AceTCF (“we”, “us”, “AceTCF”) operates the AceTCF online exam preparation service (the “Service”). This Privacy Policy explains what personal data we collect, how we use it, and the choices you have. By using the Service you agree to the practices described below.

1. Information we collect

Account information. Your email address (required for sign-in via magic link) and an optional display name.
Practice activity. Your answers, attempt history, notes, highlights, vocabulary entries, and mastery / mistake state. We use this to run the smart-set engine and show your progress.
Device identifier. Before sign-in we mint a signed anonymous “device cookie” so you can practice without an account. After you sign in, anonymous data is merged into your account and the device cookie is no longer associated with you.
Payment information. Payments are handled by Stripe. We never see or store your full card number. We store a Stripe customer ID and subscription status so we can recognize you on return visits.
Telemetry. We may collect anonymized usage events (e.g. which features are opened) and runtime errors. Telemetry never includes the content of your answers or notes.
AI feature content. When you use AI coaching, your writing answer or speaking recording is processed to generate feedback. Speaking audio is uploaded only to produce a text transcript and is then discarded — we do not keep the raw audio. We store the transcript, the feedback, and a quality estimate so you can revisit them and track progress.

2. How we use your information

Operate the Service and personalize your practice plan.
Send magic-link sign-in emails and essential service messages.
Process payments and manage your subscription.
Diagnose bugs and improve performance.
Detect and prevent abuse (e.g. trial farming through fake referrals).

We do not sell your personal data. We do not use your data to train third-party AI models without an explicit opt-in.

3. Third-party processors

To deliver the Service we rely on the following providers:

Neon (PostgreSQL hosting) — stores your account and practice data.
Cloudflare R2 — stores audio and image assets.
Stripe — payment processing.
Resend — transactional email (magic links, payment receipts).
Fly.io — application hosting.
Sentry — error monitoring (if configured).
PostHog — product analytics (if configured).
OpenAI — AI text feedback and speech-to-text transcription for the AI coaching features, when enabled.
Self-hosted / local model service — we may process AI coaching requests on our own operator-controlled model service over a secured connection instead of, or in addition to, OpenAI.

Each processor is contractually obligated to protect your data and use it only for the purposes for which we engage them. We do not permit these AI processors to use your submissions to train their models.

4. Data retention

We retain your account data for as long as your account is active and for a reasonable period afterwards to handle billing disputes or legal obligations. You can delete your account at any time from the Settings page; deletion is permanent and removes your practice data, notes, attempts, AI submissions and feedback, and subscription history within 30 days.

Speaking audio is never retained. Recordings you submit for AI review are processed to create a transcript and then discarded; only the transcript and feedback are stored. Because the raw audio does not persist, it is not part of your data export.

5. Your rights

You have the right to:

Access the personal data we hold about you.
Correct inaccurate data.
Delete your account and associated data.
Export your data in a machine-readable format.
Object to or restrict certain processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

6. Cookies

We use cookies strictly necessary to operate the Service: a signed device cookie for anonymous practice, an authentication session cookie after you sign in, and a short-lived tcf_referral cookie when you arrive through an invite link. We do not use advertising or cross-site tracking cookies.

7. Children

The Service is intended for users aged 16 and older. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, contact us and we will remove it.

8. International data transfers

Our infrastructure is hosted internationally (currently in the Asia-Pacific region). By using the Service you consent to your data being processed outside the country where you reside.

9. Changes to this policy

We may update this Privacy Policy. Material changes will be announced on this page and, where required by law, by email. Your continued use of the Service after a change constitutes acceptance of the updated policy.

10. Contact

Questions about this Privacy Policy or your data? [email protected].

Note: this is a starting-point policy. Please have it reviewed by qualified counsel before relying on it for legal compliance in your jurisdiction.