Privacy Policy
Last updated: 23 June 2026
ScoreUp respects your privacy. This Policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under Thailand's Personal Data Protection Act B.E. 2562 (2019) ("PDPA").
1. What we collect
For the operation of ScoreUp we collect: your email address, your password, your display name, your country (optional), your target SAT date (optional), and your preferred UI language. While you use ScoreUp we record your practice sessions: the questions you saw, the answers you chose, your time taken, your scaled score, and which topics you got right or wrong. We do not collect your real name, address, phone number, government ID, or payment card details.
2. Why we collect it
We process this data to deliver the service you signed up for. We use aggregated, non-identifying usage data to improve ScoreUp. We will never share your data and we do not use it for behavioural advertising.
3. Who we share it with
We share your data only with the specific service providers listed in Sections 5–9 below, each operating under a Data Processing Agreement with ScoreUp: Sentry (error monitoring), Resend (transactional email), ImprovMX (email forwarding), Omise (payment processing), Google (analytics, via your consent), and Meta (advertising measurement, via your consent). We do not sell your data. We do not share your data with any party outside that list for marketing or any other purpose.
4. How long we keep it
We keep your account and session history for as long as your account is active. When you delete your account from the Profile page, we delete your profile and all linked records (sessions, answers, quota, streaks, reports) immediately.
4.5 Where your data is stored and how we protect it
Your account data (email, display name, practice sessions, scores) is stored in Supabase Postgres, under a Data Processing Agreement. Payment records are processed and stored by Omise in Thailand. All data in transit between your browser and ScoreUp is encrypted with HTTPS (TLS 1.2 or higher). Your password is hashed with bcrypt before storage, we cannot recover it for you. Payment card details never touch our servers; they go directly to Omise.
5. Connection logs
Thai law, the Computer Crime Act B.E. 2550 (2007), requires online service providers to keep traffic logs. When you sign in, sign up, sign out, or start a test, ScoreUp records your IP address, the date and time, and your browser's user-agent string. We use these connection logs only to meet this legal obligation and to investigate security incidents; we do not use them to profile you or for advertising. Access is limited to ScoreUp administrators. We keep connection logs for 6 months and then delete them automatically. Your IP address is personal data under PDPA, so the rights in Section 8 apply to it, except that we cannot delete a connection log before its legal retention period ends.
6. Error monitoring (Sentry)
To find and fix bugs quickly, ScoreUp uses Sentry, a third-party error-monitoring service. When the app encounters an unexpected error in your browser or on our server, we send Sentry: your ScoreUp user ID, your IP address, your browser's user-agent, the URL you were on, and a short trail of the actions that led to the error (clicks, navigation). We do not send your email, your name, your answers, or the content of any question. Sentry retains this data for 30 days and then deletes it. Sentry processes data in the United States under a Data Processing Agreement. Your PDPA rights in Section 8 apply to data sent to Sentry; to exercise them with respect to Sentry, email support@scoreup.asia.
7. Email service providers (Resend, ImprovMX)
ScoreUp uses two third-party email services. (a) Resend, sends transactional emails to you (signup confirmation, password reset). When the app needs to send one of these, we hand Resend your email address, your ScoreUp user ID (used only by the signup confirmation template), and the email content; Resend retains delivery logs for around 30 days. (b) ImprovMX, receives email you send to support@scoreup.asia and forwards it to our support inbox. We hand ImprovMX the headers and content of any message you send to that address. Both services process data in the United States under a Data Processing Agreement. Your PDPA rights in Section 8 apply to data sent to either provider; to exercise them, email support@scoreup.asia.
13. Payment processing (Omise)
When you subscribe to the Paid plan, ScoreUp uses Omise (a Thai payment gateway regulated by the Bank of Thailand) to process your credit or debit card or PromptPay transaction. We send Omise your ScoreUp user ID, your email, the amount, and a short description of what you're paying for. Omise collects your card details or PromptPay payment information directly through their own secure systems — ScoreUp's servers never see your full card number, CVC, or bank account details. For card payments we use Omise.js, an embedded payment form that Omise hosts on their domain, so card data is sent directly from your browser to Omise (PCI DSS SAQ-A scope). Omise processes payment data in Thailand under PDPA. Your PDPA rights in Section 9 apply to data sent to Omise; to exercise them with respect to Omise, email support@scoreup.asia.
8. Your rights under PDPA
You have the right to: access the personal data we hold about you; correct inaccurate data; delete your data; restrict or object to processing; receive your data in a portable format; withdraw consent at any time. To exercise any of these rights, email support@scoreup.asia. We respond within 30 days.
9. Cookies and similar technologies
We use essential cookies to keep you signed in and to remember your language choice. With your consent (see the banner on first visit), we also load: (a) Google Tag Manager and Google Analytics 4 to measure aggregate usage, how many visitors complete sign-up, finish a diagnostic, start checkout, and so on. These cookies (_ga, _ga_*) do not contain your name, email, or test answers. Google LLC processes this data in the United States under a Data Processing Agreement. (b) Meta Pixel (operated by Meta Platforms, Inc., Menlo Park, CA) to measure ad conversions on Facebook and Instagram and to build retargeting audiences. Meta Pixel sets _fbp and _fbc cookies that store an anonymous browser ID and any Facebook click ID, so Meta can match your visit back to an ad you clicked. Meta processes this data in the United States under a Data Processing Agreement. For paid purchases specifically, we also send Meta a server-side Conversions API event from our backend containing your hashed email, IP address, browser user-agent, and any _fbc/_fbp values, so we can measure whether the purchase came from an ad even when browser-side tracking is blocked; this contains the same categories of data described above and is governed by the same Meta agreement. You can reject either or both on first visit, change your mind any time by clearing your browser's site data, and we will respect your choice. We do not currently load TikTok or other ad pixels.
10. Users under 18
ScoreUp is for students preparing for university admissions, most of whom are 16–18. If you are under 18, please ask a parent or guardian to review this Policy with you. We do not knowingly collect data from anyone under 13.
11. Changes to this Policy
We will post any changes here and update the "Last updated" date.
14. Contact
Questions, requests, or complaints: support@scoreup.asia. For PDPA-related requests, use the same email and put "PDPA request" in the subject line.

