Privacy Policy
Last updated: 2 May 2026
This Privacy Policy describes how Muhammad Hammam (sole proprietor) ("we", "us", "our") collects, uses, and protects information when you use the CISA Mock practice exam service (the "Service"), reachable at cisamock.com.
We respect your privacy. We collect only the data we need to deliver the Service. We do not sell your personal data to anyone, ever.
1. Who we are
Muhammad Hammam (sole proprietor)
Perum Pesona Renjana Asri No. 5, Semarang, Jawa Tengah, Indonesia
privacy@cisamock.com
If you are in the European Economic Area (EEA) or the United Kingdom, we are the data controller of your personal data for the purposes of the General Data Protection Regulation (GDPR) and the UK GDPR.
2. Data we collect
2.1 Information you provide
- Email address — required at checkout to deliver your access link and result report. Stored against your purchase record.
- Payment information — processed directly by our third-party payment provider (Lemon Squeezy). We do not see, store, or have access to your full payment card or bank details. We receive only a transaction reference and confirmation of payment.
2.2 Information collected automatically
When you take a mock exam, we collect data necessary to deliver the Service and produce your result report:
- Your answers — recorded against your attempt record so we can score the exam and produce your result.
- Per-question timing — when you viewed each question and how long you spent, used to produce the pacing diagnostic on your result page.
- Submission timestamp — when you started and submitted the exam.
We may also automatically collect basic technical information when you visit the Service website, such as IP address, browser type, and pages visited. This information is used solely for security, analytics, and Service improvement, and is retained only for the periods stated below.
2.3 Cookies
We use a small number of strictly necessary cookies to operate the Service (for example, to keep your timed exam state during a session). We do not use advertising or third-party tracking cookies.
3. How we use your data
We use your data only to:
- Deliver the Service you purchased (deliver your access link, run the timed exam, produce your result and email report).
- Communicate with you about your purchase (transactional emails: receipts, access link, result report, link resends).
- Comply with legal obligations (tax records, fraud prevention, regulatory requests).
- Improve the Service (aggregate analysis of question difficulty, pacing patterns, etc. — never tied to identifiable individuals).
- Respond to your support requests.
We do not use your data for marketing without your explicit opt-in consent. We do not sell or rent your data to any third party.
4. Legal basis (GDPR and UK GDPR)
Where GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to deliver the Service you purchased.
- Legitimate interests — to keep the Service secure, improve it, and prevent fraud, where these interests do not override your rights.
- Legal obligation — to retain transaction records as required by tax and accounting law.
- Consent — for any optional communications you opt in to (none currently).
5. Data sharing
We share your data only with the following parties, and only as needed to deliver the Service:
- Payment processor (Lemon Squeezy) — for processing your payment. Subject to their own privacy policy at https://www.lemonsqueezy.com/privacy.
- Email delivery provider (Resend) — for delivering transactional emails (access link, result report). Subject to their own privacy policy.
- Hosting provider (Vercel) — for running the Service infrastructure.
- Database provider (Supabase) — for storing your purchase, attempt, and result records.
- Legal authorities — where required by law, court order, or to protect our rights.
We do not share your data with advertisers, data brokers, or any other third parties.
6. International transfers
Some of our service providers (e.g., hosting, email) may be located outside your country. Where we transfer data outside the European Economic Area or the United Kingdom, we rely on appropriate safeguards required by law (Standard Contractual Clauses, adequacy decisions, etc.).
If you are in Indonesia, transfers are conducted in accordance with Law No. 27 of 2022 concerning Personal Data Protection (UU PDP) and any implementing regulations.
7. Data retention
We retain your data only as long as needed to deliver the Service and meet legal obligations:
- Email and purchase record — retained for 7 years from purchase, for tax and accounting compliance, then deleted.
- Exam attempts, answers, timings, results — retained for 2 years from the attempt date. After that, individual records are deleted; aggregate, de-identified statistics may be retained indefinitely for Service improvement.
- Support correspondence — retained for 2 years from the last interaction.
- Server logs and technical data — retained for 90 days from collection.
You may request earlier deletion of your data subject to the rights described in Section 8, except where retention is required by law.
8. Your rights
You have the following rights regarding your personal data. To exercise any of these rights, email privacy@cisamock.com with your request and the email address used at purchase. We will respond within 30 days (and may extend by up to 60 days for complex requests, with notice).
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to our legal retention obligations.
- Restriction — request that we limit our processing of your data.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to our processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
If you are in the EEA or UK, you also have the right to lodge a complaint with your local data protection supervisory authority. If you are in Indonesia, you may lodge a complaint with the Ministry of Communication and Informatics (Kementerian Komunikasi dan Informatika) or the future Indonesian Personal Data Protection Authority once established.
9. Children's privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, contact us at privacy@cisamock.com and we will delete the data.
10. Security
We implement commercially reasonable technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS 1.2+).
- Encryption of payment data by our payment processor (we never store card details).
- Access controls limiting who on our team can access your data.
- Regular security review of dependencies and infrastructure.
No system is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR).
11. Third-party links
The Service may contain links to third-party websites (such as our payment processor). We are not responsible for the privacy practices of those third parties. We recommend you review their privacy policies before providing any data.
12. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top indicates when changes were last made. Material changes will be notified to active users by email where reasonably practicable. Continued use of the Service after changes take effect constitutes acceptance.
13. Contact
For privacy questions or to exercise your rights, contact us at privacy@cisamock.com or:
Muhammad Hammam (sole proprietor)
Perum Pesona Renjana Asri No. 5, Semarang, Jawa Tengah, Indonesia