Privacy Policy
Last updated: April 2026
IELTS Prep Studio (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data responsibly and transparently. This Privacy Policy explains what personal data we collect, how we use it, the legal basis for doing so, your rights, and how to exercise them.
This policy applies to users of www.ieltsprepstudio.com and complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is:
IELTS Prep Studio
Website: www.ieltsprepstudio.com
Email: privacy@ieltsprepstudio.com
We are based in the United Kingdom. If you have any questions about this policy or your personal data, please contact us at the address above.
2. Personal Data We Collect
We collect personal data in the following circumstances:
2a. Account Registration
- Full name
- Email address
- Password (stored as a secure hash — we never see your plain-text password)
- Country of residence (optional, self-reported)
2b. AI Practice Tools
- Written responses you submit to our Writing Evaluator (Task 1 and Task 2 essays)
- Audio recordings you make in our Speaking Evaluator
- These are processed by our AI provider (Anthropic, Inc.) to generate band-score feedback and then stored against your account so you can review your history.
2c. Live Chat
- Name and email address you provide when starting a chat (optional)
- The content of messages you send
2d. Payments
- Billing name and email address (used to create your Stripe customer record)
- Payment card details are collected and stored securely by Stripe, Inc. We never see or store raw card numbers on our servers.
2e. Usage Data (Analytics — Consent Required)
- Pages visited, time on page, and navigation paths
- Approximate location (country/city level, derived from anonymised IP address)
- Device type, operating system, and browser
- This data is collected via Google Analytics 4 only if you have consented via our cookie banner.
2f. Technical Data
- IP address (used transiently by our hosting infrastructure; not stored in a retrievable form by us)
- Session authentication tokens (stored in browser cookies/local storage)
3. Lawful Basis for Processing
Under UK GDPR Article 6, we rely on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Creating and managing your account | Contract (Art. 6(1)(b)) — necessary to perform the service you signed up for |
| Delivering AI writing and speaking feedback | Contract (Art. 6(1)(b)) |
| Processing payments | Contract (Art. 6(1)(b)) |
| Sending transactional emails (receipts, password resets) | Contract (Art. 6(1)(b)) |
| Analytics (Google Analytics 4) | Consent (Art. 6(1)(a)) — only collected after you accept cookies |
| Fraud prevention and site security | Legitimate interests (Art. 6(1)(f)) — to protect our users and business |
| Complying with legal obligations (e.g., tax records) | Legal obligation (Art. 6(1)(c)) |
4. Who We Share Your Data With
We share personal data only with trusted third-party service providers who process it on our behalf under a Data Processing Agreement, and only to the extent necessary to provide our services:
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, and file storage | EU / US |
| Anthropic, Inc. | AI processing of writing and speaking submissions to generate feedback | US |
| Stripe, Inc. | Payment processing and subscription management | US / EU |
| Resend, Inc. | Transactional email delivery | US |
| Vercel, Inc. | Website hosting and content delivery | US / Global CDN |
| Google LLC | Analytics (only if you have consented to cookies) | US |
We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.
5. International Transfers
Some of our processors are based in the United States or other countries outside the UK. Where we transfer personal data outside the UK, we ensure an equivalent level of protection is in place through one of the following mechanisms:
- UK adequacy regulations — where the destination country has been deemed adequate by the UK Government.
- UK International Data Transfer Agreements (IDTAs) or UK Addendum to EU Standard Contractual Clauses (SCCs) — contractual safeguards approved by the ICO that bind the recipient to UK GDPR standards.
You can obtain further details about the specific safeguards in place for any given transfer by contacting us at privacy@ieltsprepstudio.com.
6. Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Account profile data | Duration of account + 30 days after deletion request | Service provision |
| Writing and speaking submissions | Duration of account | Progress tracking |
| Payment records | 7 years | UK legal obligation (HMRC record-keeping) |
| Chat messages | 6 months after conversation closes | Support quality and dispute resolution |
| Analytics data (if consented) | 14 months (Google Analytics default) | Trend analysis |
After the applicable retention period, data is securely deleted or anonymised.
7. Your Rights Under UK GDPR
Under UK GDPR (Articles 15–22) and the Data Protection Act 2018, you have the following rights with respect to your personal data:
Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you and information about how we process it (a Subject Access Request).
Right to Rectification (Art. 16)
You have the right to ask us to correct inaccurate or incomplete personal data we hold about you.
Right to Erasure / ‘Right to Be Forgotten’ (Art. 17)
You have the right to request deletion of your personal data in certain circumstances — for example, where we no longer need the data for the purpose it was collected, or where you withdraw consent.
Right to Restriction of Processing (Art. 18)
You can ask us to restrict processing of your data while a dispute is being resolved.
Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent (e.g., analytics cookies), you may withdraw your consent at any time by changing your cookie preferences. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Rights Related to Automated Decision-Making (Art. 22)
We do not make solely automated decisions that produce legal or similarly significant effects about you. Band score feedback generated by our AI tools is advisory and does not constitute a binding assessment.
To exercise any of these rights, please email privacy@ieltsprepstudio.com. We will respond within one calendar month as required by UK GDPR Article 12. We may ask you to verify your identity before processing your request.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or damage. These measures include:
- TLS encryption for all data in transit
- Encrypted storage at rest (Supabase / database layer)
- Password hashing using industry-standard algorithms
- Role-based access controls for internal systems
- API keys stored as environment variables, not in source code
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, where required, notify you directly.
10. Children's Data
Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us at privacy@ieltsprepstudio.com and we will delete it promptly.
11. Right to Lodge a Complaint with the ICO
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify registered users by email. Continued use of the site after the effective date constitutes acceptance of the updated policy.