Legal
Privacy Policy
Last updated: April 3, 2026 · Effective: April 3, 2026
SGrade (“we”, “our”, “us”) operates sgrade.ai and is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how we use it.
1. Information we collect
1.1 Information you provide directly
- Account registration: email address, display name (optional), profile photo (optional)
- Payment information: processed entirely by Stripe; we never store raw card data
- Support messages and feedback you send us
1.2 Information collected automatically
- Log data: IP address, browser type, operating system, referring URL, pages visited, time spent
- Device data: screen resolution, device type, language preference
- Cookies and similar technologies: session cookies (authentication), persistent cookies (preferences), analytics cookies (Google Analytics), advertising cookies (Google AdSense)
- Usage data: exam attempts, question responses, scores, streaks, study session length
1.3 Information from third parties
- If you sign in with Google OAuth: name, email, and profile picture as provided by Google
- Aggregate analytics data from Google Analytics
2. How we use your information
- Provide, maintain, and improve the SGrade platform
- Authenticate your account and maintain session security
- Send transactional emails (sign-in magic links, exam result summaries) — you can opt out of non-essential emails at any time
- Personalise your learning experience (adaptive difficulty, recommended topics)
- Analyse usage trends to improve question quality and platform performance
- Serve relevant advertisements through Google AdSense (see Section 5)
- Comply with legal obligations and enforce our Terms of Use
- Respond to support requests
3. Legal basis for processing (GDPR)
For users in the European Economic Area and UK, we rely on the following legal bases:
- Contract: processing necessary to deliver the service you signed up for
- Legitimate interests: analytics, fraud prevention, platform improvement
- Consent: advertising cookies and optional marketing communications — you may withdraw consent at any time via our cookie preference centre
- Legal obligation: compliance with applicable law
4. Cookies
We use cookies and similar tracking technologies. You can control non-essential cookies via your browser settings or our cookie consent banner.
| Cookie type | Purpose | Duration |
|---|---|---|
| __Secure-next-auth.session-token | Authentication session | Session |
| sgrade_valuebar_dismissed | Hides the value bar after dismissal | 30 days |
| _ga, _gid | Google Analytics — usage statistics | 2 years / 24 hours |
| _gads, IDE, test_cookie | Google AdSense — interest-based ads | Up to 2 years |
To opt out of Google Analytics tracking, visit tools.google.com/dlpage/gaoptout. To opt out of personalised Google ads, visit adssettings.google.com.
5. Google AdSense & third-party advertising
SGrade uses Google AdSense to display advertisements. Google, as a third-party vendor, uses cookies to serve ads based on your prior visits to this website and other sites on the internet.
Google's use of advertising cookies enables it and its partners to serve ads to you based on your visit to our site and/or other sites on the internet.
Users may opt out of personalised advertising by visiting www.aboutads.info or optout.networkadvertising.org.
We do not control the content of third-party advertisements served through AdSense.
For more information about how Google uses data when you use our site, visit policies.google.com/technologies/partner-sites.
Ads served may be based on content relevance, geographic location, or inferred interests. We never pass personally identifiable information to Google AdSense advertisers.
6. Data sharing & disclosure
We do not sell your personal data. We share data only in the following cases:
- Service providers: hosting (AWS), email delivery (Resend), payment processing (Stripe), analytics (Google Analytics), advertising (Google AdSense) — each bound by data processing agreements
- Legal requirements: if required by law, court order, or to protect the rights and safety of SGrade or its users
- Business transfers: in connection with a merger, acquisition, or sale of assets, with advance notice to users
- With your consent: any other sharing requires your explicit opt-in
7. Data retention
- Active account data: retained while your account is active plus 90 days after a deletion request
- Exam attempt history: retained for 2 years to support learning progress tracking
- Server log data: 30 days rolling
- Anonymised, aggregated analytics: retained indefinitely (cannot be linked back to you)
- You may request deletion at any time (see Section 9)
8. International data transfers
SGrade is operated from India. If you access our service from the EEA, UK, or other regions with data transfer restrictions, your data may be transferred to and processed in countries that may not provide the same level of data protection. We use Standard Contractual Clauses and equivalent safeguards where required.
9. Your rights
Depending on your location you may have the right to:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure (“right to be forgotten”): request deletion of your account and associated data
- Restriction: restrict how we process your data in certain circumstances
- Portability: receive your data in a structured, machine-readable format
- Objection: object to processing based on legitimate interests or for direct marketing
- Withdraw consent: where processing is based on consent, withdraw it at any time
To exercise any right, email legal@sgrade.ai. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
10. Children's privacy
SGrade is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal information, contact legal@sgrade.ai and we will delete it promptly. Users aged 13 to 18 should use the platform only with parental consent.
11. Security
We implement industry-standard security measures including TLS encryption in transit, bcrypt-hashed credentials, database access controls, and regular security reviews. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.
12. Changes to this policy
We may update this policy periodically. Material changes will be communicated by updating the “Last updated” date at the top of this page and, where required, by email notification. Your continued use of SGrade after the effective date constitutes acceptance of the revised policy.
13. Contact us
SGrade Legal
Email: legal@sgrade.ai
Address: [Your registered business address]
Data Controller: [Your registered entity name]
For GDPR enquiries specifically, you may also contact our representative at the same email with subject line “GDPR Request”.