examnomad.
Tilmeld

Privacy Policy

Last updated: 19 May 2026

1. Who we are

ExamNomad ("ExamNomad", "we", "us") is the operator of this website and the related practice platform. We can be reached at [email protected]. For users in the EU/UK, the controller within the meaning of the GDPR is ExamNomad. For users in Türkiye, the data controller within the meaning of KVKK Article 3 is ExamNomad.

2. What we collect

  • Account data: name, email address, country code, UI language, bcrypt-hashed password.
  • Subscription data: Stripe customer ID, plan, billing period, invoice metadata. We never see or store your card number; Stripe holds it.
  • Usage data: practice sessions (questions answered, scores, time spent), vocabulary you save, AI feature usage counts and costs.
  • AI inputs: when you press "Translate" or "AI explain", the question text + your selected answer are sent to OpenAI. We do not send your name or email. Audio recordings for speaking practice are sent to OpenAI Whisper for transcription and deleted from our servers immediately after.
  • Audit log: security-relevant events (login, password reset, plan change) with IP address.

3. Why we process it (legal bases · GDPR Art. 6 / KVKK Art. 5)

  • Contract: running your account and the practice platform.
  • Legitimate interest: preventing abuse, debugging, improving service quality.
  • Consent: optional product updates by email; you can withdraw at any time.
  • Legal obligation: tax and accounting records related to paid subscriptions.

4. Sub-processors

  • Railway — application hosting + PostgreSQL + Redis (EU/US regions).
  • Stripe — payment processing.
  • OpenAI — chat, embeddings, Whisper STT, TTS for AI features.
  • Yandex SMTP — outbound transactional email (verify address, password reset, invoices).
All sub-processors are bound by data-processing terms. Cross-border transfers from the EU/UK rely on Standard Contractual Clauses.

5. How long we keep it

  • Active accounts: as long as your account exists.
  • Hard-deleted accounts: 30 days in encrypted backups, then irreversibly removed.
  • Invoices: 10 years for tax compliance after account deletion.
  • Audit log: 180 days for security investigation.

6. Your rights

Under GDPR (EU/UK) and KVKK (Türkiye) you have the right to access, rectify, port, restrict, object to processing of, and delete your personal data. We respond within 30 days.
Self-service inside ExamNomad:
  • Export your data as JSON from Settings → Data & privacy
  • Delete your account permanently from the same page (irrevocable after 30 days).

7. Cookies

We use the minimum cookies needed for ExamNomad to function:
  • authjs.session-token — keeps you signed in. Strictly necessary, exempt from consent under GDPR.
  • en-consent — remembers your cookie banner choice.
We do not use third-party advertising cookies or trackers.

8. Children

ExamNomad is intended for users 13 and over. If you believe a younger child has registered, email [email protected] and we will remove the account.

9. Complaints

EU/UK users can complain to their local supervisory authority. Türkiye users can complain to KVKK Kurulu (kvkk.gov.tr).

10. Changes

We will publish material changes on this page and notify subscribed users by email at least 14 days before they take effect.