Skip to main content
Back to home

Privacy Policy

Last updated: 2026-04-09.

Introduction

German B1 Exam Trainer ("the service") is operated by Zeronext. This Privacy Policy explains what data we collect when you use our website and services, how we use it, and your rights regarding that data.

Data we collect

We collect and process the following data:

  • Account data: When you register, we store your email address, name, chosen exam type (Goethe or TELC B1), and exam date. We process this data on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • Progress data: Your exercise attempts, answers, scores, and completion status for each lesson. We process this data on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • Exercise issue reports: If you are signed in and use "Report a problem" on a lesson, we store your account ID, the exercise reference, a snapshot of the lesson title, your chosen category, and any optional text you provide, so we can review content and fix mistakes. We process this data on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • Avatar: If you upload a profile photo, it is stored and linked to your account. We process this data on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • Speaking and writing: When you use the Sprechen (speaking) or Schreiben (writing) modules, your audio recordings and written text are sent to our AI provider to generate feedback. This data is processed solely for that purpose. We process this data on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • AI usage logs and rate limiting: For Sprechen and Schreiben AI features, we log user IDs, timestamps, and call counts to enforce rate limits and prevent abuse. We process this data on the legal basis of legitimate interest (Art. 6(1)(f) GDPR) in platform stability, security, and abuse prevention.
  • Abuse protection (IP-based request limits): For certain public actions (e.g. support form submission, account sign-up, password login), we derive a client IP from platform-controlled request headers and store short-lived counters in our infrastructure (Upstash Redis) to limit excessive requests. We do not use this for marketing profiling. We process this data on the legal basis of legitimate interest (Art. 6(1)(f) GDPR) in security, fraud prevention, and service availability.
  • Abuse protection (per-user report limits): For signed-in "Report a problem" submissions, we store short-lived counters in our infrastructure (Upstash Redis) keyed to your user ID to limit excessive reports. We process this data on the legal basis of legitimate interest (Art. 6(1)(f) GDPR) in security, fraud prevention, and service availability.
  • Website analytics: When we enable Cloudflare Web Analytics on our production deployment, Cloudflare collects aggregate traffic information (e.g. page views, referrers, and coarse technical information such as device type and country) to help us understand how the site is used. This product is designed to work without analytics cookies and without building individual profiles for advertising. We process this data on the legal basis of legitimate interest (Art. 6(1)(f) GDPR) in operating and improving our website. Details are described in Cloudflare's documentation and privacy policy.

How we use it

We use your data to deliver the service: to personalise your experience (e.g. showing exercises for your chosen exam type and suggesting the next lesson), to provide AI-based feedback on speaking and writing, to process payments for the Pro subscription, and to send service emails (welcome email after signup, exam date reminder emails, and a one-time follow-up after your recorded exam date). We do not sell your data to third parties.

Legal basis for processing

For transparency, we summarise the legal basis (Art. 6 GDPR) for each type of processing:

  • Art. 6(1)(b) — contract performance: Account, progress, avatar, payments, AI feedback, session cookies, local storage, and service emails (welcome, exam reminders, post-exam follow-up).
  • Art. 6(1)(f) — legitimate interest: AI usage logs, rate limiting, IP-based abuse prevention (including Upstash counters for selected public endpoints), per-user limits on exercise issue reports (Upstash counters), and (where enabled) privacy-preserving website analytics via Cloudflare (aggregate usage; not used for advertising profiling).
  • Art. 6(1)(a) — consent: Non-essential cookies or tools where we explicitly ask for your consent (e.g. optional marketing or advanced tracking), if we add them in the future.

Third parties

We rely on the following service providers, each of which has its own privacy policy:

  • Supabase: Authentication, database, and file storage (e.g. avatars, audio files). Processed on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • Stripe: Payment processing for Pro subscriptions. Processed on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • OpenAI: Whisper for speech-to-text and GPT for evaluating and correcting your writing and speaking. Your audio and text are sent to OpenAI solely to generate feedback. Per OpenAI's API data usage policy, OpenAI does not use API data for model training, and your data is not retained by OpenAI for training purposes. Processed on the legal basis of contract performance (Art. 6(1)(b) GDPR).
  • Cloudflare: Content delivery and security for our website, and (where we turn it on) Web Analytics for aggregate, privacy-oriented usage metrics. Web Analytics is processed on the legal basis of legitimate interest (Art. 6(1)(f) GDPR). See Cloudflare's privacy policy.
  • Upstash: Managed Redis used to enforce short-lived, per-IP request limits on selected public endpoints (abuse prevention). Processed on the legal basis of legitimate interest (Art. 6(1)(f) GDPR). See Upstash's privacy policy.

We recommend reviewing their privacy policies for details on how they process data.

International transfers

Data may be transferred to the United States or other regions where Supabase, OpenAI, Stripe, Cloudflare, and Upstash may process it (including Web Analytics when that feature is enabled for our site, and Redis-backed abuse counters). We ensure appropriate safeguards: Standard Contractual Clauses (SCCs) approved by the European Commission per Art. 46(2)(c) GDPR, and where applicable, the EU-US Data Privacy Framework (DPF) under the adequacy decision of July 2023 (Art. 45 GDPR). Stripe, OpenAI, and Cloudflare are certified under the DPF. You may request a copy of the relevant safeguards by contacting us at the email below.

Cookies and local storage

We use session and authentication cookies so you can stay logged in. If you use the service without an account (guest mode), we store your progress in your browser's local storage so you can continue later or import it when you sign up. This is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR). We do not use tracking or advertising cookies. When Cloudflare Web Analytics is enabled on our deployment, it is designed to operate without analytics cookies; see Cloudflare's documentation for what their beacon sends.

Retention

We keep your account and progress data for as long as your account is active. If you delete your account or request deletion, we will remove or anonymise your data within a reasonable period (e.g. 30 days), except where we must retain it for legal or regulatory reasons. Where Web Analytics is enabled, related metrics are retained according to Cloudflare's policies (see their privacy policy).

Your rights

If you are in the EEA, you have the following rights under the GDPR:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (Art. 17)
  • Right to restriction of processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object (Art. 21)
  • Right not to be subject to solely automated decisions (Art. 22)
  • Right to lodge a complaint with the Autoriteit Persoonsgegevens

To exercise these rights, contact us at the email below.

Contact

For privacy-related questions or requests: [email protected].

Changes

We may update this Privacy Policy from time to time. The current version will always be on this page. For material changes, we may notify you by email or through the service where appropriate.