Privacy Policy
Your privacy matters to us at Texas CBE™.
Last Updated: May 2, 2026
0. Geographic Scope (United States Only)
Texas CBE™ is offered exclusively to users physically located in the United States and U.S. territories (Puerto Rico, Guam, U.S. Virgin Islands, American Samoa, Northern Mariana Islands). The Service is not directed to, and is not intended for use by, residents of any other country.
We do not knowingly collect, process, or store personal data of individuals located outside the United States. We use IP-based geolocation to block access from non-U.S. jurisdictions (HTTP 451 response). Accordingly, we do not act as a "controller" or "processor" under the EU GDPR (Regulation 2016/679), the UK GDPR, the Swiss FADP, the Canadian PIPEDA, the Brazilian LGPD, China's PIPL, or any other non-U.S. privacy regime, and we make no representations of compliance with such regimes.
If you believe you are seeing the Service from outside the United States, or that your data has been processed in violation of this restriction, contact us at [email protected] and we will investigate and, where appropriate, delete the data and terminate any associated account.
1. Acceptance of This Policy
By using Texas CBE™ ("the Service"), you agree to this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use immediately.
2. Information We Collect
We collect the following information to provide and improve our Service:
- Account Information: Name, email address, username, and password (stored as a secure hash — we never store plain-text passwords).
- Profile Information: First name, last name, and other optional profile details you choose to provide.
- Learning Data: Exam attempts, answers submitted, scores, progress tracking, and TEKS category performance. This data is used to provide personalized study recommendations and track your improvement.
- Payment Information: Payment transactions are processed securely through Stripe. We do not store your credit card number, CVV, or full card details on our servers. We may retain transaction IDs, purchase amounts, and purchase dates for record-keeping.
- Technical Data: IP address, browser type and version, device type, operating system, access timestamps, and pages visited. This data is collected for security, analytics, and service improvement purposes.
- AI Interaction Data: When you request AI-powered explanations, your question context and selected answers are sent to the Anthropic Claude API to generate explanations. We do not send your personal identity information to AI providers.
3. How We Use Your Information
We use collected information for the following purposes:
- Providing and operating the test preparation service.
- Processing payments and managing your purchases.
- Generating personalized study recommendations and progress reports.
- Providing AI-powered explanations for practice questions.
- Communicating with you about your account, purchases, or service updates.
- Improving our content, features, and user experience.
- Ensuring security and preventing fraud or abuse.
- Complying with legal obligations.
4. Third-Party Services
We use the following third-party services to operate the platform:
- Stripe (payments): Stripe processes all payments. Stripe receives your card data, billing address, and IP address directly; we never see or store your raw card number, expiration date, or CVV. Visit stripe.com/privacy.
- Anthropic (Claude API — AI explanations): When you request an AI explanation, the question text, available answer choices, and your selected answer are sent to Anthropic. We do not transmit your name, email, or account ID. Visit anthropic.com/privacy.
- Google (OAuth sign-in): Optional. If you choose "Sign in with Google", Google shares your name, email, and Google account ID with us. Visit Google's Privacy Policy.
- Google Analytics 4 (analytics — consent-gated): Loaded only after you click "Accept" on the cookie banner. GA places client-side cookies (typically _ga, _ga_*) and collects pseudonymous identifiers, page paths, referrers, device/browser metadata, and (anonymized) IP. We do not enable Google Signals, advertising features, or remarketing. Property ID: G-E6SS490ZP4. See Section 6 for consent controls. Visit policies.google.com/privacy.
- Let's Encrypt (TLS certificates): Issues SSL/TLS certificates that secure traffic to texascbe.com. No personal data is shared.
- Vultr (hosting): Our application servers run on Vultr infrastructure in U.S. data centers. Vultr does not have access to application data.
We are not responsible for the privacy practices or security of third-party services. You should review their policies independently.
5. Information Sharing
We do not sell, rent, or trade your personal information to third parties. We may share information only:
- With service providers necessary to operate the platform (Stripe, Anthropic) as described above.
- When required by law, court order, or government request.
- To protect our rights, safety, or property, or that of our users.
- With your explicit consent.
6. Cookies, Analytics, and Consent
We use the following categories of cookies and similar technologies:
- Strictly Necessary (always on): Session, authentication ("remember-me"), CSRF protection, language preference, theme preference, and the cookie-consent record itself. These cannot be disabled if you want to use the Service.
- Analytics (consent-gated): Google Analytics 4 (measurement ID G-E6SS490ZP4) is used to understand aggregate site usage. GA does not load until you click "Accept" on our cookie banner. We enable IP anonymization on the GA tag. We do not enable Google Signals, advertising features, or remarketing.
- No advertising / no tracking-for-ads cookies. We do not run third-party advertising, retargeting, or affiliate-tracking pixels.
Managing your consent. If you previously accepted analytics cookies and want to revoke consent, click the "Cookie Settings" link in the page footer or clear the cc_consent cookie in your browser. After revocation, GA will not load on subsequent page loads.
Browser controls. Most browsers let you block or delete cookies via their settings. Doing so may impair authentication and language preferences.
Do Not Track / GPC. We treat Global Privacy Control (GPC) signals as a refusal of analytics consent. We do not currently respond to legacy "Do Not Track" headers, which lack a uniform standard.
6a. Notice to California Residents (CCPA / CPRA)
If you are a California resident, you have the right to: (i) know what personal information we collect about you and the purposes of collection; (ii) request access to and deletion of your personal information; (iii) correct inaccurate personal information; (iv) opt out of the "sale" or "sharing" of your personal information; and (v) limit the use of sensitive personal information. We do not sell personal information for monetary consideration, and we do not engage in cross-context behavioral advertising. To exercise any CCPA/CPRA right, contact [email protected]. We will not discriminate against you for exercising these rights.
6b. Notice to Other U.S. State Residents
Residents of states with comprehensive consumer-privacy laws — including Texas (Texas Data Privacy and Security Act, eff. July 1, 2024), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Delaware (DPDPA), and others — generally have the right to: access, correct, and delete personal data; obtain a portable copy of personal data; and opt out of targeted advertising and "sales" of personal data (we do neither). Some states also grant the right to appeal a denied request.
To exercise any state-law privacy right, email [email protected] from the email address on your account, with the subject line "Privacy Request" and a description of which right you are exercising. We will verify your identity and respond within the timeframe required by the applicable state law (typically 30–45 days, with one possible extension where allowed).
If you have authorized an agent to make a request on your behalf, we may require written proof of authorization and verification of your identity directly. We will not retaliate or discriminate against you for exercising any privacy right.
7. Data Security
We implement reasonable security measures to protect your data, including:
- SSL/TLS encryption for all data in transit (HTTPS).
- Passwords stored using secure one-way hashing (PBKDF2-SHA512).
- Sensitive configuration values encrypted at rest (Fernet/AES).
- Database access restricted by authentication and network rules.
- Regular automated database backups.
However, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security and the Service is provided "as is" with respect to security.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion:
- Your profile information and learning data will be deleted promptly.
- Payment transaction records may be retained as required by tax and financial regulations.
- Anonymized or aggregated analytics data (not linked to your identity) may be retained indefinitely.
- Backup copies may persist for up to 30 days before automatic deletion.
9. Children's Privacy (COPPA)
Texas CBE™ is intended for users 13 years of age or older. We do not knowingly collect personal information from children under 13, in compliance with the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and the FTC's Children's Online Privacy Protection Rule (16 C.F.R. Part 312):
- Account creation requires the user to confirm they are at least 13. We do not currently provide a verifiable parental-consent flow and therefore do not knowingly accept under-13 registrations.
- If you are a parent or legal guardian and believe your child under 13 has provided us with personal information, please email [email protected]. We will promptly delete the account and any associated data.
- For minors aged 13–17, we recommend parental supervision of account use and purchases.
- We collect only the minimum information necessary to provide the Service (email, username, learning progress) and do not condition participation on providing more than is reasonably necessary.
10. Your Rights
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your account and personal data.
- Data Portability: Request your learning data in a machine-readable format.
- Opt-Out: Unsubscribe from marketing emails at any time.
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
11. International Users
Our servers are located in the United States. The Service is intended exclusively for U.S. residents (see Section 0). If you are accessing the Service from outside the United States despite our geographic restriction, you do so on your own initiative and responsibility, and you acknowledge that your data will be transferred to and processed in the United States, where data-protection laws differ from those in your country of residence. We do not represent that the Service complies with non-U.S. privacy regimes (including the EU GDPR, UK GDPR, Swiss FADP, Brazilian LGPD, or any other foreign law).
12. Limitation of Liability
To the fullest extent permitted by applicable law, Texas CBE™, its owners, operators, and affiliates shall not be liable for any direct, indirect, incidental, consequential, special, exemplary, or punitive damages arising from or related to: (a) data breaches, unauthorized access, or loss or disclosure of data, except where caused by our willful misconduct or gross negligence; (b) the acts, omissions, or security failures of any third-party service provider (including Stripe, Anthropic/Claude, Google, or any infrastructure provider); (c) inaccurate, outdated, or incomplete records; or (d) your inability to exercise a privacy right due to a technical failure beyond our reasonable control. Our aggregate liability under this Privacy Policy shall not exceed the greater of US$100 or the amount you paid to us in the twelve (12) months preceding the event giving rise to the claim. These limitations are in addition to, and do not replace, the broader limitations in our Terms of Service.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the platform. The "Last Updated" date at the top indicates the most recent revision. Continued use of the Service after changes constitutes acceptance of the revised policy.
14. Governing Law
This Privacy Policy is governed by the laws of the State of Texas, United States. If any provision is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.
15. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us:
- Email: [email protected]
- Website: https://texascbe.com