Last updated: April 13, 2026

Privacy Policy

NextPrep Academy is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how you can control it.

1. Data Controller

NextPrep Academy (“we,” “our,” or “us”) operates the website nextprepacademy.com and is the data controller responsible for your personal information.

Contact: privacy@nextprepacademy.com

2. Data We Collect

2.1 Account & Registration Data

  • Full name and email address (required to create an account)
  • Password (stored as a salted hash; we never see it in plain text)
  • Profile photo (optional, if you choose to upload one)

2.2 Purchase & Transaction Data

  • Order history and download records
  • Billing address (collected by our payment processors, Stripe and PayPal, and passed to us in summary form)
  • We do not store your full card number, CVV, or bank account details
  • Transaction IDs and payment status

2.3 Usage & Technical Data

  • IP address and approximate geographic location (country/city level)
  • Browser type, operating system, and device type
  • Pages visited, links clicked, and session duration
  • Referrer URL (the page that brought you to our site)

2.4 Communications

  • Messages you send via our Contact form
  • Email newsletter subscriptions (opt-in only)
  • Support ticket content and history

2.5 User-Generated Content

  • Book reviews and ratings you submit
  • Blog comments (if enabled)

3. How We Use Your Data

| Purpose | Legal Basis (GDPR) |
| --- | --- |
| Provide and deliver digital products you purchase | Contract performance |
| Authenticate your account and maintain security | Contract performance / Legitimate interest |
| Process payments and prevent fraud | Contract performance / Legal obligation |
| Send transactional emails (order confirmations, download links) | Contract performance |
| Send promotional newsletters (with your consent) | Consent |
| Respond to support requests and contact form submissions | Legitimate interest |
| Improve our platform (analytics, A/B testing) | Legitimate interest |
| Comply with legal obligations (tax records, GDPR requests) | Legal obligation |
| Enforce our Terms of Service | Legitimate interest |

We will never sell, rent, or trade your personal data to third parties for their own marketing purposes.

4. Cookies & Tracking Technologies

We use cookies and similar technologies to operate our website and improve your experience. You can control cookies through your browser settings; however, disabling essential cookies may break certain features.

Essential Cookies

Required for login sessions, shopping cart, and security. Cannot be disabled.

Examples: Session token, CSRF token

Analytics Cookies

Help us understand how visitors use the site (e.g., Google Analytics). Anonymised where possible.

Examples: _ga, _gid

Payment Cookies

Set by Stripe and PayPal during the checkout process for fraud detection and session management.

Examples: __stripe_mid, __paypal_storage__

Preference Cookies

Remember your settings such as theme or language preference.

Examples: theme, locale

6. Data Retention

  • Account data: Retained as long as your account is active. Deleted within 30 days of a verified account-deletion request, except where required by law.
  • Purchase and transaction records: Retained for 7 years to comply with tax and accounting regulations.
  • Download tokens: Expire after 7 days or 5 download attempts (whichever comes first).
  • Support communications: Retained for 2 years to help us improve our service and resolve disputes.
  • Analytics data: Aggregated and anonymised after 26 months.

7. Your Rights

Depending on your country of residence, you may have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Correct inaccurate or incomplete data.

Right to Erasure

Request deletion of your data ("right to be forgotten"), subject to legal retention obligations.

Right to Restrict Processing

Ask us to limit how we use your data in certain circumstances.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

Withdraw Consent

Withdraw consent at any time where we rely on it (e.g., marketing emails).

CCPA Rights (California)

California residents may opt out of any sale of personal information (we do not sell personal data).

To exercise any of these rights, contact us at privacy@nextprepacademy.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

8. Children's Privacy

Our platform is not directed at children under the age of 16. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal data, please contact us immediately at privacy@nextprepacademy.com and we will promptly delete it.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. When we transfer data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, to protect your information in accordance with this Privacy Policy.

10. Security Measures

We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • TLS/SSL encryption for all data in transit
  • Encrypted storage for sensitive data at rest
  • Passwords stored as salted bcrypt hashes
  • Payment data handled solely by PCI-DSS-certified processors
  • Regular security audits and dependency updates
  • Role-based access controls for staff

Despite our efforts, no system is 100% secure. If you discover a security vulnerability, please disclose it responsibly to security@nextprepacademy.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features we offer. When we make material changes, we will notify you by email (to the address associated with your account) and by updating the “Last updated” date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

12. Contact & Data Requests

For any privacy-related questions, data-access requests, or complaints, please reach out to our Data Protection contact:

We aim to respond to all privacy-related requests within 30 calendar days.