Privacy notice
1. Who we are
UCATlas (“we”, “us”, “UCATlas”) is an independent UCAT preparation service operated from the United Kingdom. UCATlas is a study aid and is not affiliated with, endorsed by, or licensed by the UCAT Consortium.
For the purposes of UK GDPR and the Data Protection Act 2018, UCATlas is the data controller for personal data described in this notice. You can reach our privacy contact at arizzaman99@gmail.com.
2. What personal data we collect
We only collect what we need to run your account and improve the product:
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, display name, hashed password (or Google sign-in ID), account created/last sign-in timestamps. | You / your sign-in provider (Google). |
| Billing data | Stripe customer ID, subscription status and price, billing country, invoice history. We never see your full card number. | You via Stripe Checkout (Stripe is the payment processor). |
| Study data | Mock-exam attempts, answers, scores, study planner entries, calendar settings, notes you save in the app. | You, while using the platform. |
| AI tutor transcripts | The questions you ask the AI tutor and the responses we return. | You, while using the AI tutor feature. |
| Technical data | IP address, browser/device, log entries from our edge functions, error reports. | Automatic, when you use the site. |
We do not knowingly collect special-category data (such as health information). Please do not include any in your AI tutor messages.
3. Why we use it (legal bases)
- Performing the contract with you — to create and run your account, deliver the practice content you have access to, and process subscription payments.
- Legitimate interests — to keep the service secure (rate-limiting, abuse prevention), to debug and improve the product, and to send you essential operational emails about your account or service incidents.
- Consent — for any non-essential cookies, marketing emails (if you opt in), and for using your AI tutor transcripts to improve our prompts and curriculum.
- Legal obligation — to keep tax and accounting records, and to respond to lawful requests from regulators or courts.
4. Who we share it with
We don’t sell your personal data. We use a small set of trusted processors and only share what they need to do their job:
| Processor | Purpose | Region |
|---|---|---|
| Supabase (database, auth, storage, edge functions) | Hosts your account, study data, and the question bank; runs our serverless API. | EU (Frankfurt) / UK |
| Stripe | Processes subscription payments and stores billing details (PCI-DSS compliant). | EU / US (UK GDPR-compliant transfer mechanism in place). |
| Google (Gemini API) | Powers the AI tutor. We send your prompt; we do not send your name or email. | US (UK GDPR-compliant transfer mechanism in place). |
| Email delivery (transactional) | Sends sign-up confirmations, billing receipts, and account-security emails. | EU / US |
5. Cookies & analytics
We use a small number of strictly necessary cookies and local-storage entries to keep you signed in (Supabase auth) and to remember your study planner state. These do not require consent.
We do not run advertising trackers. If we add product analytics in the future, we will ask for your consent via the cookie banner before any non-essential cookie is set.
6. How long we keep it
- Account data: while your account is active, then up to 24 months after you delete it (for fraud and tax records).
- Billing records: 6 years from the end of the financial year (UK tax law).
- Study data & mock attempts: deleted when you delete your account, except for aggregated, non-identifying statistics.
- AI tutor transcripts: 12 months, then deleted.
- Server logs: 30 days.
7. International transfers
Some of our processors (Stripe, Google) operate from outside the UK/EEA. Where data leaves the UK, we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses, plus any additional safeguards (e.g. encryption in transit) where the destination country does not have an adequacy decision.
8. Your rights
Under UK GDPR you can ask us to:
- provide a copy of the personal data we hold about you (right of access);
- correct any inaccurate or incomplete data (rectification);
- delete your data (erasure / “right to be forgotten”);
- restrict or object to certain processing;
- port your data to another provider in a structured, machine-readable format;
- withdraw consent at any time, where consent was the legal basis;
- opt out of any future marketing emails (each marketing email also includes an unsubscribe link).
Email arizzaman99@gmail.com from the address attached to your account and we will respond within one calendar month.
9. Security
We use TLS for every connection, hash passwords with industry-standard algorithms (handled by Supabase Auth), apply Row-Level Security to every database table, and gate paid content with server-side subscription checks. No system is perfectly secure — please use a unique password and contact us straight away if you suspect your account has been accessed without permission.
10. Contact & complaints
Privacy questions and data-rights requests: arizzaman99@gmail.com.
If you are unhappy with how we have handled your personal data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk or by phoning 0303 123 1113. We would always appreciate a chance to put things right first.
See also our terms of service and refund policy.