Privacy Policy

Last updated: May 5, 2026

We keep this short and human. We collect the minimum data needed to run CBLE Ace, never sell it, and let you export or delete it anytime.

Privacy PolicyTerms of ServiceRefund Policy

1. Who we are

CBLE Ace is operated by an independent study-platform team (the “Service”). We are not affiliated with U.S. Customs and Border Protection (CBP) or any government agency. Our website is www.cbleace.com.

2. What we collect

Account information

  • Email address — required to sign in and recover your account.
  • Display name (optional) — shown in your profile.
  • Hashed password — managed by Supabase Auth; we never see your raw password.

Study data

  • Practice answers, mock-exam results, wrong-answer book, and bookmarks.
  • This data is stored locally first (in your browser) and synced to the cloud only when you are signed in.

Payment information

When you subscribe to Pro, payment is processed by Stripe. We never see or store your card number, CVV, or banking credentials. Stripe sends us only a tokenized customer ID, the plan you bought, and the renewal date.

Device & analytics data

  • Anonymous device fingerprint (used for the 2-device limit on Pro accounts only).
  • Aggregated usage statistics via Google Analytics (page views, anonymized IP, broad geography). We do not link this to your personal account.

3. What we do NOT collect

  • Government IDs, social security numbers, or tax IDs.
  • Banking or credit card numbers (handled by Stripe).
  • Precise GPS location, contacts list, or files outside the app.
  • Microphone, camera, or biometric data.

4. How we use your data

  1. Run the Service: authenticate you, sync progress, deliver mock exams.
  2. Process your subscription and send transactional emails (receipts, password reset, renewal reminders).
  3. Improve product quality through aggregated, anonymous statistics.
  4. Detect abuse (e.g., account sharing beyond the 2-device limit).

We never sell your data, and we never share it with advertisers.

5. Where your data lives

  • Account & study data: Supabase (Postgres) hosted in the United States.
  • Static site & edge functions: Vercel global edge network.
  • Payment data: Stripe (PCI-DSS Level 1 certified).

6. How long we keep your data

  • Active accounts: as long as you keep your account.
  • Inactive accounts (no sign-in for 24 months): we email you 30 days before deletion.
  • Deleted accounts: study data wiped within 30 days; backup retention up to 60 days.
  • Payment receipts: retained 7 years for tax compliance (Stripe).

7. Your rights

Regardless of your country of residence, we extend GDPR / CCPA-grade rights to all users:

  • Access — download a JSON export of your data anytime.
  • Correction — edit your profile or contact us for help.
  • Deletion — delete your account and data permanently.
  • Portability — receive your data in machine-readable format.
  • Opt-out — disable analytics (we honor “Do Not Track” signals).

To exercise any right, email support@cbleace.com. We respond within 30 days, free of charge.

8. Cookies

  • Essential cookies: keep you signed in, remember your language preference. These cannot be disabled.
  • Analytics cookies (Google Analytics): can be opted out via your browser's Do Not Track setting.
  • We do not use third-party advertising or tracking cookies.

9. Children

CBLE Ace is intended for users 13 and older. The CBLE itself requires test-takers to be 21+. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us immediately and we will delete it.

10. International data transfers

Your data is processed in the United States. By using CBLE Ace, you consent to this transfer. We rely on standard contractual clauses with our processors (Supabase, Stripe, Vercel).

11. Security

  • All connections use TLS 1.2+ (HTTPS only).
  • Passwords are hashed with bcrypt by Supabase Auth.
  • Database access is restricted via Row-Level Security (RLS) policies.
  • No system is 100% secure; if a breach occurs that affects you, we will notify you within 72 hours.

12. Changes to this policy

If we make material changes (e.g., new categories of data collected, new third-party processors), we will email all active users at least 30 days before the change takes effect. Minor wording updates may happen without notice but will be reflected in the “Last updated” date above.

13. Contact

Privacy questions, requests, or complaints: support@cbleace.com.

Questions about this policy?

We answer every message. Email support@cbleace.com — we typically respond within 1–2 business days.