Skip to content

Privacy Policy

Last updated: May 2026

1. Information We Collect

We collect the following categories of information: (a) Account information you provide when signing up, including your name, email address, and password (or Google account details if you use OAuth sign-in). (b) Practice data generated through your use of the platform, including your writing and speaking submissions, reading and listening answers, scores, feedback, and session history. (c) Device and usage information collected automatically, including your browser type, operating system, IP address, pages visited, session duration, and interaction patterns. (d) Device fingerprint data (a browser-derived identifier) collected at sign-up solely for free-tier abuse prevention. (e) Attribution data captured via first-party cookies when you first visit the platform, including the referring website, UTM campaign parameters, and landing page URL.

2. How We Use Your Information

Your information is used to: (a) provide personalised exam preparation, track your progress, and generate AI-powered scoring and feedback; (b) process payments and manage your subscription; (c) analyse platform usage to improve our service and identify technical issues; (d) prevent abuse and enforce our free-tier usage limits; (e) communicate with you about your account, service updates, and (with your consent) promotional materials; and (f) comply with legal obligations. We do not sell your personal information to third parties.

3. Lawful Basis for Processing (EEA/UK Users)

If you are located in the European Economic Area or the United Kingdom, we process your personal data on the following legal bases under the GDPR: (a) Contract performance — to provide the platform, process your practice sessions, and manage your account and subscription. (b) Legitimate interests — to analyse usage patterns (including product analytics and session replay), improve the platform, attribute referral sources, prevent fraud and abuse, and ensure platform security, where these interests are not overridden by your rights. (c) Consent — for any optional marketing communications; you may withdraw consent at any time. (d) Legal obligation — to comply with applicable laws, regulations, or court orders. You may object to processing based on legitimate interests at any time by contacting us at hello@zoju.app.

4. Data Storage and Security

Your data is stored securely using industry-standard encryption and security practices. We implement appropriate technical and organisational measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. Data is primarily stored on servers in the United States and Australia. By using the platform, you acknowledge that your data may be transferred to and processed in countries outside your country of residence. Where required by law, we rely on appropriate transfer mechanisms such as Standard Contractual Clauses to safeguard cross-border data transfers.

5. Third-Party Services

Zoju uses the following third-party services to operate the platform. Each processes data only as necessary for its stated purpose and in accordance with its own privacy policy: (a) Anthropic (Claude AI) and OpenAI — process your writing and speaking submissions to generate scores and feedback; submissions are sent via API and are not used to train AI models. (b) Deepgram — transcribes speaking-practice audio so we can score and analyse your responses. (c) Supabase — provides authentication and database hosting for your account and practice data. (d) Stripe — processes subscription payments; Zoju does not store your payment card details. (e) Vercel — hosts the web application. (f) PostHog — provides product analytics and session replay to help us understand how the platform is used. (g) Sentry — captures error reports to help us identify and fix technical issues; error reports may include limited context about the action that triggered the error. (h) FingerprintJS — generates a browser-derived device identifier at sign-up for free-tier abuse prevention. (i) Google — provides OAuth sign-in for users who choose to authenticate with their Google account. (j) Resend — sends transactional emails such as account verification and password resets. (k) Google Cloud Text-to-Speech — generates audio recordings used in listening practice materials.

6. Cookies and Tracking

Zoju uses cookies and similar technologies. Essential cookies (authentication session, CSRF protection) are required for the platform to function. Analytics cookies (PostHog) and attribution cookies (referral source, UTM parameters) are set under legitimate interest to help us understand how the platform is used and where visitors come from. Attribution cookies are first-write-wins and expire after 90 days. You can clear or block cookies at any time through your browser settings. For full details on the cookies we use, please see our Cookie Policy at zoju.app/cookies.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data: (a) Access — request a copy of the personal data we hold about you. (b) Rectification — request correction of inaccurate or incomplete data. (c) Erasure — request deletion of your data (you can self-delete your account via Settings; a 30-day security cooldown applies before the same email can be re-used). (d) Portability — request your data in a structured, machine-readable format. (e) Restriction — request that we limit processing of your data in certain circumstances. (f) Objection — object to processing based on legitimate interests. (g) Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To exercise any of these rights, contact us at hello@zoju.app. We will respond within 30 days (or sooner where required by law).

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act. You have the right to know what personal information we collect and how it is used, the right to request deletion of your personal information, and the right to opt out of the sale of your personal information. Zoju does not sell personal information. To exercise your rights, contact us at hello@zoju.app. We will not discriminate against you for exercising your privacy rights.

9. Australian Privacy (APPs)

If you are located in Australia, your personal information is handled in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth). If you believe we have breached the APPs, you may contact us at hello@zoju.app. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10. Data Retention

We retain your data as follows: (a) Account and practice data — retained for as long as your account is active. (b) After account deletion — personal data is removed within 30 days; a 30-day cooldown period applies before the same email address can be re-used. (c) Attribution cookies — expire after 90 days. (d) Payment records — retained as required by tax and financial regulations (typically 7 years). (e) Anonymised, aggregated analytics data may be retained indefinitely as it cannot identify you.

11. Children's Privacy

Zoju is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@zoju.app and we will delete the information promptly.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users without undue delay and, where required by the GDPR, within 72 hours of becoming aware of the breach. We will also notify the relevant supervisory authority as required by applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the platform at least 14 days before changes take effect. Your continued use after the effective date constitutes acceptance of the revised policy.

14. Contact Information

If you have questions about this Privacy Policy, our data practices, or wish to exercise your data protection rights, please contact us at hello@zoju.app.