Privacy Policy

Last updated: 17 April 2026

We respect your privacy. This policy explains what personal data we collect, why we collect it, and how we protect it.

1. Who We Are

ExamKlaar (www.examklaar.nl) is an online platform that helps people prepare for the Dutch inburgering (civic integration) exam through realistic practice exams and AI-powered feedback. ExamKlaar is operated by [Legal Entity Name], registered at the Dutch Chamber of Commerce (KvK) under number [KvK Number], located at [Address, City, the Netherlands].

Contact: [email protected]. We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR.

2. What Personal Data We Collect

We collect only the data necessary to provide our services:

  • Account data: Your name and email address, collected when you register an account.
  • Exam results and progress: Your answers, scores, AI-generated feedback, and exam history, so you can track your progress over time.
  • Audio recordings: For speaking exercises, we collect the audio you submit. These are used solely to generate AI-powered feedback and are automatically deleted after 30 days.
  • Payment reference data: We store a reference to your Paddle customer ID and subscription status. We do not receive, store, or process your payment card details. These are handled exclusively by Paddle as Merchant of Record.
  • Usage and analytics data: Anonymised data about how visitors use our website, including page views, referral source, and general device and browser type. IP addresses are used only to derive a country-level location and are not stored in identifiable form.
  • Technical logs: Standard server logs may include your IP address, browser type, and request timestamps, retained for up to 90 days for security and debugging purposes.

3. How We Use Your Data

We use your personal data only for the following purposes:

  • To create and manage your account and authenticate your access
  • To deliver our exam practice services and AI-generated feedback
  • To send transactional emails via our email service provider (e.g. email confirmation, password reset, subscription updates)
  • To manage your subscription status in coordination with Paddle
  • To monitor for fraud, abuse, and security threats on the platform
  • To analyse anonymised, aggregated usage patterns to improve the platform

4. Legal Basis for Processing (GDPR)

We process your personal data on the following legal grounds under the GDPR and the Dutch UAVG:

  • Contract performance (Art. 6(1)(b)): Processing your account data, exam data, audio recordings, and subscription reference is necessary to deliver the services you signed up for.
  • Legitimate interest (Art. 6(1)(f)): We process anonymised analytics data and security logs to improve the platform and prevent abuse. We have assessed that these interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): We retain financial reference records for 7 years as required under Dutch tax law (art. 52 AWR).
  • Consent (Art. 6(1)(a)): Where we rely on your consent (for example, for optional marketing communications), you may withdraw it at any time by contacting [email protected] or using the unsubscribe link in any email. Withdrawal does not affect the lawfulness of prior processing.

5. Data Sharing and Processors

We do not sell your personal data. We share data only with the following service providers, each bound by appropriate agreements:

  • Supabase Inc., Data Processor: Our database, authentication, and file storage provider. Your account data, exam results, and audio recordings are stored on Supabase infrastructure hosted in Ireland (EU). No data is transferred outside the EEA.
  • Google LLC (USA), Data Processor: We use Google AI models to generate feedback on your written answers and audio. Only exam content is shared; no account identifiers are included. Transfers are covered by SCCs.
  • Paddle.com Market Ltd (UK), Independent Data Controller: Paddle acts as Merchant of Record for all payments. Paddle is independently responsible for processing your payment and billing data under their own privacy policy. Transfers from the EU to the UK are lawful under the EU adequacy decision for the UK.
  • Brevo SAS (France), Data Processor: Our email service provider for transactional emails (account verification, password reset, subscription notifications) and optional marketing communications. Only your email address and name are shared. Brevo is based in the EU (Paris, France), so no international data transfer occurs.
  • Umami Analytics (USA), Data Processor: We use Umami to understand how visitors use our website. Umami does not use persistent tracking cookies and does not collect personally identifiable information. Only anonymised, aggregated usage data is processed. Transfers are covered by SCCs.

We do not share your data with any other third parties, except where required by law (e.g. a court order or regulatory request from a competent authority).

6. International Data Transfers

Your core data (account, exam results, recordings) is stored within the EEA on Supabase infrastructure in Ireland and is not transferred internationally. Some of our other service providers are based outside the EEA. Where such transfers occur, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): For transfers to Google (AI feedback) and Umami (analytics), both based in the USA, we rely on the European Commission's Standard Contractual Clauses under Article 46(2)(c) GDPR.
  • Adequacy decision: For transfers to Paddle (United Kingdom), the European Commission has recognised the UK as providing an adequate level of data protection.

You may request more information about the applicable transfer safeguards by contacting [email protected].

7. Data Retention

We retain personal data only for as long as necessary:

  • Account data (name, email): Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Exam results and progress: Retained for the duration of your account. Deleted within 30 days of account deletion.
  • Audio recordings: Automatically deleted after 30 days, regardless of account status.
  • Subscription reference records: Retained for 7 years as required under Dutch tax and accounting law.
  • Server logs: Retained for up to 90 days for security purposes, then deleted.
  • Analytics data: Aggregated and anonymised. No individual retention period applies.

8. Your Rights Under the GDPR

You have the following rights regarding your personal data. Contact us at [email protected] to exercise them. We will respond within 30 days (extendable by 60 days for complex requests, with notice):

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Ask us to correct inaccurate or incomplete data.
  • Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations.
  • Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Objection (Art. 21): Object to processing based on our legitimate interest. We will stop unless we can demonstrate compelling grounds.
  • Restriction (Art. 18): Ask us to limit how we process your data in certain circumstances.
  • Withdraw consent (Art. 7(3)): Where processing is based on consent, withdraw it at any time without affecting prior processing.

If you are not satisfied with our response, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), Postbus 93374, 2509 AJ Den Haag, at autoriteitpersoonsgegevens.nl, or by calling +31 70 888 8500.

9. Cookies and Analytics

  • Essential cookies: We use session cookies that are strictly necessary for authentication and platform functionality. These cannot be disabled without breaking the service.
  • Analytics (Umami): We use Umami Analytics to understand traffic patterns. Umami does not use advertising or tracking cookies, does not build individual user profiles, and does not share data with third parties. It collects only anonymised, aggregated data.
  • No advertising or tracking cookies: We do not use Google Analytics, Facebook Pixel, or any third-party advertising or retargeting cookies.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. All data is encrypted in transit using TLS and encrypted at rest in our database. Access to personal data is restricted to personnel who require it to operate the service, and is subject to confidentiality obligations. In the unlikely event of a data breach that poses a risk to your rights, we will notify the Autoriteit Persoonsgegevens within 72 hours and inform affected users without undue delay.

11. Children

ExamKlaar is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please contact us at [email protected] and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make significant changes, we will notify you by email or via a notice on the platform at least 14 days before they take effect. The date at the top of this page always reflects the latest version.

13. Contact

If you have questions about this Privacy Policy or our data practices, please contact us at [email protected]. We aim to respond within 30 days.

[Legal Entity Name], [Address, City, the Netherlands]. KvK: [KvK Number].