Legal
Privacy Policy
Effective date — June 14, 2026
Who We Are
MockDPE (“we,” “us,” “our”) operates MockDPE, an AI-powered FAA Instrument Rating oral exam simulator, accessible at mockdpe.org. This Privacy Policy describes how we collect, use, and protect your information when you use our service.
Information We Collect
Account Information
When you create an account, we collect your email address and display name; sign-in is verified via one-time email codes (no password is stored). If you sign in with Google or Discord, we receive your name, email, and profile image from those services.
Practice Session Data
We store your questions, AI-generated responses, and performance evaluations from practice checkride sessions. This data is used to provide the service and track your progress.
Payment Information
Payments are processed entirely by Stripe (our merchant of record). We do not store your credit card number, expiration date, or CVC. We store only your Stripe customer ID and subscription status.
Technical Data
We collect IP addresses for rate limiting and abuse prevention. We use a session cookie for authentication, a consent cookie (mockdpe_consent) to remember your cookie preferences, and — if you accept — advertising cookies set by Microsoft Advertising, Google Ads, and Meta (Facebook). We use the following tools to understand site usage, verify search-engine reachability, and measure ad performance:
- Plausible Analytics — a cookieless, GDPR-friendly analytics service. Records aggregate page views and visit data; does not set cookies, does not collect personal data, does not share data with third parties.
- Google Search Console and Bing Webmaster Tools — free webmaster tools used to verify domain ownership and monitor search performance. Do not place tracking on visitors.
- IndexNow — when we publish or update a page, we notify Bing’s crawler so search results stay fresh. Sends only URL strings; no visitor data involved.
- Microsoft Advertising (UET) — for visitors who accept cookies, we load Microsoft’s Universal Event Tracking pixel to measure the performance of our ads on Bing and other Microsoft properties. UET sets first-party cookies (
MUID,_uetsid,_uetvid) and reports pageviews and signup/subscription conversions to Microsoft. EU/UK visitors are asked for consent before this loads; everyone can opt out via Microsoft’s ad-personalization settings. See Microsoft’s Privacy Statement. - Google Ads — for visitors who accept cookies, we load Google’s site tag (
gtag.js) to measure the performance of our ads on Google and report signup/subscription conversions. Google Ads sets cookies (such as_gcl_au) used for conversion measurement and remarketing. EU/UK visitors are asked for consent before this loads (via Google Consent Mode, which starts denied until you accept); everyone can opt out via Google’s Ads Settings. See Google’s Privacy Policy. - Meta Pixel (Facebook) — for visitors who accept cookies, we load Meta’s Pixel to measure the performance of our ads on Facebook and Instagram and report pageviews. The Pixel sets a first-party cookie (
_fbp) and may set a third-party cookie (fr) used for ad delivery and measurement. EU/UK visitors are asked for consent before this loads (the Pixel starts with consent revoked until you accept); everyone can manage ad personalization through Meta’s Ad Preferences. See Meta’s Privacy Policy.
Device Fingerprinting
To enforce free-tier limits and prevent abuse, we generate a device fingerprint using ThumbmarkJS, an open-source library that derives a hash from browser and hardware signals (e.g. screen resolution, installed fonts, graphics capabilities). This hash does not identify you personally and cannot be reversed to reconstruct the underlying signals.
The hash is cached in your browser’s localStorage for up to 30 days to avoid re-computing it on every visit. Server-side, we store the hash alongside associated IP addresses and account identifiers for up to one year. This data is used solely to enforce per-device limits and detect coordinated abuse — it is never sold or shared with third parties.
How We Use Your Information
- Provide, operate, and improve the MockDPE service
- Process your payments and manage your subscription
- Send transactional emails (sign-in codes, account notifications)
- Prevent abuse, enforce rate limits, and maintain platform security
- Improve the AI examiner based on aggregated, anonymized session data
MockDPE developers, employees, or contractors may access individual session data to operate the service, investigate issues, respond to support requests, review service quality, and improve the AI examiner. We do not share individual session content with third parties or use it for marketing without your explicit consent.
Third-Party Services
We share data with the following third-party services as necessary to operate MockDPE:
- Google Cloud (Vertex AI / Gemini) — Your practice exchanges (questions and responses) are sent to Google Cloud Vertex AI for AI processing. Google’s data usage is governed by the Google Cloud Data Processing Addendum and Google’s Privacy Policy.
- DeepInfra — When text-to-speech is enabled, the text of AI-generated responses is sent to DeepInfra’s inference API to synthesize audio using the Kokoro model. DeepInfra’s handling of this data is governed by their Privacy Policy.
- Stripe — Payment processing (merchant of record under Stripe Managed Payments). Stripe’s handling of your payment data is governed by their Privacy Policy.
- Google & Discord — OAuth authentication, if you choose to sign in with these providers.
- Cloudflare — Turnstile CAPTCHA for signup verification.
- Resend — Transactional email delivery (sign-in codes, account notifications).
- MongoDB Atlas — Account, session, and progress data are stored in a MongoDB Atlas database hosted in the United States. MongoDB, Inc. acts as a data sub-processor; their handling of stored data is governed by their Privacy Policy.
- Microsoft Advertising — for visitors who accept cookies, we send pageview and conversion events to Microsoft’s UET service to measure ad performance. Governed by Microsoft’s Privacy Statement.
- Google Ads — for visitors who accept cookies, we send pageview and conversion events to Google to measure ad performance and build remarketing audiences. Governed by Google’s Privacy Policy.
- Meta (Facebook) — for visitors who accept cookies, we send pageview events to Meta via the Meta Pixel to measure ad performance and build remarketing audiences on Facebook and Instagram. Governed by Meta’s Privacy Policy.
- Vercel — Application hosting and serverless compute. Request metadata (IP, user-agent, request paths) may be processed by Vercel as part of normal operation.
Data Retention
Your account data and session history are retained for as long as your account is active. If you request account deletion, we will delete your personal data and session records within 30 days. Anonymized, aggregated data may be retained for service improvement.
Your Rights
You may request access to, correction of, or deletion of your personal data at any time by emailing [email protected]. We will respond within 30 days.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), gives you the following rights regarding your personal information:
- Right to know — request the categories and specific pieces of personal information we have collected about you, and how we use and disclose it.
- Right to delete — request deletion of the personal information we hold about you (see Data Retention above).
- Right to correct — request correction of inaccurate personal information.
- Right to opt out — opt out of the “sale” or “sharing” of your personal information (see below).
- Right to non-discrimination — we will not deny you service, charge a different price, or provide a different level of service for exercising any of these rights.
Do Not Sell or Share My Personal Information.We do not sell your personal information for money. However, when advertising cookies are active, we share online identifiers (such as cookie IDs) with Google, Microsoft, and Meta so they can measure ad performance and build remarketing audiences. Under California law, this cross-context behavioral advertising may be considered a “sale” or “sharing” of personal information. You can opt out at any time by:
- Declining advertising cookies when prompted, or withdrawing consent through the Google, Microsoft, and Meta ad-settings links in the “Technical Data” section above; or
- Emailing [email protected] with the subject line “California — Do Not Sell or Share.”
To exercise any of these rights, email [email protected]. We verify requests using your account email address and will respond within 45 days, as required by law. You may designate an authorized agent to submit a request on your behalf.
Children
MockDPE is not directed at individuals under 18 years of age. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the site. Your continued use of MockDPE after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy? Contact us at [email protected].