Privacy Policy

1) Who we are (Controller)

Controller: GradUnlimited AB — Ranvagen 1, Taby, Sweden . Org. no: 559555-4949 · VAT: .

Support/DPO (if appointed): info@gradunlimited.com. We handle personal data according to this Policy and applicable law.

2) Data we collect

• Account data: email, password hash, country of residence.
• Optional phone number: used to help determine VAT region (and, if enabled, for 2FA/support). We do not use phone numbers for marketing.
• Purchase & billing: plan, timestamps, invoice/receipt identifiers. We do not store full card or bank details; our payment providers (Stripe) process these directly.
• Usage & performance: practice attempts, answers, timing, mock tests, estimated scores, review activity (to provide analytics and estimated GMAT score).
• Device & logs: IP address, browser/device info, language, and basic diagnostics for security and reliability.
• Support: messages you send us (email/forms).
• Cookies: essential cookies for security/session; any analytics/marketing cookies are loaded only after consent (see Cookie Policy).

3) Why we use it & lawful bases

• Contract: run your account, provide practice content and test simulations, generate analytics/estimated score, and handle billing.
• Legal obligation: VAT/moms compliance (e.g., storing country and transaction records for tax and accounting).
• Legitimate interests: keep the service secure and reliable (fraud prevention, diagnostics, abuse prevention), improve quality, and defend legal claims. You can object where this basis applies.
• Consent: marketing emails (where required) and any non-essential cookies/analytics. You can withdraw consent anytime.

4) Children

In Sweden, children aged 13+ can consent to the processing of personal data for information-society services. If you are under 13, a parent/guardian must provide or approve consent. We may limit features for children and take reasonable steps to verify parental consent when needed. If it comes to our knowledge that the account was created by a child under the age of 13, and no consent from parent/guardian, the accound will be deleted.

5) Cookies & consent

We use essential cookies for security and to operate the site (e.g., session and CSRF). These do not require consent. If we enable analytics or marketing, those are off by default and load only after you choose Accept in our banner; you can also choose Reject and can change your choice anytime via Cookie settings. Details: Cookie Policy.

6) Sharing & processors

We do not sell personal data. We use service providers (processors) under data-processing agreements to run the service:

• Hosting & database: Render (EU region/Frankfurt for primary data).
• Payments: Stripe (processor; and independent controller for some activities).
• Email/notifications: Strato, for transactional emails (verification, receipts, support).
• Analytics (if enabled): loaded only after your consent (see Cookie Policy).

Where legally required, we may disclose data to authorities (e.g., tax authorities) or to protect our rights or users’ safety.

7) Hosting & international transfers

Your account data is hosted in the EU (primary database in Frankfurt). If personal data is transferred outside the EEA/UK (for example, by a payment or email provider), we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and additional measures where needed. You can request a copy of relevant safeguards by contacting us.

8) Retention

• Account: for the life of your account, then up to 24 months after closure (support/fraud logs).
• Billing: kept as required by accounting/tax law.
• Practice/analytics: 12–24 months for product improvement; earlier if you delete your account.
• Support: typically 24 months.

Aggregated, non-identifiable statistics may be retained longer.

9) Payments & roles (Stripe)

We share only the data needed to process your payment (e.g., email, order ID, amount, billing country). Stripe generally acts as our processor for merchant services but may be an independent controller for its own fraud/financial obligations. Review Stripe’s privacy resources for details on how they handle your data:

• Stripe DPA/Privacy: stripe.com/legal/dpa

10) Your GDPR rights

• Access to your data and a copy in a portable format.
• Rectification of inaccurate or incomplete data.
• Erasure (“right to be forgotten”) in certain cases.
• Restriction and objection to certain processing (e.g., legitimate interests, direct marketing).
• Withdraw consent anytime, without affecting prior processing.

To exercise these rights, contact us at info@gradunlimited.com. We will verify your identity and respond within the time limits set by law.

11) How to contact us or IMY

Contact us (Controller): GradUnlimited AB; Ranvagen 1, Taby, Sweden · Email: info@gradunlimited.com

Supervisory Authority: Swedish Authority for Privacy Protection (IMY). You have the right to lodge a complaint with IMY or with your local supervisory authority in the EU/EEA.

• IMY complaint portal: imy.se/en/complaint
• IMY contact: +46 (0)8 657 61 00 · Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden

12) Changes to this Policy

We will update this page when we make material changes (and notify you by email or in-app where appropriate). The “Last updated” date shows the latest version.