Privacy Policy

We collect information that you provide directly to us when using the Service, as well as information collected automatically during your usage. Information you provide: • Account information: name, email address, and password (or OAuth credentials) • Profile data: display name, avatar, language preferences, and professional background • Assessment data: your answers, scores, CEFR levels, and certificate records • Payment information: transaction records and billing address (processed via PayPal) • Communication data: messages sent through our contact form or support channels Information collected automatically: • Device information: browser type, operating system, device identifiers • Usage data: pages visited, features used, time spent, click patterns • Technical data: IP address, referring URLs, and system configuration • Assessment analytics: performance patterns, skill strengths, and improvement areas

We use the collected information for the following purposes: • To provide, maintain, and improve the TestCEFR platform and services • To process assessment results and generate CEFR-aligned proficiency certificates • To personalize your learning experience and recommend relevant courses and content • To communicate with you about your account, progress, and platform updates • To provide customer support and respond to your inquiries • To detect, prevent, and address fraud, abuse, and security issues • To analyze usage patterns and improve our AI assessment algorithms • To comply with legal obligations and enforce our Terms of Service • To send promotional communications (only with your opt-in consent)

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances: • Service providers: We share data with trusted third-party services that help us operate the platform, including: — Payment processors (PayPal) for secure transaction handling — Cloud infrastructure providers for hosting and storage — Analytics services to understand platform usage patterns • Authentication providers: When you sign in with Google or GitHub, we receive only your basic profile information (name, email) as permitted by your OAuth consent. • Legal requirements: We may disclose information if required by law, court order, or governmental regulation. • Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. • With your consent: We may share information when you explicitly authorize us to do so.

We take reasonable and appropriate measures to protect your personal information: • All data transmission is encrypted using TLS/SSL protocols (HTTPS) • Passwords are hashed using industry-standard bcrypt algorithms (never stored in plain text) • Database access is restricted and monitored • Regular security audits and vulnerability assessments are conducted • Payment data is processed exclusively through PCI-DSS compliant processors While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you acknowledge that you provide information at your own risk. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours in accordance with applicable data protection laws.

We use cookies and similar tracking technologies to enhance your experience: Essential cookies: • Session cookies to maintain your logged-in state • CSRF tokens for security protection • Authentication tokens for secure API access Analytics cookies: • To understand how users interact with the platform • To identify popular features and areas for improvement • All analytics data is aggregated and anonymized You can manage your cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Service. We do not use third-party advertising cookies or sell data to advertising networks.

Depending on your jurisdiction, you may have the following rights regarding your personal data: • Access: You can request a copy of all personal data we hold about you • Correction: You can update or correct your personal information through your account settings • Deletion: You can request deletion of your account and associated data (subject to legal retention requirements) • Portability: You can request your data in a machine-readable format • Restriction: You can request restriction of processing in certain circumstances • Objection: You can object to processing for direct marketing purposes • Withdrawal of consent: You can withdraw any consent you have previously given To exercise any of these rights, please contact us at support@testcefr.com. We will respond within 30 days. Note: Some data (such as anonymized assessment analytics) may be retained for research and service improvement purposes even after account deletion.

Our platform integrates with the following third-party services: • Google OAuth: Used for authentication. Google's Privacy Policy applies: https://policies.google.com/privacy • GitHub OAuth: Used for authentication. GitHub's Privacy Policy applies: https://github.com/privacy • PayPal: Used for payment processing. PayPal's Privacy Policy applies: https://www.paypal.com/privacy We are not responsible for the privacy practices of these third-party services. We encourage you to review their respective privacy policies. These services collect information independently and are governed by their own terms and privacy policies. Your use of these services is voluntary and subject to their terms.

TestCEFR is not intended for children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us immediately at support@testcefr.com. We will take steps to delete such information from our systems. If we discover that we have collected personal information from a child under 16 without verification of parental consent, we will delete that information as quickly as commercially feasible.

We may update this Privacy Policy from time to time. When we make changes: • We will update the "Last Updated" date at the top of this page • Material changes will be communicated via email notification or a prominent notice on the platform • Continued use of the Service after changes take effect constitutes acceptance of the revised policy • We recommend reviewing this page periodically for any updates

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us: TestCEFR — Privacy Team Email: support@testcefr.com Website: https://testcefr.com For data-related requests (access, deletion, portability), please include "Privacy Request" in your email subject line. We aim to respond within 30 business days.