ExamDuck

Privacy Policy

Last updated: August 23, 2025

1. Data Controller

Examduck (a sole proprietorship), operated by Linus Hasselkvist, is the data controller for the processing of personal data that takes place within our service.

If you have questions about our processing of your personal data, or if you wish to exercise any of your rights, you can contact us at:

  • Email: privacy@examduck.com
  • Address: Linus Hasselkvist, Stockholms Brevboxar 549, 116 74 Stockholm, Sweden

2. What Personal Data Do We Collect?

We collect and process the following categories of personal data:

Information you provide to us:

When you create an account or communicate with us, we collect the information you provide, such as:

  • Account information (first name, last name, email address)
  • Password (stored in encrypted, unreadable format)
  • Profile information including subscription tier and credit balance

Information created when you use the service:

When you use our service to create educational content, we process:

  • Document content (exams, solution guides, and related educational materials)
  • Document metadata (course names, topics, difficulty levels, language preferences)
  • File uploads (PDF documents for content extraction - files are processed but not permanently stored)
  • Custom instructions and generation parameters
  • User feedback and ratings on generated content

Technical information:

When you visit our website and use our service, we automatically collect:

  • IP address and device information
  • Browser type and version
  • Usage patterns and interaction data
  • Authentication tokens and session information
  • Error logs and performance metrics

3. Why and on What Legal Basis Do We Process Your Data?

We process your personal data for the following purposes, based on the following legal grounds:

To provide our service:

We process your account information and user content to fulfill our agreement with you. This includes:

  • Account creation and authentication
  • Document generation and storage
  • Credit system management
  • File processing and content extraction

Legal Basis: Performance of a contract (GDPR Article 6.1 b)

To communicate with you:

We use your email address to send important information about the service, such as:

  • Account confirmation and security notices
  • Service updates and maintenance notifications
  • Password reset and account recovery

Legal Basis: Performance of a contract (GDPR Article 6.1 b)

To improve and secure our service:

We analyze technical information and usage patterns to:

  • Monitor system performance and identify issues
  • Track AI model usage and costs
  • Analyze user feedback and content ratings
  • Protect against fraud and abuse
  • Improve user experience and service quality

Legal Basis: Legitimate interest (GDPR Article 6.1 f)

For marketing:

With your explicit consent, we may use your email address to send newsletters and marketing materials about new features or offers.

Legal Basis: Consent (GDPR Article 6.1 a)

You can withdraw your consent at any time by clicking the unsubscribe link in our mailings.

4. Who Do We Share Your Data With?

We never sell your personal data. However, to provide and operate our service, we share your personal data with the following categories of subprocessors (data processors), who process data on our behalf:

Infrastructure and hosting:

  • Google Cloud (USA): Cloud infrastructure and hosting services
  • Vercel (USA): Frontend hosting and deployment

Database and authentication:

  • Supabase (USA): Database, authentication, and user management

AI and content generation:

  • Google Gemini (USA): AI content generation for exams and solution guides

Customer relationship management:

  • HubSpot (USA): CRM and marketing services (with consent)

We have entered into data processing agreements (DPAs) with all these suppliers to ensure that your data is handled securely and in accordance with GDPR.

5. Transfers to Third Countries

As our subprocessors are based in the USA, your personal data is transferred to a country outside the EU/EEA. To ensure your data has adequate protection even outside the EU/EEA, we take special protective measures.

These transfers are based on the EU Commission's adequacy decision (the EU-U.S. Data Privacy Framework) and/or the EU Commission's Standard Contractual Clauses (SCCs). This ensures a level of protection for your data equivalent to that guaranteed within the EU.

6. How Long Do We Keep Your Data?

We only store your personal data for as long as is necessary for the purposes for which it was collected.

Account data:

We store your account information (name, email, profile data) as long as you have an active account with us. If you choose to delete your account, the data will be permanently deleted after a 90-day security period.

User content:

Your created content (exams, solution guides) is stored as long as you have an active account. You can delete specific content from your account at any time.

File uploads:

Uploaded PDF files are processed to extract text content but are not permanently stored. The extracted text is used for content generation and may be temporarily cached for processing efficiency.

Technical logs:

Technical information and logs are saved for 30 days for troubleshooting and security analysis.

Usage analytics:

Usage patterns, AI model performance data, and user feedback are retained for up to 2 years for service improvement and analytics purposes.

7. Your Rights

Under GDPR, you have several rights regarding the processing of your personal data:

  • Right of access: You have the right to request a copy of the personal data we hold about you.
  • Right to rectification: You have the right to have inaccurate information about you corrected.
  • Right to erasure ("the right to be forgotten"): You have the right to request that your personal data be deleted if it is no longer necessary for the purpose for which it was collected.
  • Right to restriction of processing: You have the right to request that the processing of your personal data be restricted.
  • Right to data portability: You have the right to receive the data you have provided to us in a structured, machine-readable format.
  • Right to object: You have the right to object to processing that is based on legitimate interest.

To exercise your rights, please contact us at privacy@examduck.com.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY) if you believe our processing violates the law.

8. Data Security

We implement industry-standard security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction:

  • Encryption of data in transit and at rest
  • Secure authentication and session management
  • Database security and access controls
  • Regular security audits and monitoring
  • Secure file processing with automatic cleanup
  • Input validation and abuse prevention measures

9. Special Clause: Children's Data

Our service is designed to be used by adults, such as teachers, guardians, and educators. According to our terms of service, you must be at least 18 years old to create an account with us. This is due to technical limitations from our subprocessors.

We do not knowingly collect personal data directly from children under the age of 13 without verifiable parental consent. If you, as an adult user, use our service to create content (exams) that is then used by children, you as the account holder are responsible for ensuring your use complies with applicable laws and regulations.

The service is not intended for children to create accounts themselves or to interact directly with our service's AI features. If we discover that an account has been created by a person under the age of 18, we will terminate the account and delete the associated data.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

11. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

  • Email: privacy@examduck.com
  • Address: Linus Hasselkvist, Stockholms Brevboxar 549, 116 74 Stockholm, Sweden