Draft. Solicitor review required before launch. This page is a starting point produced from an internal legal risk assessment. Entity-specific details (company number, registered address, ICO registration number) are placeholders. It is not legal advice.
Sure Success, Legal

Privacy Notice

Last updated: 21 April 2026

This Privacy Notice tells you how [Sure Success Ltd (or sole trader name)] (“Sure Success”, “we”) handles personal data about visitors, account holders and paying customers. It is written to meet our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who is responsible

The data controller is [Sure Success Ltd (or sole trader name)], registered at [Registered address to be inserted], company number [Company number to be inserted], ICO registration number [ICO registration number to be inserted]. For data protection questions email privacy@suresuccess.co.uk.

2. What data we collect

  • Account data: name, email address, hashed password (if you register with email), Google account identifier (if you use Google Sign-In).
  • Subscription data: plan, billing status. Card data is handled by Stripe and never touches our servers.
  • Practice data: quiz session IDs, answers you select, time spent, flagged questions, bookmarks, scores and topic accuracy.
  • AI tutor messages: the chat content you send and the replies our AI tutor sends back.
  • Leaderboard data: your chosen display name (if you opt in) and aggregate accuracy.
  • Technical data: IP address, user-agent, basic log data for security and troubleshooting.

3. Why we process it, and our lawful basis

  • Creating and running your account, taking payment, and delivering the subscribed service, Article 6(1)(b) UK GDPR (performance of a contract).
  • Service improvement, product analytics, fraud prevention, Article 6(1)(f) (legitimate interests, balanced against your rights; we keep a Legitimate Interests Assessment on file).
  • Marketing emails you opt into, Article 6(1)(a) (consent), with a PECR-compliant opt-in at sign-up or in Profile.
  • Complying with legal obligations such as tax and accounting records, Article 6(1)(c).

4. Who we share it with (sub-processors)

We use the following third-party service providers, each covered by a Data Processing Agreement:

  • Vercel Inc., hosting and CDN. Data may be processed in the United States.
  • Neon, PostgreSQL database hosting, in the UK/EU region where available.
  • Stripe Payments UK Ltd, payment processing.
  • Google, Google Sign-In (authentication only) and Google Gemini API (AI tutor replies).
  • Email provider, [transactional email vendor to insert], for account notifications.

We do not sell your personal data, and we do not share it with advertising networks.

5. International transfers

Some sub-processors are based outside the UK. Where they are, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with additional technical and organisational safeguards appropriate to the transfer.

6. How long we keep it

  • Account data, for the life of your account, plus up to 6 years after closure for tax and contract records.
  • Practice and AI chat data, for the life of your account, then deleted within 90 days of account closure unless you request earlier erasure.
  • Payment records, retained in line with HMRC rules (currently 6 years).
  • Server logs, 30 days.

7. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data (right to erasure);
  • restrict or object to certain kinds of processing;
  • receive your data in a portable format;
  • withdraw consent at any time where we rely on consent (for example, marketing emails).

To exercise any of these rights, email privacy@suresuccess.co.uk. We will respond within one calendar month.

You also have the right to complain to the Information Commissioner’s Office at ico.org.uk if you think we have mishandled your data. We would prefer to try to sort it out with you first, but it is your right.

8. Automated decision-making and profiling

The AI tutor uses your recent quiz performance (weak topics, recent wrong answers) to personalise its replies. It does not make decisions with legal or similarly significant effects on you. You can ask the tutor to ignore this context, or you can use the service without the tutor feature.

9. Children

Sure Success is intended for users aged 18 and over. We do not knowingly collect data from children. If you believe a child has created an account, please email us and we will delete it.

10. Security

Passwords are hashed with bcrypt. Data in transit is encrypted via HTTPS. Access to production systems is limited to named individuals with multi-factor authentication. We run a breach-response runbook and will notify the ICO within 72 hours of discovering any notifiable breach.

11. Cookies

See the Cookie Policy for the full list of cookies we set and how to control them.

12. Changes to this notice

If we change this notice in a way that materially affects how we handle your data, we will email you and update the “Last updated” date at the top of this page.