Privacy Policy

StudyAce is a New Zealand-based online NCEA practice platform for Year 10–13 students. This policy explains what personal information we collect, how we use it, who we share it with, how we protect it, and your rights under the New Zealand Privacy Act 2020.

In plain English: we collect the minimum we need to run the service, we never sell your data, and you can ask us to show you or delete what we hold about you at any time.

StudyAce (“we”, “us”) operates the website at studyace.co and is based in New Zealand. We are the agency that collects and holds your personal information for the purposes of the Privacy Act 2020.

Privacy Officer contact: ffeon.io@gmail.com

We collect the following personal information:

• Account information — your email address and (optionally) your first name when you sign up. Managed by Clerk, our authentication provider.
• Study data — your practice exam answers, marks, grades, study plans, subject selections, and review history.
• Usage data — the features you use, how often, and anonymised performance metrics used to keep the service fast and accurate.
• Payment information — if you subscribe to a paid tier, Stripe processes your card on our behalf. We receive only a customer ID and subscription status. We never see or store your card details.
• Messages you send us — the content of any contact form submission or email you send, including name, email, and message body.
• School enquiries — school name, your role, and contact details if you enquire on behalf of a school.

We do not collect device fingerprints, advertising identifiers, or track you across other websites.

• To provide the practice service — generating exams, marking answers, tracking progress, and running spaced-repetition review.
• To personalise your experience — adaptive difficulty, study plans, weak-topic suggestions.
• To operate paid subscriptions — processing payments, managing your tier, and supporting refunds.
• To respond to contact form messages and school enquiries.
• To keep the platform secure — detecting abuse, rate-limiting API calls, preventing account takeover.
• To improve the service — analysing anonymised usage patterns (e.g. which subjects are most used).
• To meet legal obligations — complying with tax, accounting, and privacy law in New Zealand.

We will not sell your data, share it with advertisers, or use it for marketing by third parties.

We rely on a small number of trusted service providers to operate the platform. Each has their own privacy policy which governs how they handle your data:

• Clerk (USA) — authentication, account management, and transactional email (e.g. email verification, password resets).
• Supabase (USA) — database for your study data, progress, and review queue.
• Anthropic (USA) — AI exam generation, answer marking, and tutor chat. Your answers and questions are sent to Anthropic for processing but are not used to train their models under our API terms.
• Stripe (USA, with NZ operations) — subscription billing and payment processing.
• Vercel (USA) — website hosting and infrastructure.

Most of our service providers store data on servers located outside New Zealand, primarily in the United States. When we transfer your information to an overseas provider, we are required by the Privacy Act 2020 (Information Privacy Principle 12) to make sure that provider offers comparable privacy protections to New Zealand law.

All the providers listed above contractually commit to enterprise-grade security and data protection standards (SOC 2 Type II, ISO 27001, or equivalent). If you are not comfortable with data being processed overseas, please do not use the service.

• Account data — kept while your account is active, and for up to 90 days after you delete it (so we can handle refund disputes and chargebacks).
• Study data — deleted when you delete your account.
• Payment records — kept for 7 years as required by IRD tax law.
• Contact form messages — kept for up to 2 years, then deleted.
• Local browser data — stored on your device only. Clearing your browser storage removes it instantly.

StudyAce stores some study data (exam progress, custom papers, review queue, study plan) in your browser's local storage so the site works quickly and continues to function if your internet drops briefly. This data stays on your device and is only synced to our server to back up your progress and let you pick up on another device.

• All traffic to studyace.co is encrypted with TLS (HTTPS).
• Your password is managed by Clerk — we never see or store it. Passwords are hashed using industry-standard algorithms.
• Database access is restricted to authenticated server code via short-lived credentials; it is not exposed publicly.
• Payments are handled entirely by Stripe (PCI DSS Level 1 certified). Card data never touches our systems.
• Admin access is restricted to a short, named allowlist.

If we become aware of a privacy breach that is likely to cause you serious harm, we will notify you and the Office of the Privacy Commissioner as required by the Privacy Act 2020, without unreasonable delay.

StudyAce is designed for NCEA students, many of whom are under 18. We take extra care with younger users:

• We only collect what we need to run the service. We do not build marketing profiles of students.
• We don't knowingly sign up users under 13. If we discover a user is under 13, we will close the account and delete the data unless we hold verifiable consent from a parent or guardian.
• If you are under 16, we recommend reviewing this policy with a parent, guardian, or teacher before signing up.
• If you are a parent or guardian and are concerned about an account or data held by us, email us at ffeon.io@gmail.com and we will respond promptly.

You have the right to:

• Access the personal information we hold about you.
• Request correction of any inaccurate information.
• Request deletion of your data (subject to the retention rules above for payments/tax).
• Withdraw consent for any processing that relies on it, and cancel your subscription.
• Export your data in a portable format.

To exercise any of these rights, email ffeon.io@gmail.com. We will respond within 20 working days, as required by law.

If you believe we have mishandled your personal information, please contact us first so we can try to resolve it. If you remain unsatisfied, you have the right to make a complaint to the Office of the Privacy Commissioner:

• Website: privacy.org.nz
• Phone: 0800 803 909
• Email: enquiries@privacy.org.nz

We use essential cookies only — session cookies set by Clerk to keep you signed in, and a small amount of site-functionality storage. We do not use advertising cookies, cross-site tracking, or third-party analytics trackers beyond privacy-friendly aggregate traffic counts (Vercel Analytics, which does not use cookies or collect personal identifiers).

We may update this policy from time to time — typically to reflect new features, providers, or legal requirements. If we make material changes, we will notify signed-in users by email or by a prominent notice on the site before the change takes effect. The “Last updated” date above is always current.

Questions about this policy, or want to exercise your rights? Email ffeon.io@gmail.com and we'll respond within 20 working days.