← Home

Privacy Policy

Last updated: May 2026

AceMark ("we", "us") is an independent practice-test platform run from India for a global audience. This policy describes what personal data we collect, why we collect it, how long we keep it, and the rights you have over it. We try to be plain-English.

Data we collect

When you sign in with Google: your name, email address, profile picture URL, and your Google account ID. We store these in our database and use them as your identity inside AceMark. Your password is never seen by us — Google handles authentication.

When you take a practice test: the test you took, your score, time taken, per-topic accuracy, and what you answered. No keystroke logging, no screen recording.

When you submit feedback or contact us: the message text, optionally your email, and which page you were on.

When you visit any page: your country (derived from your IP by our hosting provider — we never see the IP), the page URL, and standard server access logs that are retained for 30 days for debugging and abuse prevention.

Cookies: we set one session cookie when you sign in (NextAuth, httpOnly, Secure, 30-day expiry). Our ad partner (Google AdSense) sets advertising cookies if you've consented to them on a page that shows ads. We don't run our own analytics cookies.

Why we collect it

Provide the service — show you your progress, save your attempts, deliver the right country-specific exams. Legal basis: contract (you agreed when you signed in).

Improve the platform — see which exams are most requested, which questions are failing too often (a likely sign of a bad question), where users come from at a country level. Legal basis: legitimate interest.

Communicate with you — email you when an exam you subscribed to goes live, respond to feedback. Legal basis: consent (you opted in) or contract.

Prevent abuse — rate-limit requests, block spam, investigate misuse. Legal basis: legitimate interest.

How long we keep it

While your account exists, we keep your profile and attempts indefinitely so your progress survives. If you delete your account, we delete this data within 30 days (it's usually instant — see below). Server logs are retained 30 days. Feedback you've submitted is retained even after account deletion but anonymised — your name and email are stripped.

Who we share it with

We don't sell your data. We share it with service providers only as needed to run the service:

  • Vercel (hosting). Your requests transit Vercel servers. They see IP and edge metadata; we never store IPs ourselves.
  • Railway (database hosting). Stores the PostgreSQL database with the data described above. Snapshots are encrypted at rest.
  • Upstash (background queue + rate-limit counters). Sees only ephemeral message metadata.
  • Anthropic (the AI provider behind PrepFeed). When the auto-generation pipeline builds a new exam from a missing-search query, the query text is sent to Anthropic. We send only the query — no user identity.
  • Google (OAuth sign-in, fonts, AdSense). Google sees that you signed in via AceMark and serves ads per their own policy.

We never sell your email, your test scores, or any other personal data. We will only respond to a lawful government request with valid jurisdiction.

Your rights

Depending on where you live, you have some or all of these rights. We honour them globally regardless of jurisdiction:

  • Access — download a complete copy of your data. Self-service: acemark.app/data-request
  • Deletion — permanently delete your account and personal data. Self-service via the same page.
  • Correction — fix anything that's wrong. Email us at the address below.
  • Object / restrict / withdraw consent — ask us to stop processing in a particular way. Email us.
  • Complaint — if you believe we're not honouring your rights, you can complain to your local data protection authority. In the EU/EEA, find yours via edpb.europa.eu.

International transfers

We're based in India. Our infrastructure runs in the US (Vercel edge, Railway). Some of your data is transferred internationally. We rely on Standard Contractual Clauses with our vendors. If you're in the EU/EEA/UK and would like a copy of those clauses, email us.

Children

AceMark is not directed at children under 13 (or 16 in some jurisdictions). If we learn that a child under that age has created an account, we'll delete it. If you're a parent and want to flag an account, email us.

Changes to this policy

If we change anything material, we'll update the "Last updated" date at the top and, if you're signed in, show a notice the next time you visit. Minor wording fixes don't trigger a notice.

Contact

Privacy questions: privacy@acemark.app. Security issues: security@acemark.app. General feedback: the feedback button in the corner of every page.