Summary (plain language): Cyber Prep stores your study progress only on your device. We do not have user accounts, we do not collect your name or email, we do not sell your data, and we do not use third-party advertising or analytics SDKs. The only external connection the app makes is to download new exam questions from our question database (Supabase). Payments are handled entirely by Apple.
The data controller responsible for your personal data in connection with Cyber Prep is:
Ana Maria Albarca Becerra
Individual developer — Spain (European Union)
Email: gh@sanjemi.com
Support page: sjm025.github.io/cyberprep/support.html
As an individual developer based in the EU, Ana Maria Albarca Becerra is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For any privacy-related enquiries, please use the email address above.
Cyber Prep is designed with a privacy-first, local-first architecture. The table below describes every category of data involved when you use the app.
| Category | What it includes | Where it is stored | Shared externally? |
|---|---|---|---|
| Study performance | Questions answered, correct/incorrect flags, session timestamps, adaptive theta score, domain-level scores | Your device only (SwiftData / Core Data) | NO |
| App preferences | Selected certification, study goal (hours/week), notification preferences, optional display name you set yourself | Your device only (iOS UserDefaults) | NO |
| Question sync (network request) | When the app fetches updated questions from our Supabase database, your IP address and standard HTTP request headers are transmitted as part of the connection. No user identifier is sent — the request is fully anonymous. | Supabase server access logs (see §5) | IP ONLY |
| Subscription and purchases | Your subscription tier (active / inactive), transaction receipt data held by Apple. Cyber Prep reads only whether a subscription is active — we never see your payment details. | Apple's servers + your device (StoreKit) | APPLE ONLY |
| Local notifications | If you enable daily study reminders, the iOS notification system schedules them locally on your device. No data is sent to any server. | Your device only (iOS notification scheduler) | NO |
Apple's App Privacy manifest (PrivacyInfo.xcprivacy) accompanying the app declares NSPrivacyTracking = false and zero collected data types. The app accesses only iOS UserDefaults (reason CA92.1 — app functionality) and file timestamps (reason C617.1 — app functionality).
We do not use your data for advertising, marketing profiling, or any purpose beyond delivering and improving the Cyber Prep service.
| Processing activity | Legal basis | Article |
|---|---|---|
| Storing study performance and preferences on-device | Performance of contract — necessary to deliver the core exam-preparation service | Art. 6(1)(b) |
| Transmitting IP address to Supabase during question sync | Performance of contract — technically necessary to deliver updated content; and legitimate interests (maintaining a reliable, abuse-free question database) | Art. 6(1)(b) / Art. 6(1)(f) |
| Processing subscription status via Apple StoreKit | Performance of contract — necessary to provide paid Pro features | Art. 6(1)(b) |
| Scheduling local study reminder notifications | Consent — you explicitly enable reminders in Settings and can withdraw at any time | Art. 6(1)(a) |
Legitimate interests balancing test (Art. 6(1)(f)): Where we rely on legitimate interests (IP logging for question sync), we have assessed that this interest is not overridden by your interests or fundamental rights, given that: (i) IP addresses in server access logs are not actively used to identify individuals; (ii) the data is retained for a short period as part of standard server infrastructure; (iii) the processing is limited to what is technically inherent in any HTTPS connection.
We rely on the following third-party data processors. Each has been assessed to maintain appropriate technical and organisational security measures and, where applicable, offers a Data Processing Agreement (DPA) under GDPR Art. 28.
Role: Data processor — hosts the read-only question database that the app syncs from.
Data received: Standard HTTPS server access logs, which include IP addresses and request timestamps. No personal identifiers from the app are sent.
DPA: Supabase offers a GDPR Data Processing Addendum. See supabase.com/privacy.
Transfers: Supabase is a US company. See §6 for transfer safeguards.
Role: Separate data controller for App Store distribution, payment processing, and device platform services.
Data received: Subscription transactions, receipt data, App Store analytics (if opted in by user at iOS level). Cyber Prep reads only a boolean "is active subscriber" from StoreKit — Apple retains the full transaction records.
Privacy policy: apple.com/legal/privacy.
We have no other third-party integrations. There are no advertising networks, analytics SDKs, social login providers, CDNs for user content, or cloud backup services beyond those listed above.
As the data controller is based in Spain (EU), any transfer of personal data outside the European Economic Area (EEA) must comply with Chapter V of the GDPR.
Your study performance data, preferences, and notification settings never leave your device and therefore involve no international transfers.
| Data | Retention period | How to delete |
|---|---|---|
| Study progress, sessions, analytics | Until you delete the app (stored locally on device) | Delete the app from your iPhone/iPad |
| App settings and preferences | Until you delete the app or reset settings within the app | Delete the app, or use Settings → Reset in-app |
| IP addresses in Supabase server access logs | Up to 30 days per Supabase's default log retention; not stored by us as controller | Contact us at gh@sanjemi.com to request deletion from our side; for Supabase's logs, see Supabase privacy policy |
| Apple subscription and transaction records | Per Apple's retention policy (typically 10 years for financial records) | Contact Apple; outside our control |
| Local notification schedule | Until notifications are disabled or app is deleted | Toggle off in app Settings, or revoke notification permission in iOS Settings |
If you are located in the European Economic Area (or other jurisdictions with equivalent data protection laws), you have the following rights regarding your personal data. Given that almost all data is stored locally on your device, most of these rights are exercisable directly by you without needing to contact us.
You have the right to obtain confirmation of whether we process personal data concerning you and to receive a copy of that data. Since your study data lives on your device, you can view it directly in the app (Analytics, Profile). For the limited data processed by Supabase (server access logs), contact us at gh@sanjemi.com.
You may correct inaccurate personal data. Your display name is editable within the app. Other on-device data (session scores) can be reset via the Reset function in Settings.
You may request deletion of your personal data. Deleting the app from your device immediately and permanently erases all locally stored data. For server-side access logs processed by Supabase, email us at gh@sanjemi.com and we will pass the request to Supabase under our DPA obligations where technically feasible. Apple transaction records are outside our control and subject to Apple's own retention obligations (financial records laws).
You may request that we restrict processing in certain circumstances (e.g., while a rectification request is pending). Contact us at gh@sanjemi.com.
You have the right to receive your personal data in a structured, machine-readable format. Your study data is stored in SwiftData on your device; we do not hold a server-side copy. We are not currently able to provide an automated export. If you require an export for portability purposes, contact us and we will endeavour to assist.
Where we rely on legitimate interests (Art. 6(1)(f)) for question-sync IP logging, you may object to that processing. If you do, we will cease the processing unless we can demonstrate compelling legitimate grounds. In practice, the app requires network access to download updated questions; if you object, you may continue using the app in offline-only mode (the bundle of questions included at install time remains available).
Where processing is based on consent (local notifications), you may withdraw consent at any time without affecting the lawfulness of prior processing. Disable notifications in iOS Settings → Cyber Prep → Notifications, or within the app's Settings screen.
See §10 (Automated Decision-Making) below. No decision with significant legal effect is made solely by automated means.
How to exercise your rights: Email gh@sanjemi.com with the subject "GDPR Rights Request" and describe your request. We will respond within 30 days as required by Art. 12(3) GDPR. We may ask you to verify your identity before acting on the request. There is no fee for submitting a request.
You have the right to lodge a complaint with the supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement. The lead supervisory authority for this controller (Spain) is:
Agencia Española de Protección de Datos (AEPD)
Website: www.aepd.es
Address: C/ Jorge Juan, 6, 28001 Madrid, Spain
Phone: +34 901 100 099
We would, however, appreciate the opportunity to address your concern before you contact a supervisory authority.
Cyber Prep is rated 4+ on the App Store. The app does not contain content inappropriate for minors, and its subject matter (professional IT certification) primarily targets adults.
We do not knowingly collect personal data from children under 16 (or the applicable age of digital consent in the user's jurisdiction under Art. 8 GDPR). As the app does not collect any personal data requiring an account, parental consent is not a practical requirement for installation. If you believe a child has provided personal data to us, contact gh@sanjemi.com and we will investigate and delete such data promptly.
Cyber Prep uses an Item Response Theory (IRT) 3-Parameter Logistic (3PL) model to adaptively select questions tailored to your current ability level (theta). This constitutes automated profiling of your learning performance within the meaning of Art. 4(4) GDPR.
However, this processing:
Art. 22(1) GDPR does not apply because no automated decision produces legal or similarly significant effects. Nonetheless, we believe in transparency about how the engine works: the higher your theta score, the harder the questions selected; the lower, the easier. You can view your current theta in the Analytics tab.
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) may grant you additional rights.
Cyber Prep does not sell or share personal information for cross-context behavioural advertising purposes. The categories of personal information we collect are limited to those described in §2 above — primarily IP address in transit to Supabase, which we do not control or use for any business purpose.
California residents may request disclosure of categories of personal information collected, the business purpose of collection, and categories of third parties with whom information is shared. To submit a request, email gh@sanjemi.com with subject "CCPA Request". We will respond within 45 days.
We may update this Privacy Policy to reflect changes to the app, applicable law, or our data practices. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, seek fresh consent or provide in-app notice. We encourage you to review this page periodically.
Continued use of Cyber Prep after a revised policy has been posted constitutes your acceptance of the revised terms, to the extent permitted by applicable law.
Data Controller — Privacy enquiries
Ana Maria Albarca Becerra
Email: gh@sanjemi.com
Response time: within 30 days (Art. 12(3) GDPR)
Please include "Privacy" or "GDPR" in the subject line and, where relevant, describe which right you wish to exercise and which data category your request concerns.