Privacy Policy
Effective: 2025-01-01 · Last updated: 2025-01-01
1. Who We Are (Data Controller)
MLTPrep ("we", "us", "our") is the data controller for personal information collected through MLTPrep (mltprep.ca). We are headquartered in Windsor, Ontario.
For privacy enquiries, contact our data protection officer at: admin@mltprep.com
2. What Personal Data We Collect
We collect the following categories of personal data:
- Account data: Full name, email address, password (hashed — we never store plaintext passwords), account creation date.
- Authentication data: Login timestamps, IP address, browser type and version, operating system, device type. IP addresses are hashed after 30 days.
- Exam and study data: Questions answered, scores, time taken per question, field and set progress, flashcard confidence ratings.
- Payment data: Subscription plan, payment status. We do not store card numbers — payments are processed by Stripe, Paystack, or PayPal on their secure servers.
- Cookie consent: Your consent choices, the date of consent, and the applicable jurisdiction detected at time of consent.
- Communications: Support ticket messages you send us.
3. Legal Basis and Purpose of Processing
| Processing Activity | Purpose | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Creating and managing your account | Provide the service you signed up for | Contract (Art. 6.1.b) |
| Processing subscription payment | Fulfil your subscription order | Contract (Art. 6.1.b) |
| Sending transactional emails | Verify email, password reset, receipts, security alerts | Contract (Art. 6.1.b) |
| Security and auth logging | Detect fraud, protect accounts, audit trail | Legitimate interest (Art. 6.1.f) |
| Analytics (if consented) | Improve platform features and content quality | Consent (Art. 6.1.a) |
| Marketing emails (if consented) | Promotional messages and exam tips | Consent (Art. 6.1.a) |
| Tax and financial records | Legal compliance and accounting obligations | Legal obligation (Art. 6.1.c) |
4. How Long We Retain Your Data
- Account data: Until you request deletion, plus a 30-day grace period.
- Authentication logs: 12 months, then deleted automatically.
- Access logs: 90 days, then deleted automatically.
- Exam activity: 2 years from last activity.
- Subscription records: 7 years (tax and legal compliance).
- Cookie consent records: 3 years (regulatory audit trail).
- IP addresses: Hashed (SHA-256, irreversible) after 30 days.
5. Who We Share Your Data With
We share data only with the following processors, under data processing agreements:
- Supabase — database hosting and authentication (servers in US/EU)
- Stripe / Paystack / PayPal — payment processing (as selected at checkout)
- Resend — transactional email delivery
- Anthropic — AI-generated exam feedback (no identifiable data sent)
- Vercel — web hosting (servers in US/EU)
We do not sell your personal data. We do not share it with advertisers.
6. International Data Transfers
Some of our processors store data in the United States. Where data is transferred outside the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms. You may request a copy of applicable transfer safeguards by contacting us.
7. Your Rights
Depending on your jurisdiction, you have some or all of the following rights:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your account and associated data.
- Portability: Receive your data in a machine-readable format.
- Restriction: Ask us to restrict processing while a dispute is resolved.
- Objection: Object to processing based on legitimate interest.
- Withdraw consent: Withdraw analytics or marketing consent at any time via your account settings. Withdrawal does not affect processing carried out before withdrawal.
To exercise any right, email admin@mltprep.com. We will respond within 30 days. For erasure requests, we may retain certain data where required by law (e.g., tax records).
If you are in the EU/UK, you have the right to lodge a complaint with your supervisory authority. For EU users: find your authority at edpb.europa.eu. For UK users: ico.org.uk.
8. Cookies
We use cookies and similar technologies. For full details see our Cookie Policy. You can manage your preferences via the cookie banner shown on first visit, or at any time through your account settings.
9. Age Requirement
MLTPrep is intended for users aged 18 and over. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we will delete it promptly.
10. Changes to This Policy
We will notify registered users by email if we make material changes to this policy. The effective date at the top of this page will always reflect the most recent version. Continued use of the platform after changes constitutes acceptance of the updated policy.
11. Contact
Data Protection Officer
MLTPrep
Windsor, Ontario
admin@mltprep.com
Governing law: Ontario, Canada.
MLTPrep is not affiliated with or endorsed by CAMLPR.