Privacy Policy

We collect what we need to deliver the Service, nothing more. Your uploads and the exams we generate for you are never used to train AI models. You can export your data, you can delete your account, and you can ask us questions at privacy@exampull.com. The rest of this policy is the longer version of those commitments.

Account information

Email address, password (hashed via Firebase Authentication, or authenticated through Google OAuth), phone number (verified by SMS), and any optional profile fields you provide such as your name. We collect phone numbers because they are our primary safeguard against credit-farming abuse — one phone number maps to one account.

Study materials you upload

PDFs, slide decks, Word and PowerPoint files, photos of notes and whiteboards, plain text, and the content fetched from web links you provide. We process this material to extract topics and generate exams. We retain it as part of your library so you can reuse it for future exams.

Exams, attempts, and grading

The exam PDFs we generate, the answer keys, the rendered page images, your scanned or typed attempts when you ask us to grade them, and the resulting per-question feedback and scores.

Billing and transaction data

Subscription tier, plan history, credit balances, and a record of your purchases. Payment card data is collected and stored by Stripe; we receive only a customer ID and the last four digits of the card for display.

Device and usage data

IP address, browser and device type, operating system, language, screen resolution, referring URL, and a device fingerprint derived from these signals (used solely to enforce one preview exam per device per 24 hours, per our anti-abuse policy). Page views, feature interactions, and error reports are collected through PostHog and Sentry. Test accounts and synthetic test data are flagged at the database level and excluded from product analytics by default.

We use the data described above to:

• Deliver the core Service — extract topics, generate exams, render PDFs, grade your attempts, host your library
• Authenticate you, verify your phone, prevent duplicate accounts, and enforce abuse safeguards
• Process payments, fulfill credit purchases, and manage subscriptions through Stripe
• Send transactional notifications (account, billing, exam-ready alerts) by email through Resend and by SMS through Twilio
• Investigate errors, measure feature usage in aggregate, and improve the product through PostHog analytics and Sentry error tracking
• Respond to your support requests, refund inquiries, and DMCA notices
• Comply with applicable law and protect the rights, safety, and property of ExamPull, our users, and the public

We do not sell your data, share it with advertisers, or use the contents of your uploads for any purpose other than delivering the Service to you.

ExamPull is built on top of large language models. We route requests through OpenRouter, with primary models including Google Gemini, OpenAI GPT, and OpenAI's GPT Image 2 for visual annotation rendering, plus dedicated models for grading and topic extraction. Specific routing and providers may change as we tune for quality and cost.

When we send your uploads or exam content to a model provider:

• Each request includes provider data-policy headers that opt your content out of training. Providers we use have contractual terms that exclude training use of API content.
• Your content is transmitted over TLS 1.3 and processed in the provider's region per their data-residency commitments.
• Content sent for one exam is not pooled across other users. Caching at the provider level is short-lived and per-account.
• Topic extraction caches we maintain ourselves are scoped to your account and are never shared across users.

In short: your materials and your exams are not used to train any AI model. If a provider's policies were ever to change in a way we found incompatible with this commitment, we would migrate off that provider.

ExamPull is a direct-to-student tool, not a service contracted by a school district. Where students upload their own education-record materials (notes, returned tests, course documents), we handle those uploads with the same access restrictions and retention controls FERPA expects of school officials: per-account isolation, encryption in transit and at rest, and prompt deletion on request. We do not disclose your education records to third parties without your consent except as required by law.

For users in the European Economic Area, the United Kingdom, and other GDPR-aligned jurisdictions, we act as the data controller for account information and as a processor for the materials you upload. You have the right to access, correct, port, and erase your data, and to object to or restrict certain processing. To exercise these rights, email privacy@exampull.com. We respond within 30 days. Our legal bases for processing are the performance of our contract with you (Article 6(1)(b)), our legitimate interests in operating and securing the Service (Article 6(1)(f)), and your consent for marketing-style communications you opt into.

For active accounts, we retain your uploaded materials, generated exams, attempts, and grading results indefinitely so you can return to them whenever you study. You can delete individual items at any time from the library; deletion is immediate and irreversible.

When you delete your account, we trigger a full data wipe: all exams, materials, page images, attempts, grading data, and profile information are removed from our primary databases and storage within seven days. Encrypted off-site backups, used only for disaster recovery, expire on a 30-day rolling cycle; your data will not be restored from backups except in a catastrophic failure scenario, and any restoration will re-trigger the deletion within 24 hours.

Anonymous preview sessions — when a visitor generates a sample exam without creating an account — are retained for 30 days as a single bundle (uploads plus the generated exam) so the visitor has time to sign up and claim them. After 30 days the entire anonymous bundle is purged automatically.

Billing records and tax-required transaction data are retained for the period required by applicable tax and accounting law, typically seven years, even after account deletion. Audit-log entries about administrative actions are retained in an isolated project for security and forensic purposes.

You can:

• Access and download a complete export of your account data — exams, materials, attempts, grading feedback, and metadata — from the Settings page. Exports are delivered as a downloadable archive.
• Correct any account information from your profile.
• Delete individual exams, materials, or your entire account.
• Opt out of marketing emails and SMS at any time. Transactional notifications (security alerts, billing receipts, exam-ready notifications) cannot be turned off while the account is active.
• Object to specific processing activities — contact privacy@exampull.com and we will respond within 30 days.

We use cookies and equivalent browser storage for three purposes:

• Essential: session cookies that keep you logged in, CSRF protection, theme preference, and a hash of your device fingerprint for preview-abuse prevention. These are required for the Service and cannot be disabled while you use the site.
• Analytics: PostHog uses a first-party cookie to attribute a session to a stable anonymous identifier so we can understand how features are used. We honor Do Not Track and Global Privacy Control signals.
• Error tracking: Sentry uses minimal storage to attach a session ID to error reports.

We do not run advertising cookies, and we do not embed third-party trackers from social platforms.

We rely on a focused set of vendors to operate the Service. Each receives only the data necessary for its function:

• Google Firebase & Google Cloud — authentication, Firestore database, Cloud Storage for files, Cloud Tasks for background jobs, hosting via Firebase App Hosting
• OpenRouter — gateway to language model providers (Google Gemini, OpenAI, etc.) for topic extraction, exam generation, and grading
• Stripe — subscription billing, credit pack payments, refunds, and tax handling
• Resend — transactional and account-related email delivery
• Twilio — phone verification and account recovery via SMS
• Sentry — application error monitoring
• PostHog — product analytics, restricted to first-party hosting
• Featurebase — public roadmap, feedback, and changelog tooling (only the content you choose to post is shared)

Each provider is bound by its own privacy commitments and a data processing agreement with ExamPull where applicable.

All data is encrypted at rest using Google Cloud's default AES-256 and in transit via TLS 1.3. Access to user data within our systems is restricted by Firebase Security Rules to the owning account, and administrative access requires passkey-based authentication plus step-up verification for destructive operations. Worker endpoints that process your materials run under isolated service accounts with the minimum permissions required.

No system is perfectly secure. If we ever experience a breach that is reasonably likely to affect you, we will notify you without undue delay, in any case within 72 hours of confirming the breach, and will report to regulators where required.

ExamPull is not directed to children under 13. We do not knowingly collect personal information from a child under 13 without verifiable parental consent. If you are a parent and believe your child has created an account without consent, email privacy@exampull.com and we will delete the account and associated data promptly.

Users between 13 and 17 may use the Service with the involvement of a parent or legal guardian, who is bound by these Terms on the user's behalf.

We will update this policy as the Service evolves. Material changes (anything that broadens how we use your data) will be announced by email and on the changelog, with at least 14 days' notice before the change takes effect. Smaller clarifications will be reflected here with an updated effective date.

For privacy questions, requests under GDPR or comparable laws, or any concern about how your data is handled, write to privacy@exampull.com. For general account or product support, use the support portal.