Legal
Privacy
TL;DR
We collect what we need to run the site: email and name (via Clerk), practice activity (so the dashboard works), and payment session ids (Stripe holds the card data, not us). No tracking cookies. Analytics are cookieless and pseudonymous. Delete your account from /settings any time — full erasure 30 days later.
1. What this covers
This policy explains what personal data ccaftestprep.com (operated by [LEGAL_ENTITY_NAME]) collects, why, who we share it with, and how you control it. We aim for plain English; if a section is unclear, email support@ccaftestprep.com.
2. What we collect
Account
When you sign up, our auth provider Clerk handles registration and stores your email address, name (if you provide one), and password / OAuth identity. We receive a Clerk user id and the email back. If you sign in with Google, we also receive your name and profile picture from Google.
Practice activity
For each question you answer we store:
- The question id, your answer, whether it was correct, time spent.
- Whether you answered in practice mode, exam mode, or via a permalink.
- An attempt number (first attempt vs replays).
- Your bookmarks.
- Your exam date if you tell us one (used to drive the countdown).
Per-attempt rows are the basis of the dashboard, the recommendation engine, and aggregate question-difficulty stats.
Anonymous browser id
Before you sign up, we mint a random `ccaf_anon_id` cookie and store it on first visit. This lets us attribute your pre-signup practice attempts to your account when you eventually sign in. The cookie is opaque (a UUID) and not shared with third parties. You can clear it from your browser cookies any time.
Payments
Card data is handled entirely by Stripe; we never see it. We store the Stripe Checkout Session id, the amount, the status (pending / paid / refunded), and a timestamp. If you use a promo code, Stripe sends us which code was redeemed.
Analytics
We use PostHog in a cookieless configuration: in-memory only, no persistent identification, no autocapture, no pageview auto-tracking. We send a small set of named events (`practice_start`, `exam_complete`, `signup_click`, etc.) tied to your Clerk user id or anonymous browser id. We do not feed PostHog your name, email, or payment data.
Error tracking
Errors are sent to Sentry. Our Sentry configuration scrubs email addresses and authentication tokens from event payloads before they leave your browser. We do not log the contents of your practice sessions.
3. What we do NOT collect
- We do not collect your IP address or precise location for analytics.
- We do not run third-party advertising trackers or set advertising cookies.
- We do not sell, rent, or trade your personal data.
- We do not use your practice content to train AI models.
4. Why we collect it
- To run the service — auth, the dashboard, recommendations, sync across devices.
- To gate the free tier — counters tell us when you've used your free questions.
- To process payments — confirm a purchase landed and unlock your account.
- To improve the question bank — aggregate per-question difficulty signals from anonymized attempts.
- To debug — Sentry errors when something breaks.
5. Who we share it with (sub-processors)
- Clerk — authentication and user records.
- Stripe — payments and tax (Managed Payments; Stripe is the merchant of record).
- Neon — managed Postgres hosting our database.
- Vercel — hosting and serverless functions.
- PostHog — product analytics (cookieless mode).
- Sentry — error tracking (with PII scrubbing).
- Google — only if you sign in with Google.
Each sub-processor has its own privacy practices. We do not share your data with any party not listed here.
6. Cookies
- Auth session (Clerk) — required to keep you signed in.
- `ccaf_anon_id` — opaque random id (see §2). Required for free-tier counters.
- Theme preference — your light/dark choice, stored in localStorage.
We do not set tracking, advertising, or third-party-analytics cookies. Because there are no tracking cookies, we do not show a cookie banner.
7. Data retention
We keep your account and activity data for as long as your account is active. When you delete your account (/settings):
- Your account is locked immediately; you can't sign back in.
- After 30 days, all your account data — User row, attempts, bookmarks, payment records, shared sets — is hard-deleted. This is automatic.
- During the 30 days, email support@ccaftestprep.com to restore the account.
- Anonymized aggregate stats (e.g., per-question difficulty) may be retained because they no longer identify you.
Payment records may need to be retained longer than 30 days where tax or accounting law requires; in that case we retain the minimum required record (session id, amount, date) and nothing else.
8. Your rights
Depending on where you live, you may have the right to:
- Access — request a copy of the data we hold about you.
- Correct — fix inaccurate data.
- Delete — see §7 above.
- Export — receive your data in a portable format.
- Object — to certain processing.
For access, correction, or export, email support@ccaftestprep.com from the address on the account. We'll respond within 30 days.
9. Children
The site is not directed at children under 13, and we do not knowingly collect data from anyone under 13. Account creation requires you to be at least 18 (see the Terms).
10. International transfers
Our sub-processors operate primarily in the United States and may process your data there. If you access the site from outside the US, your data will be transferred to and stored in the US.
11. Changes to this policy
If we change this policy, we'll update the Effective date at the top. Material changes will be flagged in-app the next time you sign in.
12. Contact
Privacy questions or requests: support@ccaftestprep.com.