InburgeringPrep
Last updated · 2 May 2026

Privacy policy

This policy explains how Aprutikotto (operating the InburgeringPrep brand) processes personal data under the EU General Data Protection Regulation (GDPR) and the Dutch Implementation Act (UAVG). Short version: we collect the minimum we need to run the app, store it in the EU, never sell it, and let you delete or export everything from your Account page.

See also our Terms of service and Cookie policy.

1. Who we are (controller)

For the personal data described below, the data controller is Aprutikotto, established in Amsterdam, the Netherlands ("Aprutikotto", "we", "us"). Aprutikotto operates the InburgeringPrep brand.

Email: hello@inburgeringprep.com.

We have appointed a Data Protection Officer (DPO). You can reach the DPO directly at hello@inburgeringprep.com.

2. Scope

This policy applies to the inburgeringprep.com website, the in-app product, and any associated emails or notifications. It does not apply to third-party websites we link to (including DUO).

3. What we process and why

We collect and process the following categories of personal data on the legal bases and for the retention periods listed below.

Account data
Name, display name, email, city, target exam level, exam dates — provided by you on signup or in your Account page.
Performance of the contract with you (Art. 6(1)(b) GDPR).
For the lifetime of your Account, then 30 days in encrypted backups before final deletion.
Authentication data
Hashed password, session tokens, security logs.
Performance of the contract (Art. 6(1)(b)) and our legitimate interest in keeping accounts secure (Art. 6(1)(f)).
For the lifetime of your Account; security logs kept up to 12 months.
Study data
Questions answered, scores, mock-exam runs, time on task, streaks. Used to populate your dashboard and improve content.
Performance of the contract (Art. 6(1)(b)).
For the lifetime of your Account; aggregated, anonymised stats may be kept indefinitely.
Speaking & Writing submissions
Audio recordings and typed answers, processed by automated systems to generate scores and feedback.
Performance of the contract (Art. 6(1)(b)).
Audio recordings are automatically deleted after 90 days (configurable in Account settings). Text answers and scores stay with your Account history.
Payment data
Plan, billing period, invoices, last 4 digits of card, billing country. Card details themselves are processed by Stripe and never reach our servers.
Performance of the contract (Art. 6(1)(b)) and legal obligation for tax records (Art. 6(1)(c)).
Invoices retained for the period required by Dutch tax law.
Customer support correspondence
Emails you send to support / privacy / legal addresses, plus our replies.
Legitimate interest in handling your request (Art. 6(1)(f)).
Up to 24 months after the last message.
Technical data
IP address, user agent, request path, error reports — used for security, abuse prevention and debugging.
Legitimate interest in keeping the Service secure and reliable (Art. 6(1)(f)).
30 days, then deleted.
Cookies and similar storage
See the separate Cookie Policy.
Strictly-necessary: Art. 6(1)(b) / Art. 11.7a Telecommunicatiewet. Optional categories: consent (Art. 6(1)(a)).
See Cookie Policy.

4. Consent management

We track and respect your consent preferences for:

  • Marketing communications — product updates, study tips, and promotional content.
  • Analytics tracking — usage patterns to improve the service (anonymized).
  • Cookies and local storage — see our separate Cookie Policy for details.

You can manage all consent preferences from your Account → Privacy Settings. We record the timestamp and IP address when consent is given for legal compliance. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

5. Marketing communications

We send transactional emails (account, billing, security) under contract. We send marketing emails — for example product updates and study tips — only with your explicit consent (Art. 6(1)(a) GDPR; Art. 11.7 Telecommunicatiewet).

Every marketing email contains a one-click unsubscribe link, and you can withdraw consent any time from your Account → Privacy Settings.

6. Recipients and processors

We share personal data only with carefully selected processors who help us run the Service, under EU-standard data processing agreements:

  • Hosting and database — provider in the EU (Frankfurt region).
  • Transactional email — EU-based email provider.
  • Payments — Stripe Payments Europe Ltd (Ireland) for processing card payments and subscription billing.
  • Speech and text processing — EU-resident inference services for AI-assisted scoring of Speaking and Writing answers.
  • Error monitoring — EU-based service that receives technical error reports stripped of personal data.

We do not sell or rent personal data, and we do not share it with advertising networks.

7. International transfers

All processing currently takes place inside the European Economic Area (EEA). If we ever need to transfer personal data outside the EEA, we will rely on an adequacy decision or the EU Standard Contractual Clauses with appropriate supplementary measures, and we will update this policy.

8. AI-assisted assessment (automated decision-making)

Speaking and Writing answers are scored by machine-learning models. The result is informational and used by you to gauge progress; it has no legal or similarly significant effect on you in the sense of Article 22 GDPR. You can request human review of any score by emailing hello@inburgeringprep.com — we will reply within 14 days.

9. Your rights under the GDPR

You have the following rights with respect to your personal data:

  • Access (Art. 15) — request a copy of the data we hold about you. You can self-serve a JSON export from your Account page.
  • Rectification (Art. 16) — correct inaccurate or incomplete data.
  • Erasure (Art. 17) — delete your data ("right to be forgotten") via Account → Delete account or by emailing hello@inburgeringprep.com.
  • Restriction (Art. 18) — limit processing while a complaint is investigated.
  • Portability (Art. 20) — receive your data in a structured, commonly-used machine-readable format.
  • Objection (Art. 21) — object to processing based on legitimate interests.
  • Withdraw consent (Art. 7) — for any processing based on consent, you can withdraw at any time without affecting the lawfulness of processing prior to withdrawal.

We respond to verified requests within one month (extendable by two months for complex requests). If you are not satisfied, you can lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl, or with your local supervisory authority.

10. Data retention and deletion

We retain personal data only as long as necessary for the purposes described in this policy. Key retention periods:

  • Account data — for the lifetime of your account, then up to 30 days in encrypted backups before those expire.
  • Audio recordings — automatically deleted after 90 days (configurable in Account settings).
  • Study progress — kept with your account unless you request deletion.
  • Technical logs — 30 days for debugging, 12 months for security logs.
  • Deleted account data — removed immediately from active systems when you click Delete Account; remaining backup copies expire within 30 days.

You can delete your account and all associated data via Account → Delete Account. The action is immediate and irreversible — we cannot restore a deleted account. For GDPR deletion requests, email hello@inburgeringprep.com.

11. Children

InburgeringPrep is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16 without parental consent. If you believe we hold such data, contact hello@inburgeringprep.com and we will delete it.

12. Security

We protect personal data with appropriate technical and organisational measures, including TLS encryption in transit, encryption of database backups at rest, role-based access control, audit logs, and regular review of access. Despite our safeguards, no online service is 100% secure; we will notify you and the supervisory authority of any data breach in line with Articles 33 and 34 GDPR.

13. Cookies

We use cookies and similar local storage to keep you signed in and to remember your preferences. Optional categories — functional, analytics, marketing — are used only with your explicit consent.

Read our separate Cookie policy and manage your preferences any time from the cookie banner or the "Cookie settings" link in the footer.

14. Changes to this policy

We will update this policy as the Service evolves. For material changes affecting how we process personal data, we will email all active Accounts at least 30 days before the change takes effect.

15. Contact

Privacy or GDPR question? Email hello@inburgeringprep.com or the DPO at hello@inburgeringprep.com.

Aprutikotto · Amsterdam, the Netherlands.