Privacy Policy

CSE Exam Review is a Civil Service Exam mock examination platform operated by GENETRIFY INFORMATION TECHNOLOGY SERVICES, a sole proprietorship registered with the Philippine Department of Trade and Industry under DTI Business Name Registration No. 8072131. Registered address: Poblacion, Polomolok, South Cotabato, Region XII (SOCCSKSARGEN).

For the purposes of the Philippine Data Privacy Act (RA 10173), GENETRIFY INFORMATION TECHNOLOGY SERVICES is the personal information controller. Our Data Protection Officer can be reached at [email protected].

When you create an account or use CSE Exam Review, we collect:

• Account data: email address, display name, and a password (stored only as a salted hash by our auth provider, Supabase). If you sign in with Google, we receive your email and name from Google, plus a stable Google account identifier used internally to recognize you on future logins (see “Google user data” below). There is no password in that case.
• Usage data: exam attempts, answers, timestamps, scores, drill progress, and study activity. This is how the product works.
• Payment metadata: purchase records, plan, amount, currency, and a reference ID from our payment processor (PayMongo). We never see or store your card number, CVV, or full bank details.
• Device signals: user agent, screen size, and timezone. Used only as soft anti-cheat signals on timed exams.
• Diagnostic logs: server error traces and request metadata (route, status, latency). PII is scrubbed before logs are persisted.

Phone number. Home address. Birthdate. Government-issued IDs. Precise geolocation. Contact lists. Calendar entries. Files from your device. Browsing activity on other sites.

If you choose “Continue with Google” on the sign-in or sign-up screen, CSE Exam Reviewaccesses a strictly limited set of Google user data through Google's OAuth 2.0 flow, brokered by our authentication provider (Supabase). This section is our disclosure under the Google API Services User Data Policy, including its Limited Use requirements.

Data we access from Google

We request only the standard OpenID Connect scopes openid, email, and profile. From the resulting ID token, CSE Exam Review actively reads and uses:

• Your Google account email address.
• Whether Google has verified that email address (boolean flag).
• Your display name as set on your Google account.
• A stable Google account identifier (the OIDC sub claim) used internally to recognize you on subsequent logins.

Google's standard profile scope also returns a profile picture URL. Our auth provider (Supabase) caches the raw token contents server-side for the session, but CSE Exam Review does not read, display, copy, or otherwise process that picture URL. It is discarded when the account is deleted.

We do not request, access, read, or store data from any other Google service. Specifically, we do not access your Gmail, Google Drive, Google Calendar, Google Contacts, Google Photos, YouTube, Google Search history, or any other Google-hosted user content. We do not request any sensitive or restricted OAuth scopes.

How we use Google user data

• Account creation and sign-in. The email and Google account identifier are used to create your CSE Exam Reviewaccount or sign you back into an existing one. The display name pre-fills your profile so you don't have to retype it.
• Account recovery and support. The email is the address we use to contact you about your account (verification, password resets if you later add a password, billing receipts, and security notices).
• Anti-abuse. The verified-email flag helps us enforce the one-account-per-person rule.

How we do not use Google user data

• We do not sell Google user data. We do not transfer it for advertising purposes, targeted advertising, retargeting, or credit-worthiness scoring.
• We do not use Google user data to train, develop, fine-tune, or evaluate generalized or large-language AI models. Question generation in CSE Exam Review does not consume any account or Google-derived data.
• We do not let humans read your Google user data except in the narrow cases the Google API Services User Data Policy permits: you have given specific consent, it is needed for security (e.g., investigating an account takeover), it is required by law, or the data has been aggregated and de-identified for internal operations.

Storing Google user data

Your email, name, and the Google account identifier are stored in our Supabase-managed Postgres database in the Singapore (ap-southeast-1) region, encrypted in transit (TLS 1.2+) and at rest. Supabase additionally retains the raw ID token claims it received from Google (which include the profile picture URL) on our behalf for the lifetime of your account; we do not request Google's offline access mode, so no long-lived Google refresh token is issued to us. Sessions are managed by short-lived Supabase JWTs that expire and rotate automatically.

Disconnecting and deleting

You can revoke CSE Exam Review's access to your Google account at any time at myaccount.google.com/permissions. Revoking access prevents future Google sign-ins; it does not delete your CSE Exam Review account. To delete the account and the Google-derived data we hold (email, name, Google account identifier, and the cached ID token contents stored by Supabase), follow /legal/data-deletion.

We use the data described above only to:

• Provide the CSE Exam Review service (exams, drills, results, study guides).
• Authenticate you and keep your account secure.
• Process payments and issue official receipts.
• Send transactional email: verification, receipts, password resets, and account or security notices. We do not send marketing email unless you opt in.
• Improve the product by analyzing aggregated, de-identified performance signals (e.g., average score on a topic).
• Comply with our legal obligations under Philippine law.

We do not sell your personal data and we do not share it for third-party advertising. We share specific data only with the sub-processors listed below, each acting under written terms and only for the purpose stated:

• Supabase, Inc.: authentication and database hosting (Singapore region). Receives all account and usage data needed to run the service.
• Vercel Inc.: application hosting and cookieless web analytics (Singapore and Tokyo regions). Receives request metadata; no individual content of your exams.
• PayMongo Philippines, Inc.: payment processing. Receives the data needed to charge your card and issue a receipt (name, email, amount). Card details go directly to PayMongo and never touch our servers.
• Resend, Inc.: transactional email delivery. Receives your email address and the message content for verification, receipts, and security notices.
• Sentry (Functional Software, Inc.): server error monitoring. Receives diagnostic traces with PII scrubbed before transmission.

We may also disclose data when required by Philippine law, a lawful court order, or to protect the rights, property, or safety of CSE Exam Review, our users, or the public.

Account and usage data are stored in our Supabase Postgres database in the Singapore (ap-southeast-1) region. All traffic between your browser, our application, and our sub-processors is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted on disk by Supabase and Vercel.

Passwords are never stored in plaintext. Supabase hashes them with bcrypt and a per-user salt. Database access is gated by row-level security policies, and admin access requires two-factor authentication. We log administrative actions and review logs for anomalous access.

No system is perfectly secure. If we discover a personal-data breach affecting you, we will notify you and the National Privacy Commission within the timelines required by RA 10173.

We keep data only as long as we need it:

• Account data (including data received from Google): until you delete your account. Deletion is initiated from /legal/data-deletion or by emailing the DPO, and is completed within 30 days.
• Exam attempts: kept while your account is active, then deleted with the account. Anonymized statistics (no link to you) may be retained indefinitely for product analytics.
• Payment records and official receipts: retained for 10 years as required by the Philippine Bureau of Internal Revenue.
• Server logs: retained up to 90 days, then rotated and deleted.

You can request deletion at any time. We confirm receipt within 5 business days and complete deletion within 30 days, in line with NPC guidance under RA 10173. Deletion is permanent and cannot be undone.

We use only the cookies we need to run the service: a session cookie set by Supabase to keep you signed in, and a load-balancing cookie set by Vercel. We use Vercel Web Analytics for cookieless, aggregated marketing analytics. It does not track you across sites and does not build an advertising profile. When the site is proxied through Cloudflare, Cloudflare may also serve its own cookieless Web Analytics beacon for performance metrics.

Under the Philippine Data Privacy Act you have the right to:

• Be informed about how your data is processed (this policy).
• Access the data we hold about you.
• Correct inaccurate or outdated data.
• Object to specific processing.
• Erase or block unlawful processing.
• Request a portable copy of your data.
• Be compensated for damages caused by unlawful processing.
• File a complaint with the National Privacy Commission.

To exercise any of these rights, use the in-app form at /legal/data-deletion or email the DPO at [email protected].

The third parties listed in “Data sharing” above are our current sub-processors. Some of these providers store or process data outside the Philippines (Singapore, Tokyo, United States). We rely on standard contractual clauses and the providers' own data-processing terms; under RA 10173 the same protections you have in the Philippines apply to these transfers. Email the DPO if you want a copy of the relevant terms.

CSE Exam Review is intended for users aged 18 and older preparing for the Civil Service Exam. We do not knowingly collect data from children under 13. If you believe a minor has created an account, email the DPO and we will delete the account and associated data.

We may update this policy as the service evolves. Material changes will be announced by email to your account address and posted here at least 14 days before they take effect. The date at the top of this page always reflects the latest version.

Privacy questions, data-subject requests, and complaints: [email protected].

General support: [email protected].

Postal address: GENETRIFY INFORMATION TECHNOLOGY SERVICES, Poblacion, Polomolok, South Cotabato, Region XII (SOCCSKSARGEN).