Privacy Policy
Your privacy matters to us at Easy Nail Pass™.
Last Updated: May 1, 2026
This Privacy Policy explains how Easy Nail Pass™ ("we", "us", "our") collects, uses, shares, and protects personal information when you use our test-preparation Service. It describes your rights under the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA) and the U.S. Children's Online Privacy Protection Act (COPPA).
Service region. Easy Nail Pass™ is intended for users physically located in the United States who are preparing for a US state nail technician licensing exam. We do not serve traffic from the European Economic Area, the United Kingdom, or Switzerland — those visitors receive a "Service Not Available" page (HTTP 451) and we do not collect or process their personal data through this Service.
1. Data Controller and Acceptance
The data controller responsible for the personal information processed through this Service is the operator of Easy Nail Pass™, contactable at aiswingx.com@gmail.com. By using the Service you agree to this Privacy Policy and our Terms of Service. If you do not agree, please discontinue use immediately.
2. Information We Collect
- Account information: name, email address, username, and password (stored only as a one-way salted hash — we never store plain-text passwords).
- Profile information: first/last name, preferred display language, and any optional profile fields you provide.
- Learning data: mock-exam attempts, answers submitted, scores, time spent, category-level progress (Sanitation, Nail Anatomy, Disorders, Procedures, Enhancements, State Laws), starred questions. Used to provide personalized study recommendations.
- Payment information: processed exclusively through Stripe. We retain only the transaction ID, amount, currency, and date for record-keeping and tax purposes. We do not see or store your card number, CVV, or full card details.
- Technical data: IP address, browser type and version, device type, operating system, access timestamps, referring URL, and pages visited. Used for security, fraud prevention, analytics, and Service improvement.
- Communications: support emails, feedback, and any messages you send us.
- AI interaction data: when an AI-powered explanation is requested, the question text, your selected answer, and the correct answer are sent to the AI provider (currently Anthropic). We do not send your name, email address, or other directly identifying information.
We do not knowingly collect biometric identifiers, precise geolocation, government-issued ID numbers, or financial account numbers (Stripe processes payment data separately).
3. How We Use Your Information
- Operating, maintaining, and improving the Service.
- Processing payments and managing your purchase history.
- Generating personalized study recommendations and progress reports.
- Generating AI-powered explanations.
- Communicating about your account, purchases, support requests, or material Service changes.
- Detecting and preventing fraud, abuse, and security incidents.
- Complying with legal obligations and enforcing our Terms.
4. Legal Basis for Processing
We process personal information primarily on the basis of (a) contract performance — to deliver the Service you purchased and provide your account; (b) legitimate interests — security, fraud prevention, analytics, and Service improvement; (c) legal obligation — tax, accounting, and government requests; and (d) consent for cookies and any optional marketing communications. As described in the introduction, we do not serve EU/UK/EEA traffic and have not appointed an Article 27 GDPR representative, because we do not process personal data of data subjects located in those regions through this Service.
5. Third-Party Service Providers
We share personal data only with the following providers, each acting as a data processor on our behalf under written agreements that include the EU Standard Contractual Clauses where applicable:
- Stripe, Inc. — payment processing. Privacy: stripe.com/privacy.
- Anthropic, PBC — AI-powered explanations (Claude API). Question text and answer choices are shared; identifying information is not. Privacy: anthropic.com/privacy.
- Google LLC — if you choose to sign in with Google, we receive your name and email from Google. Privacy: policies.google.com/privacy.
- Vultr (Constant Company, LLC) — application hosting (US data centers). Privacy: vultr.com/legal/privacy.
- Email infrastructure — used to send transactional account email (password resets, purchase receipts).
We are not responsible for the independent privacy practices of third-party services.
6. We Do Not Sell or "Share" Personal Information
We do not sell your personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not knowingly sell or share the personal information of consumers under 16. Disclosures to service providers under contract for the limited purposes described above do not constitute a "sale" or "share" under the CCPA/CPRA.
7. Cookies and Tracking
Strictly necessary cookies. We use first-party cookies for session management, authentication, language preference, and CSRF protection. These are essential for the Service to function and do not require consent.
Analytics — Google Analytics 4 (GA4). We use Google Analytics 4 to understand aggregated usage patterns (pages visited, broad geographic region, device type) and improve the Service. GA4 only loads after you accept analytics cookies through our consent banner. If you decline, GA4 will not load and we will not record analytics events for your visit. Your choice is stored in a first-party cookie and you can change it any time via the Cookie Settings link in the footer. We do not enable Google Signals or remarketing features in GA4 (no ads-personalization). You may also opt out across all sites using the Google Analytics Opt-out Browser Add-on.
No third-party advertising or cross-context behavioral cookies.
You may further restrict cookies through your browser settings; some features may not work properly if strictly necessary cookies are blocked.
8. Data Security
- SSL/TLS encryption (HTTPS) for all data in transit.
- Passwords stored using PBKDF2-SHA512 with per-user salt.
- Sensitive configuration values encrypted at rest (Fernet/AES-128).
- Database access restricted by authentication, role, and network rules.
- Regular automated database backups; principle of least privilege for staff access.
No method of electronic transmission or storage is completely secure. We cannot guarantee absolute security; the Service is provided "as is" with respect to security as further described in our Terms.
9. Data Retention
- Profile and learning data: retained while your account is active. Deleted within 30 days of account closure (subject to backup deletion below).
- Payment transaction records: retained for the period required by U.S. federal and state tax law (typically 7 years).
- Anonymized or aggregated analytics not linked to your identity: may be retained indefinitely.
- Backup copies: routinely overwritten; residual data may persist in encrypted backups for up to 30 days before automatic deletion.
- Records related to fraud, security incidents, or legal claims: retained as long as reasonably necessary to investigate or assert legal rights.
10. Children's Privacy (COPPA)
The Service is not directed to and not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe a child under 13 has provided personal information to us, please contact aiswingx.com@gmail.com and we will delete the information and terminate the account promptly. State nail-technician licensure typically requires applicants to be 16 or 17 years of age or older, depending on the state, so the Service is designed for use by older teenagers and adults preparing for licensure.
11. Your Privacy Rights — All Users
Subject to applicable law, you have the following rights regarding your personal information:
- Access: a copy of personal data we hold about you.
- Correction: correction of inaccurate or incomplete data.
- Deletion: deletion of your account and personal data (subject to legal retention obligations).
- Portability: your learning data exported in a common machine-readable format.
- Objection / restriction (GDPR): object to or restrict certain processing.
- Withdraw consent (GDPR): withdraw consent for any processing based on consent.
- Opt-out of marketing email: at any time, via the unsubscribe link or by writing to us.
To exercise these rights, email aiswingx.com@gmail.com from the address associated with your account. We will respond within 30 days (45 days for CCPA requests, with one 45-day extension if reasonably necessary). We will verify your identity before fulfilling a request.
12. California Privacy Rights (CCPA / CPRA) — Do Not Sell or Share
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know the categories and specific pieces of personal information we have collected about you, the sources, the business purpose, and the categories of third parties to whom it is disclosed (covered in Sections 2–6 above).
- Right to delete personal information we have collected, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing for cross-context behavioral advertising. We do not sell or share personal information for advertising — see Section 6 — so there is nothing to opt out of, but you may submit a request to confirm.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond providing the Service.
- Right to non-discrimination for exercising any of the above rights — we will not deny service, charge a different price, or provide a different level of quality.
- Authorized agent: you may use an authorized agent to submit a request, with verifiable proof of authorization.
Submit requests to aiswingx.com@gmail.com with the subject "California Privacy Request". We will verify your identity (typically by confirming the email address on file plus one additional data point) before responding.
13. International Users and Data Location
Our servers are located in the United States. The Service is designed for users physically located in the United States and is not made available to traffic from the European Economic Area, the United Kingdom, or Switzerland. If you choose to access the Service from outside the United States via a VPN or other means, you do so on your own initiative and are responsible for compliance with local law; you consent to the transfer and processing of your personal data in the United States.
14. California "Shine the Light" (Cal. Civ. Code §1798.83)
California residents may request information about how we have shared their personal information with third parties for the third parties' own direct-marketing purposes during the prior calendar year. We do not share personal information with third parties for their direct-marketing purposes. To make a written request, email aiswingx.com@gmail.com with the subject "California Shine the Light Request"; we will respond within 30 days.
15. Email and SMS Communications (CAN-SPAM / TCPA)
We send transactional email (account, password reset, purchase receipts, material Service-change notices) to all account holders — these are required to operate your account and cannot be opted out of without closing the account. Any marketing or promotional email is sent only with your consent and includes an unsubscribe link in every message in compliance with the CAN-SPAM Act. We do not currently send SMS messages; if we add them, we will obtain prior express consent for any marketing SMS in compliance with the Telephone Consumer Protection Act (TCPA).
16. Accessibility
We aim to make the Service accessible to people with disabilities consistent with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. If you encounter an accessibility barrier or need information in an alternative format, please contact aiswingx.com@gmail.com.
17. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and a prominent notice on the platform. The "Last Updated" date above indicates the latest revision. Continued use of the Service after changes constitutes acceptance of the revised Policy.
18. Limitation of Liability
To the fullest extent permitted by applicable law, Easy Nail Pass™ shall not be liable for any damages arising from data breaches, unauthorized access, loss or disclosure of data, or third-party security failures, except where caused by our willful misconduct or gross negligence. Nothing in this Policy limits liability for fraud or for any liability that cannot be excluded under applicable law.
19. Governing Law
This Privacy Policy is governed by the laws of the State of Texas, USA, except where superseded by applicable consumer-protection or data-protection laws of your jurisdiction (e.g. CCPA/CPRA for California residents, GDPR for EU/UK residents).
20. Contact
- Privacy questions and data-rights requests: aiswingx.com@gmail.com
- Legal notices and arbitration opt-outs: aiswingx.com@gmail.com
- Website: https://easynailpass.com
- Postal address: available upon written request via the email addresses above.