PRIVACY POLICY

This policy does not apply to third-party websites or services linked from our platform. We encourage you to review their privacy policies independently.

• Personal Information Protection and Electronic Documents Act ("PIPEDA") — Canada's federal private-sector privacy law, applicable to our processing of Canadian users' data in the course of commercial activity
• Applicable provincial privacy legislation (including Quebec's Law 25 / Bill 64, where relevant)

• General Data Protection Regulation ("GDPR") — applies to processing of EEA residents' data
• UK GDPR and Data Protection Act 2018 — applies to processing of UK residents' data

• Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APPs") — applies to processing of Australian residents' data where we are a regulated entity under the Act

Where applicable laws conflict, LetsQualifly applies the standard most protective of users' privacy rights.

• Account registration data: name, email address, and password (stored in bcrypt-hashed form — never in plaintext)
• Profile information: country of origin, target immigration country, exam preference (IELTS, CELPIP, PTE Academic)
• Practice scores and results you enter, or that are generated and recorded during practice sessions
• Communications you send us: support requests, feedback, and grievance submissions

Speaking Practice & Audio Recording: If and when LetsQualifly introduces speaking practice modules, the platform may request access to your device microphone to record audio samples for scoring. Audio recordings are processed locally on your device where technically possible. Where recordings are transmitted to our servers for AI-based pronunciation or fluency analysis, you will be informed at the point of use and asked for explicit, separate consent. Audio recordings are retained only for the duration of the session unless you expressly consent to longer retention for personal progress tracking. You may withdraw microphone permission at any time through your device or browser settings.

• Log data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps
• Device information: device type, unique device identifiers, screen resolution, and language settings
• Usage data: features accessed, time spent on practice modules, score history, session activity, and navigation paths
• Cookies and similar technologies (see Section 10 for full details)

• Google OAuth / Social Login: if you sign in via Google, we receive your name, email address, and profile photo from Google. We do not receive your Google password. See Section 4.4 for how to disconnect your Google account.
• Public information you make available through linked accounts

If you registered using Google OAuth and later delete your LetsQualifly account, your LetsQualifly data is deleted per our retention schedule in Section 7. To also revoke LetsQualifly's access to your Google account:

• Visit myaccount.google.com → Security → Third-party apps with account access → LetsQualifly → Remove access
• Revoking Google access does not delete your LetsQualifly account or data. To delete your LetsQualifly account and data, contact privacy@letsqualifly.app separately.

LetsQualifly does not retain any Google OAuth tokens beyond the active session. We do not use social login tokens to access any Google data beyond name and email at the point of registration.

• Payment card numbers or bank account details (we do not currently process payments)
• Government identification numbers (passport, Aadhaar, SIN, etc.)
• Health or medical records
• Biometric data
• Racial or ethnic origin, political opinions, religious or philosophical beliefs
• Audio recordings without explicit, separate, in-context consent (see Section 4.1 above)

• Create and manage your account
• Deliver practice content, score comparisons, and CLB conversion results
• Track and display your learning progress over time
• Personalise your experience based on exam preference and target country
• Develop new features and improve platform performance

• Send transactional emails (account confirmation, password reset, security alerts)
• Notify you of material changes to our policies or terms (14-day advance notice)
• Respond to your support requests and grievances
• Send product updates or immigration-related content, where you have consented

• Authenticate users and prevent unauthorised access
• Detect and prevent fraud, abuse, or policy violations
• Monitor platform performance and troubleshoot technical issues
• Comply with IT Rules 2021 obligations for intermediary due diligence

• Score conversion and CLB calculation using rule-based equivalency logic (not machine learning)
• If speaking practice is introduced: audio analysis for pronunciation/fluency scoring (with separate consent)
• If predictive improvement suggestions are introduced: analysis of your practice patterns to suggest study focus areas

• Comply with applicable laws including the IT Act, IT Rules 2021, DPDP Act (when operative), PIPEDA, and GDPR
• Respond to lawful requests from public authorities or courts
• Enforce our Terms of Service and other legal agreements

• Consent: for collection of Personal Data, we obtain consent as required by IT Rules 2021, Rule 5. Consent will be obtained in the manner prescribed under the DPDP Act once operative.
• Contract performance: processing necessary to provide the services you have agreed to receive
• Legitimate purpose / legal obligation: processing required to comply with Indian law, including responding to lawful government requests

• Knowledge and consent: collection, use, and disclosure is based on your knowledge and consent, consistent with PIPEDA Principle 3
• Implied consent: for processing that is necessary and obvious from the nature of the service

• Article 6(1)(a) — Consent: for marketing communications and optional analytics
• Article 6(1)(b) — Contract: for account creation and service delivery
• Article 6(1)(c) — Legal obligation: for compliance with EU/UK law
• Article 6(1)(f) — Legitimate interests: for platform security, fraud prevention, and service improvement, where your interests do not override ours

Upon account deletion, we will delete or anonymise your Personal Data within 30 days, except where retention is required by law or for the resolution of ongoing disputes.

We engage the following third-party sub-processors to operate our platform. Each is bound by a data processing agreement obligating them to protect your data to at least the standard described in this policy:

Appendix Note: Where vendors are marked [INSERT REGION], you must confirm the hosting region before publishing. Sub-processors for future features (e.g. payment processors such as Razorpay or Stripe, or AI speech-scoring providers) will be added to this table before those features go live. The full, current list of sub-processors is available on request at privacy@letsqualifly.app.

We may disclose your information to law enforcement, courts, or government agencies where required by law, including under the IT Act and IT Rules 2021, or in response to a valid legal process. We will notify you of such disclosures unless prohibited from doing so by law.

In the event of a merger, acquisition, or sale of assets, your Personal Data may be transferred. We will provide at least 14 days' notice by email before your data becomes subject to a different privacy policy, and you will have the option to delete your account before the transfer takes effect.

We may share aggregated or anonymised data that cannot reasonably be used to identify you, for research, product improvement, or reporting purposes.

• Access: request a copy of the Personal Data we hold about you
• Correction: request correction of inaccurate or incomplete data
• Deletion / Erasure: request deletion of your Personal Data, subject to legal obligations
• Portability: receive your data in a structured, machine-readable format
• Objection: object to processing based on legitimate interests
• Withdraw Consent: withdraw previously given consent at any time; withdrawal does not affect lawfulness of prior processing

• Right to information about Personal Data being processed (Rule 5(6), IT Rules 2021)
• Right to correction, completion, updating, and erasure of Personal Data (DPDP Act, s.12–13)
• Right to grievance redressal through our Grievance Officer (see Section 21)
• Right to nominate a person to exercise rights on your behalf in case of death or incapacity (DPDP Act, s.14)
• Right to withdraw consent at any time; we will cease processing within a reasonable period and may need to close your account where processing is essential to service delivery

• Right to access your personal information held by us
• Right to challenge its accuracy and completeness
• Right to withdraw consent, subject to legal and contractual restrictions
• Right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC)

• All rights under Articles 15–22 GDPR, including access, rectification, erasure, restriction, portability, and objection
• Right not to be subject to solely automated decision-making with legal or similarly significant effects (Article 22)
• Right to lodge a complaint with your national supervisory authority (e.g. ICO in the UK, DPA in your EEA member state)

• Right to access and correction of personal information under APPs 12 and 13
• Right to complain to the Office of the Australian Information Commissioner (OAIC)

To exercise any right, email privacy@letsqualifly.app with your full name, registered email, and the right you are exercising. We will verify your identity before processing requests and respond within 30 days.

• Essential cookies: required for authentication, session management, and security. These cannot be disabled without breaking core functionality.
• Preference cookies: remember your settings (exam type, target country, language). Functional but non-essential.
• Analytics cookies: pseudonymised usage data to understand feature engagement and diagnose issues (e.g. PostHog or equivalent). No advertising profiling.

You may browse the LetsQualifly public information pages (homepage, exam guides, CLB calculator) without creating an account. In this mode, only essential cookies and server logs (IP, timestamp) are collected. You cannot access personalised score tracking or your practice history without logging in.

Registered users may request pseudonymisation of their account display name at any time by contacting privacy@letsqualifly.app. Core account records (email, login logs) will still be retained as described in Section 7.

You may manage non-essential cookies through your browser settings or through our cookie preference panel (available in the site footer). Disabling analytics cookies will not prevent you from using the platform.

We do not use cookies for advertising, behavioural profiling for third-party ad targeting, or cross-site tracking.

LetsQualifly does not currently embed Meta Pixel, Google Ads tags, LinkedIn Insight Tag, TikTok Pixel, or any other social media advertising tracker on any page of the platform. We do not share your behavioural data with social media platforms for retargeting.

If this changes (e.g. if we introduce a marketing website with analytics), we will update this section, add the relevant vendor to our sub-processor table in Section 8.1, and notify users in advance.

Our CLB calculator and band-to-score conversion tools use deterministic, rule-based logic applied to publicly available equivalency tables published by IRCC and official examination bodies (British Council, IDP, CELPIP Testing, Pearson). These tools:

• Do not use machine learning or AI models for their core logic
• Produce informational estimates only — not official assessments or immigration determinations
• Are not affiliated with or validated by IRCC, British Council, IDP, CELPIP, or Pearson
• May not reflect the most recent changes to official equivalency tables; always verify results at official sources

LetsQualifly is developing AI-assisted features including:

• Predictive improvement suggestions: analysis of your practice history to recommend focus areas. This is advisory only and does not affect your account status.
• Pronunciation and fluency scoring (planned, for speaking practice modules): AI-assisted audio analysis with separate opt-in consent
• Text-to-score alignment analysis: AI comparison of written practice responses against band descriptors

AI Limitation Notice: All AI-generated scores, suggestions, and predictions on LetsQualifly are estimates for study guidance purposes only. They do not guarantee performance on official examinations, do not constitute immigration advice, and carry no legal weight. No automated processing on our platform produces legally binding outcomes. You are entitled to request human review of any AI-generated output that affects how you use the platform by contacting privacy@letsqualifly.app.

We may build a practice profile for each registered user based on their session history, score trends, and feature usage. This profile is used only to personalise your experience within LetsQualifly. We do not sell, license, or share individual profiles with third parties.

No transmission over the Internet is 100% secure. In the event of a data breach likely to result in risk to your rights and freedoms, we will notify you and relevant regulatory authorities within 72 hours of becoming aware of the breach (or as required by applicable law).

A summary of transfer mechanisms for each sub-processor is available on request at privacy@letsqualifly.app.

If you believe we have collected data from a minor, please notify us immediately at privacy@letsqualifly.app.

This section will be updated before any phone-number collection feature is launched.

If you do not agree with the updated policy, you should stop using the platform and request account deletion before the effective date.

This section will be updated with full PCI-DSS compliance details before any paid feature is introduced.

If you require confirmation of the specific encryption configuration for compliance purposes (e.g. SOC 2 or ISO 27001 assessments), please contact privacy@letsqualifly.app.

To file a grievance, email the above address with your full name, registered email address, a description of your concern, and any relevant details. You may also reference your specific right under Section 9 of this policy.