PRE-FLIGHT BRIEFING

Privacy Policy

Version 1.0 (draft for legal review) · Last updated 3 July 2026
Contents
  1. Who is responsible for your data
  2. What data we collect
  3. Why we process it and our legal bases
  4. Anti-sharing and security monitoring
  5. Who we share data with
  6. International transfers
  7. How long we keep data
  8. Your rights
  9. Marketing communications
  10. Cookies and local storage
  11. Security
  12. Children
  13. Changes to this policy
  14. Contact and complaints

1. Who is responsible for your data

The data controller is [DECISION-1: legal entity name, registration number, and registered address], operating Pre-Flight Briefing at atplprep.pages.dev.

Privacy contact: privacy@atplprep.pages.dev

[DECISION-6: if you have no EU establishment but offer paid services to EU users, GDPR Article 27 requires appointing an EU representative — confirm with counsel whether your scale triggers this and appoint if so.]

2. What data we collect

2.1 Information you give us at registration

DataRequired?
First, middle, last nameFirst and last required; middle optional
Date of birthRequired (minimum age verification)
Email addressRequired
Country of residenceRequired
Phone number and country dialing codeRequired
Approved Training Organisation (ATO)Optional
Training stage and target exam windowRequired
How you heard about usOptional
Marketing consent choiceRecorded either way
Terms and privacy acceptance timestampsRecorded automatically

2.2 Information generated by your use of the Service

2.3 Payment data

Card and payment credentials are collected and processed by our payment providers (Paddle for USD; XPay for PKR) — we never see or store your full card number. We receive transaction confirmations, subscription status, and, from Paddle as merchant of record, limited billing metadata.

3. Why we process it and our legal bases

PurposeData usedLegal basis (GDPR)
Providing the Service — account, quizzes, progress trackingRegistration data, study dataContract performance (Art. 6(1)(b))
Payment processing and subscription managementPayment metadata, subscription statusContract performance (Art. 6(1)(b))
Age verificationDate of birthLegal obligation / legitimate interest (Art. 6(1)(c)/(f))
Preventing account sharing and abuseDevice fingerprints, session data, IPLegitimate interest (Art. 6(1)(f)) — protecting our service and content
Payment routing by regionIP-derived countryLegitimate interest (Art. 6(1)(f))
Marketing emails (study tips, exam reminders, offers)Email, name, training stage, exam windowConsent (Art. 6(1)(a)) — opt-in only, withdrawable any time
Service improvement and aggregate analyticsStudy data (aggregated / de-identified where possible)Legitimate interest (Art. 6(1)(f))
Legal compliance, records, disputesAcceptance timestamps, transaction recordsLegal obligation (Art. 6(1)(c))

4. Anti-sharing and security monitoring

Paid subscriptions are personal. To enforce this we operate automated measures:

These measures can result in automated suspension of an account exhibiting sharing behaviour. If your account is suspended and you believe this is an error, contact us — a human will review the decision (this is your right under GDPR Article 22 in respect of decisions with significant effects).

5. Who we share data with

We do not sell your personal data. We share it only with processors and partners necessary to run the Service:

RecipientRoleData involved
Supabase Inc.Database and authentication hostingAll account and study data
Cloudflare Inc.Website hosting, CDN, security, country detectionIP address, technical logs
Paddle.com Market LtdMerchant of record for USD paymentsName, email, country, transaction data
XPayPayment gateway for PKR paymentsName, email, transaction data
[DECISION-7: email provider — e.g. Resend/SendGrid/Postmark once custom SMTP is configured]Transactional and marketing email deliveryEmail address, name
Google (Fonts)Font delivery — see Section 10 noteIP address on font request

We may also disclose data where required by law, court order, or to protect our legal rights.

6. International transfers

Our processors store and process data in multiple regions, including the United States and the European Union. Where personal data of EU/EEA/UK residents is transferred outside those areas, we rely on our processors' compliance mechanisms, including Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework. Details are available in each processor's own privacy documentation.

7. How long we keep data

DataRetention
Account and profile dataWhile your account is active, then deleted or anonymised within [DECISION-8: recommended 90 days] of account closure
Study/progress dataWhile your account is active; deleted with the account
Transaction and billing recordsRetained as required by tax and accounting law (typically 6–7 years)
Terms/privacy acceptance timestampsDuration of account plus limitation period for legal claims
Security logs (IP, session events)[DECISION-8: recommended 12 months]
Marketing consent recordsUntil consent is withdrawn, plus proof-of-consent retention

8. Your rights

Depending on your location, you have the right to:

To exercise any right, email privacy@atplprep.pages.dev. We respond within one month (GDPR) or the period required by your local law. We may need to verify your identity before acting on a request.

9. Marketing communications

We send marketing emails (study tips, exam-window reminders, product news, offers) only if you opted in at registration or later. Every marketing email contains an unsubscribe link. Unsubscribing does not affect transactional emails (receipts, security notices, service announcements), which we send as part of operating the Service.

10. Cookies and local storage

We use a minimal set of strictly necessary storage mechanisms:

ItemTypePurposeDuration
Supabase auth tokenLocal storageKeeping you signed inUntil sign-out / expiry
Session tokenLocal storageConcurrent-session enforcementSession
Cloudflare security cookiesCookieBot protection and securitySet by Cloudflare

We do not use advertising or cross-site tracking cookies. Because we use only strictly necessary storage, no consent banner is required; if we ever introduce analytics or marketing cookies, we will implement a consent mechanism first.

Fonts: pages currently load fonts from Google Fonts, which involves your browser sending your IP address to Google. [DECISION-9: self-host fonts before launch to remove this disclosure and the associated GDPR exposure — see blind spots.]

11. Security

No system is perfectly secure. If we become aware of a personal-data breach likely to result in a risk to you, we will notify the relevant supervisory authority and, where required, affected users without undue delay.

12. Children

The Service is not directed at children under 16, and we do not knowingly collect data from anyone under 16. Date of birth is checked at registration. If you believe a child under 16 has created an account, contact us and we will delete it.

13. Changes to this policy

We may update this policy. Material changes will be notified by email or in-Service notice at least 14 days before taking effect. The "last updated" date at the top reflects the current version.

14. Contact and complaints

Privacy questions and rights requests: privacy@atplprep.pages.dev

If you are in the EU/EEA or UK and believe our processing infringes data-protection law, you have the right to lodge a complaint with your local supervisory authority, without prejudice to any other remedy.