Privacy Policy

1. Information We Collect

Account Information

When you create an account, we collect your first name, last name, and email address. If you sign in with Google, we receive your name and email from Google's authentication service.

Study Profile

To help you find compatible study partners, we collect information you provide during onboarding and profile editing, including:

• Target exam and study level
• Location (city and state)
• University or school (optional)
• Exam date and target score (optional)
• Study duration and material completion percentage
• Study preferences (in-person, online, or flexible)
• Bio and personal interests (optional)
• Profile photo (optional upload)
• Profile accent color

Verification Email

If you choose to verify your student or professional status, we collect an additional email address (.edu or work domain) solely for the purpose of sending a verification link. This email is displayed on your profile as a verified badge once confirmed.

Messages & Connections

We store the content of direct messages sent between matched users, connection requests (including any optional message), and your connection status with other users.

Usage Data

Our server logs standard technical data including IP addresses, browser type, device type, and request timestamps. This data is used for security monitoring, abuse prevention, and debugging. It is not sold or used for advertising.

2. How We Use Your Information

• Matching: Display your profile to other users so they can find study partners with compatible exam goals, locations, and schedules.
• Messaging: Deliver direct messages between connected users in real time.
• Notifications: Send transactional emails — including email verification links and new message notifications — when you have opted in.
• Safety & Security: Detect and prevent fraud, abuse, harassment, and violations of our Terms of Service.
• Service Improvement: Understand how the platform is used in aggregate to improve features and fix bugs.

We do not use your information to serve targeted advertising, and we do not sell or rent your data to any third party for marketing purposes.

3. How We Store Your Data

All user data — including profiles, messages, and connections — is stored in a SQLite database hosted on Railway's cloud infrastructure in the United States. Profile photos are stored on Railway's persistent volume storage.

Passwords are never stored in plain text. If you registered with a password (legacy accounts), it is stored as a bcrypt hash with 12 rounds of hashing. Google Sign-In accounts have no stored password.

We take reasonable technical and organizational measures to protect your data from unauthorized access, alteration, or disclosure. However, no system is completely secure, and we cannot guarantee absolute security.

4. Cookies & Sessions

Prep Pairing uses a single cookie named token to maintain your login session. This cookie:

• Is httpOnly — inaccessible to JavaScript on the page
• Uses SameSite=Lax — sent on same-site requests and top-level navigations, but not on cross-site requests
• Is Secure in production — transmitted only over HTTPS
• Expires after 7 days

We do not use advertising cookies, third-party tracking pixels, analytics cookies, or any persistent tracking technology beyond this authentication cookie.

Deleting the token cookie logs you out of the platform.

5. Google Sign-In

If you choose to sign in with Google, we use Google's OAuth 2.0 service to verify your identity. During this process, we receive the following information from Google:

• Your email address
• Your first and last name
• Your Google profile picture URL (if available)

We do not receive access to your Google account, Gmail, Google Drive, or any other Google service. We do not receive your Google password. The Google token is verified server-side and discarded — we do not store it.

Your profile picture URL is stored in your Prep Pairing profile and displayed to other users. For more information on how Google handles your data, see Google's Privacy Policy.

6. Transactional Emails (Brevo)

We use Brevo (formerly Sendinblue) to deliver transactional emails. These are non-marketing, service-related emails that include:

• Email verification links — sent when you request student or professional verification during onboarding
• New message notifications — sent when you receive a direct message and don't yet have unread messages from that sender (to avoid spam)

To send these emails, we share your email address and first name with Brevo. Brevo acts as a data processor on our behalf and does not use your data for its own marketing purposes.

You can opt out of message notification emails at any time from your Settings → Notifications page. Verification emails cannot be opted out of, as they are required to complete the verification process you initiated.

For more information, see Brevo's Privacy Policy.

7. Hosting & Infrastructure

Prep Pairing runs on Railway (railway.app), a cloud hosting platform based in the United States. Our application server, database, and file storage are all hosted on Railway's infrastructure.

Railway may have access to server infrastructure but does not access application-level data (your profile content, messages, or personal information) in the ordinary course of operations.

For more information, see Railway's Privacy Policy.

8. Data Sharing

We do not sell, rent, trade, or otherwise share your personal data with third parties for their own commercial use.

We share data only with the following service providers, and only to the extent necessary to operate the platform:

• Brevo — email delivery (your email address and first name for transactional emails)
• Railway — cloud hosting (server infrastructure; no application data access)
• Google — authentication only (we receive your identity from Google; we do not send your data to Google)

We may disclose your information if required to do so by law, or in the good-faith belief that such action is necessary to comply with a legal obligation, protect the rights or safety of Prep Pairing or its users, or respond to a government or law enforcement request.

9. Your Rights & Data Deletion

Accessing Your Data

You can view and edit your profile information at any time by opening your profile from the browse page.

Deleting Your Account

You may permanently delete your account and all associated data at any time from your Settings page. Account deletion removes:

• Your user account and login credentials
• Your public profile and all profile information
• All messages and conversations
• All connections and connection requests

Certain data (such as server access logs) may be retained for up to 30 days for security purposes before being automatically purged.

Requesting Deletion via Email

If you are unable to delete your account through the app, you may request deletion by emailing [email protected]. We will process your request within 30 days.

California & Other Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we have collected and the right to request deletion. To exercise these rights, contact us at [email protected].

10. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us:

• Email: [email protected]
• Website: preppairing.com

We will respond to all privacy-related inquiries within 30 days.