Privacy Policy

Effective date: October 19, 2025

Welcome to DeutschExam.ai, an AI-powered German exam preparation platform for TELC A1/B1 and Goethe exams. This Privacy Policy explains how we collect, use, share, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable data protection laws.

      Our Commitment to GDPR Principles (Article 5 GDPR):
      Lawfulness, Fairness, Transparency: We process your data legally, fairly, and in a transparent manner
Purpose Limitation: We collect data for specific, explicit purposes and don't use it for incompatible purposes
Data Minimization: We only collect data that is necessary and relevant
Accuracy: We keep your data accurate and up-to-date; you can correct it anytime
Storage Limitation: We don't keep your data longer than necessary
Integrity & Confidentiality: We protect your data with appropriate security measures
Accountability: We can demonstrate our compliance with these principles

    

1. Controller (Data Controller)

The responsible party (controller) for the processing of your personal data is:

Balram Chavan
(Operating as sole proprietor)
Holsteinstr.
55118 Mainz, Germany
Email: support@deutschexam.com
Website: https://deutschexam.ai

1.1 Data Protection Officer (DPO)

Under Article 37 GDPR, we are not required to appoint a Data Protection Officer because:

We operate as a sole proprietor without large-scale systematic monitoring
We do not process special categories of personal data (e.g., health data, political opinions) on a large scale
We are not a public authority
We employ fewer than 250 persons and processing is occasional (Art. 30(5) GDPR exemption for records of processing activities)

For all data protection inquiries, you can contact the controller directly at support@deutschexam.com.

1.2 Transparency Note

DeutschExam.ai is operated by Balram Chavan as a sole proprietor side project. The controller is employed full-time in Germany and operates this service independently with all necessary permissions. This ensures:

Personal commitment to quality and user support
Direct accountability - you can contact the controller directly for any concerns
Full compliance with German data protection and business regulations

2. What Personal Data We Collect

We collect and process the following categories of personal data:

Data Minimization Principle (Art. 5(1)(c) GDPR): We only collect personal data that is necessary and relevant for the purposes outlined in this policy. We do not collect excessive or unnecessary data. For example, we do not collect your physical address unless required for billing, we do not track your precise location, and we do not request sensitive personal data (race, religion, health, political opinions, etc.).

2.1 Account and Profile Information

Identification data: Full name, email address, username
Exam details: Exam level (A1, B1), exam provider (TELC, Goethe), target exam date
Account preferences: Language preferences, notification settings
Profile photo: If you choose to upload one

2.2 Learning and Exam Progress Data

Practice activity: Questions answered, exercises completed, time spent on each section
Performance metrics: Scores, accuracy rates, progress tracking across reading, listening, writing, speaking, and grammar sections
AI-generated assessments: Automated feedback on writing and speaking exercises
Study patterns: Login frequency, learning streaks, preferred study times
Saved content: Bookmarked exercises, notes, custom study sets

2.3 Payment and Subscription Information

Billing data: Name, billing address (collected and processed by our payment processor Stripe)
Payment method: Last 4 digits of card, card brand, expiration date (we do NOT store full credit card numbers)
Transaction history: Subscription plans, payment dates, amounts, invoice numbers
Subscription status: Active, cancelled, trial period, renewal dates

2.4 Device and Technical Data

IP address: For security, fraud prevention, and geo-location (country/region level)
Browser information: Browser type, version, operating system
Device data: Device type (desktop, mobile, tablet), screen resolution
Technical logs: Error logs, access timestamps, API request logs
Session data: Authentication tokens, session duration

2.5 Communications

Support requests: Messages sent via email or in-app chat, including attachments
Survey responses: Feedback on features, satisfaction surveys
Marketing communications: Email open rates, click-through rates (only with your explicit consent)

2.6 Cookies and Similar Technologies

Essential cookies: Authentication tokens, session identifiers, security cookies
Analytics cookies: User behavior, page views, navigation patterns (only with consent)
Marketing cookies: Ad performance, campaign effectiveness (only with consent)
Local storage: User preferences, UI state, offline data caching

For detailed information, please see our Cookie Policy.

3. Purposes of Processing and Legal Bases

We process your personal data for the following purposes, based on the legal grounds specified below under GDPR Article 6:

Purpose	Legal Basis (GDPR)
Account creation and management: Register and maintain your account, authenticate users, manage your profile	Performance of contract (Art. 6(1)(b) GDPR)
Platform services: Provide access to exam preparation materials, AI-powered feedback, progress tracking, personalized learning recommendations	Performance of contract (Art. 6(1)(b) GDPR)
Payment processing: Process subscriptions via Stripe, manage billing, issue invoices	Performance of contract (Art. 6(1)(b) GDPR)
Customer support: Respond to inquiries, troubleshoot technical issues, provide assistance	Performance of contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR)
Security and fraud prevention: Protect against unauthorized access, detect suspicious activity, prevent abuse	Legitimate interests (Art. 6(1)(f) GDPR) and legal obligations (Art. 6(1)(c) GDPR)
Service improvement: Analyze usage patterns, test new features, optimize performance	Legitimate interests (Art. 6(1)(f) GDPR)
Transactional emails: Send account confirmations, password resets, subscription notifications, important service updates	Performance of contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR)
Analytics and insights: Understand user behavior, measure engagement, track conversion rates (using analytics tools)	Consent (Art. 6(1)(a) GDPR)
Marketing communications: Send promotional emails about new features, study tips, special offers (you can opt out anytime)	Consent (Art. 6(1)(a) GDPR)
Legal compliance: Comply with tax, accounting, and other legal obligations	Legal obligation (Art. 6(1)(c) GDPR)

Note on Legitimate Interests: When we process data based on legitimate interests, we have assessed that our interests (e.g., improving service quality, preventing fraud) do not override your fundamental rights and freedoms. You have the right to object to such processing at any time by contacting us.

3.1 Purpose Limitation and Data Use

Important commitment: In accordance with Article 5(1)(b) GDPR (purpose limitation principle), we will NOT use your personal data for purposes other than those explicitly listed in the table above without:

Obtaining your explicit consent for the new purpose, OR
Having a legal obligation that requires such processing, OR
The new purpose being compatible with the original purpose (we will assess compatibility based on GDPR criteria)

If we intend to process your data for a new purpose, we will inform you in advance and, where required, seek your consent.

4. Data Retention Periods

We retain your personal data only as long as necessary for the purposes outlined above:

Data Category	Retention Period
Account and profile data	Duration of your account + 30 days after deletion request (to allow for accidental deletion recovery)
Learning progress and exam data	Duration of your account or until you request deletion
Payment and transaction records	10 years after the transaction (as required by German tax and accounting laws §147 AO, §257 HGB)
Support communications	3 years after the last interaction or account closure
Technical logs and IP addresses	1 year (for security and troubleshooting purposes)
Backups	Up to 90 days (automatic deletion from backup systems)
Marketing consent records	Duration of consent + 3 years (to prove compliance)
Analytics data (anonymized)	26 months (standard retention period)

After the retention period expires, we securely delete or anonymize your data so it can no longer be associated with you.

5. Security Measures

We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it from unauthorized access, loss, or misuse, in accordance with Article 32 GDPR (Security of Processing):

5.1 Technical Security Measures

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS)
Encryption at rest: Sensitive data stored in databases is encrypted using industry-standard AES-256 encryption
Secure authentication: Passwords are hashed using bcrypt with salt; we do NOT store passwords in plain text
Secure payment processing: Payment data is handled by PCI-DSS compliant processor (Stripe); we never store full credit card numbers
Regular security updates: Servers, libraries, and dependencies are regularly patched and updated
Firewall protection: Network-level firewalls and intrusion detection systems
Regular security audits: Periodic vulnerability assessments and penetration testing

5.2 Organizational Security Measures

Access controls: Role-based access restrictions; personal data is accessed only on a need-to-know basis
Data processing agreements: All third-party processors sign GDPR-compliant data processing agreements (DPAs)
Incident response plan: Procedures in place to detect, respond to, and report data breaches within 72 hours as required by GDPR Article 33
Data minimization: We collect only the data necessary for the specified purposes
Regular backups: Automated backups with secure, encrypted storage (deleted after 90 days)

5.3 Proportionate Security

Our security measures are designed to be appropriate to the risk, taking into account:

The state of the art in security technology
The costs of implementation
The nature, scope, and purposes of processing
The risks to your rights and freedoms (e.g., identity theft, fraud, financial loss)

We regularly review and update our security measures to address new threats and vulnerabilities.

      Data Breach Notification: In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the relevant supervisory authority without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Articles 33 and 34. We maintain an incident response plan and conduct regular security drills.
    

6. Processors and Recipients

We engage carefully selected third-party service providers to help us operate our platform. All processors are bound by GDPR-compliant data processing agreements (DPAs) and are required to implement appropriate security measures:

6.1 Infrastructure and Hosting

Google Cloud Platform (GCP) / Firebase:
- Service: Application hosting, database storage (Firestore), file storage, authentication
- Location: EU region (Frankfurt and Belgium data centers where applicable)
- Data shared: All application data, user accounts, uploaded files
- Safeguards: GDPR-compliant DPA, ISO 27001, SOC 2 certified, Standard Contractual Clauses (SCCs)

6.2 Payment Processing

Stripe, Inc.:
- Service: Payment gateway, subscription management, invoice generation
- Location: USA (data may be transferred internationally)
- Data shared: Name, email, billing address, payment method (tokenized - we never see full card numbers)
- Safeguards: PCI-DSS Level 1 certified, GDPR-compliant DPA, Standard Contractual Clauses (SCCs)

6.3 Communication Services

SendGrid (Twilio):
- Service: Transactional email delivery (account confirmations, password resets, subscription notifications)
- Location: USA
- Data shared: Email address, name, email content
- Safeguards: GDPR-compliant DPA, Standard Contractual Clauses (SCCs)
Crisp:
- Service: Customer support chat (only if you choose to use it)
- Location: France (EU)
- Data shared: Name, email, chat messages, IP address
- Safeguards: GDPR-compliant DPA
- Consent required: Yes (via cookie banner)

6.4 Analytics (Consent Required)

Smartlook:
- Service: Session recording and analytics (to understand user behavior and improve UX)
- Location: EU region (data stored in EU)
- Data shared: Anonymized user interactions, page views, clicks (sensitive data like passwords is automatically masked)
- Safeguards: GDPR-compliant DPA, ISO 27001 certified
- Consent required: Yes (via cookie banner)
Google Analytics (if used):
- Service: Website traffic analysis
- Location: USA
- Data shared: IP address (anonymized), page views, referrer information
- Safeguards: IP anonymization enabled, GDPR-compliant settings, Standard Contractual Clauses
- Consent required: Yes (via cookie banner)

6.5 Content Delivery and Security

Cloudflare (if used):
- Service: CDN, DDoS protection, SSL/TLS termination
- Location: Global network with EU data centers
- Data shared: IP addresses, request logs (anonymized after 24 hours)
- Safeguards: GDPR-compliant DPA, Standard Contractual Clauses (SCCs)

6.6 AI and Language Processing

OpenAI:
- Service: AI-powered feedback on writing and speaking exercises
- Location: USA
- Data shared: Your exercise responses (anonymized where possible - no account identifiers shared in prompts)
- Safeguards: Data Processing Agreement, Standard Contractual Clauses (SCCs), OpenAI does not use API data for training models

Important: We do NOT sell, rent, or trade your personal data to third parties for their own marketing purposes.

7. International Data Transfers

Some of our service providers (e.g., Stripe, SendGrid, OpenAI) are located outside the European Economic Area (EEA) or may transfer data internationally. For such transfers, we ensure adequate protection through:

Standard Contractual Clauses (SCCs): EU Commission-approved contract terms (Decision 2021/914) that provide GDPR-level protection for data transfers to third countries (GDPR Article 46(2)(c))
Transfer Impact Assessment: We assess the laws and practices of destination countries to ensure SCCs can be effective in practice (Schrems II compliance)
Additional safeguards: Encryption in transit (TLS 1.3) and at rest (AES-256), access controls, contractual obligations for processors
Data localization preference: Where possible, we store data in EU regions (e.g., Google Cloud Frankfurt for hosting, Smartlook EU region)

Accessing transfer safeguards: You can request copies of the relevant Standard Contractual Clauses, Data Processing Agreements, and transfer impact assessments by emailing us at support@deutschexam.com with subject line "SCC Request". We will provide these within 30 days.

8. Automated Decision-Making and AI Assessments

We use automated processing and artificial intelligence to enhance your learning experience:

8.1 AI-Powered Letter and Exercise Feedback

What we do: When you submit writing or speaking exercises (e.g., letter writing practice), our AI system (powered by OpenAI) analyzes your responses and provides automated feedback on grammar, vocabulary, coherence, task fulfillment, and alignment with TELC/Goethe exam criteria
Purpose: To give you instant, personalized feedback to help you identify areas for improvement and practice more effectively
No purely automated decisions with legal effects: AI assessments are for learning and practice purposes only. They do NOT determine your eligibility for services, subscription access, or have any legal consequences. No decisions with legal or similarly significant effects (as defined in GDPR Article 22) are made solely by automated means
Human oversight and review option: Our content team regularly reviews AI feedback quality. You can always request clarification or human review of any AI assessment by contacting support at support@deutschexam.com
Your right to object: You can object to AI processing of your exercises at any time by contacting us

8.2 Personalized Study Recommendations

What we do: Based on your progress, performance, and study patterns, we may suggest exercises, topics, or study plans that could benefit you
Purpose: To optimize your study time and help you focus on areas where you need improvement
Transparency: Recommendations are clearly marked as suggestions, and you always have full control to choose your own study path

GDPR Article 22 compliance: You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. Our AI assessments do not fall into this category, but if you have concerns or questions, please contact us at support@deutschexam.com.

9. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights regarding your personal data:

9.1 Right of Access (Art. 15 GDPR)

Request a copy of all personal data we hold about you
Receive information about how we process your data (purposes, categories, recipients, retention periods)
How to exercise: Use the "Download My Data" feature in your User Profile settings, or email us at support@deutschexam.com with subject line "Data Access Request"

9.2 Right to Rectification (Art. 16 GDPR)

Request correction of inaccurate or incomplete personal data
Data Accuracy Commitment: We strive to keep your data accurate and up-to-date. If you notice any errors, please inform us so we can correct them without undue delay
How to exercise: Update your profile information directly in the app under User Profile → Edit Profile, or email us at support@deutschexam.com with subject "Data Correction Request" if you need help or need us to correct data you cannot edit yourself
Response time: We will correct verified inaccuracies within 5 business days

9.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

Request deletion of your personal data when there's no legal reason for us to continue processing it
How to exercise: Go to User Profile → Danger Zone → "Delete Account" button, or email us at support@deutschexam.com with subject line "Account Deletion Request"
Note: Some data may need to be retained for legal obligations (e.g., payment records must be kept for 10 years under German tax law). We will delete all other data within 30 days

9.4 Right to Restriction of Processing (Art. 18 GDPR)

Request that we limit how we use your data in certain circumstances (e.g., while we verify data accuracy after you contest it)
How to exercise: Email us at support@deutschexam.com with subject line "Restriction Request" and explain your reason

9.5 Right to Data Portability (Art. 20 GDPR)

Receive your personal data in a structured, commonly-used, and machine-readable format (we provide JSON, which is an open standard)
Transmit this data to another service provider where technically feasible
Covers: Account data, profile information, learning progress, exam scores, bookmarked exercises, and study statistics that you provided or that were generated based on your use of the service
How to exercise: Use the "Download My Data" feature in your User Profile (provides complete JSON export), or email us at support@deutschexam.com with subject "Data Portability Request"

9.6 Right to Object (Art. 21 GDPR)

Object to processing based on legitimate interests or for direct marketing purposes
For other objections: Email us at support@deutschexam.com with subject line "Objection to Processing"

⚠️ Special Right to Object to Direct Marketing (Art. 21(2) GDPR)
You have the absolute right to object to direct marketing at any time, free of charge. When you object, we will stop processing your data for marketing purposes immediately. This right is presented separately as required by GDPR.

How to stop marketing:

Click "Unsubscribe" in any promotional email (instant effect)
Log in → User Profile → Notification Settings → toggle marketing emails OFF
Email us at support@deutschexam.com with subject "Stop Marketing"

9.7 Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on consent (e.g., analytics cookies, marketing emails), you can withdraw consent at any time
For cookies: Click "Cookie Settings" in the footer to adjust preferences
For marketing: Click "Unsubscribe" in emails or adjust settings in your profile
Note: Withdrawal does not affect the lawfulness of processing before withdrawal

9.8 Step-by-Step: How to Exercise Your Rights

Option 1: In-App Actions (Fastest)

Download your data: Log in → User Profile → "Download My Data" button → receive JSON file
Delete account: Log in → User Profile → scroll to "Danger Zone" → "Delete Account" → confirm
Update profile: Log in → User Profile → Edit fields → Save
Cookie preferences: Scroll to footer → "Cookie Settings" → adjust categories → Save
Marketing emails: User Profile → Notification Settings → toggle marketing emails OFF, or click "Unsubscribe" in any promotional email

Option 2: Contact Us via Email

Email: support@deutschexam.com
Subject line format: "GDPR Request: [Your Request Type]" (e.g., "GDPR Request: Data Access" or "GDPR Request: Account Deletion")
Include in your email:

Your registered email address (to verify your identity)
Clear description of your request
If applicable, proof of identity (e.g., copy of ID if we need to verify for security)

Response Timeline:

We will acknowledge your request within 5 business days
We will fulfill your request within 1 month (30 days) of receipt
If your request is complex, we may extend this by an additional 2 months and will notify you with the reason for the delay

10. Right to Lodge a Complaint with a Supervisory Authority

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with a data protection supervisory authority.

Competent Authority for Rhineland-Palatinate (Mainz):

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
(The State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate)
Postfach 3040
55020 Mainz, Germany
Phone: +49 6131 208-2449
Email: poststelle@datenschutz.rlp.de
Website: https://www.datenschutz.rlp.de

Note: Users may also lodge a complaint with the supervisory authority in their country of residence or workplace if different from Germany. Find your local authority at EDPB Member List.

11. Cookies and Similar Technologies

We use cookies and similar technologies (local storage, session storage) to provide and improve our services. Our cookie practices comply with GDPR and the German Telecommunications Telemedia Data Protection Act (TTDSG), which requires prior consent for non-essential cookies.

11.1 Essential Cookies (No Consent Required - TTDSG § 25(2))

These are strictly necessary for the website to function and are exempt from consent requirements:

Authentication tokens (to keep you logged in securely)
Security cookies (CSRF protection, session security)
Session identifiers (to maintain your session state)
User preferences (language selection, UI settings)
Cookie consent preferences (to remember your choice)

Legal basis: These cookies are technically necessary to provide the service you requested (TTDSG § 25(2), GDPR Art. 6(1)(b)).

11.2 Non-Essential Cookies (Consent Required - TTDSG § 25(1))

We only use these cookies if you give us explicit consent via our cookie banner (opt-in, not pre-checked):

Analytics Cookies: Smartlook session recordings, page views, user journey tracking (helps us understand which features are useful and improve UX)
Marketing Cookies: Campaign effectiveness tracking, email open/click tracking (only if you also consent to marketing emails)

Legal basis: Your explicit consent (GDPR Art. 6(1)(a), TTDSG § 25(1)).

11.3 Managing Your Cookie Preferences

Change settings anytime: Click "Cookie Settings" in the footer to adjust or withdraw consent
Browser settings: You can configure your browser to reject all cookies (note: this will disable login and other essential features)
Effect of withdrawal: If you withdraw consent, we will stop using non-essential cookies immediately, but we cannot delete cookies already placed by third parties (you can delete these via browser settings)

Important: We use a strict opt-in approach compliant with TTDSG. Non-essential cookies are NOT activated until you explicitly consent. Rejecting cookies will not affect your ability to use core exam preparation features.

For more details, including cookie lifetimes and third-party cookie policies, see our Cookie Policy.

12. Children's Privacy

DeutschExam.ai is not directed to children under 16 years of age. We do not knowingly collect personal data from children under 16 without parental consent, as required by GDPR Article 8.

If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us immediately at support@deutschexam.com with subject line "Minor Data Removal Request" and we will delete the information promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

Notification: If we make material changes that significantly affect your rights, we will notify you via email (to the address on your account) and/or through a prominent notice in the Service at least 30 days before the changes take effect
Minor changes: For non-material changes (e.g., clarifications, updated contact details), we will update the "Effective date" at the top of this page
Your continued use: By continuing to use DeutschExam.ai after changes take effect, you accept the updated policy
Historical versions: You can request previous versions of this policy by contacting us at support@deutschexam.com

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Contact:

Balram Chavan
Holsteinstr.
55118 Mainz, Germany
Email: support@deutschexam.com
Website: https://deutschexam.ai

Response time: We aim to respond to all inquiries within 5 business days.