Privacy Policy

Effective date: June 8, 2026

NPPE Vault ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and applicable provincial privacy legislation.

By using the NPPE Vault website and services (the "Service"), you consent to the collection, use, and disclosure of your personal information as described in this Privacy Policy.

1. Information We Collect

1.1 Information You Provide

Data type	When collected	Purpose
Name	Account creation	Personalize your experience, display in your account
Email address	Account creation	Passwordless authentication (magic links), account identification, essential service communications

1.2 Information Collected Automatically

Data type	Purpose
Exam results and answers	Display your score history and category performance on your dashboard
Bookmarks and progress	Allow you to resume and track your study progress
Server logs (IP address, browser type, pages visited, timestamps)	Security monitoring, abuse prevention, service reliability

1.3 Payment Information

Payment processing is handled entirely by Stripe, Inc. When you purchase Pro access, your payment card details are collected and processed directly by Stripe. We do not receive, store, or have access to your full card number. We receive only:

Confirmation that payment was successful
Stripe customer ID (a reference identifier)
Payment amount and date

Stripe's handling of your data is governed by Stripe's Privacy Policy.

1.4 Information We Do Not Collect

We do not collect:

Passwords (we use passwordless authentication)
Government-issued identification numbers
Demographic information (age, gender, ethnicity)
Location data beyond what is present in server logs
Information from social media accounts

2. How We Use Your Information

We use your personal information only for the following purposes:

Provide the Service: Authenticate your identity, deliver practice exams, track your scores and progress.
Process payments: Complete Pro tier purchases and maintain purchase records.
Send essential communications: Magic link sign-in emails, payment confirmations, and critical service notifications (such as security alerts or material changes to our Terms or Privacy Policy).
Maintain security: Detect and prevent fraud, abuse, and unauthorized access through rate limiting and server log analysis.
Improve the Service: Analyze aggregated, de-identified usage data to improve content quality and user experience.

We do not use your information for:

Marketing emails or newsletters (unless you explicitly opt in to a future offering)
Profiling or automated decision-making
Selling or renting to third parties
Targeted advertising

3. Consent

Under PIPEDA, we collect and use your personal information based on the following forms of consent:

Express consent: When you create an account, you expressly consent to us collecting your name and email address for the purpose of providing the Service.
Implied consent: When you use the Service, we collect usage data (exam results, server logs) as reasonably necessary to deliver and secure the Service.

You may withdraw your consent at any time by deleting your account (see Section 7). Withdrawal of consent may result in our inability to provide some or all of the Service to you.

4. Disclosure of Information

We do not sell, trade, or rent your personal information. We disclose your information only in the following limited circumstances:

4.1 Service Providers

We share personal information with the following third-party service providers who process data on our behalf:

Provider	Purpose	Data shared	Location
Stripe	Payment processing	Payment details (collected directly by Stripe)	United States
Resend	Transactional email delivery	Email address, name	United States
Railway / Render	Application hosting	All Service data (encrypted at rest and in transit)	United States / Canada

Each provider is contractually obligated to protect your information and use it only for the specified purpose.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government regulatory request).

4.3 Business Transfers

If NPPE Vault is involved in a merger, acquisition, or sale of assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on our Service before your information becomes subject to a different privacy policy.

5. International Data Transfers

Some of our service providers (Stripe, Resend) are located in the United States. When your personal information is transferred outside of Canada, it may be subject to the laws of the jurisdiction in which it is stored, including the laws of the United States, which may permit government or law enforcement access in certain circumstances.

We take reasonable steps to ensure that our service providers maintain appropriate safeguards for the protection of personal information transferred outside Canada, including contractual protections.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:

Data type	Retention period
Account information (name, email)	Until account deletion
Exam results and answers	Until account deletion
Payment records	7 years after transaction (as required by Canadian tax law)
Magic link tokens	Deleted after use or expiry (15 minutes)
Server logs	90 days

When data is no longer needed, we delete or de-identify it using industry-standard methods.

7. Your Rights Under PIPEDA

Under PIPEDA and applicable provincial privacy legislation, you have the following rights:

Right to access: You may request a copy of the personal information we hold about you.
Right to correction: You may request that we correct any inaccurate or incomplete personal information.
Right to deletion: You may request that we delete your account and associated personal information.
Right to withdraw consent: You may withdraw your consent to our collection and use of your personal information at any time.
Right to complain: If you believe we have not handled your personal information appropriately, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.

To exercise any of these rights, contact us at support@nppevault.com. We will respond to your request within 30 days, as required by PIPEDA.

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
Encryption at rest: Database data is encrypted at rest by our hosting provider.
Passwordless authentication: We do not store passwords, eliminating a common attack vector.
Token security: Magic link tokens are hashed (not stored in plain text) and expire after 15 minutes.
Session security: JWT session tokens expire after 7 days.
Rate limiting: API endpoints are rate-limited to prevent abuse.
Access controls: Administrative access is restricted and logged.

While we take reasonable measures to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Cookies and Tracking

NPPE Vault uses minimal client-side storage:

localStorage: We store your session token in your browser's localStorage to keep you signed in. This is not a cookie and is not sent to third parties.

We do not use:

Tracking cookies
Third-party analytics services (e.g., Google Analytics)
Advertising pixels or trackers
Social media tracking widgets

10. Canada's Anti-Spam Legislation (CASL)

In compliance with CASL, we only send you electronic messages that are:

Transactional: Magic link sign-in emails, payment confirmations, and account-related notifications. These are exempt from CASL consent requirements as they facilitate a transaction you requested or provide information about an ongoing service.
Service-critical: Notifications about material changes to our Terms of Service or Privacy Policy, or security alerts affecting your account.

We do not send marketing or promotional emails. If we introduce optional marketing communications in the future, we will obtain your express consent (opt-in) before sending them, and every such message will include a clear unsubscribe mechanism.

All our electronic messages include:

Our identity and contact information
A clear description of why you are receiving the message

11. Children's Privacy

The Service is not directed to individuals under the age of 18 (or the age of majority in their jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice on the Service at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The "Effective date" at the top indicates when it was last updated.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us:

Email: support@nppevault.com

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada.