Privacy Policy
Last Updated: December 26, 2025
Privacy at a Glance
Free Practice Exams
- No account required
- No personal data collection
- Anonymous analytics only
- Progress saved locally in browser
- Cookie consent required
Premium Courses (Optional)
- Account required with email address
- Email used only for account recovery
At Nex Arc Learning ("we", "our", or "us"), we are committed to protecting your privacy. This Privacy Policy
explains how we collect, use, and safeguard information when you visit our website nex-arc-learning.com (the
"Site").
1. Information We Collect
We collect minimal information from visitors to our Site:
- Analytics Data: We use Google Analytics to collect anonymous usage data, including pages visited, time spent on pages, browser type, device type, and general geographic location (country/region level).
- No Personal Information: We do not collect names, email addresses, or any personally identifiable information directly through this Site.
- Local Storage: Our practice exams may use browser local storage to save your exam progress locally on your device. This data never leaves your browser.
Data Protection Impact Assessment (DPIA): We have conducted a Data Protection Impact
Assessment under Article 35 GDPR. Our assessment determined that this service presents minimal privacy
risks due to our data minimization approach, use of local storage for user preferences, and pseudonymized
analytics. No high-risk data processing activities are performed.
Privacy by Design and by Default (Article 25 GDPR): We implement privacy by design
principles throughout our service. This includes: data minimization (collecting only essential information),
local-first storage (exam progress stored in your browser, not our servers), pseudonymized analytics
(IP anonymization enabled), and granular cookie consent controls. Default settings prioritize your privacy.
2. How We Use Information
The information we collect is used solely to:
- Understand how visitors interact with our Site
- Improve our content and user experience
- Track which practice exams are most popular
- Measure the effectiveness of our educational materials
3. Cookies and Tracking Technologies
We use cookies and similar tracking technologies for:
Analytics Cookies:
Functional Cookies (for paid course platform):
- Session Cookies: Store your login state when accessing paid courses
- Authentication Cookies: Essential for accessing purchased courses (required cookies, cannot be opted out while using paid platform)
- Expiration: Session cookies expire after 1 hour of inactivity
- Security: Secure, HttpOnly, SameSite=Strict flags for enhanced security
CloudFront Signed Cookies (for content protection):
- Used to protect paid course content from unauthorized access
- Expire after 1 hour
- Required for accessing premium content
- No personal data stored in cookies (only access tokens)
Local Storage:
- To save your exam progress locally on free practice exams (optional functionality)
- Data never leaves your browser
- Can be cleared at any time through browser settings
Detailed Cookie Information
| Cookie Name | Type | Purpose | Expiration | Provider |
| CognitoIdentityServiceProvider.* | Essential | Authentication session management | Session | AWS Cognito (First-party) |
| CloudFront-Signature, CloudFront-Key-Pair-Id, CloudFront-Policy | Essential | Signed cookies for premium content access | 1 hour | AWS CloudFront (First-party) |
| _ga | Analytics | Google Analytics user identification | 2 years | Google Analytics (Third-party) |
| _ga_* | Analytics | Google Analytics session tracking | 2 years | Google Analytics (Third-party) |
Cookie Categories:
- Essential Cookies: Required for site functionality (authentication, access control). Cannot be disabled.
- Analytics Cookies: Optional. Help us understand usage patterns. Requires your consent.
4. Payment Processing and Lemon Squeezy
When you purchase a course through our platform, payment processing is handled by Lemon Squeezy, LLC
("Lemon Squeezy"), our Merchant of Record. This means:
- You contract directly with Lemon Squeezy for purchases
- Lemon Squeezy processes your payment information (credit card, PayPal, etc.)
- Lemon Squeezy handles all payment-related data according to their Privacy Policy:
https://www.lemonsqueezy.com/privacy
- Lemon Squeezy shares limited information with us (name, email, purchase details) for order fulfillment under legitimate interest (Art. 6(1)(f) GDPR)
Data shared by Lemon Squeezy with us:
- Email address
- Name (if provided)
- Course purchased
- Order ID
- Purchase date and amount
- Country/region
We use this data solely for:
- Granting access to purchased courses
- Providing customer support
- Sending purchase confirmations and receipts
- Legal compliance and fraud prevention
Important: We do NOT receive your full payment card details - these remain securely with Lemon Squeezy.
Legitimate Interest for Order Fulfillment (Art. 6(1)(f) GDPR):
We receive your email, name, and course ID from Lemon Squeezy via webhooks to fulfill your purchase. Our legitimate interest is providing the digital course you paid for. This minimal data sharing is necessary, expected by customers, and poses minimal privacy risk. Our interests do not override your rights, as you receive the purchased service and can exercise your GDPR rights at any time.
5. User Accounts and Authentication
When you create an account to access paid courses, we collect and process the following information:
Account Information:
- Email address (required, used as username)
- Password (hashed and encrypted, never stored in plain text)
- Given name and family name (optional)
- Account creation date
- Last login date
Authentication is managed through AWS Cognito, a service provided by Amazon Web Services (AWS):
- AWS processes authentication data on our behalf (data processor under Art. 28 GDPR)
- Data is stored in AWS data centers in the EU region (eu-central-1, Frankfurt, Germany)
- AWS complies with GDPR through their Data Processing Addendum
- AWS Privacy Notice: https://aws.amazon.com/privacy/
You may enable optional multi-factor authentication (MFA) using time-based one-time passwords (TOTP) for enhanced security.
Account Data Retention:
- Active accounts: Retained while account is active
- Inactive accounts: Retained for 3 years after last login
- Deleted accounts: Personal data purged within 30 days
6. Purchase History and Course Entitlements
We store the following information in our secure database (AWS DynamoDB) to manage your course access:
Course Entitlement Records:
- User ID (internal identifier)
- Course IDs you have purchased
- Order IDs from Lemon Squeezy
- Access grant date
- Purchase amount and currency
Note: These records indicate which courses you own (entitlement), not when you access them (usage logs).
Transaction History:
- Transaction ID (internal and Lemon Squeezy)
- Course purchased
- Transaction date and time
- Transaction status (pending, completed, refunded)
- Amount paid
Data Storage:
- Hosted by Amazon Web Services (AWS) in Frankfurt, Germany (eu-central-1)
- Encrypted at rest using AWS-managed encryption keys
- Access restricted to authorized personnel only
- Backed up daily for disaster recovery
Data Retention:
- Active course access: Retained indefinitely (lifetime access promised)
- Transaction records: Retained for 10 years (German tax law requirement § 147 AO)
- Refunded transactions: Marked as refunded, retained for 10 years
7. Third-Party Services
Our Site uses the following third-party services:
- Google Analytics: For website analytics. Google Privacy Policy
- Content Delivery Networks (CDNs): We use the following CDN services for faster site loading:
  - Bootstrap (via cdn.jsdelivr.net) - UI framework, no personal data shared
  - Font Awesome (via cdnjs.cloudflare.com) - Icons, no personal data shared
  - Google Fonts (via fonts.googleapis.com) - Typography. Note: When loading fonts, your IP address and the URL of the page you're visiting may be shared with Google. This is necessary for the font delivery service to function. Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) in providing an optimal user experience. Google Privacy Policy
We are not responsible for the privacy practices of third-party websites or services.
7a. Subprocessors
We use the following subprocessors to provide our services:
| Subprocessor | Purpose | Location |
| Amazon Web Services (AWS) | Cloud infrastructure (Cognito, DynamoDB, CloudFront, Lambda) | EU (Frankfurt, Germany) & US (Northern Virginia) |
| Amazon Web Services (AWS) - CloudWatch | Log aggregation and monitoring (data processor) | EU (Frankfurt, Germany) |
| Lemon Squeezy (Lemonsqueezy Inc.) | Payment processing (Merchant of Record) | USA (Utah) - Protected by SCCs |
| Google LLC | Analytics (Google Analytics) | USA - Protected by adequacy decision |
Subprocessor Changes: We will notify you of any new subprocessors via email at least 30 days before the change takes effect. You have the right to object to new subprocessors.
Data Processing Agreements: We have executed Data Processing Agreements (DPAs) with all subprocessors as required by GDPR Article 28. Copies are available upon request by contacting info@nex-arc-learning.com.
8. Data Security
Our Site is hosted on AWS infrastructure with industry-standard security measures. Since we collect minimal data
and store exam progress locally in your browser, there is minimal risk to your personal information.
8a. Data Breach Notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Authority Notification: Notify the relevant data protection authority (German BfDI for EU users, ICO for UK users) within 72 hours of becoming aware of the breach (GDPR Article 33).
- User Notification: If the breach poses a high risk to your rights and freedoms, we will notify you directly without undue delay via email (GDPR Article 34).
- Information Provided:
  - Nature of the breach (what happened)
  - Categories and approximate number of affected users
  - Likely consequences
  - Measures taken to address the breach
  - Contact information for further inquiries
Reporting a Breach to Us: If you suspect unauthorized access to your account, immediately contact us at info@nex-arc-learning.com with subject "Security Breach Report".
9. Children's Privacy
Our Site is not directed to children under the age of 13. We do not knowingly collect information from children
under 13. If you believe we have inadvertently collected such information, please contact us.
10. Your GDPR Rights
Under the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
1. Right of Access (Art. 15 GDPR)
- Request a copy of all personal data we hold about you
- View your purchase history and account information
- Access application logs: Request logs containing your user ID from the last 30 days (older logs are automatically deleted)
- Response time: Within 30 days of your request
2. Right to Rectification (Art. 16 GDPR)
- Correct inaccurate personal data
- To update your email address or name, contact us at info@nex-arc-learning.com
3. Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
- Request deletion of your account and associated data
- Exception: Transaction records must be retained for 10 years for tax compliance (§ 147 AO German tax law)
- Anonymized data may be retained for statistical purposes
4. Right to Data Portability (Art. 20 GDPR)
- Request your data by emailing info@nex-arc-learning.com
- We will provide your data in JSON format within 30 days
- Includes: Account info, purchase history, course entitlement records
5. Right to Restriction of Processing (Art. 18 GDPR)
- Temporarily restrict processing while disputes are resolved
6. Right to Object (Art. 21 GDPR)
- Object to processing based on legitimate interest
- We will stop processing unless we have compelling legitimate grounds
7. Right to Withdraw Consent (Art. 7(3) GDPR)
- Withdraw consent for optional data processing at any time
- Does not affect past processing based on consent
- You can clear browser local storage to remove saved exam progress
- You can opt out of Google Analytics using the opt-out browser add-on
How to Exercise Your Rights:
To exercise any of these rights, contact us at: info@nex-arc-learning.com
Response Timeline:
- Standard response: Within 30 days of receiving your request
- Complex requests: May be extended to 90 days if the request is particularly complex or we receive multiple requests from you
- If we need additional time, we will inform you within the initial 30 days and explain the reason for the extension
- All responses will be provided free of charge unless your request is manifestly unfounded or excessive
Right to Lodge a Complaint:
If you believe we are not complying with GDPR, you may lodge a complaint with:
- Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- Website: https://www.bfdi.bund.de
- Email: poststelle@bfdi.bund.de
EU Representative:
Our data controller is established in the EU (Germany). For EU GDPR matters:
Nico Wichmann
c/o flexdienst
Kurt-Schumacher-Straße 76
67663 Kaiserslautern, Germany
Email: info@nex-arc-learning.com
10a. California Consumer Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Categories of Personal Information Collected:
- Identifiers: Email address, name (optional), IP address (anonymized via Google Analytics)
- Commercial Information: Purchase history, courses accessed
- Internet Activity: Browsing behavior (Google Analytics, anonymized)
Your California Rights:
- Right to Know: Request disclosure of personal information collected
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
How to Exercise Your Rights:
Email: info@nex-arc-learning.com with subject "California Privacy Rights Request"
We will respond within 45 days (extendable to 90 days if complex).
Disclosure of Sale/Sharing:
We do NOT sell or share your personal information as defined by CCPA/CPRA.
Do Not Sell or Share My Personal Information: Not applicable - we do not sell or share your data.
California Regulatory Authority:
If you have a complaint about our CCPA compliance, you may contact:
10b. UK Data Protection Rights
If you are a UK resident, you have specific rights under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018:
Your UK Rights:
- Right of Access (Article 15 UK GDPR)
- Right to Rectification (Article 16 UK GDPR)
- Right to Erasure (Article 17 UK GDPR)
- Right to Data Portability (Article 20 UK GDPR)
- Right to Restrict Processing (Article 18 UK GDPR)
- Right to Object (Article 21 UK GDPR)
UK Data Controller:
Nico Wichmann, c/o flexdienst, Kurt-Schumacher-Straße 76, 67663 Kaiserslautern, Germany
Contact: info@nex-arc-learning.com
UK Supervisory Authority:
If you are in the UK, you can file a complaint with the Information Commissioner's Office (ICO):
International Data Transfers from UK:
Your data is primarily processed in the EU (AWS Frankfurt). The UK considers the EU an adequate jurisdiction for data protection. For any transfers outside the UK/EU, we use Standard Contractual Clauses approved by the UK ICO.
10c. Automated Decision-Making and Profiling
We do NOT use automated decision-making or profiling that produces legal effects or similarly significantly affects you (GDPR Article 22).
Exam Scoring: Our practice exam scoring is a transparent, rule-based algorithm for educational purposes only. It does not affect your legal rights, certification status, or have any binding effect.
Access Control: Course access is determined by a simple binary rule: paid users have access, unpaid users do not. This is a transparent business rule, not an automated decision with legal effects.
11. Data Retention Periods
We retain different types of data for specific periods based on legal requirements and business needs:
Analytics Data (Google Analytics):
- Anonymous usage data: 26 months (Google's default setting)
- Cookie consent records: 12 months
Account Data (AWS Cognito):
- Active accounts: Duration of account + 30 days after deletion
- Email verification data: 7 days after verification
- Password reset tokens: 1 hour
Purchase and Transaction Data (DynamoDB):
- Transaction records: 10 years (German tax law: § 147 AO)
- Course entitlement records: Lifetime (perpetual access promised to customers)
- Refund records: 10 years
Customer Support Communications:
- Support emails: 3 years after last correspondence
System Logs (AWS CloudWatch):
- Application logs (payment, course access, authentication): 1 month
- Health check logs: 1 week
- Performance metrics (aggregated, anonymous): Retained indefinitely
Legal Basis for Retention:
- Tax compliance: § 147 Abgabenordnung (AO) - 10 years
- Contractual obligations: BGB § 195 - 3 years limitation period
- Legitimate interest: Fraud prevention, dispute resolution
12. Email Communications
Transactional Emails (Required):
- Order confirmations and receipts
- Course access instructions
- Password reset requests
- Account security notifications
Legal Basis: Contract performance (Art. 6(1)(b) GDPR) - These emails cannot be opted out of as they are essential to providing our service.
Marketing Emails (Optional):
We do NOT currently send marketing emails. If we introduce a newsletter in the future, you will have the right to opt-out via an unsubscribe link in every message.
Email Retention:
Support emails: Retained for 3 years for customer service quality and dispute resolution.
13. International Data Transfers
Your data may be transferred outside the European Economic Area (EEA) under the following circumstances:
AWS Infrastructure:
- Primary storage: EU (Frankfurt, Germany - eu-central-1)
- No routine transfers outside EU
- AWS complies with EU-US Data Privacy Framework
Lemon Squeezy Payment Processing:
- Lemon Squeezy operates globally but maintains GDPR compliance
- Lemon Squeezy's servers are located in the US
- Data transfers protected by Standard Contractual Clauses (SCCs)
- Lemon Squeezy complies with applicable data protection frameworks
Google Analytics:
- Data may be transferred to US
- Google Analytics 4 complies with GDPR
- You can opt out using Google's opt-out add-on
We ensure all data transfers comply with GDPR Chapter V requirements through:
- Standard Contractual Clauses (EU Commission approved)
- Adequacy decisions where available
- Data Processing Agreements with all processors
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated
"Last Updated" date. We encourage you to review this policy periodically.
15. External Links
Our Site may contain links to external websites and services. We are not responsible for the
privacy practices or content of these external sites. We encourage you to read their privacy policies before
providing any information.
16. Operational Logging and Monitoring
To ensure platform security, diagnose technical issues, and prevent fraud, we maintain system logs. This section explains what we log, why, and how long we keep it.
What We Log
Application Logs (AWS CloudWatch):
- Purpose: Troubleshooting, security monitoring, fraud prevention
- Data logged:
- User ID (anonymized UUID - not your name or email directly)
- Course IDs you access or purchase
- Transaction IDs (internal reference numbers)
- Timestamps of actions (login, purchase, course access)
- Error messages (if something goes wrong)
- Payment processor order IDs (Lemon Squeezy references)
- Retention: 1 month (automatically deleted after)
- Access: Only authorized technical staff for troubleshooting
- Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for system security and fraud prevention
Performance Metrics (AWS CloudWatch Metrics):
- Purpose: Monitor system performance, detect outages
- Data logged: Aggregated, anonymous metrics (request counts, error rates, response times)
- Retention: Retained indefinitely (no personal data)
- Legal basis: Legitimate interest (Art. 6(1)(f) GDPR) for service reliability
Why We Log
We use logs for:
- Troubleshooting: When you report an issue (e.g., "My payment failed"), logs help us find and fix the problem
- Security: Detecting unauthorized access attempts, preventing fraud
- Performance: Identifying slow pages, fixing errors
- Legal compliance: Investigating violations of our Terms of Service
Who Can Access Logs
Internal Access:
- Technical support team (for troubleshooting only)
- Platform administrators (for security monitoring)
- All access is audited
Third-Party Processors:
- Amazon Web Services (AWS) - Processes logs as a data processor (Art. 28 GDPR)
- AWS does not use our logs for their own purposes
- AWS complies with GDPR via Data Processing Addendum
Data Minimization
We practice data minimization in our logging:
- No sensitive data: We do NOT log passwords, full payment card numbers, or social security numbers
- Pseudonymization: User IDs are anonymized UUIDs (e.g., "***0000"), not your name or email
- Automatic deletion: Logs auto-delete after 1 month
- Need-to-know access: Only staff who need logs for their job can access them
Your Rights Regarding Logs
Under GDPR, you have the right to:
- Access: Request copies of logs containing your personal data (email info@nex-arc-learning.com)
- Explanation: Ask what specific data about you is logged and why
- Objection: Object to logging based on legitimate interest (we'll evaluate if we have overriding grounds for security)
Note: We cannot delete logs retroactively (they are immutable for security/audit purposes), but they auto-delete after 1 month. For account deletion (Right to Erasure), historical logs expire automatically.