Legal

California Consumer Privacy Act Notice

Last updated: May 13, 2026

This notice applies to California residents and supplements the information in our Privacy Policy. It describes the categories of personal information Passd collects, the purposes we use it for, who we share it with, and the rights California residents have under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

1. Categories of Personal Information We Collect

Over the past twelve months, Passd has collected the following categories of personal information from California residents who use the Service:

  • Identifiers: email address, account ID, IP address, and (if you opt to share it) display name.
  • Commercial information: records of paid subscriptions and one-time pack purchases, processed by Stripe. Passd does not store full card or bank-account numbers.
  • Internet activity: pages visited on passd.io, features used, session duration, and interaction patterns. Session replays are recorded with full input masking — every form field, text node, and image is masked at the recording layer.
  • Geolocation (coarse): approximate region derived from IP address. We do not collect precise (GPS-level) location.
  • Inferences: your Passd Score (a prediction of exam-pass likelihood), topic-level performance breakdowns, and your Passd Ready status when earned. These inferences are derived from your practice activity on Passd.
  • Education-related information: the state you have declared for licensing, your declared exam date, your practice answers and session scores, and your wrong-answer review queue.
  • Audio (Voice Tutor only): if you speak to the Voice Tutor, your audio is uploaded to our servers and forwarded to our voice provider for transcription. Passd does not retain the audio file after transcription completes. You can avoid all audio processing by typing instead — every Voice Tutor mode supports text input.

2. Sources of Personal Information

  • Directly from you: when you create an account, answer practice questions, edit your profile, or talk to the Voice Tutor.
  • Automatically: when you interact with the Service, our analytics processor (PostHog, US region) records page-level events and a masked session replay.
  • From service providers: Stripe sends us subscription and payment-status events. Our authentication provider (Supabase) issues magic-link tokens we use to sign you in.

3. Business or Commercial Purposes for Collection

  • Deliver the Service — authenticate you, calculate your Passd Score, deliver state-calibrated practice questions, run the Voice Tutor, send your daily study plan email (if enabled).
  • Process payments and manage subscriptions via Stripe.
  • Improve question quality, identify weak content areas, and prioritize features using aggregate usage analytics.
  • Detect and prevent fraud, abuse, or unauthorized access.
  • Communicate with you about the Service through transactional email.

4. Categories of Third Parties We Share With

We share personal information with the service providers (also called subprocessors) who help us run the Service. Each subprocessor receives only the personal data necessary to perform its function and acts as our data processor under a written agreement. The current list of subprocessors by name is published at passd.io/subprocessors.

Categories include:

  • Payment processing
  • Database and authentication
  • Hosting and content delivery
  • AI model inference (for Voice Tutor and study-guide generation)
  • Text-to-speech and speech-to-text (for Voice Tutor and Audio Mode)
  • Transactional email delivery
  • Product analytics and session replay
  • Background job execution and rate limiting

5. Sale or Sharing of Personal Information

Passd does not sell your personal information. We also do not share your personal information for cross-context behavioral advertising — we do not use advertising cookies, do not embed third-party tracking pixels, and do not transmit personal information to advertising networks.

6. Sensitive Personal Information

We do not collect or process the categories of sensitive personal information defined under CPRA (such as government identifiers, financial-account credentials, precise geolocation, contents of non-Passd communications, race or ethnicity, religious beliefs, sexual orientation, union membership, biometric data, or health information) beyond what your Voice Tutor audio reveals incidentally while you study. Voice Tutor audio is not retained on our servers after transcription.

7. Retention Periods

We retain account and practice data for as long as your account is active. If you delete your account, we make commercially reasonable efforts to delete your personal information within 30 days, except where retention is required by law (for example, payment records for tax purposes). Anonymized, aggregate data may be retained indefinitely for Service improvement.

8. Your Rights as a California Resident

You have the following rights under the CCPA, free of charge and without retaliation:

  • Right to know. Request the categories and specific pieces of personal information we have collected about you, the sources we collected from, the purposes we collected for, and the categories of third parties we shared with.
  • Right to delete. Request that we delete the personal information we collected from you, subject to exceptions required by law.
  • Right to correct. Request that we correct inaccurate personal information we hold about you.
  • Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising, so there is nothing for you to opt out of in this category. If our practices change, we will provide a clear mechanism on this page.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the Service, so this right has no practical effect on our processing today.
  • Right to non-discrimination. Exercising any of these rights will not affect your access to the Service, the price you pay, or the quality of what you receive.

9. How to Exercise Your Rights

Self-serve analytics deletion

For analytics data (PostHog events and session replay), visit passd.io/settings/privacy and click Delete my analytics data. The request is rate-limited to once per 24 hours. We pass it to PostHog within seconds; PostHog completes the deletion asynchronously, typically within 30 days. Your account, payments, study sessions, and Passd Score are not affected by an analytics deletion.

Full account deletion and other CCPA requests

For full account deletion or any other right above, email support@passd.io with the subject line CCPA Request. Include the email address associated with your Passd account so we can verify the request. We respond within 45 days, or up to 90 days if the request is complex (we'll tell you in advance if an extension is needed).

Authorized agents

You may designate an authorized agent to make a CCPA request on your behalf. Send written authorization signed by you, along with proof of the agent's identity, to support@passd.io. We may contact you directly to verify the request.

10. Verification

We verify CCPA requests by matching the email address on the request to an active Passd account, by asking you to confirm via a magic link sent to that email, and (for deletion requests specifically) by asking you to confirm one additional account detail. Verification protects you against unauthorized deletion or disclosure of your data.

11. Children Under 16

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. We do not sell or share the personal information of California residents under 16.

12. Notice at Collection

This notice is provided to California residents at or before the point of collection. The categories of personal information we collect and the purposes we collect for are stated in sections 1 and 3 above. We do not sell or share personal information.

13. Changes to This Notice

We may update this notice from time to time. Material changes will be communicated by email at least 14 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated notice.

14. Contact

Questions about this notice or your California privacy rights: support@passd.io · subject line CCPA Request.