PrepCCAT

Privacy Policy

Effective date: 30 March 2026

1. Data Controller

The data controller for personal data collected through this website ("Service") is RM SOFTWARE LTD, a company registered in England and Wales ("we", "us", "our"). For any privacy-related enquiries, contact us at [email protected].

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: your name and email address, obtained from your third-party authentication provider (Google) when you sign in.
  • Usage data: test results, practice history, and performance metrics generated through your use of the Service.
  • Transaction data: if you make a purchase, our payment processor (Stripe) handles the transaction. We receive and store only a payment reference identifier and your payment status. We never receive, process, or store your payment card details.
  • Technical data: data automatically transmitted by your browser when you access the Service, such as IP address, browser type, and referring URL. This data is processed by our infrastructure providers and is not stored by us in an individually identifiable form.

3. Lawful Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract (Art. 6(1)(b)): processing necessary to provide the Service to you, including account creation, delivering test content, and recording your results.
  • Legitimate interest (Art. 6(1)(f)): processing necessary for the security, maintenance, and improvement of the Service, including fraud prevention and abuse detection.
  • Legal obligation (Art. 6(1)(c)): processing required to comply with applicable laws, such as financial record-keeping obligations.

4. How We Use Your Data

We use your personal data exclusively to:

  • Authenticate your identity and operate your account.
  • Provide the Service, including displaying your test history and progress.
  • Verify your payment status and grant access to paid features.
  • Facilitate transactional communications (e.g. payment receipts) via our payment processor.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations.

We do not sell, rent, or trade your personal data. We do not use your data for advertising, profiling, or marketing purposes.

5. Third-Party Processors

We engage a limited number of third-party service providers to operate the Service. These processors act on our instructions and are contractually bound to process your data only for the purposes we specify. Categories of processors include:

  • Authentication provider — to verify your identity via third-party sign-in.
  • Cloud infrastructure provider — for hosting, data storage, and authentication services.
  • Payment processor — for processing transactions securely. Subject to its own privacy policy and PCI DSS compliance obligations.
  • Content delivery network — for serving the website. May process anonymised request metadata.

We do not share your personal data with any third party for their own independent purposes.

6. International Data Transfers

Your personal data may be transferred to and processed in countries outside the United Kingdom, including the United States, where our infrastructure providers operate. Where such transfers occur, we ensure appropriate safeguards are in place in accordance with UK GDPR, which may include reliance on adequacy decisions, standard contractual clauses, or other approved transfer mechanisms.

7. Data Retention

We retain your account data and usage data for as long as your account remains active. If you request deletion of your account, we will erase your personal data within 30 days, except where retention is required by law (for example, financial records must be retained for a minimum of 6 years under UK tax legislation). Transaction data associated with purchases may be retained for the duration required by applicable financial regulations.

8. Your Rights

Under UK GDPR, you have the following rights with respect to your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure — request deletion of your data where there is no compelling reason for continued processing.
  • Restriction — request that we restrict processing of your data in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.

To exercise any of these rights, email [email protected]. We will respond to your request within one month, as required by law.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection.

9. Children

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16 without appropriate consent, we will take steps to delete that data promptly.

10. Cookies and Local Storage

The Service does not use tracking cookies, advertising cookies, or analytics cookies. We use browser local storage solely to store authentication tokens on your device. These tokens are transmitted only to authenticate your requests to our servers and are not shared with any third party.

11. Automated Decision-Making

The Service performs automated scoring of test responses. This scoring is based solely on objective comparison of your answers against predetermined correct answers. No profiling or automated decision-making with legal or similarly significant effects is carried out on the basis of your personal data.

12. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit, secure authentication mechanisms, and access controls. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this page indicates when the policy was last revised. Where changes are material, we will use reasonable efforts to notify you (for example, by email or by a prominent notice on the Service). Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

14. Contact

For any questions, concerns, or requests relating to this Privacy Policy or our data processing practices, contact us at: [email protected]