Privacy Policy

Cambridge Exam AI is an artificial-intelligence-powered educational platform operated by TCK Systems LLC, a limited liability company incorporated in the State of Florida, United States of America, with its registered place of business at 2400 SE Veterans Memorial Pkwy, STE 127, Port St Lucie, FL 34952, United States (hereinafter referred to as "the Company", "we", "us", or "our").

The Platform provides registered users with AI-generated English-language exercises modelled on Cambridge English Qualifications (including but not limited to B1 Preliminary, B2 First, C1 Advanced, and C2 Proficiency levels), study tools, progress-tracking statistics, and a subscription-based credits system. The Company acts as the data controller in respect of all personal data processed in connection with the Platform, as defined under Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation" or "GDPR") and applicable national implementing legislation.

This Privacy Policy applies to all individuals who: (i) create an account on the Platform; (ii) purchase a subscription or AI Credits; (iii) interact with AI-powered exercise-generation features; (iv) browse the Platform without registering; or (v) otherwise communicate with us through any channel.

By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the collection and processing of your personal data in accordance with this Privacy Policy. If you do not agree, you must discontinue use of the Platform immediately.

We collect the following categories of personal data, depending on how you interact with the Platform:

2.1 Account and Identity Data

When you register, we collect your first name, last name, email address, and optionally a profile photograph. If you choose a custom username, that identifier is also stored. This data is necessary to create and maintain your user account and to uniquely identify you across sessions.

2.2 Authentication Data

Authentication on the Platform is provided exclusively through third-party identity providers — currently Google Sign-In and Apple Sign-In. We do not offer, support, or operate any native password-based registration or login flow. When you authenticate, we receive from the identity provider an OAuth token and, where the provider makes it available, your name and email address. We never receive, store, process, or have access to your account password or any credential held by the identity provider under any circumstance.

2.3 AI Prompt and Exercise Data

When you use the AI exercise generator, we collect the topic prompt you submit (e.g., the subject matter you select for the generated exercise), the exercise type selected, the Cambridge level chosen, and the AI-generated output associated with that request. This data is used to deliver the service, enforce our content moderation policy, and improve the reliability of our content-filtering systems. We do not use your prompts to train large language models or sell them to third parties.

2.4 Usage and Interaction Data

We automatically collect information about how you interact with the Platform, including: pages or features visited, exercises started or completed, answer inputs, scores and performance metrics, timestamps of activity, and navigation paths. This data powers your personal statistics dashboard and is used for platform-wide analytics.

2.5 Payment and Billing Data

All payment processing is handled exclusively by Stripe, Inc. (our payment service provider). We do not collect, store, or have access to your full credit or debit card number, CVV, or bank account details. We receive from Stripe only: a tokenised customer identifier, subscription status, the last four digits of a payment card (for display purposes), billing country, and transaction history. Your full payment credentials remain exclusively within Stripe's PCI-DSS-compliant environment.

2.6 Device and Technical Data

We collect your IP address, browser type and version, operating system, device type, screen resolution, preferred language, and time zone. This information is used for security purposes, fraud prevention, and to optimise the Platform's rendering across devices.

2.7 Communications Data

If you contact our support team — via the in-Platform contact form, email, or our WhatsApp support channel — we collect the content of your messages and any attachments you submit. This data is retained for the purpose of resolving your enquiry and maintaining a record of communications.

2.8 Cookies and Tracking Technologies

We use cookies and similar technologies as described in Section 9 below. We do not collect Special Category Data (as defined under Article 9 GDPR), such as health data, biometric data, racial or ethnic origin, political opinions, or religious beliefs.

We process your personal data only where a lawful basis under Article 6 GDPR (or equivalent applicable law) exists. The table below sets out our principal processing activities:

Cambridge Exam AI uses third-party large language model (LLM) infrastructure to generate English-language exercises in real time. When you submit an exercise generation request, the following data is transmitted to our AI infrastructure provider: your selected topic prompt, chosen exercise type, target Cambridge level, and any additional parameters you specify (such as difficulty modifiers).

No personally identifiable information (such as your name, email address, or account identifier) is transmitted alongside your AI prompt to the LLM provider. Your prompt is processed in isolation, in accordance with a strict system-level content policy designed to prevent the generation of harmful, violent, sexually explicit, discriminatory, or otherwise prohibited content.

Content Moderation: All prompts are subject to automated content moderation prior to transmission to the AI model. Prompts that trigger our content filters are blocked and logged for review. Repeated or egregious violations of our content policy may result in account suspension, as described in our Terms of Service.

No Training on User Data: Your prompts and the AI-generated exercises associated with your account are not used to train, fine-tune, or otherwise improve any AI model operated by us or our third-party AI providers. Data transmitted to our AI provider is subject to that provider's own data processing agreement, which prohibits use of API-submitted data for model training purposes.

Exercise Storage: The AI-generated exercise content, together with your responses and performance data, is stored on our servers to power your exercise history, statistics dashboard, and personalised review features. This data is associated with your account identifier and retained in accordance with Section 8 of this Policy.

All payment transactions on the Platform are processed exclusively by Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA), a PCI-DSS Level 1 certified payment processor. When you initiate a purchase — whether for a subscription plan (Weekly, Monthly, or Annual) or a one-off AI Credits top-up — you are redirected to or interact with Stripe's secure payment interface.

Data held by Stripe: Stripe independently collects and processes your payment card data, billing name, billing address, and IP address at the time of transaction. This processing is governed by Stripe's Privacy Policy. We do not have access to your full card number or CVV at any point.

Subscription Management: Active subscribers may manage their billing details, change subscription plan, or cancel their subscription through the Stripe Customer Portal, accessible directly from within the Platform. Cancellation takes effect at the end of the current billing period; no partial refunds are issued for unused time within a billing cycle unless otherwise required by applicable consumer protection law.

Refund Policy: Refund requests are evaluated on a case-by-case basis in accordance with our Terms of Service and applicable consumer law. Where a refund is approved and processed by Stripe, the corresponding subscription and any Credits associated with that purchase are automatically revoked, and the account may be subject to suspension.

Subscription Source: Subscriptions purchased through third-party platforms (including, but not limited to, Apple App Store or Google Play) are subject to the billing and refund policies of those respective platforms and must be managed directly through them.

Cambridge Exam AI operates a Credits-based consumption model for AI exercise generation. Each Credits allocation is tied to your individual user account and is non-transferable. The following data is processed in connection with your Credits:

• Current balance: The number of Credits currently available on your account, updated in real time following each exercise-generation request or top-up event.
• Transaction ledger: A full chronological record of Credits deductions (exercise generation events) and Credits additions (subscription renewals, one-off purchases, promotional grants), including timestamps and the Credits quantity involved in each event.
• Cap enforcement: Your Credits balance is subject to a maximum cap (currently 150 Credits) regardless of your subscription plan. Credits that would exceed this cap upon a renewal or top-up event are not awarded.
• Expiration: Credits allocated under a subscription plan expire if the subscription is cancelled or lapses. One-off Credits purchases do not expire unless the account is closed or suspended.

The Credits ledger constitutes part of your account data and is retained for the duration of your account plus a further six (6) years after account closure, in accordance with applicable financial record-keeping obligations.

We do not sell, rent, or trade your personal data. We share your personal data only with the following categories of third-party recipients, and solely to the extent necessary to operate the Platform:

• Authentication Providers — Google LLC / Apple Inc.: We receive authentication tokens from these providers when you use their respective Sign-In services. Data sharing in this context is governed by each provider's privacy policy and applicable OAuth agreements.
• Payment Processor — Stripe, Inc.: Payment card data and billing information are processed directly by Stripe. We share with Stripe only your email address (for receipt delivery) and a user-level identifier (to associate payments with your account).
• AI Infrastructure Provider: Your exercise-generation prompt (stripped of personally identifiable data) is transmitted to our AI infrastructure provider for processing. The provider acts as a data processor under a Data Processing Agreement that prohibits secondary use of transmitted data.
• Analytics Services — Google Analytics / Firebase: We use Google Analytics and Firebase (operated by Google LLC) for platform-wide usage analytics and crash reporting. Data is transmitted to Google in pseudonymous or aggregated form. IP addresses are anonymised prior to transmission where technically feasible.
• Cloud Hosting and Infrastructure Providers: Our Platform is hosted on third-party cloud infrastructure. Data is stored and processed within those providers' environments under contractual obligations of confidentiality and security.
• Email Service Providers: We use third-party transactional email services to deliver account confirmations, password reset links, subscription receipts, and service notifications.
• Legal and Regulatory Authorities: We may disclose your personal data to competent courts, regulatory bodies, or law enforcement authorities where required by law, court order, or to protect the rights, property, or safety of the Company, our users, or the public.

All processors with whom we share your data are subject to contractual obligations requiring them to process such data solely on our instructions and in compliance with applicable data protection law.

We retain your personal data only for as long as is necessary for the purposes set out in this Policy, unless a longer retention period is required by law:

• Account data (name, email, username, avatar): Retained for the duration of your active account, plus six (6) years following account closure, to satisfy applicable legal and contractual obligations.
• Exercise and performance data: Retained for the duration of your active account. Upon account closure, exercise data is anonymised or deleted within ninety (90) days.
• Credits ledger and transaction records: Retained for six (6) years following the date of the relevant transaction, in accordance with financial record-keeping requirements.
• Billing records (Stripe transaction data): Retained for six (6) years following the date of transaction.
• Support communications: Retained for up to twenty-four (24) months from the date the relevant support ticket is closed.
• AI prompt logs (for moderation purposes): Retained for up to twelve (12) months, after which they are deleted or anonymised.
• Analytics data: Retained in aggregated or pseudonymous form for between twelve (12) and twenty-four (24) months.

Following expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Where deletion is technically infeasible in the short term (e.g., data held in encrypted backup archives), such data is isolated from active processing until it can be deleted.

We use cookies and analogous tracking technologies (including local storage and session storage) for the following purposes:

• Strictly necessary cookies: Essential for the operation of the Platform, including session authentication, CSRF protection, and load-balancing. These cookies cannot be disabled without impairing the functionality of the Platform. No consent is required for their placement.
• Preference cookies: Used to remember your language, display, and notification preferences across sessions. Placed on the basis of your implied consent through continued use of the Platform.
• Analytics cookies: Used by Google Analytics and Firebase to collect pseudonymous information about your interactions with the Platform (pages visited, session duration, feature usage). These are placed only with your consent where required by applicable law.
• Marketing and attribution cookies: Where we run paid marketing campaigns, we may use third-party attribution cookies to measure the effectiveness of our advertising. These are placed only with your explicit prior consent.

You may manage, restrict, or withdraw consent to non-essential cookies through your browser's cookie settings or, where available, through our cookie preference centre. Withdrawing consent to analytics or marketing cookies does not affect your ability to use the Platform.

Subject to applicable law and certain conditions, you have the following rights in respect of your personal data:

• Right of access (Art. 15 GDPR): You may request confirmation of whether we process your personal data and, if so, obtain a copy of that data together with supplementary information about the processing.
• Right to rectification (Art. 16 GDPR): You may request correction of inaccurate personal data or completion of incomplete data. Basic profile information (name, username) can be corrected directly within the Platform's account settings.
• Right to erasure / 'right to be forgotten' (Art. 17 GDPR): You may request deletion of your personal data where the data is no longer necessary for the purposes for which it was collected, you withdraw consent (where consent is the lawful basis), or the processing is unlawful. This right does not apply where retention is required for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
• Right to restriction of processing (Art. 18 GDPR): You may request that we restrict processing of your data in certain circumstances, including where you contest the accuracy of the data or where processing is unlawful but you object to erasure.
• Right to data portability (Art. 20 GDPR): Where processing is based on your consent or the performance of a contract and carried out by automated means, you may request to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object (Art. 21 GDPR): You may object at any time to processing of your personal data carried out on the basis of our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.

To exercise any of the above rights, please contact us using the details in Section 15. We will respond to verified requests within thirty (30) days of receipt. We may request proof of identity before fulfilling a request to protect your data against unauthorised access.

Cambridge Exam AI is not directed at, and is not intended for use by, individuals under the age of sixteen (16) years. We do not knowingly collect personal data from children under the age of 16. If you are under 16, you must not use the Platform or provide any personal data to us.

If we become aware that we have inadvertently collected personal data from a child under 16 without verifiable parental consent, we will take immediate steps to delete that data. If you believe we may have collected data from a minor, please contact us immediately at info@tcksystems.com.

Given the international nature of our operations and the location of our third-party service providers, your personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA) — including, in particular, the United States of America. Such transfers are conducted in accordance with Chapter V of GDPR and are subject to one or more of the following safeguards:

• Adequacy decision: Where the European Commission has determined that the recipient country provides an adequate level of data protection.
• Standard Contractual Clauses (SCCs): We rely on the European Commission's standard contractual clauses (as adopted pursuant to Commission Implementing Decision (EU) 2021/914) for transfers to processors established outside the EEA where no adequacy decision applies.
• Supplementary measures: Where required by applicable guidance, we implement technical and organisational supplementary measures (such as data minimisation, pseudonymisation, and encryption in transit and at rest) to ensure that transferred data receives equivalent protection to that afforded under GDPR.

You may request information about the specific transfer mechanism applicable to any third-party recipient by contacting us at info@tcksystems.com.

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, without limitation:

• Encryption in transit: All communications between your browser or application and our servers are encrypted using Transport Layer Security (TLS 1.2 or higher).
• Encryption at rest: Sensitive data fields (including authentication tokens and session identifiers) are encrypted at rest using industry-standard algorithms.
• Access controls: Access to personal data is restricted to authorised personnel who require it in the performance of their duties, in accordance with the principle of least privilege.
• Infrastructure security: Our cloud infrastructure employs firewalls, intrusion detection systems, and regular vulnerability assessments.
• Incident response: We maintain an internal data breach response procedure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach, and will notify affected individuals where required by law.

Notwithstanding the foregoing, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security.

We reserve the right to amend this Privacy Policy at any time to reflect changes in applicable law, our data processing practices, or the features and functionality of the Platform. The "Last updated" date at the top of this document will be revised accordingly.

Where changes are material — meaning they affect your rights in a significant way or expand the categories of data we collect or the purposes for which we use your data — we will notify you by email to the address associated with your account, by means of a prominent notice displayed within the Platform, or by such other method as may be required by applicable law, no less than thirty (30) days prior to the changes taking effect.

Your continued use of the Platform following the effective date of any revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to any revision, you must cease use of the Platform and may request deletion of your account in accordance with Section 10.

For all data protection enquiries, requests to exercise your rights, or to report a potential breach, please contact us using the details below. We endeavour to respond to all legitimate requests within thirty (30) calendar days.

If you are located in the European Economic Area and wish to exercise your GDPR rights, you may direct your request to either the Data Controller or the EU Representative above. For complaints regarding our processing of your personal data, you also have the right to contact the competent supervisory authority, as set out in Section 10 of this Policy.