Privacy Policy

Imtihan is an AI-powered exam generation service for teachers in Lebanon and internationally. We are operated by an independent developer based in Beirut, Lebanon. We are committed to protecting your personal data and being transparent about how we use it.

No student data. Imtihan is a tool for teachers only. We do not collect, process, or store any data about students. Student exam papers are generated as documents and delivered to the teacher — we never see the student results.

• Account data — your name, email address, and authentication credentials when you register. Passwords are never stored in plain text (Firebase handles authentication with bcrypt hashing).
• Exam data — the exam descriptions and parameters you enter (subject, level, duration, etc.), and the exercises generated for your library.
• Uploaded documents — course notes or past exams you upload to ground AI generation. These are processed in memory and never stored on our servers after the request completes.
• Usage data — anonymised analytics (pages visited, feature usage, error logs) for debugging and product improvement.
• Device data — browser type, OS, and IP address for security logging.

• To generate, save, and export your exams.
• To send transactional emails (password reset, subscription renewal reminders).
• To detect and prevent abuse, fraud, or API quota violations.
• To improve the product based on aggregated, anonymised usage patterns.

We never sell your data. We do not share your personal data with advertisers, data brokers, or any third party for commercial purposes.

All data is stored on servers in the European Union and United States via the following infrastructure providers:

• Firebase / Google Cloud (EU/US) — user accounts, exam library, subscription data. Google Cloud is GDPR-compliant and ISO 27001 certified.
• Vercel (US/Edge) — application hosting and serverless functions. Vercel is SOC 2 Type II certified.
• AI providers (US) — your exam description and any uploaded document are sent to our AI provider during generation only. They are not retained by the AI provider after the response is returned. Refer to their respective privacy policies for details.

No data is stored locally in Lebanon in a way that would be subject to Lebanese data access requests beyond what Lebanese law already permits for any internet service.

For schools using Imtihan as an institution, we process only the teacher account data described above. We do not require, collect, or process any student personal data (names, grades, ID numbers). The exams generated are Word/PDF documents delivered to the teacher — no student data passes through our systems at any point.

Schools can request a Data Processing Agreement (DPA) by emailing admin@imtihan.live. We will co-sign a DPA that clarifies our role as a data processor under GDPR Article 28.

• Account data — retained while your account is active, deleted within 30 days of a deletion request.
• Exam library — retained until you delete individual exams or your account.
• Uploaded documents — not retained; purged from memory immediately after generation completes.
• Usage logs — retained for 90 days for security and debugging, then automatically deleted.

As a user, you have the right to:

• Access — request a copy of all personal data we hold about you.
• Correction — correct inaccurate data in your profile.
• Erasure — request deletion of your account and all associated data ("right to be forgotten").
• Portability — receive your exam data in a machine-readable format (JSON/docx).
• Restriction — restrict processing while a dispute is resolved.
• Objection — object to processing based on legitimate interests.

To exercise any right, email admin@imtihan.live with subject line "Data Request". We will respond within 30 days.

We use only essential session cookies to keep you signed in. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. The only cookie we set is __session (a secure, HttpOnly, SameSite=Lax Firebase session token).

All data is transmitted over HTTPS/TLS. Passwords are managed by Firebase Authentication (bcrypt). Our database uses Firebase Security Rules to ensure users can only access their own data. We conduct periodic security audits using GitHub's CodeQL static analysis.

If you discover a security vulnerability, please disclose it responsibly to admin@imtihan.live before public disclosure. We will acknowledge within 48 hours.

We will notify registered users by email of any material changes at least 14 days before they take effect. Minor clarifications may be made without notice. The date at the top of this page always reflects the last update.

Questions or requests regarding your privacy can be sent to: admin@imtihan.live