Privacy Policy
Last updated: March 2026
1. Data Controller
EPSO Genius is a service operated by FACT21 SRL (BCE 0783.640.828), a company registered in Belgium. For all data protection matters, you can reach us at hello@epsogenius.com. As the data controller, we determine the purposes and means of processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).
2. Data We Collect
When you create an account, we collect your name, email address, and authentication credentials. During your use of the platform, we collect your test results, question responses, and performance metrics to power adaptive training features. If you subscribe to a paid plan, Stripe processes your payment details on our behalf – we do not store card numbers.
3. How We Use Your Data
We use your data to operate the platform, deliver and improve your study experience through adaptive recommendations, process subscription payments via Stripe, and send transactional emails (e.g. welcome emails, payment confirmations). We do not sell your personal data to third parties.
4. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Article 6): (a) Contract performance – account data, test results, and subscription management are necessary to deliver the service you signed up for. (b) Legitimate interest – we use anonymised, aggregated analytics to improve the platform, provided this does not override your rights. (c) Consent – analytics cookies (PostHog, Vercel Analytics) are only activated after you give explicit consent via our cookie banner. You may withdraw consent at any time by clearing your cookies or changing your browser settings. (d) Legal obligation – we retain certain billing records as required by Belgian and EU tax law.
5. AI Question Generation
Questions are generated using a third-party AI service. Your test responses are stored in our database (EU-hosted) and are not shared with any third party for model training purposes.
6. Cookies
We use essential cookies for authentication and session management. Analytics cookies (PostHog and Vercel Analytics) are only set after you consent via our cookie banner. For full details, see our Cookie Policy.
7. Sub-Processors
We share personal data with the following third-party processors, each under appropriate data processing agreements:
- Supabase – Database hosting and authentication (EU region – Frankfurt, Germany).
- Stripe – Payment processing. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy.
- PostHog – Product analytics (EU instance – Frankfurt, Germany). Only activated with your consent.
- Vercel – Website hosting and web analytics. Vercel may process minimal request data (IP addresses, user agent) on servers in the EU and US under Standard Contractual Clauses.
- Resend – Transactional email delivery (e.g. welcome emails, password resets). Email address and message content are processed in the US under Standard Contractual Clauses.
8. International Data Transfers
Your core data (account, test results) is stored in the EU (Supabase, Frankfurt). Where data is processed outside the EEA (Vercel for hosting, Resend for email), transfers are protected by EU Standard Contractual Clauses (SCCs) as required by GDPR Chapter V. Stripe processes payment data under its own SCCs and certifications.
9. Your Rights (GDPR)
Under GDPR, you have the right to: access your personal data (Art. 15), rectify inaccurate data (Art. 16), erase your data – you can delete your account from your profile settings (Art. 17), restrict processing (Art. 18), data portability (Art. 20), object to processing based on legitimate interest (Art. 21), and lodge a complaint with the Belgian Data Protection Authority (Autorité de protection des données). To exercise any of these rights, contact us at hello@epsogenius.com. We will respond within 30 days.
10. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we erase your personal data within 30 days, except where retention is required by law (e.g. billing records retained for 7 years under Belgian tax law). Analytics data collected by PostHog is retained for 12 months and is automatically purged thereafter.
11. Contact
For privacy-related enquiries: hello@epsogenius.com