Privacy Policy

Last updated: 2026-06-22

Kyvernitikos is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect about you, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Cypriot law.

1. Who We Are (Data Controller)

Kyvernitikos ("we", "us", "our") operates the exam-preparation platform available at kyvernitikos.com. We are the data controller responsible for your personal data.

Our registered company details and Data Protection Officer (DPO) contact are listed at the end of this policy. You may reach our privacy team at the contact details below.

2. What Personal Data We Collect

Account data: When you register, we collect your email address and the password you create (stored as a salted hash). You may optionally provide a display name.

Quiz and usage data: We record your quiz attempts, answer choices, scores, study-set contents, and time spent on each activity. This data is essential to the service and enables personalised analytics.

Payment data: Payments are processed by Stripe, Inc. We do not store your card number, CVC, or full payment details. We receive only a transaction reference, subscription status, and billing email from Stripe.

Technical and cookies data: We automatically collect your IP address, browser type, operating system, referring URL, and session identifiers. We also set cookies and similar technologies as described in our Cookie Policy.

3. How and Why We Use Your Data (Legal Bases)

Performance of contract (Art. 6(1)(b) GDPR): We use your account data, quiz data, and subscription data to provide the platform, manage your account, process payments, and deliver the service you signed up for.

Legitimate interests (Art. 6(1)(f) GDPR): We use technical data, aggregated analytics, and session identifiers to maintain the security and reliability of our platform, prevent fraud, and improve our product.

Consent (Art. 6(1)(a) GDPR): Where required by law (e.g., for non-essential cookies or marketing communications), we rely on your freely given consent, which you may withdraw at any time.

Legal obligation (Art. 6(1)(c) GDPR): We may process data to comply with applicable law, such as retaining billing records for tax and accounting purposes.

4. Who We Share Your Data With

We do not sell your personal data. We share data only with service providers (data processors) who act on our instructions under appropriate data processing agreements:

Stripe, Inc. — payment processing. Stripe operates under its own privacy policy and is certified under applicable data protection frameworks.

Mailgun Technologies, Inc. — transactional email delivery (e.g., account verification, password reset).

Our cloud hosting provider — infrastructure and database hosting. Data is stored in EU data centres wherever possible.

We may also disclose data to law enforcement or regulatory authorities where required by law.

5. International Transfers

Some of our processors (such as Stripe and Mailgun) may transfer your data outside the European Economic Area (EEA). Where this occurs, we ensure an adequate level of protection through the use of Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.

6. How Long We Keep Your Data

Account and quiz data: We retain your data for as long as your account is active and for up to 3 years after account closure, unless you request earlier erasure.

Payment records: We retain billing records for 7 years to comply with tax and accounting obligations.

Technical logs: Server logs are retained for up to 90 days for security and debugging purposes.

You may request deletion of your data at any time (see 'Your Rights' below), subject to our legal retention obligations.

7. Your Rights Under the GDPR

You have the following rights regarding your personal data, which you may exercise by contacting us at the details below:

Right of access (Art. 15): You may request a copy of the personal data we hold about you.

Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete data.

Right to erasure (Art. 17): You may ask us to delete your personal data ('right to be forgotten'), subject to our legal retention obligations.

Right to restriction of processing (Art. 18): You may ask us to restrict how we use your data in certain circumstances.

Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.

Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In Cyprus, the competent authority is the Commissioner for Personal Data Protection (www.dataprotection.gov.cy). You may also contact the supervisory authority in your EU country of residence.

8. Cookies

We use cookies and similar technologies as described in our Cookie Policy. Please read that policy to understand what cookies we use and how to manage them.

9. Children

Our platform is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the 'Last updated' date at the top of this page and, where changes are material, notify you by email or a prominent notice on our platform. We encourage you to review this policy periodically.

11. Contact Us

If you have questions about this Privacy Policy, want to exercise your rights, or wish to contact our Data Protection Officer, please use the contact details provided at the top of this document or email us at the address listed below. We aim to respond to all requests within 30 days.

Company: Kyvernitikos Ltd

Address: [Registered address]

Privacy / DPO contact: [email protected]