Privacy
Privacy Policy
Last updated: 15 May 2026
Student privacy promise: we collect only what we need to run your revision loop, we explain why in plain language, and we use high-privacy defaults for students. You stay in control through account deletion, data export, cookie choices, email preferences, and privacy requests.
1. Who we are
StudyVector ("we", "us") is operated by Vector Learning Technologies Ltd, trading as StudyVector. Vector Learning Technologies Ltd is the data controller for personal data processed through the Service, except where we process school-controlled learner data as a processor. The operator is based in the United Kingdom. For privacy requests, contact privacy@studyvector.co.uk. Our privacy lead currently handles data protection requests — email privacy@studyvector.co.uk and mark the subject "Data protection".
Registered office: 71-75 Shelton Street Covent Garden London WC2H 9JQ.
2. What we collect
- Account data: email, name, password hash (handled by our auth provider), account type (e.g. student or parent), and preferences you set.
- Study and progress data: subjects, topics, answers, mistakes, mastery signals, timed practice activity, and similar usage needed for the Mastery Map and recommendations.
- Targets and goals: where you add them (for example UCAS targets or university choices), used to personalise your experience and Evidence Engine prompts.
- Research Nexus — PDFs and documents: files you upload are processed so we can build your knowledge graph and support revision. Processing may use server-side and API-based steps (including third-party analysis services where enabled). We use uploads only to provide the Service to you — not to train public models for other users or for advertising. Retention follows your account lifecycle and the settings we describe below.
- Evidence Engine: drafts, lines, and summaries you generate or store for UCAS-style work stay associated with your account for as long as you keep them.
- Technical and security data: IP address, device/browser metadata, logs, and cookies as described in our cookie notice and consent banner where applicable.
- Contact and support data: name, email address, school or role context, and the message you submit when you contact us, request a starter pack, or ask for a school trial.
- Marketing and waitlist data: email address, the form source, and any course or school context you choose to submit when you ask for updates, join a waitlist, or request a school trial.
- Payment data: processed by Stripe; we do not store full card numbers on our servers.
3. Legal basis and purposes (UK GDPR)
- Contract: to provide StudyVector, including practice, recommendations, Nexus processing, and Evidence Engine features you request.
- Legitimate interests: security, fraud prevention, service reliability, support records, school enquiry follow-up, and necessary product improvement in a way that respects your rights. You can object to this processing where UK GDPR gives you that right.
- Consent: where required (for example non-essential cookies or marketing emails). You can withdraw consent at any time.
- Legal obligation: where we must retain or disclose information by law.
4. Research Nexus and PDFs
When you upload PDFs or other documents to the Research Nexus, we process them so we can extract structure and text relevant to your knowledge graph and revision support. Processing may involve third-party infrastructure and contracted analysis services. We do not use your uploads to advertise to you or to sell your data.
5. Who we share with
We use trusted processors to run StudyVector. We do not sell your personal data. We avoid sending answer text, uploaded files, or free-text form messages to optional analytics tools. See the current Subprocessor List for core and optional providers.
| Processor or service | Purpose |
|---|---|
| Supabase | Authentication, database, storage, edge functions, and account sessions. |
| Vercel | Hosting, security logs, deployment infrastructure, and optional analytics/speed insights if consented. |
| Stripe | Checkout, billing, subscription status, payment receipts, refunds, and fraud controls. |
| Email providers, including Resend where configured | Transactional email, support replies, and marketing emails only where consented. |
| AI and content-processing providers | Explanations, coaching, document processing, safety checks, and content quality workflows used to provide the Service. |
| Google Analytics, PostHog, Vercel Analytics, TikTok Pixel | Optional analytics or campaign measurement only after optional cookie consent and only where configured. |
| Sentry or similar error monitoring | Error reporting and reliability monitoring where configured. |
International transfers outside the UK/EEA are protected with appropriate safeguards, such as UK IDTA terms, standard contractual clauses, or provider-level transfer terms, where applicable.
6. Retention
We keep account and study data while your account is active. We then keep limited records only where needed for security, billing, legal claims, or abuse prevention. Uploaded documents and Nexus-derived content are tied to your account; delete your account to remove associated personal data subject to legal exceptions. Marketing or waitlist emails are kept until you unsubscribe, ask us to delete them, or the list is no longer needed. See our Retention Schedule for the default retention periods.
6a. Retention by data type
- Accounts and authentication: retained while the account is active, then retained only as required for security and legal compliance.
- Study and progress data: retained to support your learning history and to keep recommendations consistent.
- Research Nexus and uploads: retained while your account exists, then removed as part of account deletion, subject to legal/compliance retention holds.
- AI tutor chats and safety logs: AI tutor conversations and the safety-decision logs they generate are retained for 90 days from the date of the message, and are deleted automatically after that by a daily scheduled job. This applies regardless of whether your account is still active. If you delete your account sooner, the associated chats are removed as part of account deletion.
- Billing and order records: retained for legal and tax compliance for the period required by law.
- Marketing preferences: retained until you opt out, unsubscribe, or request deletion.
7. Your rights (including erasure)
You have rights under UK GDPR, including to access, rectify, erase, restrict, port, and object in certain cases.
Requesting access or correction can be done via the privacy email. If your account cannot be accessed, we still process requests by proving identity and account ownership, and we can provide a practical summary of personal data we hold in that account.
The fastest way to delete your StudyVector account and associated personal data is to use Account → Delete account (sometimes labelled as wiping your data) in your settings. That triggers our secure deletion flow. You can also email privacy@studyvector.co.uk if you need help or cannot access the app.
You can also use Account → Download my data to export a JSON copy of key account, study, progress, social, and email-preference data before deleting your account.
We typically respond within 30 days. Some information may be retained where the law requires (for example limited billing records).
If your request is from a parent/guardian or a school administrator, we will verify identity and ownership or lawful authority before releasing account-specific records.
8. Children and teens
The Service is intended for users aged 13 and over. At signup we ask you to confirm, via a single checkbox, that you are 13 or older. Anyone who cannot confirm that is not able to create an account.
Privacy-protective defaults for everyone. Because many of our users are teenagers, we apply the same privacy-protective settings to every account regardless of age: we do not run behavioural advertising; optional analytics stays off unless you give consent; marketing emails are off by default and are only sent if you explicitly opt in to each purpose (study reminders, product updates, etc.); and public social features are designed to avoid exposing full names or sensitive learning data.
Optional date of birth. At signup we offer an optional date-of-birth field. Providing it is not required to use the Service — the 13+ checkbox is the only confirmation we need. If you do choose to provide it, we store it on your profile so we can offer age-appropriate features in future. We do not display it, we do not use it for advertising, and you can leave the field blank or delete your account at any time.
We do not knowingly collect data from anyone under 13. If you are a parent or guardian and believe a child under 13 has created an account, contact us and we will review the account, delete the data, and confirm the outcome in writing.
9. Security
We use industry-standard measures (encryption in transit, access controls, and monitoring). No online service is perfectly secure; please use a strong, unique password.
10. Processors and international data transfers
We use trusted processors to run the Service and billing, including hosting, authentication, email, payment, analytics (consented only), and content-processing providers. We choose processors with clear security and privacy standards and review them periodically.
If your data is processed outside the UK/EEA, we use an approved transfer mechanism (such as UK IDTA, SCCs, or equivalent provider transfer terms) so there is an enforceable basis to receive and process your data.
11. Automated decisions and profiling
We use automated logic to rank topics, choose question sets, and suggest next steps. These systems support recommendation and personalization, not high-risk decisions with legal effects. If you feel an automated outcome is materially wrong for your account, you can contact us to review it.
12. Cookies
We use essential cookies for login and security. We store your cookie choice in browser local storage so the banner can remember your preference. Optional analytics tools, including Google Analytics, PostHog, Vercel Analytics, Vercel Speed Insights, or TikTok Pixel where configured, load only after optional cookie consent. See our cookie banner and Cookie Policy for more detail.
13. Complaints
Contact us first at privacy@studyvector.co.uk. You may also complain to the ICO (UK).
14. Changes
We may update this policy; the date at the top will change. Material changes may be notified by email or in-app.
15. School and family use
If your account is managed by a school or parent, this policy still applies to the student-level data in that account. We do not alter reporting settings without your control, and all data rights can be exercised via this policy's privacy contact or your dashboard.
For school or college deployments, StudyVector may act as a processor for learner data handled on the institution's instructions, while the school or college remains responsible for its own lawful basis and parent/student communications. We can provide data-processing terms for DPO or procurement review, including support for subject-access, deletion, export, and retention requests for school-managed accounts. Schools can review our School DPA summary before requesting signed terms.