Privacy policy
What this means in plain English
This summary is for convenience only. The full policy below governs your legal relationship with us.
1. Who we are and how to contact us
StudyGuy is operated by [LEGAL ENTITY NAME], a company incorporated in the State of Florida, United States ("we", "us", "our"). We are the data controller for all personal data collected through the StudyGuy service and website.
Data controller contact:
Email: privacy@[DOMAIN]
Postal address: [REGISTERED ADDRESS, FLORIDA, UNITED STATES — to be added on incorporation]
Data Protection Officer
We have assessed our processing activities under applicable law. Based on the nature and scale of our operations — we are not a public authority, we do not carry out large-scale systematic monitoring of individuals, and we do not process special category data as a core activity — we are not required under Article 37 UK/EU GDPR to appoint a Data Protection Officer. Privacy enquiries and data subject requests are handled directly by our team at privacy@[DOMAIN].
EU representative
We are established in the United States, not in the European Economic Area. Article 27 EU GDPR requires controllers not established in the EEA to designate an EU representative where they offer goods or services to, or monitor the behaviour of, individuals in the EEA on other than an occasional basis. We have assessed our current processing of EEA residents' personal data. At this stage of our operations, such processing is limited in scale, does not include special category data as a core activity, and does not involve systematic monitoring of EEA individuals. We currently consider that this falls within the exception at Article 27(2) EU GDPR, and we have not designated an EU representative. We keep this assessment under active review as our user base grows. If our processing of EEA residents' personal data reaches a scale or character that removes us from the exception, we will promptly designate an EU representative and update this policy accordingly. In the meantime, EEA residents may direct all data protection enquiries to privacy@[DOMAIN].
UK representative
We are established in the United States, not in the United Kingdom. Article 27 UK GDPR requires controllers not established in the UK to designate a UK representative where they offer goods or services to, or monitor the behaviour of, individuals in the United Kingdom on other than an occasional basis. We have assessed our current processing of UK residents' personal data. At this stage of our operations, such processing is limited in scale, does not include special category data as a core activity, and does not involve systematic monitoring of UK individuals. We currently consider that this falls within the equivalent exception under UK GDPR, and we have not designated a UK representative. We keep this assessment under active review. If our processing of UK residents' personal data reaches a scale or character that removes us from the exception, we will promptly designate a UK representative and update this policy accordingly. In the meantime, UK residents may direct all data protection enquiries to privacy@[DOMAIN].
2. Scope and key definitions
This policy applies to all personal data we collect through the StudyGuy website, platform, and related services (together, the "Service").
"Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK/EU GDPR.
"Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion.
"Sub-processor" means a third-party organisation to whom we transfer personal data so that they can process it on our behalf and on our documented instructions.
"Uploaded content" means the documents, files, and images you submit to the Service. Uploaded content may or may not contain personal data — this depends on what you choose to upload.
Where we refer to "UK/EU GDPR", this means the UK General Data Protection Regulation (as retained in UK law by the European Union (Withdrawal) Act 2018) and/or the EU General Data Protection Regulation (Regulation (EU) 2016/679), as applicable to the processing in question.
3. Personal data we collect and our lawful basis
We collect only the personal data necessary to provide the Service. For each category below, we identify the lawful basis under Article 6 UK/EU GDPR on which we rely.
Account and identity data (lawful basis: Contract — Art. 6(1)(b))
When you register, we collect your full name, email address, and a securely hashed password. We store the date your account was created and your current subscription plan. This data is necessary to create and maintain your account and to provide the Service — without it, we cannot identify you or give you access to your study materials.
Age verification data (lawful basis: Legal obligation — Art. 6(1)(c); Legitimate interest — Art. 6(1)(f))
At registration, you provide your date of birth. We store your date of birth and an age-verification flag indicating whether you meet our minimum age requirement (13 years). We rely on legal obligation to the extent that applicable law requires us to prevent access by children under a certain age, and on our legitimate interest in preventing underage access to a service not designed for young children. Access to the Service is blocked if the flag is not set. If you believe your age has been incorrectly recorded, contact us using the details in section 14.
Terms and policy acceptance record (lawful basis: Legitimate interest — Art. 6(1)(f))
When you create an account, we record a boolean flag confirming that you ticked the acceptance checkbox at registration, and the UTC timestamp at which you did so. We also record which version of the Terms of Service and Privacy Policy was in effect at that time. This record is maintained as evidence of the contractual relationship formed at registration. Our legitimate interest is in maintaining legally defensible records of acceptance. This record is distinct from your substantive rights under data protection law — your rights are not contingent on it.
Uploaded documents (lawful basis: Contract — Art. 6(1)(b))
Files you upload (PDFs, images, text files, DOCX files) are stored in private encrypted cloud storage. Processing your uploaded content to generate study materials is the core function of the Service — this processing is necessary to perform the contract with you. Without it, we cannot provide the Service at all. Uploaded files may or may not contain personal data, depending on what you choose to upload. You are responsible for the content of files you upload and for having a lawful basis to share that content with a third-party AI processing service (see section 7).
Extracted and intermediate processing data (lawful basis: Contract — Art. 6(1)(b))
During document processing, text is extracted from your uploaded file, or images are read directly from scanned PDFs. This extracted content is segmented into chunks, each of which is processed by an AI model to produce a compressed structured summary. These intermediate outputs are held temporarily in your document record while processing completes. Extracted raw text is not stored beyond the processing pipeline. Only compressed summaries and the final generated study guide are retained in your account.
Processing of uploaded content by automated systems is inherent to the Service. No member of our staff reads, views, or reviews the content of your uploaded documents in the ordinary course of providing the Service, except to the extent necessary to investigate a reported legal violation or security incident, or where required by applicable law.
AI-generated study materials (lawful basis: Contract — Art. 6(1)(b))
The study guide HTML generated from your document is stored in your account so you can access, view, download, and export it. This is a core deliverable of the Service.
Exported files (lawful basis: Contract — Art. 6(1)(b))
If you export a study guide as a PDF or DOCX, the generated file is stored in private account storage under a path linked to your user ID. Exported files are retained until you delete your account or request their deletion.
Usage and quota data (lawful basis: Contract — Art. 6(1)(b); Legitimate interest — Art. 6(1)(f))
We record the number of study guides you have generated to enforce plan limits and to calculate billing. We also record approximate AI token counts consumed during processing for internal cost monitoring and abuse prevention. This data is not shared with third parties and is not used for behavioural profiling.
Payment data (lawful basis: Contract — Art. 6(1)(b); Legal obligation — Art. 6(1)(c))
If you subscribe to Pro, payments are processed directly by Stripe. We store only a Stripe customer identifier, your subscription status, plan type, and renewal date. We do not receive, process, or store your card number, bank account details, or full billing address — these are collected directly by Stripe under their own privacy policy.
Technical and operational log data (lawful basis: Legitimate interest — Art. 6(1)(f))
Standard server and CDN logs may record your IP address, browser type, operating system, device type, pages visited, and timestamps of activity. This data is used solely for security monitoring, debugging, abuse prevention, and platform stability. It is not used for advertising, tracking, or profiling. We have assessed that this processing is proportionate and does not unduly override your privacy interests, given that it is limited to operational necessity.
4. How we use your personal data
We use the personal data described in section 3 for the following purposes only:
- Providing and maintaining the Service — including processing your uploaded documents and generating study materials
- Authenticating you, managing your account, and enforcing access controls
- Enforcing plan limits and tracking guide usage for billing purposes
- Processing payments and managing your subscription via Stripe
- Sending transactional emails — including account verification, password reset, and payment receipts
- Monitoring, maintaining, and improving the security, stability, and performance of the platform
- Detecting and preventing abuse, fraud, and violations of our Terms of Service
- Maintaining legally required records and responding to lawful requests from public authorities
- Defending or bringing legal claims
We do not use your personal data for: advertising; behavioural or interest-based profiling; sale or rental to third parties; or any purpose other than those listed above.
We do not use your uploaded documents, extracted text, intermediate processing outputs, or AI-generated study materials to train, fine-tune, evaluate, or benchmark any AI model — our own or any third party's.
5. Sub-processors and third-party data sharing
We do not sell, rent, or trade your personal data. We share personal data only with the sub-processors listed below, who process it on our behalf and under our documented instructions, and only to the extent necessary to provide the Service.
We have entered into, or rely upon, data processing agreements or equivalent contractual arrangements with each sub-processor listed below. These arrangements require each sub-processor to: process data only on our instructions; maintain appropriate technical and organisational security measures; not engage further sub-processors without our authorisation; assist us in meeting our data subject rights obligations; and delete or return data on termination of the arrangement.
| Sub-processor | Location | Role and purpose | Personal data transmitted |
|---|---|---|---|
| Supabase, Inc. | USA / EU (region-dependent) | Database, authentication, server-side function execution, and file storage. Core infrastructure provider. | Account data, uploaded files, compressed summaries, study guides, usage records, exported files, session tokens |
| Anthropic, PBC | USA | Primary AI processing provider. Text chunk compression and structured extraction are performed by Claude Haiku. Final study guide generation is performed by Claude Sonnet (or the most capable model available at time of processing). Anthropic acts as a processor when receiving data via API calls made on our behalf. | Extracted text chunks from your uploaded document; base64-encoded images or PDFs where vision-based extraction is used; compressed content summaries |
| Cloudflare, Inc. (Pages & CDN) | USA / Global edge network | Website and application hosting, content delivery, and DDoS protection. | IP address, browser metadata transmitted as proxied traffic |
| Cloudflare, Inc. (Workers) | USA / Global edge network | Serverless edge processing for vision-based PDF extraction. A Cloudflare Worker receives base64-encoded PDF content and forwards it to the Anthropic API for structured extraction before returning results to the main processing pipeline. Data is processed transiently and not stored by us on Cloudflare's infrastructure. | Base64-encoded PDF content from your uploaded document |
| Stripe, Inc. | USA | Payment processing and subscription management. Stripe is the merchant of record for card transactions and processes payment data directly — we do not receive raw payment data. | Name, email address, billing information (collected directly by Stripe) |
| ConvertAPI | USA | File conversion service. Used to transform documents between formats (e.g., DOCX to PDF) when you export a study guide. Files are transmitted to ConvertAPI solely for the purpose of format conversion and are not retained by ConvertAPI beyond the duration of the conversion request. | Study guide files submitted for format conversion (e.g., DOCX or HTML content being converted to PDF) |
| Resend, Inc. | USA | Transactional email delivery — account verification, password reset, and payment receipts. | Email address and email message content |
We may update the list of sub-processors from time to time. We will update this policy when we add or replace a processor, and will notify you of material changes in accordance with section 13.
We do not share personal data with third parties for any other purpose. In exceptional circumstances we may disclose personal data where required by law, court order, or a valid request from a competent public authority. Where lawfully permitted, we will notify you of such requests.
6. International transfers of personal data
All sub-processors listed in section 5 are based in or operate infrastructure in the United States, which is a country outside the UK and the EEA. Transferring personal data to a country outside the UK and the EEA requires an appropriate safeguard under Chapter V UK/EU GDPR.
UK transfers: Transfers from the UK to US-based processors are made on the basis of the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner, or an addendum to the EU Standard Contractual Clauses approved for UK use, as applicable for each processor. Where a processor offers the UK IDTA or an equivalent adequacy mechanism, we rely on that mechanism.
EU transfers: Transfers from the EEA to US-based processors are made on the basis of the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), in the applicable module (controller-to-processor), supplemented where necessary by a Transfer Impact Assessment to assess the adequacy of protections in the destination country.
You may request a copy of the transfer safeguards we rely on for any specific processor by contacting us at privacy@[DOMAIN]. Each processor also publishes its own data transfer mechanisms in its privacy documentation, which we encourage you to review.
7. AI processing — transparency and your obligations
How AI processing works
When you upload a document, our automated processing pipeline performs the following steps:
- The file is retrieved from private storage and text is extracted programmatically, or — where the document is a scanned image or non-text PDF — the file is sent to a Cloudflare Worker which forwards it to the Anthropic API for vision-based extraction
- Extracted text is divided into chunks, each of which is independently sent to the Anthropic API (Claude Haiku) to produce a compressed structured summary
- The compressed summaries are merged and passed to the Anthropic API (Claude Sonnet) to generate your final study guide as structured HTML
- The generated study guide is stored in your account and the intermediate processing data is discarded
This processing is automated. No human reviews the content of your documents in the ordinary course of processing. The AI models receive only the content necessary for each stage — they do not receive your name, email address, or other account identifiers.
AI provider data use
We have chosen Anthropic as our primary AI provider in part because of its commitment to API data privacy: as of the date of this policy, Anthropic's commercial API terms state that inputs submitted via the API are not used to train its models by default. We explicitly instruct Anthropic not to use your content for training purposes, and this restriction is reflected in our processing arrangements. Anthropic's own policies govern its internal practices on its own infrastructure, and those policies may evolve over time independently of our arrangements. We monitor material changes to the policies of our AI providers and will update this policy and our contractual arrangements if required. We encourage you to review Anthropic's current privacy policy and API usage policy for the most up-to-date information.
We select sub-processors carefully, assessing their security practices and data handling standards before engagement. Each sub-processor is bound by a data processing agreement requiring them to process data only on our instructions, maintain appropriate technical and organisational security measures, and comply with applicable data protection law. Within the scope of those contractual commitments, we have taken reasonable steps to satisfy ourselves that each sub-processor provides adequate protections. That said, each sub-processor operates its own infrastructure and internal controls, which are governed by their own security practices and privacy policies alongside their obligations to us. We encourage you to review the privacy documentation of each sub-processor listed in section 5.
Your responsibilities when uploading
You are responsible for ensuring you have the legal right to upload and process any content you submit to the Service. In particular, you are responsible for determining whether transmitting the content of a document to a US-based third-party AI API is lawful in your jurisdiction, and whether you hold the necessary rights (copyright, confidentiality, data protection) to do so.
If uploaded documents contain personal data about third parties (for example, medical records, student data, a colleague's work, or any document containing another person's identifiable information), you are acting as an independent controller for that third-party personal data and must have a lawful basis under applicable law to transmit it to third-party AI processors. Compliance with data protection obligations in relation to such third-party personal data rests with you as the uploader. We play no role in determining the lawfulness of the content of files you choose to upload.
8. Children and minors
Minimum age — 13
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from any person under 13. Registration requires users to provide their date of birth, and access is blocked for users who do not meet the minimum age requirement. If we discover or obtain actual knowledge that an account was created by a person under 13 — regardless of the date of birth provided — we will immediately suspend and permanently delete that account and all associated data.
COPPA (United States)
The Children's Online Privacy Protection Act (COPPA) applies to online services directed at children under 13 in the United States, and to operators with actual knowledge that they are collecting personal information from a child under 13 in the United States. The Service is not directed at children under 13. We do not knowingly collect personal information from children under 13 in the United States. If a parent or guardian believes their child under 13 has registered for the Service, they should contact us immediately at privacy@[DOMAIN]. We will verify the claim and, upon confirmation, delete the account and all associated data promptly and at no charge. We will not condition access on a child providing more information than is reasonably necessary to use the Service.
Users aged 13–17
Users between the ages of 13 and 17 may use the Service subject to the following:
- Registration requires confirmation that a parent or guardian has consented to the minor's use of the Service and accepts the Terms of Service on the minor's behalf
- We do not serve targeted advertising to any user, including minors
- We do not use data about minors for any purpose beyond delivering the Service
- We do not use data about minors to build behavioural profiles
- Privacy settings for minors are set to the highest protective default — no data sharing beyond what is strictly necessary to provide the Service
- Parents or guardians may request access to, correction of, or deletion of their child's personal data by contacting us at privacy@[DOMAIN] with proof of relationship (such as a copy of a birth certificate or equivalent document). We will respond within 30 days.
UK Age Appropriate Design Code
We are aware of the UK Age Appropriate Design Code (Children's Code) issued by the ICO, which applies to online services likely to be accessed by children. While our service is targeted at students and we take reasonable steps to block under-13 access, we recognise that users aged 13–17 may access the Service. Our data practices for this age group are designed to meet the high privacy standards the Code requires, including data minimisation, no profiling, and privacy-by-default settings.
Reporting under-age accounts
If you are a parent or guardian and believe your child has created an account without your consent, please contact privacy@[DOMAIN]. Include the child's name and email address used at registration. We will verify and delete the account and all associated data.
9. Data retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law. The table below sets out our standard retention periods.
| Data category | Retention period |
|---|---|
| Account and identity data (name, email, preferences) | Until account deletion. Purged from active systems within 30 days of deletion request. Purged from encrypted backups within 90 days of deletion (backups are retained in an encrypted, access-restricted state and not actively used after the deletion request is processed). |
| Age verification data (date of birth, age flag) | Retained with account data. Deleted on the same timeline as account data above. |
| Acceptance records (checkbox timestamp, version) | Retained for 6 years from the date of account creation or last acceptance event, for legal record-keeping purposes. This is the only data category that may be retained after an account deletion request, and only in an archived form, in accordance with our legitimate interest in maintaining legally defensible records. |
| Uploaded files | Retained until account deletion. Deleted immediately from active storage on account deletion or file removal request. Purged from encrypted backups within 90 days. |
| AI-generated study guides | Retained until account deletion. Deleted on the same timeline as uploaded files above. |
| Exported files (PDF/DOCX) | Retained until account deletion. Deleted on the same timeline as uploaded files above. |
| Intermediate processing data (raw extracted text, in-progress summaries) | Not retained beyond the processing pipeline. Discarded upon completion of study guide generation. Retained in encrypted backups for up to 90 days consistent with backup rotation schedules. |
| Usage and quota records | Retained for 24 months from the date of each usage event, then deleted. Used for billing, plan enforcement, and dispute resolution. |
| Payment records (Stripe customer ID, subscription status) | Retained for 7 years from the date of the last transaction, as required by applicable financial and tax law. Stripe independently retains full transaction records under their own legal obligations. |
| Technical and operational logs (IP addresses, server logs) | Retained for 90 days, then automatically deleted. |
When you request account deletion, we initiate deletion from active systems immediately. Residual data held in encrypted, access-restricted backup systems is purged on the schedules above as part of our standard backup rotation. Backup data is not accessed or used after a deletion request is processed, except in the case of a system restoration event, in which case the restored data would itself be promptly re-deleted.
10. Your rights under UK/EU GDPR
Depending on your location and the lawful basis for processing, you may have the following rights in relation to your personal data. We will respond to all verified requests within 30 days, extendable by a further two months where requests are complex or numerous (in which case we will notify you within the first 30 days).
- Right of access (Art. 15) — you may request confirmation of whether we process your personal data, and a copy of the personal data we hold about you, together with information about how and why it is processed.
- Right to rectification (Art. 16) — you may request correction of inaccurate or incomplete personal data without undue delay.
- Right to erasure (Art. 17) — you may request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have objected to processing (and no overriding legitimate grounds exist), or in other circumstances specified in Article 17. You can exercise this right by deleting your account through the account settings page or by contacting us. Note that certain data categories (such as acceptance records and payment records) may be retained after a deletion request where we have a legal obligation or overriding legitimate interest to do so, as described in section 9.
- Right to restriction of processing (Art. 18) — you may request that we restrict processing of your personal data in certain circumstances, such as while you contest the accuracy of the data or the lawfulness of our processing.
- Right to data portability (Art. 20) — where processing is based on contract or consent and carried out by automated means, you may request a copy of the personal data you have provided to us in a structured, commonly used, and machine-readable format (JSON). This right applies to data you have directly provided to us, not to derived or generated data.
- Right to object (Art. 21) — you may object at any time to processing of your personal data where we rely on legitimate interests (Art. 6(1)(f)) as the lawful basis. We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
- Rights related to automated decision-making (Art. 22) — we do not make any decision with legal or similarly significant effect on you based solely on automated processing of your personal data. AI-generated study materials are study aids only and do not constitute decisions about you.
How to exercise your rights
Email privacy@[DOMAIN] with your request. We may ask you to verify your identity before acting on any request — this is to protect your data from unauthorised access. We will not charge a fee for handling requests unless they are manifestly unfounded or excessive, in which case we will notify you before applying any charge.
Withdrawing consent
Where we rely on your consent (Article 6(1)(a)) as the lawful basis for any specific processing activity, you have the right to withdraw that consent at any time by contacting us at privacy@[DOMAIN]. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. Note that most of our processing is based on contract performance or legitimate interests — not consent — and cannot be withdrawn in the same way. For those processing activities, your remedy is the right to object (Art. 21) or the right to erasure (Art. 17), as appropriate.
Right to complain
You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal data unlawfully.
- UK residents: Information Commissioner's Office (ICO) — ico.org.uk
- EU residents: The data protection supervisory authority in your EU member state of habitual residence, place of work, or place of the alleged infringement
We would welcome the opportunity to resolve any concern directly before you escalate to a supervisory authority, and ask that you contact us first at privacy@[DOMAIN].
11. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, alteration, or disclosure, in accordance with Article 32 UK/EU GDPR. These include:
- Encryption in transit: All data transmitted between your browser and our service, and between our systems and sub-processors, is encrypted using TLS 1.2 or higher.
- Encryption at rest: Data stored in Supabase (database and file storage) is encrypted at rest using AES-256. Uploaded files and generated study guides are stored in a private storage bucket not accessible via public URL.
- Access controls: Row-level security (RLS) is enforced on all database tables, ensuring users can only query their own data. Service-role credentials — which bypass RLS — are used only in server-side Edge Functions and are never exposed in frontend code or public repositories.
- Authentication: Session tokens are validated server-side on every authenticated request. Password credentials are hashed using industry-standard algorithms and are never stored or transmitted in plain text.
- Secret management: API keys and credentials are stored as server-side environment variables. Pre-commit hooks are deployed to prevent accidental exposure of secrets in version-controlled code.
- Staff access: Access to production systems containing personal data is restricted to personnel with a legitimate operational need. We do not grant blanket access to your uploaded content.
No method of electronic transmission or storage is completely secure. Despite the measures described above, it is not possible to guarantee the absolute security of data transmitted over the internet or stored on third-party infrastructure. In the event of a security incident affecting data held by a sub-processor, we will work with that sub-processor to understand the scope and impact, take appropriate remedial steps within our control, and meet our notification obligations under applicable law. Our liability for security incidents caused solely by events outside our reasonable control — including attacks on sub-processor infrastructure or previously unknown software vulnerabilities — is limited to the extent described in our Terms of Service.
Responsible disclosure: If you believe you have identified a security vulnerability affecting the Service, please disclose it responsibly to security@[DOMAIN]. We will acknowledge receipt within 5 business days and work to address verified vulnerabilities promptly.
Personal data breach notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, in accordance with Article 34 UK/EU GDPR. Our notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
12. Cookies and local storage
The Service uses a minimal set of technically necessary cookies and browser local storage set by Supabase to maintain your authenticated session. These are strictly necessary for the Service to function — without them, you cannot remain logged in. Under applicable ePrivacy law, strictly necessary cookies do not require your consent.
We do not use advertising cookies, analytics cookies, tracking pixels, social media tracking scripts, or any other non-essential cookies. No behavioural data is collected or transmitted through cookies or local storage to any third party for advertising or profiling purposes.
If you wish to clear session data, you can do so by signing out and clearing your browser's cookies and local storage. Doing so will end your session and require you to log in again.
13. Changes to this policy
We may update this policy from time to time, including when we add or replace sub-processors, alter how we handle personal data, or in response to changes in applicable law. We distinguish between material and non-material changes:
- Material changes — changes that meaningfully affect your rights, the data we collect, or how we use it — will be notified to you by email and by an in-app notice at least 14 days before they take effect. Continued use of the Service after the effective date of a material change constitutes your acknowledgement of the updated policy.
- Non-material changes — such as corrections of typographical errors, clarifications that do not alter the substance of our practices, or the addition of a new sub-processor on equivalent terms — will be updated in this policy without advance notice, but the "Last updated" date at the top of this page will reflect the change.
Where applicable law requires us to obtain fresh consent before implementing a material change, we will do so before the change takes effect. If you do not accept a material change, you should stop using the Service and delete your account before the effective date.
14. Contact
For any privacy-related enquiry, data subject rights request, or to report a concern about our data practices, contact us at:
Email: privacy@[DOMAIN]
Postal address: [REGISTERED ADDRESS, FLORIDA, UNITED STATES — to be added on incorporation]
We aim to acknowledge all privacy enquiries within 5 business days. We will respond to all data subject rights requests within 30 days of receipt of a verified request, in accordance with our obligations under Article 12 UK/EU GDPR.