Privacy Policy

Last updated: March 21, 2026

1. Introduction

Education Services Unlimited Inc. ("Company," "we," "us," or "our") operates PassEPPP (the "Service"), an online platform for Examination for Professional Practice in Psychology (EPPP) preparation. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your personal information when you visit our website, create an account, or use any aspect of the Service. It also explains your rights regarding your personal information and how you can exercise those rights.

By accessing or using the Service, you acknowledge that you have read, understood, and consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please discontinue use of the Service immediately. This Privacy Policy is incorporated into and subject to our Terms of Service.

We encourage you to read this Privacy Policy in its entirety. If you have any questions, please contact us at privacy@passeppp.com.

2. Information We Collect

2.1 Information You Provide Directly

  • Account registration information: Full name, email address, and authentication credentials when you register for an account through our identity provider (Auth0)
  • Profile information: Any optional details you add to your account profile, such as a display name, professional title, or study goals
  • Payment and billing information: Billing name, billing address, and payment card details, all processed and stored securely by our payment processor, Stripe, Inc. We do not store your full credit card number, CVV, or payment credentials on our servers
  • Communications: Information you provide when you contact customer support, submit feedback, respond to surveys, report issues, or otherwise communicate with us
  • Cancellation feedback: Reason for cancellation and optional comments when you cancel a subscription
  • User preferences: Study settings, notification preferences, language selections, and display preferences you configure within the Service

2.2 Information Collected Automatically

  • Usage and learning data: Pages visited, features used, exam attempts and scores, quiz attempts and scores, flashcard interactions (correct/incorrect/skipped), study session duration and frequency, lecture viewing progress and completion, mastery module performance, remediation activity, and other learning interactions
  • Device and technical information: Browser type and version, operating system and version, screen resolution and color depth, device type (desktop, tablet, mobile), hardware concurrency, language preferences, timezone, and platform identifier
  • Log data: IP address, access times and dates, referring URLs, pages viewed, click patterns, error logs, and request metadata
  • Browser fingerprint: A unique pseudonymous identifier generated from a combination of your device and browser characteristics (described in detail in Section 3)
  • Geolocation data: Approximate geographic location derived from your IP address, including city, region, country, and approximate coordinates. We do not collect precise GPS location data
  • Session data: Session identifiers, session duration, entry and exit pages, navigation paths within the Service, and session-level engagement metrics

2.3 Information from Third Parties

  • Authentication providers: When you log in through Auth0, we may receive your email address, name, and authentication status
  • Payment processor: Stripe may provide us with transaction status, payment method type, billing address, and subscription status information
  • IP geolocation services: We use third-party IP geolocation services to derive approximate location data from your IP address for analytics, personalization, and fraud prevention purposes

3. Analytics, Device Fingerprinting, and Tracking

3.1 Browser Fingerprinting

We automatically generate a browser fingerprint when you visit our website. This fingerprint is a pseudonymous identifier created by hashing a combination of your device and browser characteristics, including but not limited to: user agent string, screen resolution, color depth, timezone offset, hardware concurrency, platform identifier, language setting, and a canvas rendering hash. The resulting fingerprint is a one-way hash (SHA-256) that cannot be reversed to recover the individual characteristics used to generate it.

We use browser fingerprinting for the following purposes:

  • Recognizing returning visitors and personalizing their experience (e.g., landing page variant assignment)
  • Linking pre-registration anonymous activity to your account when you create an account or log in
  • Analyzing visitor traffic patterns and conversion funnels to improve our marketing and product
  • Detecting and preventing fraudulent or abusive activity, including bot detection, account sharing, and unauthorized access
  • A/B testing and landing page optimization

No personal information (such as your name or email) is derived from the fingerprint itself. Fingerprint data is collected automatically upon visiting our site, prior to account creation. If you would like your fingerprint data deleted, please contact us at privacy@passeppp.com.

3.2 Visitor and Session Tracking

We track visitor sessions to understand how users interact with our website. For each session, we record: entry page, pages viewed, session duration, referral source, UTM campaign parameters, and device/browser information. Session data is linked to your browser fingerprint and, if you are logged in, to your user account. This data is used to improve the Service, optimize our marketing efforts, and provide personalized experiences.

3.3 Competitor Detection

We may use technical signals, including but not limited to ISP identification, email domain analysis, and behavioral patterns, to identify visitors who may be affiliated with competing services. This detection is used solely for internal business intelligence and does not result in discrimination against individual users. Visitors identified as potential competitors may be shown alternative landing page content.

4. How We Use Your Information

We use the information we collect for the following purposes:

PurposeLegal Basis (GDPR)
Provide and operate the Service: Deliver practice exams, quizzes, lectures, flashcards, and other study tools; manage your account and subscriptionPerformance of contract
Personalize your experience: Tailor content recommendations, adaptive learning features, spaced repetition algorithms, and study plans based on your performance and preferencesLegitimate interest
Track and display progress: Generate analytics dashboards, score histories, domain breakdowns, streaks, and performance trendsPerformance of contract
Process payments: Manage subscriptions, process charges, handle billing inquiries, issue refunds, and prevent payment fraudPerformance of contract
Improve the Service: Analyze aggregate usage patterns, identify areas for improvement, develop new features, test changes (A/B testing), and optimize existing functionalityLegitimate interest
Communicate with you: Send account-related notifications, subscription updates, payment receipts, security alerts, study reminders, and respond to your inquiriesPerformance of contract
Marketing: Send promotional emails about new features, content updates, or special offers (with your consent where required)Consent / Legitimate interest
Security and fraud prevention: Monitor for suspicious activity, detect account sharing, prevent unauthorized access, and enforce our Terms of ServiceLegitimate interest
Legal compliance: Comply with legal obligations, respond to legal process, and protect our legal rightsLegal obligation
Adaptive learning and AI: Use anonymized and aggregated learning data to train and improve our adaptive algorithms, question difficulty calibration, and personalization models (see Section 5)Legitimate interest

5. Artificial Intelligence and Adaptive Learning

The Service uses algorithmic and machine learning techniques to provide adaptive learning features, including but not limited to:

  • Spaced repetition: Flashcard scheduling algorithms that optimize review intervals based on your performance history
  • Adaptive quiz difficulty: Algorithms that select question difficulty based on your demonstrated mastery level
  • Performance predictions: Models that estimate exam readiness based on your study activity and assessment scores
  • Content recommendations: Systems that suggest study materials, domains, or chapters based on your identified strengths and weaknesses
  • Question classification: AI-assisted categorization and tagging of questions to content domains and textbook sections

These systems process your individual learning data (quiz scores, flashcard responses, study patterns) to provide personalized recommendations. We may also use anonymized and aggregated learning data from all users to improve these algorithms. Individual learning data is never shared with third parties for their own purposes. You have the right to request information about the logic involved in these automated processes and their significance to you by contacting privacy@passeppp.com.

6. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information only in the following limited circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who assist us in operating and delivering the Service. These providers are contractually obligated to use your data only for the specific purposes of providing their services to us, are required to maintain appropriate security measures, and may not use your data for their own independent purposes. Our current service providers include:

  • Stripe, Inc. — Payment processing, subscription management, and billing (PCI DSS Level 1 compliant)
  • Auth0 (Okta, Inc.) — User authentication, identity management, and single sign-on
  • Supabase, Inc. — Database hosting, serverless functions, and backend infrastructure
  • Vercel, Inc. — Website hosting, content delivery, and edge computing
  • Zoom Video Communications, Inc. — Live lecture hosting and video conferencing
  • ipapi / IP geolocation services — IP-based approximate location lookup for analytics and personalization

6.2 Legal Requirements

We may disclose your information if we believe in good faith that such disclosure is reasonably necessary to: (a) comply with any applicable law, regulation, legal process, or governmental request, including court orders and subpoenas; (b) enforce our Terms of Service or other agreements; (c) protect the safety, rights, or property of the Company, our users, or the public; (d) detect, prevent, or address fraud, security, or technical issues; or (e) respond to an emergency involving danger of death or serious physical injury to any person.

6.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or control of your personal information, as well as any choices you may have regarding your personal information, at least thirty (30) days before such transfer takes effect.

6.4 Aggregated and De-Identified Data

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you for purposes such as industry analysis, research, benchmarking, and marketing. For example, we may publish aggregate statistics about exam preparation trends or platform usage patterns.

6.5 With Your Consent

We may share your information for any other purpose with your explicit prior consent.

We do not share your individual exam scores, study progress, learning data, or any information that could identify your professional licensure status with any third parties for their own marketing or commercial purposes.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, analyze usage, and support the operation of the Service. The types of cookies we use include:

7.1 Essential Cookies

Required for authentication, session management, security, and core functionality of the Service. These cookies cannot be disabled without impairing the Service. They include authentication tokens, session identifiers, and security cookies.

7.2 Functional Cookies

Remember your preferences and settings, such as selected study options, display theme, language preferences, and notification settings. These cookies enable enhanced personalization and functionality.

7.3 Analytics Cookies

Help us understand how visitors interact with our website so we can measure and improve the user experience. These cookies collect information about pages visited, time spent on pages, click patterns, error encounters, and conversion events.

7.4 Local Storage and Session Storage

In addition to cookies, we use browser local storage and session storage to store authentication state, user preferences, cached content, visitor fingerprints, and session-level tracking data. These storage mechanisms function similarly to cookies but are managed through the browser's Web Storage API.

You can control cookie preferences through your browser settings. Most browsers allow you to refuse new cookies, receive notification when a new cookie is set, or disable cookies altogether. Note that disabling certain cookies or storage mechanisms may limit your ability to use some features of the Service and may result in a degraded experience.

8. Do Not Track Signals

Some web browsers may transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to interpret DNT signals, the Service does not currently respond to or alter its practices when it receives DNT signals from your browser. We will continue to monitor developments around DNT browser technology and the applicable legal standards and may update this policy if a standard is established. Regardless of any DNT setting, we collect and use information as described in this Privacy Policy.

9. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

Data CategoryRetention Period
Account registration data (name, email)Duration of active account + 12 months after deletion request
Study progress, scores, and performance dataDuration of active account; anonymized or deleted within 90 days of account deletion
Payment and billing recordsUp to 7 years as required for tax, accounting, and legal compliance
Analytics and browser fingerprint dataUp to 24 months from collection, then automatically purged
Session and visitor tracking dataUp to 24 months from collection
Geolocation data (IP-derived)Up to 24 months from collection
Customer support communicationsUp to 3 years from the date of communication
Cancellation feedbackUp to 3 years, then anonymized
Server logsUp to 90 days

You may request early deletion of your data by contacting privacy@passeppp.com. We will process your request within thirty (30) days, subject to any legal obligations that require us to retain certain data for longer periods. When data is no longer needed, it is securely deleted or irreversibly anonymized.

10. Data Security

We implement reasonable administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, use, alteration, disclosure, and destruction. These measures include:

  • Encryption of all data in transit using TLS 1.2 or higher (SSL/HTTPS)
  • Encryption of sensitive data at rest within our database infrastructure
  • Secure, tokenized authentication through Auth0 with support for multi-factor authentication (MFA)
  • Row-level security (RLS) policies in our database that restrict data access to authorized queries only
  • Regular security reviews, vulnerability assessments, and dependency updates
  • Restricted access to personal data on a strict need-to-know basis among our team
  • Secure, PCI DSS-compliant payment processing through Stripe
  • Automated monitoring and alerting for suspicious activity

While we take commercially reasonable precautions to protect your information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for the security of information you transmit to us over networks that we do not control, including the Internet and wireless networks. In the unlikely event of a data breach involving your personal information, we will notify you in accordance with applicable law (see Section 11).

11. Data Breach Notification

In the event of a security breach that results in the unauthorized access to, acquisition of, or disclosure of your personal information, we will:

  • Investigate the breach promptly and take reasonable steps to contain it and mitigate its impact
  • Notify affected users via email within seventy-two (72) hours of becoming aware of the breach, or as otherwise required by applicable law
  • Notify relevant regulatory authorities as required by applicable data protection laws, including the GDPR (within 72 hours of awareness), CCPA, and applicable state breach notification laws
  • Provide a description of the nature of the breach, the types of data affected, the likely consequences, and the measures taken or proposed to address the breach

12. Your Rights and Choices

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:

  • Right of Access: Request a copy of the personal information we hold about you, including the categories of data collected, the purposes of processing, and the third parties with whom data has been shared
  • Right to Rectification: Request correction of inaccurate, incomplete, or outdated personal information
  • Right to Erasure (Right to be Forgotten): Request deletion of your personal information, subject to legal retention requirements and legitimate business needs
  • Right to Restriction of Processing: Request that we restrict or limit the processing of your personal information under certain circumstances
  • Right to Data Portability: Request an export of your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON)
  • Right to Object: Object to the processing of your personal information for certain purposes, including direct marketing and profiling
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal
  • Right to Opt-Out of Marketing: Unsubscribe from promotional emails at any time using the unsubscribe link in the email or by contacting us
  • Right to Opt-Out of Sale/Sharing: We do not sell your personal information. If this practice changes, we will provide a clear opt-out mechanism
  • Right Against Automated Decision-Making: Request information about any automated decision-making processes that significantly affect you and, where applicable, request human review of such decisions
  • Right to Non-Discrimination: You will not be discriminated against for exercising any of your privacy rights
  • Fingerprint Deletion: Request deletion of your browser fingerprint data specifically

To exercise any of these rights, contact us at privacy@passeppp.com. We will verify your identity before processing your request and will respond within thirty (30) days (or within the timeframe required by applicable law). If we need additional time, we will inform you of the reason and extension period. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

If you are unsatisfied with our response, you have the right to lodge a complaint with a supervisory authority in your jurisdiction.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA"):

  • Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business or commercial purpose for collecting the information, the categories of third parties with whom we share the information, and the categories of information we have sold or disclosed for a business purpose in the preceding 12 months
  • Right to Delete: You have the right to request that we delete the personal information we have collected about you, subject to certain exceptions provided by law
  • Right to Correct: You have the right to request correction of inaccurate personal information that we maintain about you
  • Right to Opt Out of Sale/Sharing: We do not sell your personal information as defined by the CCPA. We do not share your personal information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted under the CCPA
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights, including by denying services, charging different prices, providing a different level of service, or suggesting that you will receive a different price or level of service

Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

  • Identifiers (name, email address, IP address, account ID)
  • Commercial information (subscription history, purchase records)
  • Internet or other electronic network activity (browsing history, search history, interactions with the Service)
  • Geolocation data (approximate location derived from IP address)
  • Professional or employment-related information (only if voluntarily provided)
  • Education information (study performance, exam scores within the Service)
  • Inferences drawn from the above (study patterns, content preferences, predicted readiness)

To submit a CCPA request, email privacy@passeppp.com with the subject line "CCPA Request." You may also designate an authorized agent to submit a request on your behalf by providing written authorization. We will verify your identity using a two-step verification process (email confirmation and account verification) before processing your request.

14. Virginia, Colorado, Connecticut, and Other State Privacy Rights

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or another state with a comprehensive consumer privacy law, you may have similar rights to those described in Sections 12 and 13 above, including the right to access, correct, delete, and obtain a copy of your personal data, the right to opt out of targeted advertising, and the right to appeal our decision regarding your privacy request.

To exercise any of these rights or to appeal a decision, contact us at privacy@passeppp.com. We will respond within the timeframe required by applicable state law (typically 45 days, with a possible extension of an additional 45 days). If we decline your request, we will provide the reasons for the denial and information about how to appeal.

15. European Economic Area, United Kingdom, and Swiss Users (GDPR)

If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, the General Data Protection Regulation ("GDPR") and/or the UK GDPR provides you with additional rights regarding your personal data.

15.1 Legal Bases for Processing

We process your personal data only when we have a valid legal basis, including: (a) your consent; (b) the performance of a contract with you; (c) compliance with a legal obligation; and (d) our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. The specific legal basis for each processing activity is described in the table in Section 4.

15.2 International Data Transfers

Your personal data is transferred to and processed in the United States, where our servers and service providers are located. The United States may not provide the same level of data protection as your home jurisdiction. We rely on the following safeguards for international data transfers:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with our service providers that include appropriate technical and organizational security measures
  • Where applicable, adequacy decisions by the European Commission or the UK Secretary of State

You may request a copy of the safeguards we use for international data transfers by contacting privacy@passeppp.com.

15.3 Your GDPR Rights

In addition to the rights listed in Section 12, EEA, UK, and Swiss users have the right to:

  • Lodge a complaint with your local data protection authority (Supervisory Authority)
  • Request information about the safeguards used for international data transfers
  • Withdraw consent at any time where processing is based on consent
  • Object to processing based on legitimate interests, including profiling

15.4 Data Protection Contact

For all GDPR-related inquiries, requests, or complaints, please contact: privacy@passeppp.com with the subject line "GDPR Request."

16. Nevada Privacy Rights

Under Nevada law (SB 220), Nevada residents may opt out of the sale of their personally identifiable information. We do not currently sell the personal information of Nevada residents as defined by Nevada law. If you are a Nevada resident and wish to submit an opt-out request, please contact us at privacy@passeppp.com with the subject line "Nevada Opt-Out."

17. Children's Privacy

The Service is not intended for, directed to, or designed to attract individuals under the age of eighteen (18). We do not knowingly collect, use, or disclose personal information from anyone under 18 years of age. If we become aware that we have inadvertently collected personal information from an individual under 18, we will take prompt steps to delete that information from our systems. If you believe that a minor has provided us with personal information, please contact us immediately at privacy@passeppp.com.

18. International Users

The Service is hosted in the United States and is primarily intended for users in the United States and Canada. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from and may not provide the same level of protection as those of your home jurisdiction. By using the Service, you expressly consent to such transfers and processing. For users in the EEA, UK, or Switzerland, please see Section 15 for additional information about data transfer safeguards.

19. Automated Decision-Making and Profiling

The Service uses automated processing, including profiling, to provide adaptive learning features and personalized content recommendations (as described in Section 5). These automated processes do not produce legal effects or similarly significantly affect you. They are used solely to enhance your educational experience by tailoring study materials to your demonstrated knowledge and learning patterns.

You have the right to request information about the logic involved in any automated decision-making process, to contest the outcome, and to request human review. To exercise this right, contact privacy@passeppp.com.

20. Sensitive Personal Information

We do not intentionally collect sensitive personal information (also known as "special categories of data" under the GDPR), such as racial or ethnic origin, political opinions, religious beliefs, health information, sexual orientation, or biometric data. The Service is an educational exam preparation tool, and the information we collect is limited to what is necessary to provide and improve the Service as described in this Privacy Policy.

If you voluntarily disclose sensitive personal information in communications with us (e.g., in a support ticket), we will treat that information with heightened care and use it only for the purpose for which it was provided.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users via email at least fourteen (14) days before material changes take effect
  • Where required by applicable law, obtain your consent to the revised Privacy Policy before continuing to process your personal information under the new terms

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

22. Contact Us

If you have questions, concerns, complaints, or requests regarding this Privacy Policy, our data practices, or your personal information, please contact us through any of the following channels:

  • Privacy inquiries: privacy@passeppp.com
  • General support: support@passeppp.com
  • Legal inquiries: legal@passeppp.com
  • CCPA requests: privacy@passeppp.com (subject line: "CCPA Request")
  • GDPR requests: privacy@passeppp.com (subject line: "GDPR Request")

We aim to respond to all privacy-related inquiries within thirty (30) days of receipt.