Privacy Policy
Last updated on 01 July 2026
Our Data Philosophy
Ace Level is built for students, not advertisers. Your data is not our product. We collect as little as possible, only what is needed to run the site. Creating an account is optional; you can use most of Ace Level without signing in. If you do sign in, everything you share with us is opt-in.
We will never sell your data to advertisers, brokers, or anyone else. Your information is processed only by a small number of service providers who help us run the platform, listed below.
Our privacy principles:
- We collect as little data as possible, only what is needed to run the site.
- Creating an account is optional. You can use most of Ace Level without signing in.
- We will never sell your data. No ads, no trackers, no brokers.
- You are in control: access, correct, or delete your data at any time.
- We take extra care with younger learners.
What We Collect
If you visit without an account
If you browse Ace Level without signing in, we collect minimal technical data through PostHog: pages visited, time spent, device type, browser, and country-level location. We use this to understand how people use the site and improve it. No personally identifiable information is collected from anonymous visitors.
If you create an account
Signing in is optional. If you create an account through Discord or Google OAuth, we receive from the provider:
- Your display name
- Your email address
- Your profile picture
We do not receive your password. Authentication is handled by the OAuth provider, and we never see or have the ability to store it.
Bookmarks
If you save a bookmark on a course page, we store the page URL and its title alongside your account. You can delete individual bookmarks at any time, or delete your entire account to remove all of them.
Session cookies
When you sign in, we set one first-party session cookie to keep you signed in. That is the only cookie we set for authentication. We do not use third-party cookies, advertising cookies, or fingerprinting techniques.
Waitlist
If you join our waitlist, we collect your email address through Brevo. You can unsubscribe at any time using the link in any email we send.
What We Don’t Collect
- Passwords: we never see or store your password. Authentication is handled by Discord or Google.
- Sensitive personal data: we do not collect health data, biometric data, financial information, or any special category data.
- Location beyond country level: analytics data is aggregated at country level. We do not track your precise location.
- Browsing across other sites: we do not track you outside of Ace Level.
Service Providers
We share limited data with the following providers, each processing it only to help us run the platform:
| Provider | What they process | Purpose |
|---|---|---|
| Cloudflare | IP address, request metadata | CDN, DDoS protection, security, TLS termination |
| Amazon Web Services (EU) | Account data, bookmarks, sessions, email addresses | Database hosting and email delivery |
| PostHog (EU) | Pages visited, device type, country-level location | Product analytics |
| Brevo (EU) | Email address | Waitlist email collection |
| GitHub | Code and content (no user PII) | Source code hosting and content management |
| Discord | Name, email, avatar (only if you sign in with Discord) | OAuth authentication |
| Name, email, avatar (only if you sign in with Google) | OAuth authentication |
No data is sold to any of these providers. Each is contractually required to process your data only for the purpose described above, in line with their own privacy policies (linked in the table).
Data Storage & Security
- Database: your account data and bookmarks are stored on AWS infrastructure in the EU (Ireland region).
- Application servers: self-hosted in the United Kingdom and Singapore, behind Cloudflare for security and performance.
- Encryption: all data in transit is encrypted via TLS 1.2+. Data at rest on our servers is encrypted with AES-256-GCM. Cloudflare provides TLS termination at the edge.
- Access controls: access to personal information is restricted to authorised personnel on a need-to-know basis. Administrative accounts are protected with strong passwords and multi-factor authentication.
- Software updates: we keep our infrastructure and server software up to date with security patches.
- Incident response: we maintain procedures for identifying, containing, and reporting personal data breaches. If a breach occurs that poses a risk to your rights, we will notify you and the relevant authorities without undue delay.
We use strong security measures, but no system is perfect. We encourage you to protect your account too: use a strong password with your OAuth provider and be mindful of what you share. For details on our security practices and responsible vulnerability disclosure, see our Security page.
International Data Transfers
Ace Level is based in Pakistan with an international readership. Your personal information may be transferred to and processed in countries outside Pakistan, including the United Kingdom, Singapore, the United States, and countries within the European Union. These transfers occur because our third-party service providers (Cloudflare, AWS, PostHog, GitHub, Discord, Google) operate servers and infrastructure in those jurisdictions.
We take the following measures to protect your information during international transfers:
- Contractual clauses requiring service providers to maintain equivalent privacy protections
- Selection of service providers that maintain industry-recognized security certifications (SOC 2, ISO 27001, or equivalent)
- Encryption of data in transit (TLS 1.2+) and at rest where applicable
- Regular review of third-party data handling practices
By using Ace Level, you acknowledge and consent to the transfer of your personal information to jurisdictions outside Pakistan as described in this section.
Your Rights
You have the following rights over your personal data:
- Access: you can request a copy of all personal data we hold about you.
- Rectification: you can ask us to correct inaccurate data.
- Erasure: you can request deletion of your personal data.
- Objection: you can object to processing of your data for specific purposes.
- Portability: you can request your data in a structured, machine-readable format.
We want you to feel confident about how your data is handled. These rights are yours; do not hesitate to use them.
For EU/UK residents, these rights are provided under GDPR and UK GDPR. For other jurisdictions, we honour the same rights voluntarily.
To exercise any of these rights, contact us at [email protected].
Account Deletion
You can delete your account at any time from your account settings. When you do:
- Your user profile, sessions, connected accounts, and bookmarks are permanently deleted.
- Deletion is completed within 7 days.
- Deletion is irreversible: if you create a new account later, it will have no connection to your previous data.
If you have trouble accessing your account, email us at [email protected].
Cookies
We use a single first-party session cookie to keep you signed in. This cookie expires after 7 days. We do not use third-party cookies, advertising cookies, or fingerprinting techniques.
When you first visit Ace Level, you will see a cookie consent banner asking whether you would like to enable analytics. Your choice is remembered for future visits. You can change your preference at any time from the cookie settings.
Our analytics provider (PostHog) uses consent mode. No analytics cookies are set until you choose to accept. If you reject, PostHog runs in cookieless mode and does not set any cookies at all.
Children’s Privacy
Ace Level does not knowingly collect personal information from children under 13. If you are under 13, do not create an account or provide any personal information to us. If we find that we have collected data from a child under 13, we will delete it.
Our content is educational and designed for HSC/HSSC students (typically 14–19), but it is accessible to anyone regardless of age.
Third-Party Links
Our website may contain links to third-party sites, including Discord, Google, and others. This privacy policy applies only to Ace Level. We are not responsible for third-party privacy practices. Read their policies when you visit them.
Changes to This Policy
We may update this privacy policy from time to time. When we do, the "Last updated" date at the top of this page will change. Review this page periodically. Your continued use of Ace Level after changes means you accept the updated policy.
If we make material changes, we will notify you by email or a notice on the site.
Contact
If you have questions about this privacy policy or your data, contact us at [email protected].