Last updated: 8 May 2025
• PrepMate is the mobile and web platform that lets GIMPA students browse, download and share past examination questions.
• Aydat, Inc. ("Aydat," "we," "our") is the Delaware-registered software company that owns and operates PrepMate. Our Ghanaian operating entity is Aydat Ventures.
All references to "PrepMate," "we," "us," or "our" in this policy cover both the app and the aydat.org domain and any sub-domains (e.g., prepmate.aydat.org).
Account data: Name, GIMPA e-mail address, hashed password, program details. Why we collect it: Authenticate you and personalise the catalogue.
Content you upload: PDFs of past papers, filenames, metadata you type (course code, year, semester). Why we collect it: Make the documents available to other students; create search indexes.
Usage data: Pages viewed, search terms, favourites, recents, clicks, error logs. Why we collect it: Improve search relevance, identify bugs, generate anonymous usage metrics.
Device data: Device model, OS version, app version, IP address, coarse location (city level). Why we collect it: Debug crashes, safeguard against spam uploads and abuse.
Payment data (future feature): Last four digits of card, expiration month/year, Stripe customer ID. Why we collect it: Process optional premium features—not stored on our servers.
Cookies / local storage: Session tokens, preference flags. Why we collect it: Keep you signed in, remember filters.
1. Provide the service – log you in, show you relevant past papers, let you download PDFs.
2. Moderation & anti-abuse – verify that uploads are legitimate GIMPA materials, detect spam and copyright violations.
3. Product analytics – aggregate, anonymised statistics to answer questions like "Which courses need more past papers?"
4. Security – monitor failed log-ins, suspicious IP activity, and generate audit trails for admin actions.
5. Legal & compliance – comply with Ghanaian, US, and EU data-protection laws where applicable (GDPR, CCPA).
We do not sell or rent your personal data to advertisers or third parties.
GDPR (EU/EEA students abroad): Legitimate interest (Art 6 (1)(f)) to operate an educational archive; Contract (Art 6 (1)(b)) for account creation; Consent (cookies).
CCPA/CPRA (California): "Service provider" exception – Aydat uses data only to provide PrepMate features.
Ghana Data Protection Act 2012: We are the "data controller"; we process data for educational purposes with appropriate security measures.
Supabase, Inc. (EU & US regions): Managed Postgres, Storage, Auth, Edge Functions. Safeguards: EU Standard Contractual Clauses; encryption at rest & transit.
Cloudflare: CDN, DDoS protection, signed URL delivery. Safeguards: Data cached at edge nodes for 24 h max.
Stripe (future): Payments for optional premium features. Safeguards: PCI-DSS Level 1 certification.
Slack: Internal admin alerts on pending uploads & moderation. Safeguards: Only paper IDs & course codes—no personal identifiers.
Law-enforcement: When legally required (court order, subpoena). Safeguards: We verify validity before disclosure.
Account data: As long as your account is active. Delete within 30 days after you close your account.
PDFs & metadata: Indefinitely, unless takedown requested or course removed.
Favourites / recents: Purged from database after 24 months of inactivity; you can clear them at any time in the app.
Logs & analytics: Raw logs 90 days; aggregated stats indefinitely.
Back-ups are kept for 30 days, then automatically purged.
Data is hosted primarily in eu-central-1 (Frankfurt) for database and us-east-1 (Virginia) for object storage. We rely on Standard Contractual Clauses and Supabase's DPA to protect EU/UK personal data.
• TLS 1.3 everywhere.
• Database row-level security (RLS) – each query checked against JWT claims.
• PDF uploads restricted to authenticated users; file-type and virus scan enforced.
• Bcrypt password hashing (12 rounds).
• Sentry & Supabase Audit Logs to detect suspicious admin actions.
Depending on your jurisdiction, you can:
Access / Export: E-mail [email protected]; we'll send a JSON export within 30 days.
Rectification: Edit your profile in the app or request via e-mail.
Deletion ("Right to be forgotten"): Use "Delete Account" in the app (immediate) or e-mail us.
Opt-out of analytics cookies: Adjust cookie banner on prepmate.aydat.org or set "Do Not Track" in your browser.
Lodge a complaint: Contact your local data-protection authority (e.g., DPC Ghana, ICO UK, CNIL France).
PrepMate is intended for university students aged 18 +. We do not knowingly collect data from children under 16. If you believe a minor has created an account, e-mail [email protected] and we will delete it.
We publish the revision date at the top. Major changes → 14-day notice via in-app banner and e-mail. Continued use after the effective date = acceptance of the new terms.
• Data Controller: Aydat, Inc., 651 N. Broad St., Suite 206, Middletown, DE 19709, USA
• Ghana Office: Aydat Ventures, Hse No. 14, Nsawam Rd., Accra
• E-mail: [email protected]
• Phone: +233 (0)54 075 5223
This privacy policy applies exclusively to PrepMate and all Aydat-owned sub-domains, effective as of 8 May 2025.