Privacy Policy

Last updated: 24 March 2026

1. Controller of Personal Data

This Privacy Policy explains how personal data are processed in connection with the EPSO Practice website and services.

Controller / Trader:
Mariusz Grabowski ePaper DTP
ul. Milenijna 43 lok. 2
03-130 Warszawa
Poland
NIP: 8761938209
REGON: 870466549

Contact regarding privacy matters: contact@epsopractice.eu

If you contact us in relation to personal data, please describe your request in sufficient detail so we can verify and handle it properly.

2. Scope of this Privacy Policy

This Privacy Policy applies to personal data processed when you:

  • visit our website,
  • create or use an account,
  • sign in using Google,
  • purchase access to our paid services,
  • use practice questions, quizzes, explanations and progress features,
  • contact us,
  • request support, refunds, or exercise your legal rights.

3. What We Do

EPSO Practice is an online educational platform providing practice materials for candidates preparing for European Personnel Selection Office (EPSO) competitions and similar assessments.

The service is provided for educational and practice purposes only. We are not affiliated with EPSO, the European Commission, or any EU institution.

4. Categories of Personal Data We Process

Depending on how you use the service, we may process the following categories of personal data:

4.1 Account and identity data

  • email address,
  • name or profile data received from your Google account, if made available by you through Google OAuth,
  • internal user ID,
  • authentication-related identifiers.

4.2 Login and authentication data

  • information necessary to authenticate you,
  • records that your account was created or accessed through Google sign-in,
  • session identifiers and security tokens.

We do not receive or store your Google password.

4.3 Service usage and learning data

  • questions answered,
  • results and scores,
  • answer history,
  • progress information,
  • explanations displayed,
  • seen/not-seen question status,
  • data used for platform features such as repetition avoidance, session history, and learning progress.

4.4 Order and payment-related data

  • purchased plan or access type,
  • purchase status,
  • transaction and subscription/access metadata,
  • billing status,
  • invoice or tax-related information where legally required.

Payments are processed by Stripe. We do not store full payment card details on our own systems. Stripe acts under its own privacy and compliance framework, including EU-U.S. Data Privacy Framework commitments publicly described by Stripe.

4.5 Technical and device data

  • IP address,
  • browser type and version,
  • device type,
  • operating system,
  • approximate technical location derived from IP where necessary for security,
  • referring pages,
  • timestamps,
  • logs relating to requests, errors, abuse prevention, and service integrity.

4.6 Communication data

  • messages sent to us,
  • support inquiries,
  • complaint or refund correspondence,
  • records of our responses.

4.7 Legal and compliance data

  • records required to establish, exercise, or defend legal claims,
  • records needed to comply with tax, accounting, and consumer law obligations.

5. Sources of Personal Data

We collect personal data:

  • directly from you,
  • from your device/browser when you use the website,
  • from Google when you choose Google sign-in,
  • from Stripe and related payment systems in connection with purchases,
  • from service providers who host or support our platform.

6. Purposes and Legal Bases for Processing

Under the GDPR, we process personal data only where a valid legal basis applies. The main legal bases are performance of a contract, compliance with legal obligations, legitimate interests, and consent where required.

We process your personal data for the following purposes:

6.1 To provide the service and your account

This includes account creation, authentication, providing access to questions and explanations, saving progress, and enabling paid access.

Legal basis: Article 6(1)(b) GDPR - performance of a contract.

6.2 To process orders and payments

This includes verifying payment status, granting purchased access, handling invoices, and managing refunds or charge-related issues.

Legal basis: Article 6(1)(b) GDPR - performance of a contract; and where necessary Article 6(1)(c) GDPR - compliance with legal obligations.

6.3 To maintain security, prevent fraud and abuse

This includes monitoring logs, protecting accounts, preventing unauthorized access, debugging, and ensuring service integrity.

Legal basis: Article 6(1)(f) GDPR - legitimate interests in securing the service and preventing abuse.

6.4 To provide support and respond to inquiries

This includes answering emails, handling requests and complaints, and assisting users.

Legal basis: Article 6(1)(b) GDPR where related to the service contract; or Article 6(1)(f) GDPR for general support and communication.

6.5 To comply with legal obligations

This includes tax, accounting, consumer protection, and legal recordkeeping duties.

Legal basis: Article 6(1)(c) GDPR - compliance with legal obligations.

6.6 To establish, exercise, or defend legal claims

This includes storing necessary evidence in case of disputes, complaints, chargebacks, or enforcement matters.

Legal basis: Article 6(1)(f) GDPR - legitimate interests.

6.7 To send service-related communications

This includes important messages about access, purchases, technical issues, material changes to the service, or legal documents.

Legal basis: Article 6(1)(b) GDPR and/or Article 6(1)(f) GDPR.

7. Whether Providing Data Is Mandatory

Providing some data is necessary to create an account, log in, purchase access, and use core service features. If you do not provide the required data, we may not be able to provide the service or process your order.

Providing data in other cases, such as general contact inquiries, is voluntary, but without some data we may not be able to respond effectively.

8. Automated Decision-Making and Profiling

We do not make decisions producing legal or similarly significant effects based solely on automated processing within the meaning of Article 22 GDPR.

Certain automated service functions may be used, such as progress tracking, content access control, or no-repeat logic for questions, but these are used to operate the educational service and do not produce legal or similarly significant effects.

9. Recipients of Personal Data

We may share personal data only where necessary, including with:

  • hosting and infrastructure providers,
  • authentication and login providers (such as Google),
  • payment processors (such as Stripe),
  • email or support tools,
  • IT/security service providers,
  • accountants, legal advisors, or public authorities where required by law.

We do not sell your personal data.

10. International Transfers

Some of our service providers may process personal data outside the European Economic Area (EEA). Where this happens, we use a lawful transfer mechanism under the GDPR, such as:

  • an adequacy decision,
  • the EU-U.S. Data Privacy Framework where applicable,
  • Standard Contractual Clauses, together with supplementary safeguards where required.

Stripe publicly states that it participates in the EU-U.S. Data Privacy Framework. Supabase also documents EU region availability and contractual data-protection arrangements.

11. Data Retention

We retain personal data only for as long as necessary for the purposes for which they were collected, including legal, tax, accounting, security, and dispute-resolution needs.

Typical retention periods may include:

  • Account data: for as long as the account remains active and for a limited period after deletion where necessary for legal, security, or evidentiary purposes.
  • Purchase and billing records: for the period required by tax and accounting law.
  • Support correspondence: for as long as reasonably necessary to handle the matter and protect against future disputes.
  • Technical logs: for a limited period necessary for security, fraud prevention, debugging, and operational integrity.
  • Question repetition/no-repeat status: for the period necessary for the relevant platform feature.

12. Your Rights Under the GDPR

Subject to applicable law, you have the right to:

  • request access to your personal data,
  • request rectification of inaccurate data,
  • request erasure of your data,
  • request restriction of processing,
  • object to processing based on legitimate interests,
  • request portability of data where applicable,
  • withdraw consent at any time where processing is based on consent,
  • lodge a complaint with a competent supervisory authority.

In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych - UODO).

To exercise your rights, contact: contact@epsopractice.eu

We may need to verify your identity before fulfilling your request.

13. Cookies and Similar Technologies

We use only those cookies and similar technologies that are necessary for the proper functioning and security of the website and user authentication.

Necessary technologies may include:

  • session/authentication cookies,
  • security-related cookies,
  • technical storage required to keep you logged in or maintain service functionality.

We do not currently use advertising cookies or non-essential analytics cookies.

14. Children

The service is not directed to children under the age at which they may lawfully consent to online services under applicable law, and is intended primarily for adult users preparing for EPSO-related competitions.

We do not knowingly collect personal data from children in violation of applicable law.

15. Data Security

We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, unlawful processing, accidental loss, destruction, or damage.

These measures may include access controls, authentication safeguards, secure hosting arrangements, restricted administrative access, logging, and other security controls appropriate to the nature of the service.

16. Third-Party Services and Links

Our website or service may integrate or link to third-party services, including Google and Stripe. Their services are subject to their own terms and privacy policies, and we encourage you to review them.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect legal, operational, or technical changes.

The latest version will always be published on this page with the updated date. If changes are material, we may also provide additional notice through the website or by email where appropriate.

18. Contact

For any questions relating to this Privacy Policy or personal data processing, contact:

Mariusz Grabowski ePaper DTP
ul. Milenijna 43 lok. 2
03-130 Warszawa
Poland
NIP: 8761938209
REGON: 870466549
Email: contact@epsopractice.eu