Privacy Policy
Last updated: 3 May 2026
1. Who We Are
SuperStudies Ltd (Company Number: 16694082) is the data controller responsible for your personal data.
Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
Email: [email protected]
2. Data We Collect
We collect the minimum data necessary to provide our service. We use passwordless authentication — no passwords are ever created or stored on our systems. We do not ask for date of birth at signup; you only confirm you are 18 or over and have read these terms.
- Account data: name, email address, user type (student/parent), Firebase user ID, the timestamp of your 18+/Terms attestation
- Profile data: year group, school name, learning preferences, study goals — all optional and entered after signup
- Study data: subject selections, topic progress, exam results, flashcard interactions, study session times, AI Tutor conversation history
- Payment data: processed by DodoPayments — we do not store card numbers, only a customer reference, your subscription tier, and (where applicable under Indian law) the timestamp at which you waived your 7-day right of withdrawal
- Technical data: IP address (transient, for session security only), browser type, device information, essential cookies
No passwords stored: Authentication is handled via email magic links only. There are no passwords on our systems that could be compromised in a data breach.
3. How We Use Your Data
We use your data to:
- Provide and personalise our educational platform
- Power AI-driven study recommendations and tutoring
- Track learning progress and generate performance reports
- Process subscription payments (only once paid tiers are activated — currently in Alpha there are no charges)
- Enable parent/guardian oversight of student accounts (linked parents can view a child's progress, AI Tutor transcripts, and exam results)
- Send service notifications, safeguarding alerts, and — only if a parent has opted in — a once-a-week summary email of their linked students' effort
- Enforce a single-session-per-account policy: signing in on a new device automatically signs you out of any other device, to deter credential sharing
- Improve our platform and develop new features
What we do not do with your data:
- We do not sell your personal data to anyone.
- We do not use your study data, AI Tutor conversations, generated flashcards/notes/mind-maps, uploaded curriculum content, or any other content you create on the platform to train, fine-tune, or evaluate any AI model — neither our own models nor those of any third party. Prompts are sent to AI providers only to generate responses for you and are subject to those providers' standard data-handling terms (see §6).
- We do not use your data for advertising or to build advertising profiles.
- We do not share your data with data brokers.
4. Lawful Basis for Processing
We rely on the following lawful bases under the Digital Personal Data Protection Act, 2023 (DPDP) and applicable Indian data-protection rules:
- Contract: processing necessary to provide the Service
- Legitimate interests: improving our platform, preventing fraud
- Consent: marketing communications (you may opt out at any time)
- Legal obligation: tax records, regulatory compliance
5. Children's Data
Our platform is designed for CBSE students (typically ages 13–18, Class 9 to Class 12) and follows the Digital Personal Data Protection Act, 2023 (which requires verifiable parental consent for users under 18).
- Under 13: children cannot create their own SuperStudies account. A parent or legal guardian must register first and then add the student via the "Add a student" flow on the parent dashboard. The parent's act of adding the child is the parental consent required under the DPDP Act 2023 (verifiable parental consent for users under 18).
- Aged 13–17: students may use SuperStudies under a parent or guardian's account. We expect the parent or guardian to be aware of the student's use of the service and to oversee their study activity.
- Data minimisation: we do not ask for a child's date of birth, school postcode, photograph, or any data we don't strictly need to deliver lessons and keep the student safe.
- Safeguarding: the AI Tutor and Snap & Mark features include automated safety filters. If something a student writes or uploads is flagged, the linked parent receives an alert email — see our Trust & Security page.
6. Data Sharing & Sub-processors
We do not sell your personal data. We share data only with trusted third-party processors under data processing agreements, each providing appropriate safeguards:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google (Firebase) | Authentication & identity management | Email address, display name | EU / UK |
| Google (Gemini AI) | AI tutoring, study recommendations | Study content, anonymised prompts | EU / UK |
| OpenAI | AI tutoring (fallback provider) | Study content, anonymised prompts | USA (SCCs applied) |
| Anthropic | AI tutoring (fallback provider) | Study content, anonymised prompts | USA (SCCs applied) |
| DodoPayments | Payment processing (Merchant of Record) | Name, email, billing address (no card numbers stored by us) | India / Global |
| Brevo (formerly Sendinblue) | Transactional email delivery (magic-link sign-in, safeguarding alerts, weekly digest, account notifications) | Email address, recipient name, message content | EU |
| Google Cloud Platform | Cloud hosting & database | All platform data (encrypted at rest) | India (asia-south1, Bangalore) |
| Parents/guardians | Parental oversight | Child's progress, study data | N/A |
SCCs = Standard Contractual Clauses (EU mechanism for lawful data transfer to non-adequate countries). We review sub-processor agreements annually.
7. Data Retention
We retain your data for as long as your account is active. If you delete your account, your personal data is removed immediately and permanently (hard delete). We retain anonymised deletion audit records for 3 years for GDPR compliance purposes — these contain no personal data.
Accounts that have been inactive for 3 years will be automatically deleted following 30 days' email notice. This policy reflects the typical duration of CBSE Board study.
Billing and refund records (6 years): when paid subscriptions are active, we are required by tax and financial-records law to retain financial records — including invoice data, DodoPayments customer reference, subscription tier history, the timestamp of any right-of-withdrawal waiver, refund requests, refund decisions, refund amounts and DodoPayments refund identifiers — for 6 years from the end of the relevant accounting period. This retention applies even if you delete your account; the records are pseudonymised where possible and accessed only for tax, accounting, dispute resolution, or regulatory purposes. During the current Alpha period no charges are taken, so no billing records are generated.
8. Your Rights
Under the Digital Personal Data Protection Act, 2023 (DPDP) and applicable Indian data-protection rules you have the following rights, which you can exercise via your account or by contacting us:
- Access & Portability — request a complete machine-readable copy of all data we hold about you by emailing [email protected] from the address on your account. We respond within 30 days, usually sooner.
- Rectification — correct inaccurate data via your profile
- Erasure — delete your account instantly via Account Settings (parent accounts only; all linked accounts are also deleted)
- Restrict processing — contact us to suspend processing
- Object to processing — contact us at any time
- Withdraw consent — withdraw marketing consent at any time
We will respond to all rights requests within 30 days as required by the Digital Personal Data Protection Act, 2023 (DPDP) and applicable Indian data-protection rules. Contact us at [email protected].
9. Cookies
We use only the cookies strictly necessary to deliver the service: a session cookie to keep you signed in, a CSRF token cookie to protect form submissions, a Firebase authentication cookie for the magic-link flow, and a small cookie that records your cookie-consent choice. We do not use Google Analytics, Facebook Pixel, Hotjar, Datadog, advertising trackers, or any other third-party analytics. See our Cookie Policy for the full list.
10. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest for sensitive fields, role-based access controls, and a passwordless sign-in flow that means there are no passwords on our systems to be compromised in a breach.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform.
12. Complaints
If you are unhappy with how we handle your data, you can complain to the Ministry of Electronics and Information Technology (MeitY) — Data Protection Board under the DPDP Act, 2023 at meity.gov.in.