Privacy
Last updated: 2026-07-01 · Question Bank HubThis is a practice tool for Red Seal exam preparation — anonymous by default. We built it so you don't have to hand over personal information to use it — and this page tells you exactly what does and doesn't happen when you do.
1. What we collect
From you directly
- An optional username and passphrase — if you want your progress to follow you across devices. No name or phone number is ever required or accepted. The passphrase is stored only as a one-way hash; we cannot read it.
- Optionally, a verified email — for passwordless sign-in. Instead of a passphrase, you can choose to sign in with a one-time link sent to your email. If you do, we store that email on your account so the link can sign you in and your progress can follow you across devices. This is entirely optional — username + passphrase still works, and you never need an email to practise. We never sell or share it, and you can delete your account (and the email) yourself at any time (Section 7).
- Practice progress — which questions you've answered, per-topic accuracy, mock-exam scores.
- Optional question ratings (1–5 stars) and a short answer to one engagement question ("what would help you feel confident about passing your exam?"). These are anonymous.
Your email — only if you choose to give it
You can optionally leave your email to hear from us when there's something genuinely worth your attention for your Red Seal — a new feature, something for your trade, or anything that helps you pass. This is entirely your choice: you never need an email to practise, and giving one unlocks nothing extra. If you opt in, we store your email, your trade (if known), and the time you consented. We never sell or share it; we only email about Red Seal–related updates; and every email has a one-click unsubscribe — or write to info@questionbankhub.com to be removed at any time.
Automatically — analytics (only if you consent)
If you click "Yes, help improve it" on the consent bar, two third-party tools load:
- Google Analytics 4 — anonymous usage events: screens visited, buttons tapped, mock exams started and completed. IP addresses are anonymised. No personal identity is passed to Google.
- Microsoft Clarity — heatmaps and session recordings showing where people tap and how they move through the app. Anything you type — including your username and passphrase fields — is automatically masked and never recorded. For example: if a button doesn't work or a screen layout confuses people, this is how we'd spot it.
If you click "No thanks," neither tool loads. Nothing from Google or Microsoft runs.
First-party event log (always, anonymous)
We keep a small server-side log of anonymous usage signals (e.g. "a mock exam was started," "consent choice recorded") tied only to an internal session id — never to a name or email. This helps us understand aggregate usage without any third-party cookie.
Payment information — only if you buy an unlock
If you purchase a trade unlock, payment is handled by Stripe. You enter your card details directly on Stripe's hosted checkout — QBH never receives or stores your full card number. From the transaction we receive a confirmation that you paid, the amount, the trade you unlocked, and a Stripe customer/charge reference; if you provide an email or billing name at checkout, Stripe processes it to send your receipt and prevent fraud. We use this only to grant your unlock, provide receipts and refunds, and keep records.
2. Why we collect it
- To improve the app — understand which topics are hardest, where the flow breaks, what to build next.
- To understand how apprentices study — so the tool gets better for everyone working toward their Red Seal.
- Not for ads. Not sold. Not shared with anyone except the service providers listed in Section 4 — the optional analytics tools and the infrastructure that runs the app (hosting, database, email) — strictly to operate the service.
3. Consent and how to withdraw it
Analytics are opt-in. Nothing loads until you say yes. You can change or withdraw your choice at any time:
- Clear the consent cookie — open your browser's site data settings, clear storage for this site, and reload. The consent bar will reappear.
- Browser controls — block third-party cookies or use a content blocker (e.g. uBlock Origin). Clarity and GA4 will not load even if you previously accepted.
Withdrawing consent does not affect your practice progress, which is stored separately under your account.
4. Third-party processors
| Processor | What they receive | Their privacy policy |
|---|---|---|
| Google (Analytics) | Anonymised usage events, approximate location, device/browser info. IP anonymised before processing. | Google Privacy Policy |
| Microsoft (Clarity) | Session recordings (input fields masked), heatmap data, click/scroll patterns, approximate location, device/browser info. | Microsoft Privacy Statement |
| Vercel (hosting) | Serves the app and its functions. Receives standard web-request data (IP address, device/browser) needed to deliver pages. Always active — it runs the site. | Vercel Privacy Policy |
| Neon (database) | Stores your account (username + one-way-hashed passphrase, and — only if you choose passwordless sign-in — your verified email), practice progress, and — only if you give it — your email opt-in. No analytics data. | Neon Privacy Policy |
| Resend (email) | Sends our emails — your passwordless sign-in links (if you choose that) and any updates you opt in to. Receives your email address and message content. Not used unless you give an email. | Resend Privacy Policy |
| Stripe (payments) | Processes your payment. Receives your card details directly (never via QBH), plus the amount, currency, and a customer/transaction reference — and a billing email/name if you provide them. Used only if you buy an unlock. | Stripe Privacy Policy |
Google and Microsoft load only with your analytics consent. Vercel, Neon, and Resend are infrastructure needed to run the app and your account — Vercel always (it serves the site), Neon only if you create an account, Resend only if you opt in to email. We do not use any advertising networks, social-media pixels, or data brokers.
5. International data transfers
Google and Microsoft operate servers primarily in the United States. When you accept analytics, data is transferred to and processed in the US. Under Quebec Law 25 and PIPEDA (Canada's federal privacy law), we are required to tell you this. Google and Microsoft participate in the EU–US Data Privacy Framework for transfers from the European Economic Area.
Our infrastructure providers — Vercel (hosting), Neon (database), and Resend (email) — also operate primarily in the United States, so the app, your account data (if you create one), and any email you opt into are processed in the US.
Payments (Stripe). If you make a purchase, your payment information is processed by Stripe, primarily in the United States. Before relying on Stripe, we conducted an assessment of this cross-border transfer as required under Quebec Law 25, and we rely on Stripe's contractual safeguards.
6. How long data is kept
| Data | Retention |
|---|---|
| Microsoft Clarity session recordings | ~13 months (Microsoft default) |
| Google Analytics data | 14 months (GA4 default; data-deletion requests honoured) |
| Your practice progress (server) | Kept until you delete your account or we shut the service down |
| First-party anonymous event log | Rolled at 90 days |
7. Your rights
Under PIPEDA and Quebec Law 25 (Law 25), you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Withdraw consent for analytics at any time (see Section 3).
- Delete your account and data — do it yourself anytime via the Delete account button in your account (we ask you to confirm; it can't be undone), or email us.
EU/EEA visitors also have rights under the GDPR: data portability, erasure, restriction of processing, and the right to lodge a complaint with a supervisory authority.
Automated processing in payments. To prevent fraud, our payment processor (Stripe Radar) may use automated processing to assess the risk of a transaction. If a decision affecting you is made solely by automated means, you may contact us to request information about it and to ask that it be reviewed by a person.
To exercise any of these rights, email info@questionbankhub.com. We respond within 30 days.
8. Cookies and tracking technologies used
| Name / type | Purpose | Set by | How to block |
|---|---|---|---|
qbh-cookie-consent localStorage |
Stores your consent choice so the bar doesn't reappear every visit. | Question Bank Hub | Clear site data in your browser. |
GA4 cookies (_ga, _ga_*) |
Anonymous session tracking for usage analytics. | Google (consent-gated) | Decline on the consent bar, clear cookies, or use a content blocker. |
Clarity cookies (_clck, _clsk, MUID) |
Session recording and heatmap analytics. | Microsoft (consent-gated) | Decline on the consent bar, clear cookies, or use a content blocker. |
qbh_mock_inprogress_v1 localStorage |
Saves your in-progress mock exam so you can resume it. | Question Bank Hub | Clear site data. Clearing this loses your current mock exam. |
9. Contact
Privacy questions or requests: info@questionbankhub.com
This service is operated by Barron Systems Engineering Inc. (operating as Question Bank Hub), a Canadian corporation. We operate from Canada and follow PIPEDA and Quebec Law 25.
10. Who's responsible & breach response
Person in charge (Privacy Officer). The person accountable for QBH's handling of personal information is our Privacy Officer, reachable at info@questionbankhub.com (subject: "Privacy").
Breach response. We maintain a process to detect and respond to security incidents. If a breach of security safeguards creates a real risk of significant harm to you, we will report it to the Office of the Privacy Commissioner of Canada (and, for Quebec residents, to the Commission d'accès à l'information), notify you, and keep a record of the breach as required.