Privacy Policy

Effective date: June 2, 2026 · Operator: Webgic

1. Information We Collect

We collect the following categories of personal information:

Account Information

  • Name, email address, avatar, account ID, subscription plan, and account timestamps associated with your JS Exercises account.
  • Student verification information, including academic email address, verification timestamps, access expiry dates, and hashed verification token records where you request student access.
  • GitHub OAuth profile data (display name, email, GitHub user ID) if you choose to sign in via GitHub.
  • Google OAuth profile data (display name, email, Google account ID) if you choose to sign in via Google.
  • Authentication metadata managed through Better Auth, including provider identifiers, session records, session expiry dates, IP address, user agent, OAuth scopes, and OAuth tokens where required to operate sign-in.

Communications and Email Preferences

  • When you create an account, where permitted by applicable law, we may enroll your account email address to receive product updates, learning resources, newsletters, and other marketing communications about JS Exercises.
  • We store your email preference categories, subscription status, consent or enrollment timestamps, unsubscribe timestamps, source of the preference change, Brevo list IDs, Brevo sync status, and related sync errors so we can honor your choices.
  • You can opt out of optional marketing communications at any time using the unsubscribe link in our emails or the email preferences in your profile. Account, billing, security, legal, student verification, and other service-related transactional emails may still be sent where necessary to operate the Platform.
  • If you contact us or submit a bug report, we may process the information you provide, such as your email address, message contents, bug category, title, description, reproduction steps, and related correspondence.

Payment Information

  • Payment processing is handled entirely by Stripe, Inc. We do not store your credit card number, CVV, or full payment details on our servers.
  • We retain Stripe customer IDs, subscription IDs, price plan identifiers, and subscription status to manage your access tier.

Learning Activity

  • Completed lessons and stages.
  • Exercise attempts, test results, code submissions, saved code, quiz responses, and timestamps.
  • Progress state across the curriculum.
  • Sandbox project titles, files, file contents, share codes, and related timestamps if you save or share a sandbox project.
  • Published exercise solutions or shared sandbox projects, which may be visible to other users together with limited profile information such as your display name.

Technical and Usage Data

  • IP address and approximate geographic location (country/region level).
  • Browser type, operating system, and device type.
  • Pages visited, referral source, route paths, session identifiers, and performance or request metadata processed through Cloudflare and, where optional analytics is enabled, PostHog.
  • Product analytics events sent to PostHog where optional analytics is enabled, including sign-in provider, exercise runs, exercise completion, abandoned exercises, stage starts and completions, paywall interactions, pricing plan selections, checkout starts, and pricing FAQ interactions.
  • PostHog identification properties for signed-in users where optional analytics is enabled, including user ID and plan, so that product analytics and account diagnostics can be tied to the correct account. We configure PostHog to mask personal data properties and avoid sending email addresses as analytics properties where possible.
  • Session diagnostic data where PostHog session recording is enabled after optional analytics consent, which may include page interactions, visible page content, clicks, navigation, viewport information, and other browser behaviour needed to reproduce product issues. We configure PostHog to mask inputs and block code editor surfaces where possible. Full payment card details are not collected by us and are processed by Stripe-hosted payment flows.

We use PostHog for product analytics and limited session diagnostics where optional analytics is enabled. We do not use Google Analytics, advertising cookies, or third-party advertising pixels, and we do not sell personal information.

2. How We Use Your Information

  • To create and manage your account and authenticate your identity.
  • To deliver the e-learning content and features of the Platform.
  • To process payments and manage your subscription or lifetime access.
  • To track and display your learning progress.
  • To communicate with you regarding your account, billing, student verification, support requests, bug reports, or material changes to this policy.
  • To send product updates, learning resources, newsletters, and other marketing communications where permitted by applicable law, and to manage unsubscribe or email preference requests.
  • To detect and prevent fraudulent or abusive use of the Platform (including account sharing).
  • To analyze feature usage, diagnose bugs, improve Platform performance, improve content quality, and understand where users encounter friction.
  • To comply with applicable legal obligations.

We do not sell, rent, or trade your personal information to third parties for marketing purposes. We do not use your data for behavioural advertising or cross-context targeted advertising.

3. Legal Basis for Processing (GDPR)

If you are located in the EEA or UK, our legal bases for processing your personal data are:

  • Contract performance: processing necessary to deliver the service you have subscribed to.
  • Legitimate interests: fraud prevention, security, account abuse detection, support, analytics, product diagnostics, platform improvement, and product communications where permitted by applicable law.
  • Legal obligation: compliance with applicable laws and regulations.
  • Consent: where we rely on consent, you may withdraw it at any time, including for marketing communications and any optional cookies, analytics, or session diagnostics where consent is required by law or requested through a consent control. For EEA and UK visitors, optional analytics and session diagnostics are not enabled unless accepted.

4. Third-Party Services

Stripe, Inc. - Payment processing

Stripe processes all payment transactions. Your payment data is governed by Stripe's Privacy Policy. Stripe is certified to PCI DSS Level 1.

GitHub, Inc. - OAuth authentication (optional)

If you sign in with GitHub, we receive your GitHub profile data as described in Section 1. This is governed by GitHub's Privacy Statement.

Google LLC - OAuth authentication (optional)

If you sign in with Google, we receive your Google profile data as described in Section 1. This is governed by Google's Privacy Policy.

Brevo - Email delivery and contact management

We use Brevo to send transactional emails, manage marketing email lists, synchronize email preferences, and process unsubscribe events. Brevo may process your email address, message delivery metadata, list membership, unsubscribe status, and email engagement events.

Neon - Database hosting

Your account and progress data is stored in a PostgreSQL database hosted by Neon, Inc. Data is encrypted at rest and in transit.

Cloudflare, Inc. - Infrastructure, security, and observability

The Platform is served via Cloudflare Workers. Cloudflare may process request metadata, security signals, logs, and performance data as part of normal infrastructure operation.

PostHog, Inc. - Product analytics

Where optional analytics is enabled, we use PostHog to understand Platform usage, diagnose product issues, measure conversion events, and improve the learning experience. PostHog may process analytics events, identifiers, device and browser metadata, page paths, and session diagnostic data as described in Section 1.

Better Auth - Authentication software

We use Better Auth as the authentication framework for sessions and social sign-in. Better Auth stores authentication records in our database and is not used as a separate hosted processor for production user data.

5. Data Retention

  • Account data is retained for as long as your account is active.
  • Session records are retained for the life of the session and for a reasonable period thereafter for security, fraud prevention, and troubleshooting.
  • If you request account deletion, we will delete or anonymize your personal data within 30 days, subject to legal retention obligations.
  • Saved code, learning progress, exercise solutions, and sandbox projects are retained while your account remains active or until you delete the relevant content, subject to backups and legal retention obligations.
  • Payment records may be retained for up to 7 years in accordance with Canadian tax law.
  • Email preference, consent, enrollment, unsubscribe, and Brevo sync records may be retained for as long as needed to honor your communication choices, maintain suppression records, and demonstrate compliance.
  • Anonymized or aggregated data that cannot identify you may be retained indefinitely for product improvement.
  • Analytics and diagnostic records are retained according to our PostHog project settings and may be aggregated or anonymized for longer-term product analysis.

6. Your Rights

All users (PIPEDA)

  • Right to access the personal information we hold about you.
  • Right to correct inaccurate or incomplete information.
  • Right to withdraw consent where processing is consent-based.
  • Right to request deletion of your data, subject to legal obligations.

EEA and UK users (GDPR)

  • All rights listed above, plus the right to data portability.
  • Right to object to processing based on legitimate interests.
  • Right to restrict processing in certain circumstances.
  • Right to lodge a complaint with your local supervisory authority.

To exercise any of these rights, contact us at privacy@jsexercises.com. We will respond within 30 days.

7. Cookies and Tracking

  • Session cookies: used by Better Auth to maintain your authenticated session. Strictly necessary.
  • Cloudflare cookies: used for security and performance (e.g., __cf_bm).
  • PostHog cookies and local storage: used, when optional analytics is enabled, to maintain analytics identifiers, session identifiers, event attribution, opt-in or opt-out state, and product diagnostic state.
  • Local browser storage: used to remember theme preferences, recently viewed resources, sandbox files, sandbox introduction state, unsent learning-stage code drafts, and local project-stage code drafts.

We do not use advertising cookies, third-party advertising pixels, or data brokers. For EEA and UK visitors, optional analytics and session diagnostics are not enabled unless accepted. Outside those regions, optional analytics may be enabled by default where permitted by applicable law, and you can opt out through Cookie preferences in the footer or profile. You may also disable cookies or local storage through your browser settings, but doing so may affect authentication, saved drafts, preference state, and Platform functionality.

8. Children's Privacy

The Platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us at privacy@jsexercises.com and we will delete it promptly.

9. Data Security

  • Encrypted data transmission via HTTPS/TLS on all connections.
  • Encrypted data at rest in our database.
  • Secrets management via Cloudflare Workers encrypted secrets.
  • Payment data isolation - full payment details are never transmitted to or stored on our servers.

10. International Data Transfers

jsexercises.com is operated from Canada. Your data may be processed and stored in Canada, the United States, and other countries where our service providers operate, including Cloudflare, Stripe, Neon, GitHub, Google, PostHog, and Brevo infrastructure. We use PostHog's United States cloud endpoint. Brevo may process email delivery and contact management data in countries where its services operate. We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses (SCCs) where required under GDPR.

11. U.S. State Privacy Disclosures

We do not sell personal information and do not share personal information for cross-context behavioural advertising. We do not intentionally collect sensitive personal information and ask that you do not submit secrets, payment card numbers, health information, government identifiers, or other sensitive personal information in exercise code, sandbox projects, or support messages.

Depending on your state of residence, you may have rights to know, access, correct, delete, port, or opt out of certain processing of your personal information. You may exercise those rights by contacting privacy@jsexercises.com.

12. Changes to This Policy

If we make material changes, we will notify you by email at least 14 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

13. Contact

For privacy-related inquiries, requests, or complaints:

Webgic - jsexercises.com
Email: privacy@jsexercises.com

If you are an EEA resident and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

Last updated: June 2, 2026