← Home

Privacy Policy

Last updated: June 2026

AceMark ("AceMark", "we", "us") is a practice-test platform operated by AceMark, based in India, for a global audience with most users in the United States and additional users in the UK, EU, India, and Canada. This policy explains what personal data we collect, why, how long we keep it, who receives it, and the rights you have. We aim for plain English. The governing law for this policy is India; we also honour the rights described below for users in the EU/EEA, UK, and California.

Data we collect

When you sign in with Google: your name, email address, profile picture URL, and Google account ID. Google handles authentication; we never see your password.

When you take a practice test (including as a guest): the test, your score, time taken, per-topic accuracy, and your answers. No keystroke logging, no screen recording. Guest (no sign-in) attempts are kept on your own device; only signed-in attempts are stored on our servers against your account.

When you submit feedback or contact us: the message text, optionally your email, and which page you were on.

When you use AI features (Mentor/Coach study plans, in-app explanations, feedback auto-replies): see "AI features and your data" below.

When you visit any page: your approximate country (derived from your IP address by our hosting partner), the page URL, and standard server access logs (retained ~30 days for debugging and abuse prevention). We do not retain raw IP addresses in our own application database; our hosting partner processes IP addresses under its own policy.

Cookies and similar technologies: see "Cookies" below.

AI and language-model features

Some AceMark features you choose to use — the Mentor chat, study-plan generation, in-app answer explanations, and feedback replies — send the specific inputs you provide to third-party large language model (LLM) providers at the moment you use them, so the feature can respond. These features are optional and user-initiated: nothing is sent to an LLM unless you trigger one of them. We send only the inputs the feature needs — never your name, email address, or account ID — and, where a provider offers a setting to exclude submitted data from training its models, AceMark enables it. The current providers are listed at acemark.app/data-processors. The rest of the app — practising, scoring, and viewing pre-generated content — works without sending anything to an LLM.

Feature by feature, this is what is sent:

  • Mentor / Coach study plans — when you generate a study plan, we send the exam title, your overall score, and your weak/strong topic names and accuracy percentages to an LLM provider to draft the plan. We do not send your name, email, or account ID.
  • In-app explanations — relevant question and answer context is sent to draft an explanation.
  • Feedback auto-replies — your feedback text may be sent to an LLM to draft a reply.
  • Marketing content — generated from non-personal prompts.

AI-assisted features (such as draft study plans) may process the inputs you provide via third-party AI infrastructure providers. The current list is published at acemark.app/data-processors. Each provider processes your prompt under its own terms; where a provider offers a setting to exclude submitted data from model training, AceMark uses it.

Cookies

  • Essential — one session cookie when you sign in (NextAuth, httpOnly, Secure, ~30-day expiry). Required to keep you logged in; cannot be switched off.
  • Advertising — AceMark does not serve third-party ads and sets no advertising cookies.
  • We do not run our own analytics cookies.

Why we collect it (legal bases)

PurposeWhat we doGDPR legal basis
Provide the serviceSave attempts, show progress, deliver country-specific examsContract
Improve the platformSee popular/failing exams, country-level demandLegitimate interest
CommunicateNotify on subscribed exams, reply to feedbackConsent or contract
Prevent abuseRate-limit, block spam, investigate misuseLegitimate interest

For users in India, the lawful basis under the DPDPA 2023 is generally your consent (or a permitted "legitimate use"); the bases in the table above are framed for EU/EEA users.

How long we keep it

DataRetention
Profile + attempts (active account)Until you delete your account
After account deletionUser row and dependents removed within seconds; fully purged within 30 days
Feedback / search records after deletionRetained but anonymised (name + email stripped)
Server access logs~30 days
Email delivery logs (Resend)Per Resend's retention policy
LLM provider request logsPer each provider's policy

Who we share it with

We do not sell your personal data for money. We share data with the third-party processors listed at acemark.app/data-processors — hosting, database, email delivery, sign-in, and AI-assisted features — only as needed to deliver the service, under contracts that meet GDPR / DPDPA / CCPA requirements.

We will only disclose data to a government or law-enforcement body in response to a lawful request with valid jurisdiction.

Your rights

We honour the rights below for all users regardless of location:

  • Access / portability — download a complete JSON copy of your data, self-service at acemark.app/data-request.
  • Deletion / erasure — permanently delete your account and personal data, self-service at the same page.
  • Correction — fix anything wrong (email us).
  • Object / restrict / withdraw consent — for any processing based on consent or legitimate interest.
  • Opt out of "sale"/"share" and targeted advertising (California and similar US states) — AceMark does not serve targeted advertising and does not sell or share your personal data for money.
  • Non-discrimination — we will not penalise you for exercising any right.
  • Complain — to your local authority. EU/EEA: find yours via edpb.europa.eu. India: the Data Protection Board of India. UK: the ICO.

How to exercise rights: signed-in users use /data-request. If you are signed out or your request needs manual handling, email privacy@acemark.app; we may need to verify your identity. We respond within 30 days (often within 3 business days).

International transfers

We are based in India; our infrastructure and several processors are in the US. Your data is therefore transferred internationally. For EU/EEA/UK users we rely on the appropriate safeguards offered by each processor (such as Standard Contractual Clauses or Data Privacy Framework participation). Email privacy@acemark.app for details.

Data breaches

If a personal-data breach occurs, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (GDPR Art. 33), and the Data Protection Board of India as required under the DPDPA 2023. Where a breach is likely to result in a high risk to you, we will notify you without undue delay (GDPR Art. 34). Report suspected security issues to security@acemark.app.

Children

AceMark accounts are not directed at children under 13 (US, COPPA), and parts of the EU set the age of consent for data processing at 16. If we learn that a child below the applicable age created an account, we delete it. Parents or guardians can flag an account at privacy@acemark.app. In India, the DPDPA 2023 treats anyone under 18 as a child requiring verifiable parental consent. When you create an account we ask you to confirm your age and block under-13 sign-ups, and a parent or guardian can manage a minor's account on their behalf. AceMark serves no advertising of any kind, so no ads — personalised or otherwise — are shown to anyone.

Changes to this policy

If we change anything material, we update the "Last updated" date and, for signed-in users, show a notice on next visit. Minor wording fixes don't trigger a notice.

Contact

Privacy: privacy@acemark.app · Security: security@acemark.app · General feedback: the feedback button on every page.