Privacy Policy

1. Introduction

MedZone ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our UCAT preparation platform. We comply with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, school year, UCAT test date
• Profile Information: Study preferences, goals, and settings
• Payment Information: Processed securely by Stripe (we do not store card details)
• Communications: Messages you send us, feedback, and support requests

2.2 Information Automatically Collected

• Usage Data: Practice session data, question attempts, scores, time spent
• Device Information: Browser type, operating system, IP address
• Session Data: Session information to maintain your login state and preferences
• Performance Data: Response times, completion rates, skill mastery metrics

2.3 AI Tutor Interactions

Your questions and interactions with our AI Tutor are logged to improve the service and provide personalized guidance. These interactions are associated with your account but are not shared with third parties.

3. How We Use Your Information

We use your information to:

• Provide and maintain the platform
• Create and manage your account
• Generate personalized practice questions and mock exams
• Track your progress and identify areas for improvement
• Provide AI-powered tutoring and feedback
• Process payments and manage subscriptions
• Send you important updates about your account and subscription
• Respond to your inquiries and provide customer support
• Improve our platform and develop new features
• Detect and prevent fraud or abuse
• Comply with legal obligations

4. Legal Basis for Processing (GDPR)

We process your personal data based on:

• Contract Performance: To provide the services you signed up for
• Legitimate Interests: To improve our platform, prevent fraud, and enhance security
• Consent: For marketing communications (you can opt out anytime)
• Legal Obligations: To comply with applicable laws and regulations

5. Data Sharing and Disclosure

We do not sell your personal information. We may share your data with:

5.1 Service Providers

• Supabase: Database hosting and authentication
• Stripe: Payment processing
• Email Services: Transactional and notification emails
• AI Services: To power our AI Tutor feature

All service providers are bound by data protection agreements and may only use your data to provide services to us.

5.2 Parents and Guardians

If you link your account to a parent or guardian, they will be able to view your progress, scores, and practice history. This requires your explicit consent.

5.3 Legal Requirements

We may disclose your information if required by law, legal process, or to protect our rights, property, or safety.

6. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Specifically:

• Account Data: Until you delete your account, plus 90 days for backup purposes
• Practice Data: Retained for the lifetime of your account for progress tracking
• Payment Records: 7 years for tax and accounting purposes
• Support Communications: 3 years after resolution

7. Your Rights Under GDPR

You have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restrict Processing: Limit how we use your data
• Data Portability: Receive your data in a machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent for marketing communications

To exercise these rights, contact us at privacy@medzone.co. We will respond within 30 days.

8. Children's Privacy

Our platform is designed for students preparing for the UCAT, many of whom are under 18. We comply with GDPR requirements for processing children's data. For users under 18, we require parental consent for certain features. Parents may request access to, correction, or deletion of their child's information by contacting us.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption of data in transit (HTTPS/TLS) and at rest
• Regular security assessments and audits
• Access controls and authentication requirements
• Secure hosting infrastructure with Supabase
• Regular backups and disaster recovery procedures

However, no system is completely secure. Please use a strong password and keep your credentials confidential.

10. International Data Transfers

Your data may be processed in countries outside the UK/EEA where our service providers operate. We ensure appropriate safeguards are in place, including standard contractual clauses approved by the UK Information Commissioner's Office (ICO).

11. Session Management

We use secure session management to maintain your login state, remember your preferences, and ensure the platform functions properly. You can manage these settings through your browser preferences.

12. Marketing Communications

We may send you promotional emails about new features, tips, and offers. You can opt out at any time by clicking "unsubscribe" in any marketing email or updating your preferences in your account settings. We will still send essential service-related communications.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a prominent notice on the platform. The "Last Updated" date indicates when changes were last made.

14. Contact and Complaints

If you have questions about this Privacy Policy or how we handle your data:

Email: privacy@medzone.co
Address: MedZone Ltd, London, United Kingdom

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113