Legal

Privacy Policy

Last updated: 2 July 2025

1. Who We Are

PrepareAI is operated as a sole trader business under English law. The data controller responsible for your personal data is Roy Vivasi, trading as PrepareAI (royvivasi@gmail.com).

This Privacy Policy explains how we collect, use, store, and protect personal data when you use PrepareAI at prepareai-777.web.app. It complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are registered with the Information Commissioner's Office (ICO) as required under the Data Protection (Charges and Information) Regulations 2018. If you have any questions about how we handle your data, please contact us at royvivasi@gmail.com.

2. Data We Collect

2.1 Account Data

When you create an account, we collect:

  • Email address
  • Name (optional, derived from your email prefix if not provided)
  • Password (stored as a one-way bcrypt hash — we never store your plaintext password)
  • Profile image (if provided via OAuth)

2.2 Event and Learning Data

When you use the service, we collect:

  • Events you create: title, type, description, target date, goals
  • Materials you upload or link (documents, URLs, text)
  • Learning progress: lessons completed, quiz answers, time spent, confidence ratings
  • Performance metrics: accuracy, retention scores, streaks

2.3 Usage and Technical Data

  • AI usage logs: token counts, model used, feature triggered, cost estimate — associated with your account to enforce fair-use limits
  • Browser type, device type, and IP address (collected automatically by our hosting provider)
  • Pages visited and features used within the application

2.4 Payment Data

If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. We never see or store your full card number, CVV, or bank details. We store only:

  • Stripe customer ID and subscription ID
  • Your current plan (Free, Pro, Enterprise)
  • Subscription status and renewal date

Stripe's privacy policy is available at stripe.com/gb/privacy.

3. Legal Basis for Processing

We process your personal data under the following lawful bases under UK GDPR Article 6:

PurposeLegal Basis
Providing the service (creating events, generating curricula)Performance of contract (Art. 6(1)(b))
Processing payments and managing subscriptionsPerformance of contract (Art. 6(1)(b))
Preventing abuse, enforcing usage limitsLegitimate interests (Art. 6(1)(f))
Improving our AI models and service qualityLegitimate interests (Art. 6(1)(f))
Sending transactional emails (password resets, billing)Performance of contract (Art. 6(1)(b))
Complying with legal obligations (tax records, ICO)Legal obligation (Art. 6(1)(c))
Marketing communications (with opt-in)Consent (Art. 6(1)(a))

4. How We Use Your Data

  • Service delivery: To generate your personalised AI curriculum, track progress, and provide learning content.
  • Account management: To authenticate you, manage your subscription, and handle billing.
  • AI processing: Your event descriptions, goals, and uploaded materials are sent to Anthropic's Claude API to generate learning content. We do not use your data to train Anthropic's models (see Section 5).
  • Usage limits: We log AI token usage per account to enforce fair-use limits under each plan and prevent runaway API costs.
  • Security: To detect and prevent fraudulent or abusive use of the service.
  • Legal compliance: To meet our obligations under UK law, including tax and financial record-keeping.

We do not sell your personal data to third parties. We do not use your data for advertising profiling or share it with data brokers.

5. Third-Party Services

We use the following sub-processors to operate the service. Each has been assessed for compliance with UK data protection law:

Anthropic PBCUSA — SCCs / adequacy assessment

AI content generation (Claude API)

Your event content and materials are processed to generate curricula. Anthropic's API usage policy states they do not train models on API inputs by default.

Neon Inc.EU (eu-west-2 region)

PostgreSQL database hosting

All user account data, events, progress, and usage logs are stored here.

Google (Firebase / Cloud Functions)USA — SCCs

Application hosting and serverless functions

Hosts the web application. Google Firebase Hosting and Cloud Functions process requests.

Stripe, Inc.USA — SCCs / adequacy assessment

Payment processing

Processes all payment card data. We never receive or store full card details.

Upstash, Inc.EU region selected

Redis cache (session / rate limiting)

Used for temporary caching. Does not store persistent personal data.

6. International Transfers

Some of our sub-processors are based outside the UK. Where we transfer personal data to countries not deemed adequate by the UK Government, we rely on the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum (UK Addendum to the EU Standard Contractual Clauses) as the legal mechanism for transfer.

7. Data Retention

We retain personal data for as long as necessary to provide the service and comply with legal obligations:

  • Active accounts: Data is retained for the lifetime of your account.
  • Deleted accounts: We delete or anonymise personal data within 30 days of account deletion, except where we are required to retain it by law.
  • Billing records: Financial and transaction records are retained for 7 years as required by HMRC under the Taxes Management Act 1970.
  • AI usage logs: Retained for 12 months for abuse prevention and billing verification, then anonymised.
  • Backups: Database backups may retain data for up to 30 days after deletion.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of access

Request a copy of all personal data we hold about you (Subject Access Request).

Right to rectification

Ask us to correct inaccurate or incomplete data.

Right to erasure ("right to be forgotten")

Request deletion of your personal data where we no longer have a lawful basis to hold it.

Right to restrict processing

Ask us to pause processing your data in certain circumstances.

Right to data portability

Receive your data in a structured, machine-readable format (where processing is based on consent or contract).

Right to object

Object to processing based on legitimate interests. We must stop unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

Rights related to automated decision-making

We do not make solely automated decisions with legal or similarly significant effects on you.

To exercise any of these rights, email royvivasi@gmail.com. We will respond within one calendar month as required by UK GDPR. We may need to verify your identity before processing your request.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Cookies

We use the following cookies:

  • Authentication cookies (strictly necessary): Set by NextAuth.js to maintain your signed-in session. These are essential for the service to function and do not require consent.
  • CSRF protection cookies (strictly necessary): Set to protect against cross-site request forgery attacks.

We do not currently use tracking, analytics, or advertising cookies. If we introduce analytics in future, we will update this policy and obtain appropriate consent.

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Passwords are hashed using bcrypt with a work factor of 12 — never stored in plaintext
  • All data in transit is encrypted using TLS 1.2 or higher
  • Database access is restricted by IP allowlist and requires TLS
  • API keys and secrets are stored as environment variables, not in source code
  • Access to production systems is restricted to authorised personnel

No method of internet transmission or electronic storage is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR Article 33-34.

11. Children

PrepareAI is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly. Users aged 13–17 should have parental consent before using the service.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email (if you have an account) and by updating the "Last updated" date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related queries, requests, or complaints:

PrepareAI (Roy Vivasi, Sole Trader)

Email: royvivasi@gmail.com

Response time: within 5 business days (legal requests: within 1 calendar month)