passd
Log inGet started
SECURITY

How we handle your data.

Students trust us with their practice history, exam dates, and study patterns. That trust is load-bearing for the product. This page is what we do about it — not a checkbox exercise.

Authentication

We use magic-link email authentication. You never create a password. Each login sends a time-limited link to your email; clicking it signs you in. No password database, no password reuse risk, no phishing surface tied to a password you might reuse elsewhere.

Auth is implemented via Supabase Auth, which issues short-lived session tokens and handles refresh securely in HTTP-only cookies. Sessions expire after extended inactivity.

What we store

  • Account: email address, display name (optional).
  • Profile: your declared state, exam date, exam history, weekly study hours.
  • Practice data: your answers, session scores, Passd Score history, topic breakdown, time per question.
  • Preferences: email opt-ins, daily plan intensity, voice tutor mode.
  • Billing: Stripe customer ID and subscription status only. We never store your card number, bank account, or full payment details. Stripe holds those directly.

What we don’t store

  • Your credit card number (Stripe).
  • Your bank account details (Stripe).
  • Your home address (we don’t ask for it).
  • Your phone number (we don’t ask for it).
  • Your SSN, driver’s license, or government ID (we don’t ask for any of them).

Data residency and transport

Your data is stored in Supabase, which runs on AWS in the United States. All traffic between your browser and our servers is encrypted in transit via TLS 1.2+. Row-level security policies restrict access at the database layer — application bugs cannot expose another student’s practice data.

Third parties we use

Every third party gets the minimum data needed to do its job. No advertising trackers. No data broker integrations.

  • Supabase — authentication and database (hosted in US).
  • Stripe — payment processing. Stripe receives only what’s needed to process your subscription.
  • Vercel — application hosting.
  • Anthropic (Claude) — AI inference for the Voice Tutor, question generation, and study guides. Prompts never include your email or billing data.
  • OpenAI — voice synthesis (text-to-speech), transcription, and Voice Tutor speech-to-speech sessions for the Tutor tier.
  • Resend — transactional email delivery (magic links, daily study plan emails if opted in).
  • Inngest — background job scheduling (daily plan generation, subscription webhooks).

Payments

Payment processing runs entirely through Stripe. We do not see or store your card number. When you subscribe, you’re handed off to Stripe Checkout (their hosted UI, their PCI scope). When you manage billing, you’re handed off to the Stripe Customer Portal. Stripe is PCI-DSS Level 1 certified.

Deletion and export

Email privacy@passd.ioto request account deletion or a full data export. We honor deletion requests within 30 days, with the exception of records we’re required to retain for tax, fraud-prevention, or legal compliance (typically billing records for 7 years). Exports include all practice data, account profile, and preference settings in a machine-readable format (JSON).

Reporting a vulnerability

If you’ve discovered a security issue, email security@passd.iowith enough detail to reproduce it. We respond within two business days. We don’t yet run a formal bug bounty program, but we acknowledge serious reports publicly (with your permission) and appreciate responsible disclosure.

Status

This page is updated when our practices change, not on a fixed cadence. Current revision: April 2026.

Questions about data?

Privacy or data questions: privacy@passd.io

Security reports: security@passd.io