Privacy Policy
1. Who we are
EPSO Genius ("we", "us", "our") is an AI-powered EPSO exam preparation platform based in Brussels, Belgium. We are subject to the General Data Protection Regulation (GDPR) as an EU-based data controller.
Contact: hello@epsogenius.com
2. Data we collect
Account data
- Email address (required to create an account)
- Name (optional)
- Password (stored only as a bcrypt hash; we cannot read or recover your plaintext password)
Usage data
- Practice test results, scores, and performance metrics
- Test session timestamps and question answers
- Section-level analytics (verbal, numerical, abstract, EU knowledge, digital skills)
Payment data
- Subscription status and plan type (Pro or Premium)
- Payment is processed by Stripe — we do not store card details
Technical data
- Session cookies for authentication
- Basic server logs (IP addresses anonymised after 30 days)
3. Legal basis for processing
- Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the service you signed up for
- Legitimate interests (Art. 6(1)(f) GDPR): Analytics to improve the platform, security monitoring
- Consent (Art. 6(1)(a) GDPR): Marketing emails (you can opt out anytime)
- Legal obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws
4. How we use your data
- Provide and personalise practice tests
- Track your progress and generate performance insights
- Process subscription payments via Stripe
- Send transactional emails (account confirmation, password resets, subscription updates)
- Send marketing emails if you have opted in (unsubscribe anytime)
- Improve the platform through aggregate, anonymised analytics
5. Data retention
- Account data: retained while your account is active, and for 2 years after a deletion request
- Practice test data: retained for 3 years to enable long-term progress tracking
- Payment records: retained for 7 years (EU accounting obligations)
- Server logs: anonymised after 30 days
6. Third-party processors
- Stripe — payment processing (US/EU, EU SCC-compliant)
- Klaviyo — email marketing (US, EU SCC-compliant)
- Neon / PostgreSQL — database hosting (US, EU SCC-compliant)
- Render — application hosting (US, EU SCC-compliant)
All processors are bound by data processing agreements (Art. 28 GDPR) and process data only on our documented instructions. Where a processor is located in the US, transfers are covered by the EU Standard Contractual Clauses (SCCs).
7. Your rights under GDPR
As an EU resident, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate personal data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — restrict how we process your data
- Objection — object to processing based on legitimate interests
- Withdraw consent — for any consent-based processing
To exercise any right, email hello@epsogenius.com. We respond within one month, the deadline set by Art. 12(3) GDPR.
You may also lodge a complaint with your national data protection authority. In Belgium: dataprotectionauthority.be.
8. Cookies
We use strictly necessary cookies for session authentication, and optional analytics cookies. See our Cookie Policy for details.
9. Security
We implement appropriate technical and organisational measures to protect your data, including storing passwords only as bcrypt hashes, encrypting all traffic between your browser and our servers with TLS (HTTPS), and access controls limiting who can reach personal data. No system is 100% secure; if you suspect a breach or unauthorised access to your account, contact us immediately at hello@epsogenius.com.
10. Changes to this policy
We may update this policy. We'll notify you of material changes by email or prominent notice on the site. The "Last updated" date at the top reflects the most recent revision.
11. Contact
Questions about privacy? hello@epsogenius.com