Skip to main content
CloudCertPrep

Legal

Privacy Policy

GDPR-compliant, EU-hosted, no data sold. Guest users generate no personal data.

Last updated: June 2026

Data Controller

CloudCertPrep is operated by Alex Santonastaso (the "Data Controller") based in the United Kingdom. For any data protection enquiries, contact us at alex@cloudcertprep.io.

What data we collect

We only collect data when you create an account. Guest users generate no personal data on our servers.

  • - Email address: used to identify your account and send password reset emails.
  • - Practice history: the questions you answered, whether you got them right, and when. Used to power spaced repetition and track your domain mastery.
  • - Exam attempts: your scores, timing, and domain breakdowns from practice exams. Used to display your History page.

Signing in with Google

When you sign in with Google, CloudCertPrep receives your email address, your name, and your profile picture URL from Google. We do not request any other Google data, and we do not store your Google access or refresh tokens.

Bot protection (Cloudflare Turnstile)

Our sign-in, sign-up, and password-reset forms use Cloudflare Turnstile, a privacy-preserving CAPTCHA alternative, to block automated abuse. Turnstile runs a challenge in your browser and may read signals such as your IP address and browser characteristics to tell humans from bots. It does not use tracking cookies and is not used to profile you or serve ads. The challenge token is sent to our authentication provider (Supabase) for one-time server-side verification and is then discarded.

Legal basis for processing

Under GDPR, we process your data under the following lawful bases:

  • - Contract performance: processing your account data and study progress is necessary to provide the service you signed up for.
  • - Legitimate interests: we use anonymised, aggregated analytics (Umami) to understand how the app is used and improve it. This does not identify you personally.

How we use your data

Your data is used entirely to improve your study experience:

  • - Personalising which questions appear in Domain Practice sessions (spaced repetition)
  • - Showing your domain mastery progress on the certification landing page
  • - Displaying your exam attempt history

We do not use your data for advertising, profiling, or any purpose beyond running the app.

Data retention

We retain your account data for as long as your account is active. If you request deletion, we will remove all your personal data within 30 days. Anonymised, aggregated statistics (e.g., total exams passed) may be retained indefinitely as they cannot identify you.

We will never sell your data

Your data is never sold, shared with third parties for marketing, or used for any commercial purpose. This is a free tool built for learners, not a data business.

Where data is stored

Authentication and database are handled by Supabase, hosted on AWS infrastructure in the EU West region (Ireland). All data is encrypted at rest and in transit. Your data does not leave the European Economic Area.

Your rights under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • - Right of access: request a copy of your personal data
  • - Right to rectification: request correction of inaccurate data
  • - Right to erasure: request deletion of your data ("right to be forgotten")
  • - Right to data portability: receive your data in a structured, machine-readable format
  • - Right to object: object to processing based on legitimate interests

To exercise any of these rights, email alex@cloudcertprep.io. We will respond within 30 days.

Right to complain

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). Visit ico.org.uk/make-a-complaint for more information. If you are in the EU/EEA, you may also complain to your local supervisory authority.

Cookies and local storage

We use browser local storage to:

  • - Keep your authentication session active
  • - Remember your theme preference (light or dark mode)

We do not use any tracking cookies. Our analytics (Umami) is cookieless, so the site sets no analytics or advertising cookies at all.

Analytics

We use a single, privacy-friendly analytics tool, and it requires no consent banner because it sets no cookies:

  • - Umami (cookieless, no consent required): an open-source, privacy-focused analytics tool. Umami sets no cookies, collects no personally identifiable information, and does not track users across sites. We use it under the GDPR "legitimate interests" basis to understand which pages are visited and which features are used. You cannot opt out of Umami because it does not identify you in the first place.

Changes to this policy

If we make material changes, we will update the "last updated" date at the top of this page. Continued use of the app after changes constitutes acceptance.

Questions? Email alex@cloudcertprep.io or read our Terms of Service.