Privacy policy

The short version: we collect the minimum we need to run the site, we don't sell data, and we don't run third-party advertising trackers (no Google Analytics, no Facebook Pixel). Our product analytics are first-party and live in our own database. For error tracking and debugging we use Sentry, which records uncaught exceptions and a sampled session replay so we can see what broke when something does - details in section 4. You can read, export or delete everything we hold about you from your account settings.

1. What we collect when you visit without an account

Quiz progress stays in localStorage in your own browser. We never see it.

An anonymous session id. On your first visit we generate a random UUID and store it in a first-party cookie named pp-anon-id (one year, SameSite=Lax). It's not derived from anything personal - just a random number. We use it to:

• Count visitors without counting the same person twice.
• Stitch your activity to your account if you sign up later, so we can show you which question you flagged last week.
• Tell which marketing channel a signup came from.

Where you arrived from. If you click in from a link with UTM parameters (utm_source, utm_medium, etc.), or your browser sends a Referer header from an off-site URL, we record those on first visit only. We don't store same-origin referrers and we never read your full browsing history.

Page views. Each route you visit on passprepper.com is logged (path + off-site referrer + timestamp + your anonymous id). This is our first-party analytics - the equivalent of a small access log. No IP, no user-agent string, no fingerprinting.

Quiz attempts. If you take a free quiz without signing in, we store the attempt against your anonymous id (questions shown, answers, score, timestamps). This is what makes per-course completion + average-score analytics work.

Ratings. If you thumb up/down a question or star-rate a quiz we keep your rating + optional comment.

2. What we collect when you have an account

Everything from section 1 plus: email address, a bcrypt-hashed password (we never see the plaintext), the display name you chose, and the date you joined. Quiz attempts that were anonymous get attached to your account at signup so your history survives across devices.

If you buy a course we record the purchase row (course slug, amount, Stripe identifiers) so you keep access. Card details never touch our servers - Stripe holds them.

If you author a course through the maker, we store the drafts you create and any submission you make for review.

3. Cookies we set

• authjs.session-token - signed-in session, HTTP-only. Set when you log in, cleared when you log out.
• pp-anon-id - the anonymous id described in section 1. One year.
• pp-cookie-consent - remembers your choice on the cookie banner so we don't show it twice.

We do not use third-party cookies, ad cookies, social login cookies or fingerprinting. The first two cookies are necessary for the site to function; the consent cookie remembers your preference. The cookie banner is informational so you know what's happening - we treat the first-party analytics described in section 1 as legitimate interest under GDPR (no PII, no third-party sharing, no cross-site profiling).

4. Third-party processors

To run the service we share data with a small, named set of providers:

• Neon (Postgres database) - stores account, course and progress data. EU-eligible hosting region available.
• Vercel (hosting + CDN) - serves the site and runs server-side functions.
• Resend (transactional email) - delivers welcome, password-reset, contact replies and (if you opt in) product announcements.
• Stripe (payments) - handles checkout and stores card data. We never see or store your full card details.
• OpenAI (AI features in the course maker) - when you use Draft-with-AI in /create, the contents of your prompt are sent to OpenAI to generate a response. Don't paste anything confidential.
• Sentry (error tracking, when configured) - captures uncaught exceptions, a sampled subset of performance traces, and Session Replay (a recorded reconstruction of the DOM, network and console for ~10% of sessions and 100% of sessions that hit an error). We use Sentry's default capture posture so we can actually debug what went wrong - request URLs, IP, user-agent, and signed-in user id are sent with each event. Replay masks text inputs and media by default. Events are tunnelled through passprepper.com/monitoring so adblockers don't silently drop error reports. We never re-sell this data and Sentry keeps it for 30-90 days depending on plan.

Each processor has its own privacy policy. We pick providers that meet GDPR / UK-GDPR standards. We do not share data with any other third party for marketing or analytics purposes.

5. Email we send

Transactional - sign-up welcome, password reset, contact reply, purchase receipts, account-status changes (e.g. account suspended). These send to anyone who triggers them and are exempt from opt-out under GDPR legitimate-interest grounds.

Product / marketing - occasional updates about new courses or site features. You can opt out at any time on your account settings (toggle next to "Email notifications"). Opting out only stops marketing email; transactional sends still arrive.

6. Your rights and the tools we've built for them

Account settings (/account/settings) is the self-service hub:

• Right of access & portability - one click downloads a JSON blob of every row we hold tied to your account (profile, attempts, flags, submissions, entitlements, ratings, session metadata, last 10,000 page views). Passwords and active session tokens are excluded.
• Right to rectification - edit your name and email any time.
• Right to erasure - the "Delete account" button does a cascade delete (account, attempts, flags, submissions, ratings, entitlements, email tokens, audit log entries linked to you). Aggregate, unattributed page-view counts stay because they're not personal data; rows for you are detached from your identity. Stripe purchase records may be retained where tax law requires.
• Right to object / withdraw consent - the marketing opt-out toggle, the cookie-banner choice and the account-deletion button collectively cover this.
• Right to complain - to your local data-protection authority if you think we've mishandled your data.

7. Admin audit log

When an admin takes a consequential action (suspending an account, granting access to a course, sending a broadcast, resolving a contact ticket), we record that action with a timestamp + the admin's id so we have an internal audit trail. The log is not visible to other users; it's for our own accountability.

8. Children

Passprepper is not designed for under-16s. We don't knowingly collect data from children. If you believe a child has signed up, contact us and we'll delete the account.

9. Data retention

Account data is kept while your account is active. When you delete your account the rows are removed immediately - we don't hold a 30-day grace period any more (that's no longer the standard). Page-view rows are anonymised at deletion rather than wiped, so aggregate analytics aren't corrupted. Stripe purchase records, payouts, and tax-related records are kept as long as tax law in our operating jurisdiction requires (typically 7 years).

10. Security

Passwords are bcrypt-hashed. All traffic is HTTPS. Sessions are signed JWTs. Sensitive secrets (database URL, signing key, Stripe key) are stored as environment variables on Vercel and never committed to source control. If you spot a vulnerability, please report it via contact; we'll work with you on coordinated disclosure.

11. Changes

If we materially change this policy we'll notify registered users by email at least 14 days before the change takes effect.

12. Contact

Questions, requests, or complaints about your data? Reach us via contact. We aim to reply within 2 business days.