Durham Lex, Inc.
Effective Date: April 24, 2026 · Last Updated: April 26, 2026
Durham Lex, Inc. (the "Company," "we," "us," or "our") is committed to protecting the privacy of users of our bar exam preparation service. This Privacy Policy ("Policy") explains how we collect, use, disclose, and safeguard personal information when you visit or use ShepBarPrep.com (the "Site") and our associated services (collectively, the "Services").
This Policy is designed to comply with the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), and extends equivalent privacy rights to all United States residents. This Policy also addresses requirements under other applicable state privacy laws, including those of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Delaware, Tennessee, and Indiana.
By accessing or using our Site or Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Use. If you do not agree with this Policy, please do not access or use the Site or Services.
This Privacy Policy applies to Personal Information collected from individuals located in the United States who visit or use ShepBarPrep.com and any associated Services described in our Terms of Use. This Policy does not apply to information collected by third parties, including through any application or content that may link to or be accessible from our Services.
We collect the following categories of Personal Information. This section constitutes our "Notice at Collection" under applicable state privacy laws.
Name, email address, account username, and similar identifiers you provide during registration or use of Services. To create an account, we require only your email address. You may optionally provide your name.
Password (stored in encrypted form) for account authentication.
Bar jurisdiction, planned bar exam administration date, exam track (NextGen UBE or MEE), and other educational background you voluntarily provide to personalize your study experience.
Records of subscriptions purchased, transaction history, and payment information. Full payment card numbers are processed directly by our PCI-compliant third-party payment processor (Stripe) and are not stored by us; we may retain only the last four digits of your payment card for identification purposes.
IP address, device type, browser type and version, operating system, referring/exit URLs, pages viewed, links clicked, date and time stamps, and other usage data collected automatically when you access the Services.
Coarse geolocation derived from your IP address (city or regional level) to customize content and comply with jurisdictional requirements.
Inferences drawn from your study performance, practice question responses, and usage patterns to personalize study plans, identify areas for improvement, and enhance your learning experience.
Practice submissions, notes, feedback, and other content you create or submit through the Services.
Communications with our support team, including email correspondence.
We collect limited Sensitive Personal Information ("SPI") consisting of: (i) account login credentials combined with password; and (ii) the last four digits of payment card numbers retained by payment processors for transaction identification. We do not store full payment card numbers. We do not collect other categories of SPI such as Social Security numbers, precise geolocation, racial or ethnic origin, religious beliefs, genetic data, biometric data, health information, or sexual orientation.
We collect and use Personal Information for the following business and commercial purposes:
We do not "sell" or "share" your Personal Information as those terms are defined under California law (CCPA/CPRA). We do not process Personal Information for "targeted advertising" as defined under applicable state privacy laws. We do not disclose Personal Information to third parties in exchange for monetary or other valuable consideration, and we do not engage in cross-context behavioral advertising.
We use SPI only for the following permitted purposes: (a) to perform services reasonably expected by an average consumer (account security and authentication); (b) to detect and prevent security incidents; and (c) to process payments through PCI-compliant processors. We do not use SPI to infer characteristics about you beyond these limited purposes.
We may disclose Personal Information to the following categories of third parties, each bound by contractual confidentiality and data protection obligations:
We retain Personal Information for the periods described below, or as otherwise required by law:
Regardless of your state of residence, we extend the following privacy rights to all users located in the United States, based on the CCPA/CPRA and aligned with similar rights under Virginia, Colorado, Connecticut, Utah, and other applicable state laws:
To exercise any of the privacy rights described above, please contact us by email at legal@shepbarprep.com. Please include your name and the email address associated with your account.
Verification: To protect your privacy and security, we will take reasonable steps to verify your identity before fulfilling your request by matching information you provide with information we already have on file.
Authorized Agents: You may designate an authorized agent to submit a request on your behalf by providing written authorization signed by you and proof of the agent's identity.
Response Timing: We will acknowledge receipt of your request within ten (10) business days and will respond to your verifiable request within forty-five (45) days of receipt. If we require more time (up to an additional 45 days), we will inform you of the reason and extension period in writing.
If we deny your privacy rights request, you have the right to appeal that decision by emailing us at legal@shepbarprep.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within forty-five (45) days. If your appeal is denied and you remain dissatisfied, you may have the right to file a complaint with your state's Attorney General or other applicable regulatory authority.
The Services are designed for bar exam candidates who are generally adults. The Services are not directed to children under the age of thirteen (13), and we do not knowingly collect Personal Information from children under 13. If we learn that we have inadvertently collected Personal Information from a child under 13, we will take steps to delete that information as quickly as possible. If you believe we may have collected information from a child under 13, please contact us immediately at legal@shepbarprep.com.
We do not "sell" or "share" Personal Information, and we do not engage in "targeted advertising" as those terms are defined under applicable state privacy laws. In the unlikely event that we become aware that a user is under the age of sixteen (16) and we engage in any of these activities in the future, we will obtain the required consent before doing so.
We use cookies, pixels, and similar tracking technologies to collect information about your use of the Services.
Most web browsers allow you to control cookies through their settings. You may set your browser to refuse cookies, delete cookies, or alert you when cookies are being sent. Please note that if you disable cookies, some features of the Services may not function properly.
We honor the Global Privacy Control (GPC) signal as a valid opt-out preference signal under applicable state privacy laws. If your browser or device transmits a GPC signal, we will treat it as a request to opt out of the "sale" or "sharing" of Personal Information and "targeted advertising" to the extent we engage in these activities.
We do not currently respond to browser "Do Not Track" (DNT) signals, but we do honor GPC signals as described above.
We implement reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. Our security measures include: encryption of data in transit and at rest; secure access controls and authentication; regular security assessments and testing; employee training on data protection; and incident detection and response procedures.
While we strive to protect your Personal Information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity under your account.
In the event of a security incident affecting your Personal Information, we will investigate and take appropriate remedial measures and provide notification as required by applicable law.
The Services are intended for use in the United States. If you are located outside the United States and choose to use the Services, please be aware that your Personal Information will be transferred to, stored, and processed in the United States. The data protection and privacy laws of the United States may differ from those in your country. By using the Services, you consent to the transfer of your information to the United States.
We do not currently offer financial incentives, price differences, or service differences in exchange for the collection, retention, sale, or sharing of Personal Information. If we introduce any financial incentive programs in the future, we will update this Privacy Policy to include the required disclosures.
The Services may contain links to third-party websites, applications, or services that are not owned or controlled by us. This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party site you visit.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes, we will update the "Last Updated" date at the top of this Policy and notify you by email or by posting a prominent notice on the Site at least thirty (30) days before the changes take effect. Non-material changes or clarifications will take effect immediately upon posting. We encourage you to periodically review this Privacy Policy.
If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:
Durham Lex, Inc.