The data controller is [DECISION-1: legal entity name, registration number, and registered address], operating Pre-Flight Briefing at atplprep.pages.dev.
Privacy contact: privacy@atplprep.pages.dev
[DECISION-6: if you have no EU establishment but offer paid services to EU users, GDPR Article 27 requires appointing an EU representative — confirm with counsel whether your scale triggers this and appoint if so.]
| Data | Required? |
|---|---|
| First, middle, last name | First and last required; middle optional |
| Date of birth | Required (minimum age verification) |
| Email address | Required |
| Country of residence | Required |
| Phone number and country dialing code | Required |
| Approved Training Organisation (ATO) | Optional |
| Training stage and target exam window | Required |
| How you heard about us | Optional |
| Marketing consent choice | Recorded either way |
| Terms and privacy acceptance timestamps | Recorded automatically |
Card and payment credentials are collected and processed by our payment providers (Paddle for USD; XPay for PKR) — we never see or store your full card number. We receive transaction confirmations, subscription status, and, from Paddle as merchant of record, limited billing metadata.
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Providing the Service — account, quizzes, progress tracking | Registration data, study data | Contract performance (Art. 6(1)(b)) |
| Payment processing and subscription management | Payment metadata, subscription status | Contract performance (Art. 6(1)(b)) |
| Age verification | Date of birth | Legal obligation / legitimate interest (Art. 6(1)(c)/(f)) |
| Preventing account sharing and abuse | Device fingerprints, session data, IP | Legitimate interest (Art. 6(1)(f)) — protecting our service and content |
| Payment routing by region | IP-derived country | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails (study tips, exam reminders, offers) | Email, name, training stage, exam window | Consent (Art. 6(1)(a)) — opt-in only, withdrawable any time |
| Service improvement and aggregate analytics | Study data (aggregated / de-identified where possible) | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance, records, disputes | Acceptance timestamps, transaction records | Legal obligation (Art. 6(1)(c)) |
Paid subscriptions are personal. To enforce this we operate automated measures:
These measures can result in automated suspension of an account exhibiting sharing behaviour. If your account is suspended and you believe this is an error, contact us — a human will review the decision (this is your right under GDPR Article 22 in respect of decisions with significant effects).
We do not sell your personal data. We share it only with processors and partners necessary to run the Service:
| Recipient | Role | Data involved |
|---|---|---|
| Supabase Inc. | Database and authentication hosting | All account and study data |
| Cloudflare Inc. | Website hosting, CDN, security, country detection | IP address, technical logs |
| Paddle.com Market Ltd | Merchant of record for USD payments | Name, email, country, transaction data |
| XPay | Payment gateway for PKR payments | Name, email, transaction data |
| [DECISION-7: email provider — e.g. Resend/SendGrid/Postmark once custom SMTP is configured] | Transactional and marketing email delivery | Email address, name |
| Google (Fonts) | Font delivery — see Section 10 note | IP address on font request |
We may also disclose data where required by law, court order, or to protect our legal rights.
Our processors store and process data in multiple regions, including the United States and the European Union. Where personal data of EU/EEA/UK residents is transferred outside those areas, we rely on our processors' compliance mechanisms, including Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. Details are available in each processor's own privacy documentation.
| Data | Retention |
|---|---|
| Account and profile data | While your account is active, then deleted or anonymised within [DECISION-8: recommended 90 days] of account closure |
| Study/progress data | While your account is active; deleted with the account |
| Transaction and billing records | Retained as required by tax and accounting law (typically 6–7 years) |
| Terms/privacy acceptance timestamps | Duration of account plus limitation period for legal claims |
| Security logs (IP, session events) | [DECISION-8: recommended 12 months] |
| Marketing consent records | Until consent is withdrawn, plus proof-of-consent retention |
Depending on your location, you have the right to:
To exercise any right, email privacy@atplprep.pages.dev. We respond within one month (GDPR) or the period required by your local law. We may need to verify your identity before acting on a request.
We send marketing emails (study tips, exam-window reminders, product news, offers) only if you opted in at registration or later. Every marketing email contains an unsubscribe link. Unsubscribing does not affect transactional emails (receipts, security notices, service announcements), which we send as part of operating the Service.
We use a minimal set of strictly necessary storage mechanisms:
| Item | Type | Purpose | Duration |
|---|---|---|---|
| Supabase auth token | Local storage | Keeping you signed in | Until sign-out / expiry |
| Session token | Local storage | Concurrent-session enforcement | Session |
| Cloudflare security cookies | Cookie | Bot protection and security | Set by Cloudflare |
We do not use advertising or cross-site tracking cookies. Because we use only strictly necessary storage, no consent banner is required; if we ever introduce analytics or marketing cookies, we will implement a consent mechanism first.
Fonts: pages currently load fonts from Google Fonts, which involves your browser sending your IP address to Google. [DECISION-9: self-host fonts before launch to remove this disclosure and the associated GDPR exposure — see blind spots.]
No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to you, we will notify the relevant supervisory authority and, where required, affected users without undue delay.
The Service is not directed at children under 16, and we do not knowingly collect data from anyone under 16. Date of birth is checked at registration. If you believe a child under 16 has created an account, contact us and we will delete it.
We may update this policy. Material changes will be notified by email or in-Service notice at least 14 days before taking effect. The "last updated" date at the top reflects the current version.
Privacy questions and rights requests: privacy@atplprep.pages.dev
If you are in the EU/EEA or UK and believe our processing infringes data-protection law, you have the right to lodge a complaint with your local supervisory authority, without prejudice to any other remedy.