Privacy Policy

Last updated: April 8, 2026

NerdExam ("we," "our," or "us"), a service operated by WADL Solutions Limited, a company incorporated in Hong Kong (CR# 80143234), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and protect your information when you use our website and services.

1. Information We Collect

We collect information you provide directly: name, email address, and profile information via Clerk authentication (email, Google, or GitHub sign-in). We also collect usage data including practice session scores, bookmarks, and study progress. Payment information is processed exclusively by Stripe; we never store card numbers.

2. How We Use Your Information

We use your information to: provide and improve our services, track your study progress and analytics, process payments, send transactional emails (purchase confirmations, password resets), and communicate product updates (with your consent). We do not sell your data to third parties.

2.1 Lawful Basis for Processing (GDPR)

For users subject to the EU General Data Protection Regulation (GDPR), we process personal data on the following lawful bases under Article 6: (a) Contract - to provide the services you have purchased, including account management, exam access, and payment processing; (b) Legitimate Interests - to improve our services, prevent fraud, maintain security, and analyze aggregate usage patterns; (c) Consent - for optional marketing communications and non-essential communications; (d) Legal Obligation - to comply with applicable laws, including tax, accounting, and consumer protection requirements.

2.2 International Data Transfers

As a Hong Kong-based company serving users globally, your personal data may be transferred to and processed in countries outside your country of residence, including the United States (where several of our sub-processors operate) and other regions. Where such transfers occur from the European Economic Area, United Kingdom, or Switzerland, we rely on appropriate safeguards under GDPR Articles 44-49, including: Standard Contractual Clauses (SCCs) approved by the European Commission, and adequacy decisions where applicable. Our sub-processors (Clerk, Supabase, Stripe, PayPal, Resend, Cloudflare) maintain their own GDPR-compliant transfer mechanisms. You may request a copy of the relevant safeguards by contacting [email protected].

3. Data Storage & Security

Your data is stored securely using Supabase with Row Level Security (RLS) ensuring each user can only access their own data. We use zero-trust architecture with Clerk authentication. All data is transmitted over HTTPS with 256-bit encryption.

4. Third-Party Services

We use the following third-party services: Clerk (authentication), Supabase (database), Stripe (payments), PayPal (payments), Resend (transactional emails), and Cloudflare (CDN and security). Each service has its own privacy policy.

4.1 GDPR Rights (EU/EEA Users)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR): (a) right of access to your personal data; (b) right to rectification of inaccurate data; (c) right to erasure ("right to be forgotten"); (d) right to restriction of processing; (e) right to data portability; (f) right to object to processing; (g) right to withdraw consent at any time; (h) right to lodge a complaint with a supervisory authority in your country of residence or place of alleged infringement. To exercise these rights, contact [email protected].

4.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA): (a) right to know what personal information is collected; (b) right to delete personal information; (c) right to opt out of the sale of personal information (we do not sell personal information); (d) right to non-discrimination for exercising your privacy rights. To exercise these rights, contact [email protected].

5. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. You can control cookie settings in your browser.

6. Your Rights

You have the right to: access your personal data, correct inaccurate data, delete your account and all associated data, export your data, and opt out of marketing communications. To exercise these rights, visit Settings or contact [email protected].

7. Data Retention

We retain your data for as long as your account is active. When you delete your account, all personal data is permanently removed within 30 days. Anonymized usage statistics may be retained for analytics.

8. Hong Kong PDPO

Under the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486), you have the right to request access to and correction of your personal data held by us. Requests should be sent to [email protected]. We aim to respond within 40 days of receiving a valid request, as required by the PDPO.

9. Data Controller and Contact

The data controller responsible for your personal data is WADL Solutions Limited, a company incorporated in Hong Kong (CR# 80143234), with registered office at Unit 2904-05, 29/F, Universal Trade Centre, 3 Arbuthnot Road, Central, Hong Kong. For privacy-related questions, to exercise your rights, or to raise any concerns, contact [email protected].