Privacy Policy

Last updated: 18 April 2026

Introduction

We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our practice games platform.

Information We Collect

1. Account Information

  • Name and email address
  • Password (encrypted and hashed — we never store it in plain text)
  • Subscription tier
  • Payment information (processed and stored by Stripe — we do not store card details)
  • Terms of Service and Privacy Policy acceptance timestamps and version
  • Current daily practice streak and personal best score

2. Game Session Data

Each time you complete a game, we store:

  • The full game state — including every trial, your responses, and timestamps — stored as structured data
  • Raw score, normalised score, and percentile ranking
  • Session start and end times, and total duration
  • Game-specific performance metrics (e.g., reaction time, accuracy, error patterns)
  • Performance category (e.g., average, above-average)

3. Feedback Reports

Feedback reports are generated on-demand from your session data and include:

  • Overall score and performance category
  • Identified strengths and areas for improvement
  • Personalised recommendations
  • Detailed insights based on your game metrics

Note: Feedback reports are not stored separately - they are generated dynamically from your session and score data.

4. Technical and Security Information

  • IP address (used for security and audit logging)
  • Browser user-agent string (used to identify your device type for display purposes)
  • Device fingerprint (a hash of your user-agent, used only for display in device management UI)
  • Device session tokens stored as secure cookies (used to enforce the 2-device limit)

Note: The 2-device limit is enforced using persistent device tokens (cookies), not fingerprinting. Each device gets a unique token that identifies it as one of your 2 allowed devices.

5. Preferences and Consent

  • Email notification and marketing email preferences
  • Cookie consent choices (analytics and marketing), with timestamps

How We Use Your Information

We use your personal data for the following purposes:

Service Delivery

  • Provide access to practice games and features
  • Manage your account and subscription
  • Process payments through Stripe
  • Authenticate and secure your account
  • Enforce the 2-device limit using persistent device tokens (stored as secure cookies)

Personalisation & Analytics

  • Display your game statistics, scores, and progress charts
  • Generate personalised feedback reports with strengths and recommendations (generated on-demand from your session data)
  • Calculate your percentile ranking against anonymised population benchmarks
  • Track your daily practice streak and personal best
  • Compute improvement trends across your session history

Anonymised Population Benchmarks

Your raw scores are included in aggregated, anonymised calculations to build population statistics (mean, median, standard deviation, percentile distributions) for each game. These statistics are used to calculate your percentile ranking. No individual scores are identifiable in this process.

Communication

  • Send service-related notifications
  • Send marketing emails (only with your explicit consent)
  • Notify you of important updates

Legal & Security

  • Maintain a GDPR audit trail of privacy-related actions on your account
  • Comply with legal obligations
  • Prevent fraud and abuse
  • Enforce our terms of service

Legal Basis for Processing (GDPR)

We process your personal data based on:

  • Contract - To provide services you've subscribed to
  • Consent - For analytics, marketing, and optional features
  • Legitimate Interest - To improve our service and prevent fraud
  • Legal Obligation - To comply with laws and regulations

Data Sharing and Third Parties

We share your data only with the following trusted third-party services:

Service Providers

  • Stripe - Payment processing (PCI-DSS compliant). Stripe stores your billing details; we only receive a customer reference ID.
  • Supabase - Authentication and database hosting. Your data is stored on Supabase-managed infrastructure.
  • Vercel - Application hosting and CDN. Vercel processes requests to serve the application.

We do not use third-party analytics services. We do not sell your personal data to third parties.

Data Security

We implement industry-standard security measures:

  • SSL/TLS encryption for data in transit
  • Encrypted database storage
  • Secure password hashing (bcrypt)
  • Regular security audits
  • Access controls and authentication
  • Device session management (max 2 active devices)

Data Retention

We retain your data for the following periods:

  • Account data — until you delete your account
  • Game sessions and scores — automatically deleted after 2 years, or immediately when you delete your account or request removal
  • Payment records — 7 years (legal requirement)
  • GDPR audit logs — deleted when you delete your account
  • Device session tokens — automatically removed after 30 days of inactivity (safety net to prevent permanent lockouts from lost devices)

The 2-year automatic deletion of game data and 30-day device session cleanup are enforced by a daily automated job. You can also delete your data at any time from your account settings.

Your Rights

Under GDPR and other privacy laws, you have the right to:

  • Access - Request a copy of your personal data
  • Rectification - Correct inaccurate data
  • Erasure - Request deletion of your data ("right to be forgotten")
  • Restriction - Limit how we process your data
  • Portability - Export your data in a machine-readable format
  • Object - Object to certain types of processing
  • Withdraw Consent - Revoke consent at any time

To exercise these rights, visit your account settings or contact us at support@cogniprep.app.

Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

International Data Transfers

Your data is processed by Supabase and Vercel, which may store and process data in the United States and other countries. We rely on the following safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission where applicable

Automated Decision-Making

We use automated processing to personalise your experience:

  • Game difficulty is adjusted automatically based on your performance scores
  • Personalised recommendations are generated from your game history
  • Performance percentiles are calculated by comparing your scores against aggregated population data

These automated processes do not produce legal or similarly significant effects. You can request human review of any automated assessment by contacting us at support@cogniprep.app.

Cookies

We use cookies to enhance your experience. For detailed information, please read our Cookie Policy.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of significant changes by:

  • Posting a notice on our website
  • Sending an email notification
  • Updating the "Last updated" date

Contact Us

If you have questions or concerns about this privacy policy:

  • Email: support@cogniprep.app
  • Data Protection Officer: support@cogniprep.app

California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know — Request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete — Request deletion of your personal information, subject to certain exceptions
  • Right to Correct — Request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — We do not sell or share your personal information with third parties for cross-context behavioural advertising. No opt-out is required, but you may contact us to confirm this.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights

To exercise your California privacy rights, visit your account settings or contact us at support@cogniprep.app. We will respond to verifiable requests within 45 days.

Supervisory Authority

If you're in the EU/EEA, you have the right to lodge a complaint with your local data protection authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU residents, contact your national supervisory authority listed at edpb.europa.eu.