Last updated · May 8, 2026

Privacy policy.

Short version: we collect what we need to teach you the SAT or ACT and nothing else. We don't sell student data. We let you delete it. Every word below is the long version.

1. What we collect

• Account info: name, email, current grade (we ask), school (optional), the test you're prepping for.
• Diagnostic + study data: every question you answer, time spent, mistakes, what Pax said back. This is how the plan adapts.
• Payment info: we never see your card directly — Stripe handles all payment data per PCI-DSS Level 1.
• Device info: rough device + browser type, for bug-fixing. We don't fingerprint.

2. What we don't do

• We don't sell or rent your data to anyone — not test-prep companies, not universities, not data brokers, not ad networks.
• We don't share with your parents, school, or counselor unless you opt in.
• We don't train external AI models on your data. Period.
• We may use third-party analytics and advertising tools to measure app performance and reach new students. These tools may collect anonymous usage data; they never receive your name, email, or study history.

3. Children & FERPA

If you're under 13, we won't accept your account without parental consent (COPPA-compliant). For school-distributed accounts, we operate under the school's FERPA umbrella as a school official with legitimate educational interest. We do not retain student records past 18 months after last login unless required by district contract.

4. How long we keep data

Account data: until you delete your account. Diagnostic / study data: same. Anonymized aggregate data (e.g., "users in the 1300-1400 band tend to miss this question type"): retained indefinitely for research. Payment metadata: 7 years for tax compliance.

5. Your rights

• See everything we know about you — Me → Privacy → Export my data in-app, or email legal@prepful.ai.
• Delete your account and associated data — Me → Account → Delete account, or follow the steps on our account deletion page.
• Pause parent notes anytime — Me → Parents.
• EU/UK users: full GDPR rights apply (access, rectification, portability, erasure, restriction, objection).
• California users: CCPA rights apply. We do not sell personal information.

6. Security

Data at rest is encrypted with AES-256, in transit with TLS 1.3. We conduct regular security reviews and penetration testing. If we ever have a breach, you'll hear from us within 72 hours.

7. Changes to this policy

We'll email you at least 14 days before any material change. The current and previous versions are always at prepful.ai/privacy.

8. Contact

Trust & safety: support@prepful.ai. Data protection officer: legal@prepful.ai.