Privacy Policy

What Does This Privacy Notice Apply To?

This Privacy Notice explains how we use your personal information when you use the Service, either as an individual user or when you access the Service through one of our subscription plans. We are the data controller of your personal information when we use it as described in this Privacy Notice, meaning that we determine and are responsible for how your personal information is processed.

Information We Collect

We collect the following types of information:

• Account Information: Name, email address, and password when you register. If you sign up via Google OAuth, we receive your name and email from Google. We do not receive or store your Google password.
• Onboarding Data: Your target exam (ECAT/BCAT), selected subjects, preparation level, and study preferences. This helps us personalize your experience from the start.
• Test & Performance Data: Your test results, answers, scores, time spent, and topic-wise performance analytics. This data powers our adaptive learning algorithm to identify your strengths and weaknesses.
• Subscription Data: Your subscription tier and payment transaction details (processed through third-party gateways — we do not store card numbers or sensitive financial information on our servers).
• Usage Data: Browser type, device information, IP address, pages visited, and interactions with the Platform, collected automatically through standard web technologies.

How We Use Your Information

We use the information we collect for the following purposes:

• To create and manage your account
• To generate personalized, adaptive practice tests based on your performance history
• To provide performance analytics and track your progress across subjects and topics
• To process subscriptions and payments
• To send transactional emails (verification, password reset, test completion summaries)
• To send occasional product updates and study reminders (you can opt out anytime via your account settings or email preferences)
• To improve our platform, fix bugs, and develop new features based on aggregated usage patterns
• To detect, prevent, and address technical issues, fraud, or security breaches

Data Storage & Security

Your account and test data is stored on secure cloud infrastructure using Supabase (PostgreSQL) and MongoDB Atlas, both with encryption at rest and in transit. We use bcrypt hashing for passwords and JWT-based authentication with secure, HTTP-only cookies.

We implement industry-standard security measures including encrypted connections (TLS/SSL), regular security audits, and access controls to protect against unauthorized access, alteration, disclosure, or destruction of your personal information. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you the Service. If you delete your account, we will remove your personally identifiable information within 30 days, though we may retain anonymized and aggregated data (such as overall platform usage statistics) indefinitely. We may also retain certain information as required by law or for legitimate business purposes such as resolving disputes and enforcing our agreements.

Third-Party Services

We use the following third-party services to operate and improve the Platform. Each of these providers has their own privacy policies governing their use of your information:

• Google OAuth: For account sign-in (governed by Google's Privacy Policy)
• Resend: For transactional email delivery
• Supabase: For database hosting and authentication infrastructure
• MongoDB Atlas: For question bank storage
• Vercel: For application hosting and edge delivery

We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.

Cookies & Local Storage

We use cookies for authentication sessions and browser sessionStorage to temporarily store test data while you take a test. Session storage is automatically cleared when you close your browser tab. We do not use tracking cookies for advertising purposes, and we do not participate in any third-party ad networks.

Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Access and download a copy of your personal data
• Request correction of inaccurate or incomplete data
• Request deletion of your account and all associated personal data
• Opt out of non-essential emails and marketing communications
• Object to or restrict certain types of data processing
• Request portability of your data in a machine-readable format

To exercise any of these rights, contact us at support@acemax.codewithalpha.com. We will respond to your request within 30 days.

Children's Privacy

AceMax is intended for students aged 15 and above preparing for college admission exams. We do not knowingly collect personal information from children under 15. If you are a parent or guardian and believe your child under 15 has provided us with personal data, please contact us at support@acemax.codewithalpha.com and we will promptly take steps to delete such information.

International Data Transfers

Our servers and third-party service providers may be located in different countries. By using the Platform, you consent to the transfer of your information to countries outside of Pakistan, which may have different data protection laws. We take steps to ensure that your data receives an adequate level of protection in the jurisdictions in which we process it.

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Modified" date. If we make material changes, we will notify you by email or through a prominent notice on the Platform. Continued use of the Platform after changes constitutes acceptance of the revised policy.