Privacy Policy

1. Data Controller

The data controller responsible for your personal data is Rolo Academy Ltd. For any privacy-related enquiries, you can contact us at privacy@studypass.org.

2. What Data We Collect

We collect the following categories of personal data:

2.1 Account information

When you create an account, we collect your name and email address. If you sign up using a third-party provider (such as Google or Apple), we receive your name, email address, and profile image from that provider. We do not receive or store your third-party account password.

2.2 Quiz and progress data

We collect your answers to practice questions, quiz scores, completion times, progress milestones, and readiness scores. This data is used to provide personalised study features such as weak area focus and spaced repetition.

2.3 Payment information

Payment processing is handled entirely by our payment processor, Stripe. We do not receive, process, or store your full credit card number, CVV, or bank account details. Stripe may share with us a partial card number (last four digits), card type, and billing country for transaction records. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.

2.4 Device and usage data

We collect limited technical data including your browser type, device type, operating system, timezone, and approximate location (country level, derived from your timezone). We use Plausible Analytics for website analytics, which is a privacy-focused, cookie-free analytics service that does not collect personal data or track individual users.

2.5 Communications

If you contact us by email or through a support form, we collect the content of your message and any information you choose to provide. We retain support correspondence for a reasonable period to resolve issues and improve our service.

3. Legal Basis for Processing

We process your personal data on the following legal bases under the UK GDPR and EU GDPR:

• Performance of a contract: Processing your account, quiz, and payment data is necessary to provide the StudyPass service you have signed up for.
• Legitimate interests: We process device and usage data to maintain, secure, and improve the service. We also use this basis for fraud prevention and enforcing our Terms of Service.
• Consent: Where we send marketing emails, we do so only with your explicit opt-in consent. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.
• Legal obligation: We may process and retain certain data where required by law, such as for tax or accounting purposes.

4. How We Use Your Data

We use your personal data to:

• Create and manage your account.
• Provide the core StudyPass service, including quizzes, progress tracking, mock exams, and personalised study recommendations.
• Process pass payments and manage billing.
• Send transactional emails (account confirmations, password resets, payment receipts).
• Send marketing emails if you have opted in.
• Detect, prevent, and address fraud, abuse, and technical issues.
• Analyse aggregate, anonymised usage patterns to improve the service.
• Comply with legal obligations.

5. Third-Party Services

We share data with the following third-party service providers, who process data on our behalf and under our instructions:

• Clerk (authentication): Manages user accounts, login sessions, and social sign-in. Clerk processes your name, email, and authentication tokens. Clerk Privacy Policy.
• Stripe (payments): Processes pass payments. Stripe receives your payment details directly. Stripe Privacy Policy.
• Supabase (database hosting): Stores your account and quiz data on secure, encrypted servers. Supabase Privacy Policy.
• Vercel (hosting): Hosts the StudyPass application. Vercel may process server logs containing IP addresses. Vercel Privacy Policy.
• Plausible Analytics (analytics): Provides privacy-focused, cookie-free website analytics. Plausible does not collect personal data or track individual users. Plausible Data Policy.

We do not sell, rent, or share your personal data with third parties for their own marketing purposes.

6. International Data Transfers

Some of our third-party service providers (Clerk, Stripe, Supabase, Vercel) operate in or transfer data to the United States. Where personal data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission or the UK ICO, or the service provider's participation in a recognised data transfer framework.

7. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy:

• Account data: Retained for as long as your account is active. If you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
• Quiz and progress data: Retained for as long as your account is active and deleted when your account is deleted.
• Payment records: Retained for up to 7 years after the transaction to comply with tax and accounting requirements.
• Support correspondence: Retained for up to 2 years after the issue is resolved.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption of data in transit (TLS) and at rest, access controls limited to authorised personnel, regular security reviews, and use of reputable, security-certified infrastructure providers.

While we take reasonable steps to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights

Under the UK GDPR, EU GDPR, and other applicable data protection laws, you have the following rights:

• Access: You can request a copy of the personal data we hold about you.
• Rectification: You can ask us to correct inaccurate or incomplete data.
• Erasure: You can request that we delete your personal data ("right to be forgotten"), subject to legal retention requirements.
• Restriction: You can ask us to temporarily restrict processing of your data in certain circumstances.
• Portability: You can request your data in a structured, commonly used, machine-readable format.
• Objection: You can object to processing based on our legitimate interests.
• Withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@studypass.org. We will respond within 30 days.

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).

10. Cookies

StudyPass uses essential cookies required for authentication and session management. We may also use optional analytics or functionality cookies with your consent. For full details, including how to manage your cookie preferences, please see our Cookie Policy.

11. Children's Privacy

StudyPass is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at privacy@studypass.org.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by placing a prominent notice on the website. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of StudyPass after any changes constitutes your acceptance of the updated policy.

13. Contact

For privacy-related questions, data requests, or complaints, contact us at privacy@studypass.org.