Privacy Policy

IELTS International (“we”, “us”, or “our”) operates the website www.ielts.international (“Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our Service.

By using the Service, you consent to the practices described in this policy. If you do not agree, please do not use the Service.

Account data: When you create an account, we collect your name, email address, and password (stored as a secure hash). Authentication is managed by Supabase.

Subscription & payment data: When you subscribe to a paid plan, payment is processed by Stripe, Inc. We receive your Stripe customer ID, subscription status, plan type, and billing period. We do not receive or store your full credit card number, CVV, or bank account details — these are handled entirely by Stripe.

Level test & practice data: Your level test answers, band scores, essay submissions, and practice session data are stored in our database to provide personalised feedback and track your progress.

Email subscription: If you sign up for our newsletter, we collect your email address and optionally your target IELTS band.

Usage data: We automatically collect information such as your IP address, browser type, operating system, pages visited, time spent on pages, and referring URLs.

Device data: We may collect information about your device, including device type, screen resolution, and language preference.

We use the data we collect to:

• Provide, maintain, and improve the Service
• Process payments and manage your subscription
• Deliver personalised preparation feedback and track your progress
• Send you IELTS preparation tips and updates (if subscribed)
• Respond to your support requests
• Analyse usage patterns to improve content and features
• Detect and prevent fraud, abuse, or security issues
• Comply with legal obligations

We share data with the following third-party service providers, each with their own privacy policies:

• Supabase — Authentication and database hosting. Stores your account data and practice history.
• Stripe — Payment processing. Receives your payment information directly. See Stripe’s Privacy Policy.
• Google Analytics / Google Tag Manager — Website analytics. Collects anonymised usage data.
• Vercel — Website hosting. Processes requests and may log IP addresses.

We do not sell, rent, or trade your personal data to any third party for marketing purposes.

We use the following types of cookies:

• Essential cookies: Required for the Service to function (authentication session, locale preference).
• Analytics cookies: Google Analytics cookies to understand how users interact with the Service.
• Payment cookies: Stripe may set cookies during the checkout process for fraud prevention.

You can disable non-essential cookies in your browser settings. Disabling essential cookies may affect the functionality of the Service.

Active accounts: We retain your data for as long as your account is active and you are using the Service.

Deleted accounts: If you delete your account, we remove your personal data within 30 days. Anonymised analytics data may be retained indefinitely.

Cancelled subscriptions: Account data is retained for 12 months after cancellation in case you wish to reactivate. After 12 months of inactivity, data may be deleted.

Email subscriptions: Your email is retained until you unsubscribe. You can unsubscribe at any time using the link in any email we send.

Payment records: Transaction records are retained for 5 years as required by Brazilian tax law.

We implement industry-standard security measures to protect your data:

• All data transmitted over HTTPS (TLS encryption)
• Passwords stored using secure hashing (bcrypt via Supabase)
• Payment data handled exclusively by PCI-compliant Stripe
• Database access restricted by Row Level Security (RLS) policies
• Security headers (CSP, HSTS, X-Frame-Options) on all pages

No method of transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately.

Depending on your jurisdiction, you may have the right to:

• Access — Request a copy of the personal data we hold about you
• Correction — Request correction of inaccurate data
• Deletion — Request deletion of your personal data
• Portability — Request your data in a machine-readable format
• Objection — Object to processing of your data for certain purposes
• Withdraw consent — Withdraw consent for data processing at any time

To exercise any of these rights, email us at hello@ielts.international. We will respond within 30 days.

The Service is not intended for children under 16. We do not knowingly collect data from children under 16. If we learn that we have collected data from a child under 16, we will delete it promptly. If you believe a child has provided us with personal data, please contact us.

Your data may be processed in countries outside your own, including the United States (Supabase, Stripe, Vercel) and the European Union. We ensure that appropriate safeguards are in place for international data transfers.

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, delete, and port your data. The data controller is IELTS International, contactable at hello@ielts.international.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service at least 14 days before they take effect. The “Effective Date” at the top indicates when the policy was last revised.

If you have questions about this Privacy Policy or want to exercise your data rights, contact us at:

Email: hello@ielts.international

We typically respond within 24 hours.