Legal Document

Privacy Policy

How we collect, use, and protect your personal data  ·  Last updated: January 2026

01

Information We Collect

We collect information you provide directly when you create an account, use our platform, make purchases, or contact support. We also collect certain information automatically when you use the service.

Account & Profile Data

  • Name, email address, and encrypted password
  • Profile photo (optional, if provided via OAuth)
  • Selected subjects, curriculum preferences, and learning goals
  • Preferred language and accessibility settings

Learning & Usage Data

  • Study sessions, quiz results, flashcard performance, and mastery scores
  • AI-generated content you request (flashcards, quizzes, explanations)
  • Progress through guided lessons and learning paths
  • Streak data, XP, achievements, and gamification statistics
  • Time spent on specific topics and features

Payment Information

Payment details (card number, billing address) are processed directly by Stripe and never stored on our servers. We retain only transaction IDs, subscription status, and credit balance information.

Technical Data

  • IP address, browser type, and operating system
  • Device identifiers and session tokens
  • Pages visited, features used, and navigation patterns
  • Error logs and performance diagnostics

02

How We Use Your Information

We use the information we collect to operate, improve, and personalise Student Study. Specifically, we use your data to:

  • Create and manage your account and authenticate your identity
  • Deliver AI-generated educational content tailored to your curriculum and level
  • Power spaced-repetition scheduling and personalised learning paths
  • Track your mastery progress and surface topics that need review
  • Process subscription payments and manage your credit balance
  • Send transactional emails (account verification, receipts, password resets)
  • Provide customer support and respond to enquiries
  • Detect and prevent fraud, abuse, and security incidents
  • Analyse aggregate usage patterns to improve the platform (anonymised)
  • Comply with legal obligations

We do not sell your personal data to third parties, and we do not use your data to serve targeted advertising on third-party platforms.

03

How We Share Your Information

We share your data only in limited circumstances and always with appropriate safeguards in place.

Service Providers

We work with trusted third-party vendors who process data on our behalf under strict data processing agreements:

  • Stripe — payment processing and subscription management
  • OpenAI / Anthropic — AI content generation (prompts and responses only, no PII in prompts)
  • Infrastructure providers — hosting, database, and CDN services
  • Email providers — transactional email delivery

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. You will be notified before your data is subject to a materially different privacy policy.

04

Data Security

Protecting your data is fundamental to our service. We implement industry-standard security practices including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for sensitive data at rest
  • Bcrypt hashing for passwords — we never store plaintext passwords
  • Regular security audits and vulnerability assessments
  • Role-based access controls limiting staff data access to the minimum necessary
  • Automated anomaly detection and rate limiting

No transmission over the internet is 100% secure. While we take all reasonable measures, we cannot guarantee absolute security. If you suspect a security issue, please contact [email protected] immediately.

05

Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Specific retention periods:

  • Account data — retained until you delete your account, then purged within 30 days
  • Learning and progress data — retained for the life of the account
  • Payment records — retained for 7 years for tax and legal compliance
  • Server logs — retained for 90 days for security and debugging
  • Support correspondence — retained for 3 years

You may request deletion of your account and all associated personal data at any time via your account settings or by emailing [email protected]. Note that some data may be retained in anonymised, aggregated form.

06

Your Rights

Depending on your location, you have rights over your personal data. We honour these rights regardless of where you are located.

  • Right of Access — request a copy of all personal data we hold about you
  • Right to Rectification — correct inaccurate or incomplete data
  • Right to Erasure (Right to be Forgotten) — request deletion of your data
  • Right to Restriction — limit how we process your data in certain circumstances
  • Right to Data Portability — receive your data in a structured, machine-readable format
  • Right to Object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

EU/EEA residents: our processing of personal data is based on contract performance (providing the service), legitimate interests (security, fraud prevention), legal obligations, and consent where applicable.

07

Cookies & Tracking

We use cookies and similar technologies to operate the platform and understand how it is used.

Essential Cookies

Required for the platform to function — authentication session tokens, security tokens, and user preference settings. These cannot be disabled.

Analytics Cookies

Help us understand usage patterns so we can improve the platform. Data is aggregated and anonymised. You may opt out via your browser settings or our cookie preference centre.

Advertising Cookies

We display non-personalised ads on the free tier via our ad partner. These ads do not use your personal data for targeting. Premium subscribers see no ads.

You can control cookies through your browser settings. Disabling essential cookies will impair the platform's functionality.

08

Children's Privacy

Student Study is designed to be used by students of all ages, including those under 13. We take children's privacy seriously and comply with applicable laws including COPPA (US) and the UK Children's Code.

  • We do not knowingly collect personal data from children under 13 without verifiable parental consent
  • We do not serve behavioural advertising to any users under 18
  • AI-generated content is filtered and moderated for age-appropriateness
  • Learning data for minors is never shared with third parties for commercial purposes

If you are a parent or guardian and believe your child has provided personal information without your consent, contact [email protected] and we will take prompt action to remove the data.

09

Third-Party Services

The platform integrates with third-party services. When you use these integrations, their own privacy policies apply:

  • Google OAuth — optional sign-in method governed by Google's Privacy Policy
  • Stripe — payment processing governed by Stripe's Privacy Policy
  • OpenAI — AI content generation; we do not send personally identifiable information in prompts
  • Anthropic Claude — AI content generation under the same constraints

Links within the platform to external websites are not governed by this policy. We encourage you to review the privacy policy of any third-party site you visit.

10

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the 'Last updated' date at the top of this page
  • Send an email notification to registered users
  • Display a notice within the platform for at least 14 days

Your continued use of Student Study after the effective date of the revised policy constitutes acceptance of the changes. If you object to any changes, you may close your account before the changes take effect.

11

Contact Us

For any questions, requests, or concerns about this Privacy Policy or how we handle your data, please reach out:

You may also use our contact form for any enquiries. We aim to respond to all privacy-related requests within 30 days.