At Grind1600 (“Company,” “we,” “us,” or “our”), we are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect information about users (“you” or “User”) of the Grind1600 platform, including our website and all related services (collectively, the “Services”). This policy is designed in compliance with the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018), the Marco Civil da Internet (Law No. 12,965/2014), and other applicable data protection regulations.
1. Information We Collect
We collect the following categories of personal data when you use our Services:
Information you provide directly:
- Account information: your name, email address, and password when you create an account using email and password. If you sign up via Google OAuth, we receive your name, email address, and profile picture URL from your Google account, along with authentication tokens necessary to maintain your sign-in session.
- Terms and consent records: the timestamp and version number of the Terms of Use and Privacy Policy you accepted at signup, and your email notification opt-in preference.
- Academic data: your current SAT scores, target scores, planned test date, self-assessed skill levels across eight SAT domains (Information and Ideas, Craft and Structure, Expression of Ideas, Standard English Conventions, Algebra, Advanced Math, Problem-Solving and Data Analysis, Geometry and Trigonometry), and study preferences including your weekly study schedule (hours per day for each day of the week), practice test frequency, and preferred practice test day.
- Study activity: your answers to practice questions (selected option and time spent per question), practice test submissions (per-module and per-domain scores), daily challenge attempts (answer, correctness, time spent), lesson completion status, and personal study notes written within lessons.
- Progress and streak data: daily progress statistics (questions attempted, questions correct, minutes studied), study streaks (current and longest), daily challenge streaks, and study day completions.
- Profile information: any additional information you choose to add to your profile, such as your display name.
- Newsletter subscription: if you subscribe to our newsletter, we collect your email address and the source of your subscription (e.g., exit popup). An unsubscribe token is generated for each subscriber.
- Communications: messages, feedback, or support requests you send to us.
Information collected automatically:
- Internal analytics: we log page views (page path and your user ID), feature usage events, and API call metrics (endpoint, HTTP status code, and response time) as analytics events in our database. We do not use any third-party analytics services such as Google Analytics.
- Security events: we log security-related events including failed login attempts (with email and reason), account lockout events, and successful logins (with authentication method used). These logs are used to detect and prevent unauthorized access.
- IP address: your IP address is used transiently for rate limiting purposes (to prevent abuse of authentication and API endpoints). IP addresses are passed to our rate limiting service with short time-to-live windows and are not stored permanently in our database.
- Cookies: we use a single essential authentication cookie set by our authentication system (NextAuth). See Section 5 for details.
2. How We Use Your Information
We process your personal data for the following purposes, in accordance with the legal bases established by the LGPD:
- Service delivery: to create and manage your account, authenticate your identity, provide access to practice questions and tests, and track your progress across the platform.
- Personalization and adaptive learning: to calculate your skill level across eight SAT domains (on a 1–7 scale) based on your question performance, generate a personalized study plan using our algorithm (based on your scores, target scores, test date, and weekly schedule), and adapt question difficulty to your current level.
- Leaderboard and community features: to display your name, daily challenge results, and response time on the daily challenge leaderboard, which is visible to all authenticated users.
- Platform improvement: to analyze internal usage analytics (page views, feature usage, API performance), diagnose technical issues, and improve existing features.
- Communication: to send you email verification codes, account security notifications, and — if you opted in — newsletter campaigns and product updates via email.
- Security: to protect against unauthorized access through account lockout after repeated failed login attempts, rate limiting, security event logging, and email verification requirements.
- Legal compliance: to comply with applicable laws, regulations, and legal processes.
3. Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Supabase on Amazon Web Services (AWS) infrastructure. We implement appropriate technical and organizational measures to protect your personal data, including:
- Password hashing: passwords are hashed with bcrypt (cost factor 12) and are never stored in plain text; we store only the hash and compare a submitted password against it.
- Token security: email verification tokens are stored as SHA-256 hashes, not in plaintext. Verification codes expire after 15 minutes.
- Secure authentication: we use JSON Web Token (JWT) based sessions with a 24-hour maximum age, managed by NextAuth.
- Account lockout: after 5 consecutive failed login attempts, accounts are automatically locked for 15 minutes to prevent brute-force attacks.
- Rate limiting: authentication and API endpoints are protected by rate limiting (via Upstash Redis, when configured) to prevent abuse.
- Access controls: only authorized personnel have access to personal data, and access is limited to what is necessary for their role.
While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your information.
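The verification-code and account-lockout controls listed above can be modelled in a few dozen lines. The block below is an added illustration written for this page, not Grind1600's own code: it keeps state in in-memory dictionaries in place of the database, injects the clock so expiry can be exercised deterministically, and assumes a 6-digit numeric verification code (the code format is not stated in the policy). Password hashing with bcrypt is left out because it needs a third-party library; everything here is standard library.

```python
"""Model of two controls from the policy: SHA-256-hashed, single-use verification
codes that expire after 15 minutes, and a lockout of 15 minutes after 5 consecutive
failed logins. Added example, not Grind1600's code; storage and clock are stand-ins."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60      # verification codes expire after 15 minutes
MAX_FAILED_ATTEMPTS = 5         # lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60       # lockout lasts 15 minutes


def hash_code(code: str) -> str:
    """Persist only the digest, so a database leak does not expose live codes."""
    return hashlib.sha256(code.encode()).hexdigest()


class VerificationStore:
    def __init__(self, now=time.time):
        self.now = now
        self._pending = {}  # email -> (digest, expires_at); stand-in for the DB

    def issue(self, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit code format
        self._pending[email] = (hash_code(code), self.now() + CODE_TTL_SECONDS)
        return code  # delivered to the user by email, never stored in plaintext

    def verify(self, email: str, submitted: str) -> bool:
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:          # expired: discard and reject
            del self._pending[email]
            return False
        ok = hmac.compare_digest(digest, hash_code(submitted))  # constant-time
        if ok:
            del self._pending[email]         # single use: a replay fails
        return ok


class LoginGuard:
    def __init__(self, now=time.time):
        self.now = now
        self._failures = {}      # email -> consecutive failure count
        self._locked_until = {}  # email -> unix time the lock expires
        self.events = []         # security event log (dicts), as in the policy

    def is_locked(self, email: str) -> bool:
        if self.now() < self._locked_until.get(email, 0):
            return True
        self._locked_until.pop(email, None)  # lock expired
        return False

    def record_attempt(self, email: str, success: bool, method="password") -> str:
        if self.is_locked(email):
            self.events.append({"event": "login_rejected_locked", "email": email})
            return "locked"
        if success:
            self._failures.pop(email, None)  # success resets the counter
            self.events.append({"event": "login_success", "email": email, "method": method})
            return "ok"
        n = self._failures.get(email, 0) + 1
        self._failures[email] = n
        self.events.append({"event": "login_failed", "email": email, "reason": "bad_password"})
        if n >= MAX_FAILED_ATTEMPTS:
            self._locked_until[email] = self.now() + LOCKOUT_SECONDS
            self._failures.pop(email, None)
            self.events.append({"event": "account_locked", "email": email})
            return "locked"
        return "failed"


def demo() -> dict:
    """Walk both controls with a fake clock and return the observed outcomes."""
    clock = [1_000_000.0]
    now = lambda: clock[0]
    store, guard, user = VerificationStore(now), LoginGuard(now), "user@example.com"
    r = {}
    code = store.issue(user)
    r["wrong_code"] = store.verify(user, "000000" if code != "000000" else "111111")
    r["right_code"] = store.verify(user, code)
    r["replay"] = store.verify(user, code)
    code2 = store.issue(user)
    clock[0] += CODE_TTL_SECONDS + 1
    r["expired"] = store.verify(user, code2)
    r["lockout_sequence"] = [guard.record_attempt(user, False) for _ in range(5)]
    r["while_locked"] = guard.record_attempt(user, True)  # correct password, still refused
    clock[0] += LOCKOUT_SECONDS + 1
    r["after_unlock"] = guard.record_attempt(user, True)
    r["event_types"] = [e["event"] for e in guard.events]
    return r


if __name__ == "__main__":
    print(demo())
```

Two details worth noting: the digest comparison uses hmac.compare_digest rather than `==`, so the comparison time does not leak how many characters matched, and a correct password submitted during the lockout window is still refused, which is what makes the lock effective against an attacker who guesses right on the sixth try.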
4. Data Sharing & Third-Party Services
We do not sell, rent, or trade your personal data to third parties. Your data is shared with the following service providers, which are necessary for operating the platform:
- Supabase (database hosting): all user data described in this policy is stored in a Supabase-hosted PostgreSQL database on AWS infrastructure. Supabase acts as a data processor on our behalf.
- Google (authentication): if you sign in with Google OAuth, authentication data (your name, email, profile picture, and OAuth tokens) is exchanged with Google Identity Platform. If you sign in with Google using an email that matches an existing email/password account, the accounts may be linked automatically.
- Resend (email delivery): your email address and name are shared with Resend for delivering transactional emails, including email verification codes, account security notifications, and newsletter campaigns (if you subscribed).
- Upstash Redis (rate limiting): when configured, IP addresses and user identifiers are shared with Upstash as rate-limit keys with short time-to-live windows. This service is optional and may not be active at all times.
We may also share your information in these circumstances:
- Leaderboard visibility: if you participate in the daily challenge, your display name, whether your answer was correct, and your response time are visible to all authenticated users on the daily challenge leaderboard (top 50 entries).
- Legal requirements: we may disclose your data when required by law, court order, or governmental authority, or when necessary to protect our legal rights or the safety of our users.
- Business transfers: in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction, with prior notice and in compliance with the LGPD.
- Aggregated and anonymized data: we may share aggregated, de-identified statistics about platform usage that cannot be used to identify any individual user.
5. Cookies & Tracking Technologies
We use a minimal number of cookies, limited to what is essential for the platform to function:
- Authentication cookie: a single session cookie is set by our authentication system (NextAuth) to maintain your signed-in state. This cookie contains a JSON Web Token (JWT) and has a maximum age of 24 hours. It is marked HttpOnly (not readable by scripts running in the page) and, in production, Secure (sent only over HTTPS). This cookie is essential and cannot be disabled while using the platform.
We do not use:
- Third-party analytics cookies (e.g., Google Analytics, Mixpanel)
- Advertising or tracking cookies
- Browser fingerprinting techniques
All analytics data is collected internally through our own server-side logging and stored in our database. Your preferences and settings are stored server-side in your account, not in browser cookies.
6. Your Rights Under the LGPD
In accordance with the Lei Geral de Proteção de Dados (LGPD), you have the following rights regarding your personal data:
- Right to confirmation and access: you may request confirmation of whether we process your personal data and access the data we hold about you.
- Right to correction: you may request the correction of incomplete, inaccurate, or outdated personal data.
- Right to anonymization, blocking, or deletion: you may request the anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in violation of the LGPD.
- Right to data portability: you may request the transfer of your personal data to another service provider, in accordance with regulations established by the Autoridade Nacional de Proteção de Dados (ANPD).
- Right to deletion: you may request the deletion of personal data processed with your consent, except where retention is legally required.
- Right to information about sharing: you may request information about the public and private entities with which we have shared your data.
- Right to revoke consent: you may revoke your consent at any time, without affecting the lawfulness of processing carried out prior to the revocation.
- Right to information about algorithmic decisions: you may request information about how our algorithms use your data to personalize your experience, including domain level calculations and study plan generation.
To exercise any of these rights, please contact us at support@grind1600.com. We will respond to your request within the timeframe established by applicable law.
7. Children's Privacy
Our Services are available to users aged 13 and older. For users under the age of 18, we require parental or legal guardian consent before the collection and processing of personal data, in compliance with the LGPD and the Estatuto da Criança e do Adolescente (ECA).
We take special care to collect only the minimum amount of personal data necessary to provide the Services to minor users. We do not knowingly collect personal data from children under the age of 13. If we become aware that a child under 13 has provided us with personal data without appropriate parental consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected data from a child under 13, please contact us at support@grind1600.com.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Services. After account deletion, we may retain certain data for the following purposes:
- Legal obligations: to comply with legal, regulatory, or tax requirements that mandate data retention for specified periods.
- Dispute resolution: to resolve disputes, enforce our agreements, and protect our legal rights.
- Aggregated analytics: anonymized and aggregated data may be retained indefinitely for statistical analysis and platform improvement purposes.
9. International Data Transfers
Your data is processed and stored on servers located outside of Brazil through the following services: Supabase (database hosting on AWS infrastructure), Google (OAuth authentication), Resend (email delivery), and Upstash Redis (rate limiting, when configured). In all cases, we ensure that appropriate safeguards are in place to protect your data in accordance with the LGPD, including standard contractual clauses or other approved transfer mechanisms recognized by the Autoridade Nacional de Proteção de Dados (ANPD). We will only transfer your data to countries or organizations that provide an adequate level of data protection or under legally approved conditions.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. We will notify you of any material changes by posting the updated policy on our platform and updating the “Last Updated” date at the top of this page. For significant changes that affect how we process your personal data, we may also notify you through email or an in-platform notification. We encourage you to review this policy periodically to stay informed about how we protect your data.
11. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:
- Email: support@grind1600.com
- Data Protection Officer: dpo@grind1600.com
You also have the right to file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) if you believe your data protection rights have been violated.