Privacy Policy
Last updated: 20 April 2026
Student privacy promise: we collect only what we need to run your revision loop, we explain why in plain language, and we use high-privacy defaults for students. You stay in control through account deletion, data export, cookie choices, email preferences, and privacy requests.
1. Who we are
StudyVector ("we", "us") is the data controller for personal data processed through the Service, except where we process school-controlled learner data as a processor. The operator is Elizabeth Dugand (United Kingdom). For privacy requests, contact privacy@studyvector.co.uk. Our privacy lead currently handles data protection requests; email privacy@studyvector.co.uk and mark the subject "Data protection".
2. What we collect
- Account data: email, name, password hash (handled by our auth provider), account type (e.g. student or parent), and preferences you set.
- Study and progress data: subjects, topics, answers, mistakes, mastery signals, timed practice activity, and similar usage needed for the Mastery Map and recommendations.
- Targets and goals: where you add them (for example UCAS targets or university choices), used to personalise your experience and Evidence Engine prompts.
- Research Nexus — PDFs and documents: files you upload are processed so we can build your knowledge graph and support revision. Processing may use server-side and API-based steps (including third-party analysis services where enabled). We use uploads only to provide the Service to you — not to train public models for other users or for advertising. Retention follows your account lifecycle and the settings we describe below.
- Evidence Engine: drafts, lines, and summaries you generate or store for UCAS-style work stay associated with your account for as long as you keep them.
- Technical and security data: IP address, device/browser metadata, logs, and cookies as described in our cookie notice and consent banner where applicable.
- Contact and support data: name, email address, school or role context, and the message you submit when you contact us, request a starter pack, or ask for a school trial.
- Marketing and waitlist data: email address, the form source, and any course or school context you choose to submit when you ask for updates, join a waitlist, or request a school trial.
- Payment data: processed by Stripe; we do not store full card numbers on our servers.
3. Legal basis and purposes (UK GDPR)
- Contract: to provide StudyVector, including practice, recommendations, Nexus processing, and Evidence Engine features you request.
- Legitimate interests: security, fraud prevention, service reliability, support records, school enquiry follow-up, and necessary product improvement in a way that respects your rights. You can object to this processing where UK GDPR gives you that right.
- Consent: where required (for example non-essential cookies or marketing emails). You can withdraw consent at any time.
- Legal obligation: where we must retain or disclose information by law.
4. Research Nexus and PDFs
When you upload PDFs or other documents to the Research Nexus, we process them so we can extract structure and text relevant to your knowledge graph and revision support. Processing may involve third-party infrastructure and contracted analysis services. We do not use your uploads to advertise to you or to sell your data.
5. Who we share with
We use trusted processors to run StudyVector. We do not sell your personal data. We avoid sending answer text, uploaded files, or free-text form messages to optional analytics tools. See the current Subprocessor List for core and optional providers.
| Processor or service | Purpose |
|---|---|
| Supabase | Authentication, database, storage, edge functions, and account sessions. |
| Vercel | Hosting, security logs, deployment infrastructure, and optional analytics/speed insights if consented. |
| Stripe | Checkout, billing, subscription status, payment receipts, refunds, and fraud controls. |
| Email providers, including Resend where configured | Transactional email, support replies, and marketing emails only where consented. |
| AI and content-processing providers | Explanations, coaching, document processing, safety checks, and content quality workflows used to provide the Service. |
| Google Analytics, PostHog, Vercel Analytics, TikTok Pixel | Optional analytics or campaign measurement only after optional cookie consent and only where configured. |
| Sentry or similar error monitoring | Error reporting and reliability monitoring where configured. |
International transfers outside the UK/EEA are protected with appropriate safeguards, such as UK IDTA terms, standard contractual clauses, or provider-level transfer terms, where applicable.
6. Retention
We keep account and study data while your account is active. We then keep limited records only where needed for security, billing, legal claims, or abuse prevention. Uploaded documents and Nexus-derived content are tied to your account; delete your account to remove associated personal data subject to legal exceptions. Marketing or waitlist emails are kept until you unsubscribe, ask us to delete them, or the list is no longer needed. See our Retention Schedule for the default retention periods.
6a. Retention by data type
- Accounts and authentication: retained while the account is active, then retained only as required for security and legal compliance.
- Study and progress data: retained to support your learning history and to keep recommendations consistent.
- Research Nexus and uploads: retained while your account exists, then removed as part of account deletion, subject to legal/compliance retention holds.
- Billing and order records: retained for legal and tax compliance for the period required by law.
- Marketing preferences: retained until you opt out, unsubscribe, or request deletion.
7. Your rights (including erasure)
You have rights under UK GDPR, including to access, rectify, erase, restrict, port, and object in certain cases.
You can request access or correction via the privacy email. If you cannot access your account, we still process requests once identity and account ownership have been proven, and we can provide a practical summary of the personal data we hold in that account.
The fastest way to delete your StudyVector account and associated personal data is to use Account → Delete account (sometimes labelled as wiping your data) in your settings. That triggers our secure deletion flow. You can also email privacy@studyvector.co.uk if you need help or cannot access the app.
You can also use Account → Download my data to export a JSON copy of key account, study, progress, social, and email-preference data before deleting your account.
We typically respond within 30 days. Some information may be retained where the law requires (for example limited billing records).
If your request is from a parent/guardian or a school administrator, we will verify identity and ownership or lawful authority before releasing account-specific records.
8. Children and teens
The Service is intended for users aged 13+ who create their own accounts. Many users are under 18, so we keep privacy information clear, avoid behavioural advertising, keep optional analytics off unless consent is given, and design public social features to avoid exposing full names or sensitive learning data. If you are a parent or guardian and believe we have data from a child under 13 without proper consent, contact us and we will review or delete it where required.
9. Security
We use industry-standard measures (encryption in transit, access controls, and monitoring). No online service is perfectly secure; please use a strong, unique password.
10. Processors and international data transfers
We use trusted processors to run the Service and billing, including hosting, authentication, email, payment, analytics (consented only), and content-processing providers. We choose processors with clear security and privacy standards and review them periodically.
If your data is processed outside the UK/EEA, we use an approved transfer mechanism (such as UK IDTA, SCCs, or equivalent provider transfer terms) so there is an enforceable basis to receive and process your data.
11. Automated decisions and profiling
We use automated logic to rank topics, choose question sets, and suggest next steps. These systems support recommendation and personalization, not high-risk decisions with legal effects. If you feel an automated outcome is materially wrong for your account, you can contact us to review it.
12. Cookies
We use essential cookies for login and security. We store your cookie choice in browser local storage so the banner can remember your preference. Optional analytics tools, including Google Analytics, PostHog, Vercel Analytics, Vercel Speed Insights, or TikTok Pixel where configured, load only after optional cookie consent. See our cookie banner and Cookie Policy for more detail.
13. Complaints
Contact us first at privacy@studyvector.co.uk. You may also complain to the ICO (UK).
14. Changes
We may update this policy; the date at the top will change. Material changes may be notified by email or in-app.
15. School and family use
If your account is managed by a school or parent, this policy still applies to the student-level data in that account. We do not alter reporting settings without your control, and all data rights can be exercised via this policy's privacy contact or your dashboard.
For school or college deployments, StudyVector may act as a processor for learner data handled on the institution's instructions, while the school or college remains responsible for its own lawful basis and parent/student communications. We can provide data-processing terms for DPO or procurement review, including support for subject-access, deletion, export, and retention requests for school-managed accounts. Schools can review our School DPA summary before requesting signed terms.