§02 · Legal · Privacy Policy · v2026-05-17

Privacy Policy

Last updated 2026-05-17. This Privacy Policy describes how ccaf.ai collects, uses, and shares information when you use our Service. It applies alongside our Terms of Service.

§1 Information we collect

We collect only what we need to operate the Service:

  • Account data — your email address and password hash, stored and managed by Clerk Authentication on our behalf.
  • Payment data — your payment method, billing address, and transaction history, processed and stored by Stripe, Inc. We receive only a tokenized customer ID, payment status, and the last four digits of the card (for receipts). We never see your card number.
  • Exam data — your mock exam attempts, selected answers, flag state, timestamps, raw and scaled scores, and per-domain breakdown. Stored in our Postgres database (Neon).
  • Device fingerprint — a stable hash of your browser's configuration (computed by FingerprintJS, open-source) and your User-Agent string. Stored per account for forensic purposes only, as described in the Terms § Enforcement.
  • Technical logs — server-side request logs (timestamp, route, response status), retained for up to 30 days for operational purposes.

We do not collect: contact lists, biometric data, precise geolocation, advertising identifiers, or any data from children under 16.

§2 Why we collect it (legal basis)

For users in the EEA, UK, and similar jurisdictions, our legal bases are: contract (to provide the Service you signed up for), legitimate interests (fraud prevention, content protection via watermarking/fingerprinting, service improvement), and legal obligation (payment record-keeping). We do not rely on consent for essential cookies, but we do for optional analytics where applicable.

§3 Third-party processors

The Service relies on the following processors, who are contractually bound to handle your data only as needed to provide their service to us:

  • Clerk (authentication) — clerk.com
  • Stripe (payments) — stripe.com
  • Neon (database hosting) — neon.tech
  • Vercel (application hosting) — vercel.com
  • FingerprintJS open-source (browser fingerprinting) — runs entirely in your browser; only the resulting hash is sent to our server.

§4 Cookies

We use the minimum set of cookies needed to run the Service:

  • Essential — session cookies set by Clerk and Stripe to keep you signed in and to prevent payment fraud. These cannot be disabled without breaking the Service.
  • Preferences — a localStorage entry (not technically a cookie, but disclosed here for completeness) recording whether you accepted our cookie banner.

We do not use advertising or third-party analytics cookies. If we add analytics later (e.g., privacy-respecting tools like Plausible or Vercel Analytics with IP anonymization), we will update this section and re-prompt consent where required by law.

§5 Data retention

We keep your account data, exam attempts, and payment records for as long as your account is active. After account deletion, we retain payment records for the period required by tax and accounting law (typically 7 years) and delete all other personal data within 30 days. Server logs are rotated out after 30 days.

§6 Sharing

We do not sell your personal data. We share data only with the processors listed in Section 3, and we may disclose information when required by law, subpoena, or to protect the rights, property, or safety of ccaf.ai, our users, or others.

§7 International transfers

Our processors operate primarily in the United States. Where data is transferred from the EEA, UK, or Switzerland to the United States, transfers rely on the Standard Contractual Clauses or equivalent safeguards offered by each processor.

§8 Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and associated data.
  • Export your data in a portable format.
  • Object to or restrict processing based on our legitimate interests.
  • Withdraw consent for any processing that relied on it.
  • Lodge a complaint with a supervisory authority in your country (EEA/UK), or under CCPA (California) with the California Privacy Protection Agency.

To exercise any of these rights, email info@ccaf.ai from the address associated with your account. We will respond within 30 days.

California residents (CCPA/CPRA): in the preceding 12 months we have collected the categories of personal information listed in Section 1; we do not "sell" or "share" that information for cross-context behavioral advertising as those terms are defined under California law. You may exercise your rights using the contact method above.

§9 Security

We rely on industry-standard protections: TLS for all traffic, hashed credentials (handled by Clerk), tokenized payments (Stripe), encrypted database at rest (Neon), and strict server-side authorization checks on every API endpoint. No system is perfectly secure; please report any suspected vulnerability to info@ccaf.ai.

§10 Children

The Service is not directed to children under 16, and we do not knowingly collect personal data from anyone under that age. If you believe a child has provided us personal data, please contact us and we will delete it.

§11 Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. Material changes will be highlighted on the landing page or via email to your account address.

§12 Contact

For any privacy question or data-rights request, contact us at info@ccaf.ai or use the form at /contact.