Privacy Policy

Last Updated: June 20, 2026

Privacy at a Glance

Free Practice Exams

  • No account required
  • No personal data collection
  • Anonymous analytics only
  • Progress saved locally in browser
  • Cookie consent required

Premium Courses (Optional)

  • Account required with email address
  • Sign up with email/password or Google Sign-In
  • Email used for account access and recovery

At Nex Arc Learning ("we", "our", or "us"), we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard information when you visit our website nex-arc-learning.com (the "Site").

1. Information We Collect

We collect minimal information from visitors to our Site:

Data Protection Impact Assessment (DPIA): We have conducted a Data Protection Impact Assessment under Article 35 GDPR. For our core practice-exam and account services, our data-minimization approach, local-first storage of exam progress, and pseudonymized analytics keep privacy risk low. For the Interview Prep feature — where you may paste a CV that could incidentally contain special-category data — we apply specific safeguards (your text is not stored unless you explicitly save it, is processed only in the EU, is not used to train any model, and the feature makes no automated decision about you; see Section 5a). We assess that, with these safeguards in place, the service does not carry out high-risk processing as defined under Article 35(3) GDPR.

Privacy by Design and by Default (Article 25 GDPR): We implement privacy by design principles throughout our service. This includes: data minimization (collecting only essential information), local-first storage (exam progress stored in your browser, not our servers), pseudonymized analytics (IP anonymization enabled), and granular cookie consent controls. Default settings prioritize your privacy.

2. How We Use Information

The information we collect is used solely to:

3. Cookies and Tracking Technologies

We use cookies and similar tracking technologies for:

Google Consent Mode v2:

Google's analytics and advertising tags load with consent denied by default on every page. Before you accept cookies via the banner, only cookieless conversion signals are sent to Google (no personal identifiers, no cross-site tracking). When you accept, we update the consent state to granted and full attribution resumes. When you reject or revoke (via the “Cookie Preferences” link in the footer), we revert to consent denied and only essential cookies remain.

Analytics Cookies:

Advertising / Conversion Tracking Cookies:

Functional Cookies (for paid course platform):

CloudFront Signed Cookies (for content protection):

Local Storage:

Detailed Cookie Information

Cookie Categories:

4. Payment Processing and Lemon Squeezy

When you purchase a course through our platform, payment processing is handled by Lemon Squeezy, LLC ("Lemon Squeezy"), our Merchant of Record. This means:

Data shared by Lemon Squeezy with us:

We use this data solely for:

Important: We do NOT receive your full payment card details - these remain securely with Lemon Squeezy.

Legitimate Interest for Order Fulfillment (Art. 6(1)(f) GDPR):

We receive your email, name, and course ID from Lemon Squeezy via webhooks to fulfill your purchase. Our legitimate interest is providing the digital course you paid for. This minimal data sharing is necessary, expected by customers, and poses minimal privacy risk. Our interests do not override your rights, as you receive the purchased service and can exercise your GDPR rights at any time.

5. User Accounts and Authentication

When you create an account to access paid courses, we collect and process the following information:

Account Information (Email/Password Registration):

Account Information (Google Sign-In):

If you choose to sign in with Google, we receive the following information from Google via OAuth 2.0:

OAuth scopes requested: openid, email, profile

We do NOT receive: your Google password, Google contacts, Google Drive files, or any other Google account data beyond the scopes listed above.

Account linking: If you sign up with Google using an email address already registered via email/password, your accounts are linked automatically so you can use either method to sign in.

Legal basis: Art. 6(1)(b) GDPR (contract performance) for account creation; Art. 6(1)(f) GDPR (legitimate interest) for automatic account linking when the same email address exists.

Authentication is managed through AWS Cognito, a service provided by Amazon Web Services (AWS):

You may enable optional multi-factor authentication (MFA) using time-based one-time passwords (TOTP) for enhanced security.

Account Data Retention:

5a. Interview Preparation (AI Question Matching)

Our Interview Prep feature matches our curated interview-question bank to text you choose to paste or upload — a job title, job description, or your CV/résumé. Uploaded files are read in your browser; only the extracted text is sent. We have designed this feature to be privacy-protective by default:

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) for signed-in subscribers using the matcher; for the free preview, your deliberate act of pasting and submitting the text is the explicit, informed trigger for that single, transient processing. Saving a CV, job description, or recent match to your profile is an additional, optional step taken on your consent (Art. 6(1)(a) GDPR), which you can withdraw at any time by deleting the item or switching the setting off in Settings. Matching only suggests practice questions — it makes no decision that produces legal or similarly significant effects about you, so it is not automated decision-making under Art. 22 GDPR (see Section 10c).

6. Purchase History and Course Entitlements

We store the following information in our secure database (AWS DynamoDB) to manage your course access:

Course Entitlement Records:

Note: These records indicate which courses you own (entitlement), not when you access them (usage logs).

Transaction History:

Data Storage:

Data Retention:

7. Third-Party Services

Our Site uses the following third-party services:

We are not responsible for the privacy practices of third-party websites or services.

7a. Subprocessors

We use the following subprocessors to provide our services:

Subprocessor Purpose Location
Amazon Web Services (AWS) Cloud infrastructure (Cognito, DynamoDB, CloudFront, Lambda) EU (Frankfurt, Germany) & US (Northern Virginia)
Amazon Web Services (AWS) - Amazon Bedrock AI text-embedding for Interview-Prep question matching (transient; input not stored or used for training) EU (Frankfurt, Germany) — In-Region inference only
Amazon Web Services (AWS) - CloudWatch Log aggregation and monitoring (data processor) EU (Frankfurt, Germany)
Lemon Squeezy (Lemonsqueezy Inc.) Payment processing (Merchant of Record) USA (Utah) - Protected by SCCs
Google LLC Analytics (Google Analytics), Advertising measurement (Google Ads) & Authentication (Google Sign-In) USA - Protected by adequacy decision

Subprocessor Changes: We will notify you of any new subprocessors via email at least 30 days before the change takes effect. You have the right to object to new subprocessors.

Data Processing Agreements: We have executed Data Processing Agreements (DPAs) with all subprocessors as required by GDPR Article 28. Copies are available upon request by contacting info@nex-arc-learning.com.

8. Data Security

Our Site is hosted on AWS infrastructure with industry-standard security measures. Since we collect minimal data and store exam progress locally in your browser, there is minimal risk to your personal information.

8a. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  1. Authority Notification: Notify the relevant data protection authority (German BfDI for EU users, ICO for UK users) within 72 hours of becoming aware of the breach (GDPR Article 33).
  2. User Notification: If the breach poses a high risk to your rights and freedoms, we will notify you directly without undue delay via email (GDPR Article 34).
  3. Information Provided:
    • Nature of the breach (what happened)
    • Categories and approximate number of affected users
    • Likely consequences
    • Measures taken to address the breach
    • Contact information for further inquiries

Reporting a Breach to Us: If you suspect unauthorized access to your account, immediately contact us at info@nex-arc-learning.com with subject "Security Breach Report".

9. Children's Privacy

Our Site is not directed to children under the age of 13. We do not knowingly collect information from children under 13. If you believe we have inadvertently collected such information, please contact us.

10. Your GDPR Rights

Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

1. Right of Access (Art. 15 GDPR)

2. Right to Rectification (Art. 16 GDPR)

3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

4. Right to Data Portability (Art. 20 GDPR)

5. Right to Restriction of Processing (Art. 18 GDPR)

6. Right to Object (Art. 21 GDPR)

7. Right to Withdraw Consent (Art. 7(3) GDPR)

How to Exercise Your Rights:

To exercise any of these rights, contact us at: info@nex-arc-learning.com

Response Timeline:

Right to Lodge a Complaint:

If you believe we are not complying with GDPR, you may lodge a complaint with:

EU Representative:

Our data controller is established in the EU (Germany). For EU GDPR matters:
Nico Wichmann
c/o flexdienst
Kurt-Schumacher-Straße 76
67663 Kaiserslautern, Germany
Email: info@nex-arc-learning.com

10a. California Consumer Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Categories of Personal Information Collected:

Sensitive Personal Information (CPRA): We do not request, and we ask you not to include, sensitive personal information. A CV you paste into Interview Prep could incidentally contain it; if so, it is processed only transiently for the matching purpose and is not stored unless you explicitly save the document, and it is never used to infer characteristics about you. We do not sell or share any personal information, and we do not use any sensitive personal information for purposes beyond performing the service you requested.

Your California Rights:

How to Exercise Your Rights:

Email: info@nex-arc-learning.com with subject "California Privacy Rights Request"
We will respond within 45 days (extendable to 90 days if complex).

Disclosure of Sale/Sharing:

We do NOT sell or share your personal information as defined by CCPA/CPRA.

Do Not Sell or Share My Personal Information: Not applicable - we do not sell or share your data.

California Regulatory Authority:

If you have a complaint about our CCPA compliance, you may contact:

10b. UK Data Protection Rights

If you are a UK resident, you have specific rights under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018:

Your UK Rights:

UK Data Controller:

Nico Wichmann, c/o flexdienst, Kurt-Schumacher-Straße 76, 67663 Kaiserslautern, Germany
Contact: info@nex-arc-learning.com

UK Supervisory Authority:

If you are in the UK, you can file a complaint with the Information Commissioner's Office (ICO):

International Data Transfers from UK:

Your data is primarily processed in the EU (AWS Frankfurt). The UK considers the EU an adequate jurisdiction for data protection. For any transfers outside the UK/EU, we use Standard Contractual Clauses approved by the UK ICO.

10c. Automated Decision-Making and Profiling

We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Article 22).

Exam Scoring: Our practice exam scoring is a transparent, rule-based algorithm for educational purposes only. It does not affect your legal rights, certification status, or have any binding effect.

Access Control: Course access is determined by a simple binary rule: paid users have access, unpaid users do not. This is a transparent business rule, not an automated decision with legal effects.

Interview-Prep Matching: Our Interview Prep feature uses an AI text-embedding model to rank which curated practice questions are most relevant to text you paste. This is a transparent relevance ranking that only suggests questions; it does not score, profile, or make any decision that produces legal or similarly significant effects about you. The embedding model is not a generative/large-language model and does not write answers or content about you.

10d. Brazil — LGPD (Lei Geral de Proteção de Dados)

If you are a resident of Brazil, you have specific rights under the Brazilian General Data Protection Law (LGPD, Law No. 13.709/2018):

Lawful Bases for Processing (Art. 7 LGPD):

Your LGPD Rights (Arts. 15–22):

How to Exercise Your Rights:

Email privacy@nex-arc-learning.com with subject "LGPD Request". We respond within 15 days per Art. 19 LGPD.

Complaint Authority:

Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd/

10e. Canada — PIPEDA (Personal Information Protection and Electronic Documents Act)

If you are in Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws govern how we handle your personal information. We apply PIPEDA's fair-information principles as follows:

Email privacy@nex-arc-learning.com with subject "PIPEDA Request". Unresolved concerns may be raised with the Office of the Privacy Commissioner of Canada (OPC) — www.priv.gc.ca.

10f. Data Protection Officer

As a micro-enterprise (Einzelunternehmer/sole proprietor) operating below the thresholds in GDPR Art. 37(1) and ANPD Resolution CD/ANPD No. 2/2022, we have not appointed a dedicated Data Protection Officer. For all data-protection inquiries (GDPR, UK GDPR, CCPA/CPRA, LGPD), contact privacy@nex-arc-learning.com — we respond within the timelines specified per jurisdiction (GDPR: 30 days; LGPD: 15 days; CCPA: 45 days extendable to 90).

11. Data Retention Periods

We retain different types of data for specific periods based on legal requirements and business needs:

Analytics Data (Google Analytics):

Account Data (AWS Cognito):

Interview-Prep Data (DynamoDB):

Purchase and Transaction Data (DynamoDB):

Customer Support Communications:

System Logs (AWS CloudWatch):

Legal Basis for Retention:

12. Email Communications

Transactional Emails (Required):

Legal Basis: Contract performance (Art. 6(1)(b) GDPR) - These emails cannot be opted out of as they are essential to providing our service.

Marketing Emails (Optional):

We do NOT currently send marketing emails. If we introduce a newsletter in the future, you will have the right to opt-out via an unsubscribe link in every message.

Email Retention:

Support emails: Retained for 3 years for customer service quality and dispute resolution.

13. International Data Transfers

Your data may be transferred outside the European Economic Area (EEA) under the following circumstances:

AWS Infrastructure:

Lemon Squeezy Payment Processing:

Google Analytics:

Google Ads:

Google Sign-In Authentication:

We ensure all data transfers comply with GDPR Chapter V requirements through:

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.

14a. Practice Exam Progress

When you are signed in and taking a purchased practice exam, we save your progress — current question, answer selections, score, and timestamps — to your account so you can continue across devices and sessions. Question content itself is never duplicated to your progress record (we re-fetch it by index on resume). If you retry an exam, the new attempt simply replaces the previously stored progress for that exam — we do not keep a separate history of past attempts.

As part of the same feature we also maintain your Missed Questions set per course: a list of the questions you have answered incorrectly, offered back to you as a review exam. We store only references to those questions (the exam number and the question’s position) — never the question text or your answers. A question is added the moment you answer it incorrectly and is removed once you answer it correctly in the review, so the set is dynamic.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Cross-device progress synchronization and the Missed Questions review set are inherent features of the premium practice exam product you purchased.

14b. Account Deletion (Right to Erasure)

You can request permanent deletion of your account at any time via Dashboard → Delete my account, or by emailing privacy@nex-arc-learning.com.

When you request deletion:

  1. Immediately: your account is disabled (you can no longer sign in).
  2. We email you a confirmation containing a one-time cancel link valid for 7 days. Clicking the link restores your account.
  3. After 7 days: all personal data is permanently removed from active systems within 24 hours.

Financial records (legal retention exception)

Tax laws in our jurisdiction (Germany, §147 Abgabenordnung) require us to retain transaction records for 10 years. This is the longest-applicable window covering the other frameworks our customers operate under (US IRS Reg. §1.6001-1: 7 years; UK VAT Notice 700/21: 6 years), so we apply 10 years uniformly to all anonymized records. After your account is deleted, we anonymize these records by removing your name and email and replacing the user-account reference with a one-way salted hash; only the transaction amount, date, product, and transaction reference remain. Billing address and payment details are never held by us — they remain solely with Lemon Squeezy, our merchant of record. The anonymized records cannot be linked back to you and are automatically purged after the 10-year retention period.

Backup retention

We maintain encrypted backups at two layers for resilience and legal-hold purposes:

We do not use either backup layer to restore deleted accounts. We keep an immutable audit log of completed deletions (Amazon S3 Object Lock in Compliance mode, 10-year retention in production). In the rare event a backup is ever restored due to a disaster, we replay those deletions against any restored data so your erasure remains effective for the full backup horizon.

Social account linking

If you signed up via Google or Facebook, deleting your Nex Arc account removes our copy of your authentication identity and unlinks the connection on our end. The underlying Google or Facebook account itself is unaffected — to delete that, please use the provider's own deletion process.

Third-party processors (data we cannot delete through us)

Our payment processor Lemon Squeezy acts as the merchant of record for your purchases. They maintain their own records of your transactions (name, email, billing address, payment method last 4 digits, etc.) independently of our systems. Deleting your Nex Arc account does not delete the records held by Lemon Squeezy. To request deletion of your data from their systems, contact them directly via their privacy policy.

Refunds are independent of account deletion

Refund eligibility is governed by our Refund Policy and the terms of Lemon Squeezy. Deleting your account does not affect your refund rights during the refund window — please initiate refund requests before or after account deletion.

14c. We Do Not Sell or Share Your Personal Information

Nex Arc Learning does not sell your personal information for monetary or other valuable consideration, and does not share your personal information with third parties for cross-context behavioral advertising. (California Consumer Privacy Act §§ 1798.100, 1798.115; CPRA equivalent.)

14d. Data Export (Right of Portability)

You can download a JSON copy of your account data at any time via Dashboard → Download my data. The export includes: your profile (email, name, sign-in method), course-access records, exam-progress records, transaction history, your subscription record, saved Interview-Prep searches (title + matched question IDs + timestamp), and your daily Interview-Prep reveal counter (count + date).

We generate the export on demand and provide a download link valid for 1 hour. Server-side copies of exports are automatically deleted after 7 days. You can request a new export at most once per hour.

If you cannot access the self-service flow (e.g., your account is disabled pending deletion), email privacy@nex-arc-learning.com for a manual export — we respond within 30 days per GDPR Art. 12.

15. External Links

Our Site may contain links to external websites and services. We are not responsible for the privacy practices or content of these external sites. We encourage you to read their privacy policies before providing any information.

16. Operational Logging and Monitoring

To ensure platform security, diagnose technical issues, and prevent fraud, we maintain system logs. This section explains what we log, why, and how long we keep it.

What We Log

Application Logs (AWS CloudWatch):

Performance Metrics (AWS CloudWatch Metrics):

Why We Log

We use logs for:

Who Can Access Logs

Internal Access:

Third-Party Processors:

Data Minimization

We practice data minimization in our logging:

Your Rights Regarding Logs

Under GDPR, you have the right to:

Note: We cannot delete logs retroactively (they are immutable for security/audit purposes), but they auto-delete after 1 month. For account deletion (Right to Erasure), historical logs expire automatically.

Back to Homepage