Privacy Policy
Last updated: February 22, 2026
1. Introduction
ExamPull ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered practice exam generation service ("the Service").
This policy is designed to comply with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Family Educational Rights and Privacy Act (FERPA) where applicable.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, and phone number when you create an account.
- Authentication Data: Login credentials, OAuth tokens from Google Sign-In, and session information.
- Study Materials: Documents, PDFs, images, text, and links you upload for exam generation.
- Exam Attempts: PDF documents of your completed practice exams submitted for grading.
- Payment Information: Billing details processed through Stripe. We do not store your full credit card number; Stripe handles all payment data securely.
2.2 Information Collected Automatically
- Usage Data: Pages visited, features used, exam generation history, and interaction patterns.
- Device Information: Browser type, operating system, device type, and screen resolution.
- Log Data: IP address, access times, and referring URLs.
- Cookies: Session cookies for authentication and functional cookies for preferences. See Section 7 for details.
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Generate practice exams, grade attempts, and deliver feedback based on your uploaded materials.
- Manage Your Account: Authenticate your identity, maintain your subscription, and process payments.
- Improve the Service: Analyze usage patterns to improve features, fix bugs, and optimize performance.
- Communicate: Send transactional emails (receipts, account notifications) and, with your consent, promotional updates.
- Ensure Security: Detect and prevent fraud, abuse, and unauthorized access.
- Comply with Legal Obligations: Respond to legal requests and enforce our Terms of Service.
4. AI Processing
Your uploaded materials and exam attempts are processed by AI models (Google Gemini via Vertex AI) to generate exam content and grading feedback. Important details:
- No Model Training: Your uploaded materials and personal data are never used to train or fine-tune AI models. They are used solely for generating your requested exam content and grading feedback.
- Processing Scope: AI processing occurs on Google Cloud Platform infrastructure with enterprise-grade security and data protection.
- Data Retention in AI: Content sent to AI models is not retained by the AI provider beyond the immediate processing request.
- Human Review: We do not routinely review your materials or generated content. Automated quality checks are performed on generated PDFs for formatting issues only.
5. Data Sharing and Disclosure
We do not sell your personal information. We share data only in these limited circumstances:
- Service Providers: We use third-party services to operate our platform:
  - Google Cloud Platform (GCP) for hosting, storage, AI processing, and authentication
  - Stripe for payment processing and subscription management
  - Firebase for authentication and real-time data
- Legal Requirements: When required by law, court order, or governmental authority.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users.
- With Your Consent: When you explicitly authorize sharing, such as generating a shareable exam link.
6. Data Storage and Security
- Storage Location: Data is stored on Google Cloud Platform servers in the United States (multi-region US).
- Encryption: All data is encrypted at rest using Google Cloud's default encryption (AES-256) and in transit using TLS 1.3.
- Access Controls: Access to user data is restricted to authorized personnel and systems using the principle of least privilege.
- Payment Security: Payment data is handled entirely by Stripe, which is PCI DSS Level 1 compliant. We never store complete card numbers on our servers.
7. Cookies
We use the following cookies:
- Session Cookie (__session): Essential for authentication. Contains your encrypted session token. Expires after 5 days.
- Theme Preference: Stores your dark/light mode preference. Persistent, first-party only.
We do not use third-party advertising or tracking cookies. You can disable cookies in your browser settings, but this may prevent you from using authenticated features of the Service.
8. Data Retention
- Account Data: Retained for the duration of your account. Deleted within 30 days of account deletion.
- Uploaded Materials: Stored as long as your account is active. You may delete individual materials at any time.
- Generated Exams: Stored as long as your account is active. You may delete individual exams at any time.
- Payment Records: Retained for 7 years for tax and legal compliance purposes.
- Server Logs: Retained for 90 days for security and debugging purposes.
9. Your Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate personal data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Request your data in a structured, machine-readable format.
- Restriction: Request that we limit how we process your data.
- Objection: Object to processing of your data for certain purposes.
- Withdrawal of Consent: Withdraw consent at any time where processing is based on consent.
- Non-Discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, please contact us at privacy@exampull.com. We will respond within 30 days.
10. International Data Transfers
If you are located outside the United States, your data will be transferred to and processed in the United States. We rely on Google Cloud's data processing agreements and Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected data from a child under 13, we will promptly delete it. If you believe a child under 13 has provided us with personal information, please contact us.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notification. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Contact Us
For questions about this Privacy Policy or to exercise your data rights, contact us at:
- Email: privacy@exampull.com
- Data Protection Inquiries: dpo@exampull.com