs + inferred level + timestamp, no typed text): the most recent 3, auto-replaced; retained until you turn the setting off or close your account (a 180-day backstop also applies); included in your data export and erased on account deletion
- Saved searches (title + matched question IDs + timestamp): retained until you delete the saved search or close your account
- Match cache (one-way hash → question IDs, no readable text): short-lived, auto-expires (typically within hours)
- Daily reveal counter (a per-day count of how many answers you reveal — a number and a date, no readable text): retained until you close your account (older entries auto-expire on a rolling basis); included in your data export and erased on account deletion
Purchase and Transaction Data (DynamoDB):
- Transaction records: 10 years (German tax law: § 147 AO)
- Course entitlement records: Lifetime (perpetual access promised to customers); revoked immediately upon a successful refund of that course
- Refund records: 10 years (marked as refunded; same retention as the original transaction)
- Exam progress for a refunded course: deleted immediately upon refund (no retention)
Customer Support Communications:
- Support emails: 3 years after last correspondence
System Logs (AWS CloudWatch):
- Application logs (payment, course access, authentication): 1 month
- Health check logs: 1 week
- Performance metrics (aggregated, anonymous): Retained indefinitely
Legal Basis for Retention:
- Tax compliance: § 147 Abgabenordnung (AO) - 10 years
- Contractual obligations: BGB § 195 - 3 years limitation period
- Legitimate interest: Fraud prevention, dispute resolution
12. Email Communications
Transactional Emails (Required):
- Order confirmations and receipts
- Course access instructions
- Password reset requests
- Account security notifications
Legal Basis: Contract performance (Art. 6(1)(b) GDPR) - These emails cannot be opted out of as they are essential to providing our service.
Marketing Emails (Optional):
We do NOT currently send marketing emails. If we introduce a newsletter in the future, you will have the right to opt-out via an unsubscribe link in every message.
Email Retention:
Support emails: Retained for 3 years for customer service quality and dispute resolution.
13. International Data Transfers
Your data may be transferred outside the European Economic Area (EEA) under the following circumstances:
AWS Infrastructure:
- Primary storage: EU (Frankfurt, Germany - eu-central-1)
- No routine transfers outside EU
- AWS complies with EU-US Data Privacy Framework
Lemon Squeezy Payment Processing:
- Lemon Squeezy operates globally but maintains GDPR compliance
- Lemon Squeezy's servers are located in the US
- Data transfers protected by Standard Contractual Clauses (SCCs)
- Lemon Squeezy complies with applicable data protection frameworks
Google Analytics:
- Data may be transferred to US
- Google Analytics 4 complies with GDPR
- You can opt out using Google's opt-out add-on
Google Ads:
- Conversion data may be transferred to US
- Protected by EU-US Data Privacy Framework
- Governed by the same consent as Google Analytics
Google Sign-In Authentication:
- When you authenticate using Google Sign-In, authentication data is processed by Google's servers (US)
- Google LLC complies with the EU-US Data Privacy Framework
- Only the data described in Section 5 (email, name, Google subject ID) is transferred to our systems, which are hosted in the EU (Frankfurt, Germany)
We ensure all data transfers comply with GDPR Chapter V requirements through:
- Standard Contractual Clauses (EU Commission approved)
- Adequacy decisions where available
- Data Processing Agreements with all processors
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.
14a. Practice Exam Progress
When you are signed in and taking a purchased practice exam, we save your progress — current question, answer selections, score, and timestamps — to your account so you can continue across devices and sessions. Question content itself is never duplicated to your progress record (we re-fetch it by index on resume). If you retry an exam, the new attempt simply replaces the previously stored progress for that exam — we do not keep a separate history of past attempts.
As part of the same feature we also maintain your Missed Questions set per course: a list of the questions you have answered incorrectly, offered back to you as a review exam. We store only references to those questions (the exam number and the question’s position) — never the question text or your answers. A question is added the moment you answer it incorrectly and is removed once you answer it correctly in the review, so the set is dynamic.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Cross-device progress synchronization and the Missed Questions review set are inherent features of the premium practice exam product you purchased.
- Retention: 90 days after your last activity. Older progress records and Missed Questions sets auto-expire.
- Lifecycle: Automatically deleted when your account is closed (see 14b).
- Free practice exams are not synced — they remain on your device only, and do not contribute to Missed Questions.
- Refunds: When a refund is issued for a course, the associated progress records and Missed Questions set are removed alongside the access revocation.
- Included in your data export: both your progress and your Missed Questions sets are part of the data you can download (see § on your rights).
- Opt-out: A single switch — Exam progress & retry tracking — governs these features. You can disable it at any time via Account settings → Exam progress & retry tracking. Turning it off immediately and permanently deletes all of your stored progress records and Missed Questions sets from our servers, and stops the optional “retry” analytics event from being sent when you redo an exam; any progress already saved locally on the current device is preserved so an in-flight exam isn’t lost.
14b. Account Deletion (Right to Erasure)
You can request permanent deletion of your account at any time via Dashboard → Delete my account, or by emailing privacy@nex-arc-learning.com.
When you request deletion:
- Immediately: your account is disabled (you can no longer sign in).
- We email you a confirmation containing a one-time cancel link valid for 7 days. Clicking the link restores your account.
- After 7 days: all personal data is permanently removed from active systems within 24 hours.
Financial records (legal retention exception)
Tax laws in our jurisdiction (Germany, §147 Abgabenordnung) require us to retain transaction records for 10 years. This is the longest-applicable window covering the other frameworks our customers operate under (US IRS Reg. §1.6001-1: 7 years; UK VAT Notice 700/21: 6 years), so we apply 10 years uniformly to all anonymized records. After your account is deleted, we anonymize these records by removing your name and email and replacing the user-account reference with a one-way salted hash; only the transaction amount, date, product, and transaction reference remain. Billing address and payment details are never held by us — they remain solely with Lemon Squeezy, our merchant of record. The anonymized records cannot be linked back to you and are automatically purged after the 10-year retention period.
Backup retention
We maintain encrypted backups at two layers for resilience and legal-hold purposes:
- Short-term: Amazon DynamoDB Point-in-Time Recovery (PITR) retains a continuous rolling window of up to 35 days. Used only for short-term operational disaster recovery; not accessible to restore individual accounts.
- Long-term: AWS Backup vault daily snapshots, retained for 10 years in production, stored under immutable Vault Lock (WORM, AWS Backup Vault Lock in Compliance mode) for tax-law and audit purposes. Cannot be deleted before the retention period elapses, by us or by AWS.
We do not use either backup layer to restore deleted accounts. We keep an immutable audit log of completed deletions (Amazon S3 Object Lock in Compliance mode, 10-year retention in production). In the rare event a backup is ever restored due to a disaster, we replay those deletions against any restored data so your erasure remains effective for the full backup horizon.
Social account linking
If you signed up via Google or Facebook, deleting your Nex Arc account removes our copy of your authentication identity and unlinks the connection on our end. The underlying Google or Facebook account itself is unaffected — to delete that, please use the provider's own deletion process.
Third-party processors (data we cannot delete through us)
Our payment processor Lemon Squeezy acts as the merchant of record for your purchases. They maintain their own records of your transactions (name, email, billing address, payment method last 4 digits, etc.) independently of our systems. Deleting your Nex Arc account does not delete the records held by Lemon Squeezy. To request deletion of your data from their systems, contact them directly via their privacy policy.
Refunds are independent of account deletion
Refund eligibility is governed by our Refund Policy and the terms of Lemon Squeezy. Deleting your account does not affect your refund rights during the refund window — please initiate refund requests before or after account deletion.
14c. We Do Not Sell or Share Your Personal Information
Nex Arc Learning does not sell your personal information for monetary or other valuable consideration, and does not share your personal information with third parties for cross-context behavioral advertising. (California Consumer Privacy Act §§ 1798.100, 1798.115; CPRA equivalent.)
14d. Data Export (Right of Portability)
You can download a JSON copy of your account data at any time via Dashboard → Download my data. The export includes: your profile (email, name, sign-in method), course-access records, exam-progress records, transaction history, your subscription record, saved Interview-Prep searches (title + matched question IDs + timestamp), and your daily Interview-Prep reveal counter (count + date).
We generate the export on demand and provide a download link valid for 1 hour. Server-side copies of exports are automatically deleted after 7 days. You can request a new export at most once per hour.
If you cannot access the self-service flow (e.g., your account is disabled pending deletion), email privacy@nex-arc-learning.com for a manual export — we respond within 30 days per GDPR Art. 12.
15. External Links
Our Site may contain links to external websites and services. We are not responsible for the privacy practices or content of these external sites. We encourage you to read their privacy policies before providing any information.
16. Operational Logging and Monitoring
To ensure platform security, diagnose technical issues, and prevent fraud, we maintain system logs. This section explains what we log, why, and how long we keep it.
What We Log
Application Logs (AWS CloudWatch):
- Purpose: Troubleshooting, security monitoring, fraud prevention
- Data logged:
- User ID (anonymized UUID - not your name or email directly)
- Course IDs you access or purchase
- Transaction IDs (internal reference numbers)
- Timestamps of actions (login, purchase, course access)
- Error messages (if something goes wrong)
- Payment processor order IDs (Lemon Squeezy references)
- Retention: 1 month (automatically deleted after)
- Access: Only authorized technical staff for troubleshooting
- Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for system security and fraud prevention
Performance Metrics (AWS CloudWatch Metrics):
- Purpose: Monitor system performance, detect outages
- Data logged: Aggregated, anonymous metrics (request counts, error rates, response times)
- Retention: Retained indefinitely (no personal data)
- Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for service reliability
Why We Log
We use logs for:
- Troubleshooting: When you report an issue (e.g., "My payment failed"), logs help us find and fix the problem
- Security: Detecting unauthorized access attempts, preventing fraud
- Performance: Identifying slow pages, fixing errors
- Legal compliance: Investigating violations of our Terms of Service
Who Can Access Logs
Internal Access:
- Technical support team (for troubleshooting only)
- Platform administrators (for security monitoring)
- All access is audited
Third-Party Processors:
- Amazon Web Services (AWS) - Processes logs as a data processor (Art. 28 GDPR)
- AWS does not use our logs for their own purposes
- AWS complies with GDPR via Data Processing Addendum
Data Minimization
We practice data minimization in our logging:
- No sensitive data: We do NOT log passwords, full payment card numbers, or social security numbers
- Pseudonymization: User IDs are anonymized UUIDs (e.g., "***0000"), not your name or email
- Automatic deletion: Logs auto-delete after 1 month
- Need-to-know access: Only staff who need logs for their job can access them
Your Rights Regarding Logs
Under GDPR, you have the right to:
- Access: Request copies of logs containing your personal data (email info@nex-arc-learning.com)
- Explanation: Ask what specific data about you is logged and why
- Objection: Object to logging based on legitimate interest (we'll evaluate if we have overriding grounds for security)
Note: We cannot delete logs retroactively (they are immutable for security/audit purposes), but they auto-delete after 1 month. For account deletion (Right to Erasure), historical logs expire automatically.