Your privacy matters
We believe in being transparent about how we collect and use data. This policy explains exactly what we collect, why, and how you can control it.
Last updated: April 11, 2026 · Effective immediately
1. Information We Collect
We collect information in two ways: information you give us directly, and information collected automatically.
2. How We Use Your Information
- Provide the service — authenticate you, store your progress, power your dashboard, and let you bookmark and practice questions.
- Improve the platform — understand which questions are difficult or confusing, and use navigation analytics to improve the site structure.
- Send transactional emails — account verification, password resets, and important service announcements. We do not send marketing emails.
- Safety & moderation — review reported questions and detect abuse.
- Comply with law — respond to lawful requests from authorities when legally required.
- Display ads — serve advertisements through Google AdSense to support the free service. See Section 5.
We do not sell your personal information. We do not use your data for automated decision-making that produces legal or similarly significant effects.
3. Third-Party Services
We rely on the following trusted providers to operate SuperAP. Each processes data only as necessary to provide their service.
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, session management | Email, hashed password, profile data, progress |
| Google OAuth | Optional sign-in with Google | Email, name, Google profile picture (if you use Google sign-in) |
| Vercel | Website hosting and edge delivery | IP address, request logs (retained briefly per Vercel policy) |
| Vercel Analytics | Performance and usage metrics | Anonymized page load data — no personal identifiers |
| Google AdSense | Display advertising | Cookies and browsing context — see Section 5 |
4. Anonymous Analytics
To understand how users navigate SuperAP and improve the site, we collect anonymous page-view events. Here is exactly how it works:
- When you visit the site, your browser generates a random 128-bit session ID (a UUID) and stores it in sessionStorage. It is deleted when you close the tab.
- Each page navigation sends the current path, the previous path (referrer), and the session ID to our database.
- No personal information is included — not your user ID, IP address, name, or email.
- Analytics data cannot be linked back to any individual user.
- This tracking fires on every page regardless of login status.
We also use Vercel Analytics and Vercel Speed Insights, which collect anonymized performance metrics. See Vercel's Privacy Policy.
5. Advertising & Cookies
SuperAP is free and supported by advertising. We use Google AdSense to display ads. Google and its partners may use cookies to serve ads based on your prior visits to this site and other sites.
Cookie types we use:
- Essential — Authentication session cookies set by Supabase. Required for login. Cannot be disabled.
- Preference — Stores your dark/light theme choice.
- Advertising — Set by Google AdSense to deliver and measure targeted ads. Only active if you accept cookies via our consent banner.
You can opt out of personalised advertising:
- Use our cookie consent banner to decline advertising cookies.
- Visit aboutads.info/choices (DAA – US)
- Visit youronlinechoices.eu (EDAA – EU/UK)
- Use your browser's built-in cookie controls.
6. Data Retention & Deletion
- Account data — retained while your account is active.
- Practice progress — retained to power your dashboard. Exported or deleted with your account.
- Anonymous analytics events — retained for up to 12 months, then automatically purged.
- Question reports — retained until reviewed by our team, then anonymised or deleted.
- Server logs — retained per Vercel's standard log retention policy (typically a few days).
You can delete your account and all associated data at any time from your account settings. Deletion is permanent and irreversible.
7. Your Rights
Depending on where you live, you may have some or all of the following rights. We honour these for all users regardless of jurisdiction.
- Access — Request a copy of the personal data we hold about you.
- Correction — Update your display name and username any time from account settings.
- Deletion — Delete your account and all personal data from account settings.
- Portability — Request an export of your data by emailing us.
- Opt-out of advertising — Decline advertising cookies via our consent banner or the links in Section 5.
- California (CCPA) — You have the right to know, delete, and opt out of sale of personal information. We do not sell personal information.
- EU/UK (GDPR) — You have the right to restrict processing, object to processing, and lodge a complaint with your local supervisory authority.
To submit a request, email privacy@superap.org. We will respond within 30 days.
8. Children's Privacy
SuperAP is designed for students preparing for AP exams, a program generally taken by students aged 14 and up.
- We do not knowingly collect personal information from children under 13 years old (or under 16 in the EU/UK).
- If you are under 13, do not create an account or submit any personal information.
- If a parent or guardian believes their child has provided us with personal data, please contact us at privacy@superap.org and we will delete it promptly.
9. Security
We take reasonable steps to protect your data:
- All connections are encrypted in transit via TLS/HTTPS.
- Passwords are never stored — authentication uses Supabase's secure token system.
- Database access is restricted by row-level security (RLS): you can only access your own data.
- Login and signup endpoints are rate-limited to prevent brute-force attacks.
No method of transmission over the internet is 100% secure. If you discover a security issue, please contact us at security@superap.org.
10. Changes to This Policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top. For material changes, we will make reasonable efforts to notify you (e.g., via a banner on the site). Continued use of SuperAP after changes take effect constitutes acceptance of the updated policy.
11. Contact Us
If you have questions, requests, or concerns about this Privacy Policy or your data, please reach out:
General privacy: privacy@superap.org
Security issues: security@superap.org
Legal: legal@superap.org
We aim to respond to all privacy requests within 30 days.