Prepare for your competitive exams with targeted exercises
This policy applies to the Exam Arena mobile app (iOS and Android) and the web service v2.examarena.com, both operated by ARENA, registered in France under SIREN 934 277 344, with its registered office at 229 rue de Solférino, 59000 Lille, France.
ARENA is the data controller under the GDPR.
For any privacy-related question:
Email: contact@examarena.com
Mail: ARENA, 229 rue de Solférino, 59000 Lille, France
Article 1 – What data do we collect?
We only collect data needed to run the service and improve your experience. We never sell your data.
1.1 Identity and contact data
First name, last name (provided at signup or via Sign In with Apple / Google).
Email address.
Profile picture (optional).
1.2 Authentication data
Password (stored hashed and salted by Supabase, never accessible in clear text).
Apple / Google identifier if you use Sign In with Apple or Google.
1.3 Technical identifiers
Internal user ID (randomly generated UUID).
Device token for push notifications (Firebase Cloud Messaging), only if you accept notifications.
1.4 Product usage data
Exercise attempts (questions, answers, scores, time spent).
Lessons read and completion status.
Sport sessions completed.
Selected preparation, priority subjects, exam date entered during onboarding.
1.5 Payment data
Subscription status (free, premium, expiration dates).
Stripe (web) or RevenueCat (iOS / Android) technical identifiers.
Payment history (amount, currency, date, status, billing country).
We never store credit card numbers on our servers. They are processed directly by Stripe, Apple, or Google depending on the payment channel.
1.6 Preference data
Selected language.
Email notification preferences.
1.7 Marketing and attribution data
Acquisition source (UTM parameters: utm_source, utm_medium, utm_campaign, utm_term, utm_content).
Landing page, referrer.
Ad click identifiers: gclid (Google Ads), gbraid / wbraid (Google iOS).
Apple Search Ads attribution (campaign and ad identifiers, no Apple user identifier).
Article 2 – Why we collect this data
Email, name, password: account creation, authentication. Legal basis: performance of the contract.
User ID, Apple / Google identifiers: link your data to your account. Legal basis: performance of the contract.
Product usage data: save and display your progress. Legal basis: performance of the contract.
Payment data: manage your subscription, support, accounting obligations. Legal basis: contract and legal obligation.
Push device token: notify you about free credits and active offers. Legal basis: consent (OS-level prompt).
Email and subscription status: send transactional emails (welcome, receipts, password reset). Legal basis: performance of the contract.
Email and payment behavior: reminder email if you started a payment without completing it. Legal basis: legitimate interest (help you resume your purchase).
Aggregated usage data: understand how the service is used, prioritize improvements. Legal basis: legitimate interest.
UTM, click IDs, Apple Search Ads attribution: measure the effectiveness of our marketing campaigns. Legal basis: legitimate interest.
Language, preferences: personalize your interface. Legal basis: performance of the contract.
No automated decision producing legal effects is made from your data. There is no advertising profiling.
Article 3 – Who we share data with
Your data is hosted and processed by providers selected for their GDPR compliance. Each acts as a data processor under the GDPR, bound to us by a Data Processing Agreement (DPA).
Supabase Inc. – Database, authentication, file storage. France (Paris, eu-west-3). DPA and Standard Contractual Clauses.
Vercel Inc. – Web application hosting. United States (global edge network). DPA and Standard Contractual Clauses.
Stripe Payments Europe Ltd – Web payment processing. Ireland and United States. Stripe DPA and Standard Contractual Clauses.
RevenueCat Inc. – In-app purchase management (iOS and Android). United States. Standard Contractual Clauses.
Apple Inc. – Sign In with Apple, App Store, Apple Search Ads, iOS push notifications. United States. Apple DPA.
Google LLC – Sign In with Google, Firebase Cloud Messaging, Google Ads, Google Play. United States. Standard Contractual Clauses.
Resend Inc. – Transactional email delivery. United States. Standard Contractual Clauses.
Umami – Cookieless web analytics, self-hosted instance operated by ARENA. United States (Vercel). Standard Contractual Clauses.
We never sell your data to third parties for advertising purposes.
Transfers outside the European Union
Some of our providers are based in the United States. These transfers are governed by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914) and, where applicable, by the EU-US Data Privacy Framework for certified providers.
Article 4 – How long we keep your data
Active account: as long as your account is open.
Deleted account: permanently erased within 30 days of your deletion request.
Payment data: 10 years from invoicing (French accounting and tax obligation).
Technical logs (sent emails, push notifications): 12 months.
Marketing attribution data (UTM, click IDs): 13 months.
Exercise attempts and progress: for the duration of your account, deleted with the account.
Article 5 – Your rights
Under the GDPR, you have the following rights regarding your personal data:
Right of access: get a copy of your data. By request to contact@examarena.com.
Right to rectification: update your data via My account > Profile.
Right to erasure: delete your account via My account > Account > Delete my account. Your data is then erased within 30 days, except for data we are required to keep by law (payments).
Right to data portability: receive your data in a structured format. By request to contact@examarena.com.
Right to object: object to processing based on our legitimate interest by emailing contact@examarena.com.
Right to restrict processing: restrict the use of your data, by emailing the same address.
Right to withdraw consent: for push notifications, from your device settings. For marketing emails, via My account > Notifications.
We respond to any request within one month at the latest.
If you disagree with our response, you can lodge a complaint with the CNIL (3 place de Fontenoy, 75007 Paris, France, www.cnil.fr) or with your local supervisory authority.
Article 6 – Cookies and trackers
On v2.examarena.com
Session cookies (Supabase): strictly necessary for authentication. Exempt from consent under CNIL guidance 2020-091.
Umami Analytics: anonymous audience measurement, no cookies, no fingerprinting, self-hosted instance operated by ARENA. Compliant with the CNIL audience measurement exemption.
In the mobile app
No third-party cookies. No advertising SDK (no Facebook Pixel, no Google Analytics, no Hotjar).
On iOS, the Apple AdServices framework is used once at install time to measure the effectiveness of our Apple Search Ads campaigns, anonymously and without any advertising identifier (no IDFA).
Push notifications are enabled only with your explicit consent via the iOS / Android system prompt.
We do not use any advertising tracking cookies, so no cookie consent banner is shown on the v2 app.
Article 7 – Security
Connections encrypted with HTTPS / TLS 1.3.
Passwords hashed and salted by Supabase Auth (bcrypt).
Strong authentication available via Sign In with Apple or Google.
Data access protected by PostgreSQL Row Level Security.
Daily encrypted backups at Supabase.
In case of a data breach posing a risk to your rights, we will notify you without delay, as required by Article 34 of the GDPR.
Article 8 – Minors
The service is open from age 15, the minimum digital consent age in France. For users between 15 and 18, registration is under the responsibility of their legal guardians.
Article 9 – Changes
We may update this policy from time to time. Any substantial change will be notified by email and / or in the app. The last update date appears at the top of this page.
Article 10 – Contact
For any question:
Email: contact@examarena.com
Mail: ARENA, 229 rue de Solférino, 59000 Lille, France