Przejdź do treści
iKnowTheUK

Privacy Policy

Privacy Policy

Last updated: [TODO — set on publication]

We know why you are here. You are preparing for the Life in the UK Test, and that means you are going through the UK immigration process. That context is sensitive. So our rule is simple: we collect the minimum, we never sell your data, and your data stays here.

This policy explains what we collect, why, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).

1. Who is responsible for your data (the "controller")

[TODO: company legal name] [TODO: company number] [TODO: registered address] Email: [email protected] ICO registration number: [TODO — register with the ICO before launch]

2. What we collect and why

We only collect what the product needs. We never ask for your nationality, immigration status, visa type, or application details. We do not want them.

DataWhy we collect itLawful basis (UK GDPR Art. 6)
Email addressYour account login; receipts; service emails (e.g. plan reminders, rule-change alerts you asked for)Contract (account and purchase); consent (optional alerts)
Optional test dateTo build your study plan and countdownContract (it powers a core feature you asked for)
Chosen explanation languageTo show explanations in your languageContract
Study activity (answers, scores, mock results, review history)To run your study plan, spaced repetition, and readiness gauge; to check pass-guarantee eligibilityContract
Purchase records (amount, date, payment status — not your card number)To grant access, handle refunds, and meet tax and accounting lawContract; legal obligation
Self-declared real test result (only if you claim the guarantee)To process your refund claimContract
Basic technical data (IP address at request time, browser type)Security, fraud and abuse prevention, keeping the service runningLegitimate interests (protecting the service and users)
Anonymous product analytics (page views, feature usage)To improve the product. Collected without cookies and without building a profile of youLegitimate interests (improving the service)
Error reportsTo fix bugsLegitimate interests

We never see or store your full card or PayPal details. Stripe and PayPal handle payment directly.

A note for the lawyer: we deliberately avoid collecting any Article 9 special category data. Test-prep usage could indirectly suggest immigration context; we treat the whole dataset as sensitive in practice (minimisation, no sale, no ads, EU/UK hosting) even where the law does not strictly require it.

3. Who processes data for us

We use a small number of service providers ("processors"). Each one only gets the data it needs.

ProcessorWhat it doesWhat it seesWhere
Railway (EU region) [TODO: confirm chosen region]Hosts our application and databaseAll service dataEU
ClerkSign-in and account securityEmail, sign-in metadata[TODO: confirm region/transfer mechanism — likely US with UK IDTA/SCCs]
StripeCard, Apple Pay, Google Pay payments; VAT calculationPayment details, emailGlobal; UK/EU safeguards (Stripe's DPA)
PayPalPayPal paymentsPayment details, emailGlobal; PayPal's own controller/processor terms [TODO: lawyer to confirm PayPal acts as independent controller for its side]
PostHog (EU Cloud)Product analytics — cookieless, memory-only persistenceAnonymous usage eventsEU
ResendSends transactional email (receipts, reminders)Email address, email content[TODO: confirm region/transfer mechanism]
SentryError monitoringTechnical error data; incidental request data[TODO: confirm EU data residency option]

We do not use advertising networks, data brokers, or social media pixels. There is no Facebook pixel, no Google Ads tag, nothing of that kind.

4. International transfers

Our application and database are hosted in the EU. Some processors (see table above) may process data outside the UK/EU. Where that happens, we rely on UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses. [TODO: lawyer to verify per processor.]

5. How long we keep data

DataRetention
Account and study dataWhile your account is active, then deleted [TODO: propose 24 months after last activity]
Purchase and refund records6 years (UK tax and accounting law)
Email marketing consents and opt-outsUntil you withdraw, plus a suppression record so we do not email you again
Anonymous analytics[TODO: confirm PostHog retention setting, propose 12 months]
Error logs90 days

You can delete your account at any time (see section 7). Deletion removes your personal data except records we must keep by law (e.g. purchase records for tax).

6. Cookies

We use essential cookies only (sign-in session, payment security). Our analytics is cookieless — PostHog runs in memory-only mode and stores nothing on your device.

Because we set no advertising or tracking cookies, we do not show a cookie consent banner.

PECR reasoning for the lawyer: essential cookies (Clerk session, Stripe fraud/payment) fall within the "strictly necessary" exemption in PECR reg. 6(4). PostHog is configured with persistence: "memory" — no cookie, no localStorage identifier — so no information is stored on, or read from, the user's device beyond what is strictly necessary to deliver the page; on our reading, PECR consent is not triggered for the analytics either. Please confirm this position and the wording of [cookies.md](./cookies.md).

7. Your rights

Under UK GDPR you can:

  • Access your data (get a copy);
  • Correct it;
  • Delete it ("right to erasure");
  • Export it (data portability);
  • Object to or restrict certain processing;
  • Withdraw consent at any time (e.g. unsubscribe from alerts — every email has an unsubscribe link).

How to use these rights (DSAR procedure):

  1. In the app: Settings → Privacy has one-click Export my data and Delete my account. No email needed.
  2. By email: write to [email protected] from your account email. We respond within one month, as the law requires. We may ask you to confirm you control the account email — nothing more.

There is no charge. We will not make it difficult.

8. Our commitments to you

  • We never sell your data. Not to anyone, not ever.
  • We never share your data with advertisers or ad networks.
  • We never share your data with government bodies unless we are legally compelled to, and then only the minimum required.
  • We collect the minimum. If a feature does not need a piece of data, we do not ask for it.
  • Your data stays here. It is used to help you pass your test. That is all.

9. Children

The service is for people aged 16 and over. We do not knowingly collect data from children.

10. Complaints

If you are unhappy with how we handle your data, please contact us first: [email protected]. See our [Complaints Procedure](./complaints.md).

You also have the right to complain to the UK regulator at any time:

Information Commissioner's Office (ICO) ico.org.uk/make-a-complaint — Helpline: 0303 123 1113

11. Changes to this policy

If we change this policy in a way that matters, we will email you and post a notice in the app before the change takes effect.