bumate.ai
Effective Date: March 22, 2026 · Version 1.0
Welcome to BuMate, an AI-native language exam preparation and fluency platform (“we,” “us,” “our”). Our platform is available at bumate.ai.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our service, including our website, mobile applications, and related features. It applies to all users — students, teachers, and administrators — regardless of subscription tier.
We are committed to protecting your privacy and handling your data transparently. We comply with the Australian Privacy Act 1988 (including the Australian Privacy Principles), and we extend protections consistent with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA) to all users, regardless of location.
By creating an account or using our service, you agree to the practices described in this policy. If you do not agree with this policy, please do not use our service.
We collect information in several categories depending on how you use BuMate. We only collect what is necessary to provide and improve our service.
When you create an account, we collect:
You can update your display name, preferred language, and target test date at any time through your account settings.
When you use our exam preparation features, we collect:
When you subscribe to a paid plan, we collect:
When you participate in the BuMate community, we collect:
When you contact support, we collect:
We automatically collect limited technical information when you use our service:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide exam preparation services | Account info, practice data, audio recordings | Contractual necessity |
| Score and provide feedback on your practice | Audio recordings, AI transcriptions | Consent + contractual necessity |
| Manage your subscription and billing | Account info, Stripe customer mapping | Contractual necessity |
| Enforce usage quotas | Subscription details, session counts | Contractual necessity |
| Display your community contributions | Posts, comments, reactions | Contractual necessity |
| Moderate community content | Posts, reports, moderation logs | Legitimate interest |
| Improve AI scoring accuracy | Anonymized, aggregate scoring patterns | Legitimate interest |
| Protect against fraud and abuse | Technical logs, authentication data | Legitimate interest |
| Comply with legal obligations | Billing records, moderation logs | Legal obligation |
We do not use your personal data for advertising, profiling for marketing purposes, or selling to third parties.
All your data is stored within Google Cloud Platform (GCP) infrastructure located in the australia-southeast1 region (Sydney, Australia).
We use separate database schemas to isolate different categories of data. Core data (accounts, billing) is stored separately from exam-specific content and community content. This limits the scope of any data access and supports the principle of least privilege.
We use the following third-party services to operate BuMate. We only share the minimum data necessary for each service to perform its function.
Purpose: Account creation and login (Google SSO, magic link email login, and planned Apple SSO)
Data shared: Email address, display name, profile photo URL, Firebase user ID
Provider privacy policy →Purpose: Payment processing and subscription management
Data shared: Your email address is sent to Stripe when creating a customer record. Billing address and payment method details are collected directly by Stripe during checkout — these never pass through our servers.
Provider privacy policy →Purpose: AI-powered scoring, transcription, and feedback for your practice sessions
Data shared: Your audio recordings are sent as base64-encoded data to Google's AI services for speech-to-text transcription and scoring.
Provider privacy policy →Purpose: Secure storage of audio files in the australia-southeast1 region
Data shared: Audio files with associated metadata (format, size, duration, checksum)
Provider privacy policy →Purpose: Translation of vocabulary terms for language learning features
Data shared: Vocabulary words and phrases (not user-identifying information)
Provider privacy policy →This section provides detailed information about how we handle your voice recordings, as audio data is considered sensitive personal information.
We obtain your explicit consent for:
We process data as necessary to deliver the service you signed up for: account management, practice sessions, scoring delivery, subscription management, and quota enforcement.
We process data based on our legitimate interests for service improvement (anonymized aggregate patterns), security (monitoring for unauthorized access), and community moderation (reviewing reported content).
We retain certain data to comply with legal requirements, including tax records and content moderation obligations.
You have the following rights regarding your personal data. These rights apply regardless of your subscription tier.
You have the right to request a copy of all personal data we hold about you, including your profile, practice history, scores, audio recordings, community content, and billing history.
How to exercise: Submit a data access request to support@bumate.ai. We will provide your data in a structured, machine-readable format (JSON) within 30 days.
You can update your display name, preferred language, and target test date at any time through the app's Settings page. For corrections to other data, contact us at support@bumate.ai.
You have the right to request deletion of your personal data. When you request account deletion:
Soft-deleted data is permanently purged within 90 days, except where legally required.
How to exercise: Submit a deletion request to support@bumate.ai. We will confirm deletion within 30 days.
You have the right to receive your personal data in a structured, commonly used, machine-readable format.
How to exercise: Submit a portability request to support@bumate.ai. We will provide a downloadable archive within 30 days.
Where we process your data based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
You have the right to object to processing where we rely on legitimate interests. Contact support@bumate.ai.
You have the right to request that we restrict (pause) processing of your personal data in certain circumstances. When processing is restricted, we will store your data but not actively process it.
We encourage you to contact us first at support@bumate.ai so we can attempt to resolve your concern.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Until you delete your account | Required to provide the service |
| Learning and practice data | Until you delete your account | Needed for your learning history |
| Audio recordings | Until you delete your account | Score review and playback |
| AI transcriptions and feedback | Until you delete your account | Part of your practice history |
| Actual exam scores | Until you delete your account | Progress tracking and study recommendations |
| Reviews | Until you delete them or your account | Publicly displayed; editable and deletable |
| Community posts and comments | Until you delete them or your account | Visible to community |
| Support tickets | Until resolved + reasonable retention | Support continuity |
| Payment and billing records | 5-7 years as required by law | Legal and regulatory compliance |
When you delete content, the item is soft-deleted — marked as deleted and hidden from all users. After the retention window (90 days), data is permanently purged.
If you want soft-deleted data permanently removed before the 90-day window, contact support@bumate.ai. Permanent deletion requests will be honoured except where we are legally required to retain certain records.
In the event of a data breach, we will notify affected users within 72 hours of becoming aware, in accordance with the Australian Privacy Act 1988 (Notifiable Data Breaches scheme) and applicable international regulations.
Security concerns: support@bumate.ai
BuMate is designed for adults preparing for professional language certification exams. You must be at least 16 years old to create an account and use our services.
We do not knowingly collect personal information from anyone under 16 years of age. If we discover or are informed that a user is under 16, the account will be reviewed and appropriate action taken, which may include suspension and deletion of personal data.
If you believe a user under 16 is using our service, please contact us at support@bumate.ai.
All primary data storage is in Australia (GCP australia-southeast1, Sydney). Your data may transit internationally in limited circumstances:
Where data is transferred outside Australia, we rely on Google's and Stripe's Data Processing Agreements, which include Standard Contractual Clauses (SCCs) approved by the European Commission.
Teachers who use BuMate to manage student learning have access to student data within their assigned classrooms/cohorts. Teachers can view student practice session history, scores, and progress analytics.
Teachers cannot access student data outside their assigned scope, student payment information, or students' private practice data.
When an educational institution purchases managed seats for students, the institution is a data controller alongside BuMate for student data created under managed accounts. A Data Processing Agreement (DPA) between BuMate and the institution governs the handling of student data.
Student rights (access, deletion, portability) still apply. If an arrangement ends, student accounts are converted to standard accounts and students retain access to their own data.
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and by posting a prominent notice on our website at least 30 days before the changes take effect. For minor, non-material changes, we will post an updated “Last Updated” date.
If you disagree with a material change, you may delete your account before the new policy takes effect. Continuing to use the service after the effective date constitutes your acceptance of the updated policy.
For privacy inquiries, security concerns, or to exercise any of your data rights, please contact us at support@bumate.ai.
We aim to respond to all privacy inquiries within 30 days. If your request is complex, we will inform you within 30 days and provide a revised timeline (not to exceed an additional 60 days).
This Privacy Policy is governed by the laws of the Commonwealth of Australia, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Any disputes shall be subject to the exclusive jurisdiction of the courts of New South Wales, Australia, except where you are located in the EEA (you may bring proceedings in your local courts under GDPR Article 79) or California (your CCPA/CPRA rights are preserved).
We are bound by the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).
Voice recordings may be considered biometric data in certain jurisdictions. We collect voice recordings solely for AI-powered exam scoring and do not use them for biometric identification. We do not create voiceprints or use voice data to identify individuals. See Section 7 for full details.