Cruxprep
Privacy Notice
Last updated: May 2026
This Privacy Notice describes how Cruxprep ("Cruxprep", "we", "us") collects, uses, shares, and protects personal data when you use our study companion service (the "Service"). Cruxprep acts as the data controller for personal data processed in connection with your use of the Service.
1. Personal data we collect
- Account data: email address, hashed password, account preferences.
- Study data: exam date, weekly hour goals, timer sessions, topic progress, confidence ratings, quiz and mock-exam results, notes you write.
- Support messages: anything you send us through in-app or email support.
- Usage and device data: basic telemetry such as pages viewed, feature interactions, browser and device type, and IP address (used for security and abuse prevention).
- Payment data: processed by Paddle (see "Sharing" below). We receive a confirmation that you have an active subscription, the plan, the renewal date, and an internal identifier — we do not see or store your card details.
2. Why we use your data
- To create and operate your account (contract performance).
- To provide and personalise the study tools (contract performance).
- To prevent fraud, abuse, and security incidents (legitimate interests).
- To improve the Service and fix bugs (legitimate interests).
- To respond to your support requests (contract performance).
- To send essential service emails such as verification, billing, and security alerts (contract performance, legal obligation).
- To comply with applicable laws and respond to lawful requests (legal obligation).
3. Sharing
We share personal data only with:
- Hosting and infrastructure: our managed cloud platform, which stores the database, runs the backend, and serves the application.
- Paddle (Merchant of Record): for sale of paid plans, subscription management, payments, tax compliance, invoicing, and refunds. Paddle is the data controller for payment data it collects directly from you at checkout.
- Email delivery: our transactional email provider, used to send verification codes, billing receipts, and service notices.
- Professional advisers: legal, accounting, or compliance advisers where strictly necessary.
- Authorities: where we are required to disclose by law or valid legal process.
We do not sell your personal data and do not share it for cross-context behavioural advertising.
4. International transfers
Some of our service providers may process data outside your country of residence, including in the United States and the European Economic Area. Where data leaves the UK or EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or adequacy decisions.
5. Retention
We keep account and study data for as long as your account is active. If you delete your account, we delete or anonymise your data within a reasonable period, except where we must keep records to meet legal, accounting, or fraud-prevention obligations (for example, billing records kept by Paddle).
6. Your rights
Depending on your location, you may have the right to access, correct, delete, restrict, or port your personal data, to object to processing based on legitimate interests, and to withdraw consent where processing is based on consent. UK and EEA residents may also lodge a complaint with their local data-protection supervisory authority. We respond to verified rights requests within one month.
To exercise any of these rights, contact us through the in-app support flow or by replying to any account email we send you.
7. Security
We use appropriate technical and organisational measures to protect personal data, including encryption in transit, encryption at rest for the database, hashed passwords, role-based access to production systems, and audit logging. No system is perfectly secure, so we encourage you to use a strong, unique password and keep your email account secure.
8. Cookies and similar technologies
We use only essential cookies and local-storage entries needed to keep you signed in, remember your preferences, and run the Service. We do not use advertising cookies. If we add analytics or other non-essential cookies in future, we will update this notice and ask for your consent where required.
9. Children
The Service is intended for adults preparing for the CFA exam and is not directed at children under 16. We do not knowingly collect data from children.
10. Changes
We may update this Privacy Notice from time to time. We will notify you of material changes by email or in-app notice and update the "Last updated" date above.
11. Contact
For privacy questions, data-rights requests, or to report a concern, reach us through the in-app support flow or by replying to any account email we send you.