Privacy Policy
This policy explains what personal data we collect, how we use it, who we share it with, and the rights you have over your information.
Last updated: 1 May 2026
1. Who we are
UKMLACE Ltd operates the ukmlace educational platform at ukmlace.org ("we", "us", "our"). We are the data controller responsible for the personal information described in this policy. For privacy-related enquiries, contact us at privacy@ukmlace.org.
2. Data we collect
We collect the following categories of personal data:
- Account data: your name, email address, country, profile picture, and authentication credentials when you register or sign in.
- Google account data: if you sign in with Google, we receive your name, email address, and profile picture from Google. We request only the minimum scopes necessary (email and profile). We do not access your Google Drive, Gmail, contacts, or any other Google services.
- Study and performance data: your practice session recordings and transcripts, session feedback scores, session history, study streaks, analytics events, and station interaction states (read, saved, flagged).
- Payment data: payment status, subscription tier, billing history, and credit balances. Full card details are processed and stored by Stripe — we never see or store your full card number, CVC, or bank details.
- Communication data: messages you send to our support team and feedback you submit through the platform.
- Technical data: IP address, browser type, device identifiers, and usage logs collected automatically when you use the Service.
- Onboarding data: exam date, preparation stage, weak areas, and study preferences you provide during account setup.
3. How we use your data
We use your personal data for the following purposes:
- Service delivery: to operate your account, process payments, and provide all platform features including practice simulations, study notes, peer rooms, and mock bookings.
- Personalisation: to generate a tailored study plan, surface relevant stations, and provide performance analytics based on your progress and goals.
- Voice and practice features: your session audio and text may be processed by third-party automation and speech-technology providers to power simulations, transcripts, and session feedback. Those providers process data under their own privacy policies and our data processing agreements with them where applicable.
- Payment processing: to charge your subscription or top-up purchases via Stripe and manage billing.
- Security and abuse prevention: to detect and prevent fraud, account sharing, and misuse of the platform.
- Service improvement: anonymised, aggregated usage data may be used to improve platform features and content quality.
- Communications: to send transactional emails (booking confirmations, receipts, session reminders) and, where you have opted in, product updates. You may unsubscribe from marketing emails at any time.
- Legal compliance: to comply with applicable laws, regulations, and legal processes.
4. Legal basis for processing (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing your personal data are:
- Contract performance — processing necessary to deliver the Service you have signed up for, including running your account, processing payments, and providing practice sessions.
- Legitimate interests — improving our platform, preventing fraud, and communicating relevant product updates, where these interests are not overridden by your rights.
- Legal obligation — complying with tax, financial regulation, and law enforcement requirements.
- Consent — for optional features such as marketing emails. You may withdraw consent at any time.
5. Google OAuth and user data
ukmlace offers sign-in via Google OAuth as a convenience. When you choose to sign in with Google:
- We request access to your basic Google profile: name, email address, and profile picture.
- We do not request access to Gmail, Google Drive, Google Contacts, Google Calendar, or any other Google services.
- We use your Google email as your account identifier and to send you service-related communications.
- We do not sell, rent, or share your Google account data with third parties for advertising.
- You can revoke ukmlace's access to your Google account at any time via your Google account security settings. Revoking access does not automatically delete your ukmlace account; contact us at privacy@ukmlace.org to request account deletion.
Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
6. Third-party services and data sharing
We share personal data with the following trusted third-party service providers only to the extent necessary to deliver the Service:
- Supabase — authentication, database hosting, and file storage. Data is stored on servers in the Mumbai, India region.
- Stripe, Inc. — payment processing and subscription management. Stripe is PCI DSS Level 1 certified.
- Third-party automation and speech providers — where you use voice or text-based practice features, content may be processed by vendors we engage for educational simulations, transcription, and feedback. Their identities and terms may change over time; we contractually limit use to providing the Service.
- Vercel, Inc. — web hosting and edge network delivery for the frontend application.
- Railway — hosting for our backend API and related server-side services.
We do not sell your personal data to advertisers or data brokers. We do not share your data with third parties for their own marketing purposes.
7. International data transfers
Your data may be processed in countries outside your country of residence, including the United States and India, depending on which subprocessors handle a given feature (for example, hosting, payments, database, or automated processing). We ensure appropriate safeguards are in place for such transfers, including Standard Contractual Clauses approved by the European Commission where applicable.
8. Data retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained until you request deletion.
- Session transcripts and session feedback are retained for up to 3 years to allow you to access your performance history.
- Payment records are retained for 7 years for tax and legal compliance.
- Support communications are retained for 2 years.
After account deletion, we will anonymise or delete your personal data within 30 days, except where we are required to retain it by law.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including encrypted data transmission (HTTPS/TLS), encrypted storage, row-level security policies in our database, and access controls limiting data access to authorised personnel only. Despite these measures, no internet transmission is completely secure, and we cannot guarantee the absolute security of your data.
10. Your rights
Depending on your country of residence, you may have the following rights regarding your personal data:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request erasure of your personal data (the "right to be forgotten"), subject to legal retention requirements.
- Restriction: request that we restrict processing of your data in certain circumstances.
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at privacy@ukmlace.org. We will respond within 30 days. If you believe we have not complied with data protection law, you have the right to lodge a complaint with your local supervisory authority (in the UK, the ICO at ico.org.uk).
11. Cookies and tracking
We use session cookies and local storage to maintain your login state and preferences. We do not currently use third-party advertising cookies or cross-site tracking technologies. You may clear cookies through your browser settings; doing so will log you out of the platform.
12. Children's privacy
ukmlace is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that a user is under 18, we will promptly delete their account and associated data. If you believe a child has created an account, please contact us at privacy@ukmlace.org.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify you by email or by posting a notice on the platform before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
14. Contact
For any questions about this Privacy Policy or to exercise your data rights, please contact us at privacy@ukmlace.org.