Privacy Policy

If you submit your email address via the waitlist form on this site, we collect and store your email address for the sole purpose of notifying you when StudySec launches. This is a pre-release waitlist — you have not signed up for the StudySec service itself.

What you will receive. Two emails only: a confirmation when you join, and one email when StudySec launches. Nothing else.

Legal basis. Consent — Article 6(1)(a) UK GDPR / EU GDPR. You gave consent when you submitted the waitlist form. This is separate from the performance-of-contract basis that applies to users of the StudySec service.

Processors. Your email address is stored in Supabase (EU Frankfurt) and delivered via Resend. Both are listed as sub-processors in the Sub-processors section below.

Retention. Your email is kept until the launch email has been sent, or until you unsubscribe — whichever comes first. After the launch email is sent, waitlist data will be deleted.

How to withdraw. Click the unsubscribe link in any email we send you, or contact support@studysec.app.

StudySec is operated by Microflow Enablement Ltd, a company registered in England and Wales (company number 17197302), with its registered office at 20-22 Venture West Greenham Business Park, Newbury, England, RG19 6HX. In this policy, "StudySec", "we", "us", and "our" all refer to Microflow Enablement Ltd.

Microflow Enablement Ltd is the data controller for the personal information described in this policy. That means we are the company legally responsible for how it is handled.

You can contact us about anything in this policy by emailing privacy@studysec.app. We aim to respond to all privacy enquiries within five working days.

This policy applies to everyone who uses StudySec, including:

• Visitors to studysec.app who have not signed up for an account.
• People who have signed up for an account, whether on a free trial, the Essentials tier, or the Pro tier.
• People who have linked their Google Calendar or Google Drive to StudySec.
• People who have contacted us by email.

Where you live

StudySec is built for students in the United Kingdom and the European Union, and accepts sign-ups from Australia, New Zealand, and other countries. This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025; the EU General Data Protection Regulation (EU GDPR); the Australian Privacy Act 1988 and Australian Privacy Principles (APPs); and the New Zealand Privacy Act 2020 and the Information Privacy Principles.

Where any of these laws give you specific rights, we describe them in section 11. The substantive protections of this policy apply equally to everyone.

Your age

You must be at least 18 years old to sign up for a StudySec account. We do not knowingly accept sign-ups from anyone under 18. If we discover that someone under 18 has signed up, we will close the account and delete any data we have collected.

We only collect information that we need to deliver the service to you. We have grouped what we collect into the categories below. For each category, we explain what is collected, why, and what would happen if you chose not to provide it.

For users in Australia

Under the Australian Privacy Act, we collect and use your personal information for the primary purposes described in section 3. Where we use information for a related secondary purpose that you would reasonably expect (for example, contacting you about a security issue affecting your account), we do so under APP 6.2.

For users in New Zealand

Under the New Zealand Privacy Act 2020 and the Information Privacy Principles, we collect and use your personal information for the purposes set out in section 3. We observe Information Privacy Principle 12 (disclosure of personal information outside New Zealand) by relying on the same transfer safeguards described in section 6.

To deliver StudySec, we use a small number of carefully chosen third-party providers ("sub-processors") who handle information on our behalf. Every sub-processor is bound by a written agreement that requires them to handle information only on our instructions, to protect it with appropriate security, and to comply with UK and EU data protection law.

Our full, current sub-processor list is published at studysec.app/sub-processors. We commit to giving you at least 30 days' notice — by email and on that page — before adding any new sub-processor that handles your personal information.

Sub-processors at launch

Supabase — hosts our database, file storage, authentication, and realtime services. EU (Frankfurt). Covered by Supabase's Data Processing Addendum.

Vercel — hosts the StudySec web application and runs the server functions that power it. Globally distributed with EU primary regions for personal data. Covered by Vercel's Data Processing Addendum.

Trigger.dev — runs background jobs for document processing. EU-proximate execution. Covered by Trigger.dev's Data Processing Addendum.

AWS Textract — extracts text from scanned PDFs and image files. EU (Ireland — eu-west-1). Covered by the AWS GDPR Data Processing Addendum.

Anthropic (Claude) — powers StudySec's AI agents. United States (see section 6 for transfer safeguards). They see prompts and context we send, including excerpts of your documents and notes — not your raw stored files. Under our commercial terms, user content is not used to train AI models. Anthropic retains API inputs and outputs for a standard period (currently 30 days) for operational purposes, after which they are deleted. Anthropic may retain content for up to two years if their safety systems flag a possible policy violation or if legally required.

Perplexity — powers the web search component of the research feature. United States. They see your research query only — not your notes. Zero Data Retention is in place for the Sonar API.

Voyage AI — converts your notes into numerical embeddings for semantic search. United States. They return a vector and do not retain the original text.

Stripe — processes subscription payments. Your card details go directly to Stripe; we never see them. Covered by Stripe's Data Processing Agreement.

Resend — sends transactional and marketing emails. Globally distributed, primarily United States. Covered by Resend's Data Processing Addendum.

Plausible — provides cookieless website analytics for studysec.app. European Union (Germany). They receive anonymous, aggregate metrics only — page visited, referrer, approximate country, and device type — with no cookies set, no fingerprinting, and no data that can identify an individual. Covered by Plausible’s Data Processing Agreement.

Prighter (iuro Rechtsanwälte GmbH) — our EU GDPR Article 27 representative. Processes personal data submitted by EU data subjects when they exercise their data subject rights via Prighter’s request portal — specifically name, contact details, and the content of the request. Austria (European Union). Covered by a Data Processing Agreement with Prighter.

Post-beta sub-processors (Google)

After our beta period, StudySec offers optional integrations with Google Calendar and Google Drive. These are off by default and only activate if you connect them yourself.

If you connect Google Calendar: StudySec uses the calendar.events scope, which permits both reading and writing of calendar events. We also use the userinfo.email, userinfo.profile, and openid scopes to identify which Google account is connected.

Reading your calendar (all tiers with the integration enabled, including Essentials and Pro): We import your Google Calendar events into StudySec so they appear in your planner alongside your study commitments. Imported events include the title, start time, end time, and a Google identifier. They are stored in StudySec’s database (in the European Union) and refreshed periodically using Google’s incremental sync. Imported events are read-only inside StudySec — to change or remove them, you do so in Google Calendar.

Writing to your calendar (Pro tier only): On the Pro tier, you can optionally have StudySec write study sessions to your Google Calendar. This is controlled by you and is off by default. You can switch it on per-event (you click “Send to Google Calendar” for individual sessions you accept) or in automatic mode (every study session you accept is also added to your Google Calendar). We never write to your calendar without your prior opt-in. On the Essentials tier, write-back is not available — your StudySec study sessions remain inside StudySec only.

When you delete a study session in StudySec that had previously been written to your Google Calendar, we delete the corresponding event from your Google Calendar.

If you connect Google Drive: you can import files from your Drive using the narrow drive.file OAuth scope. StudySec can only access files you specifically choose to import. The original files remain in Google Drive; we process the imported content through the same pipeline as direct uploads.

Other recipients

Beyond the sub-processors above, your personal information is shared:

• With professional advisers (lawyers, accountants, auditors) where strictly necessary, under their professional duties of confidentiality.
• With courts, regulators, or law enforcement if we are legally required to disclose it — and only to the extent required.
• With a successor in interest if Microflow Enablement Ltd is acquired or merges. We will give you advance notice and the opportunity to delete your account before any transfer.

We never sell your personal information. We never share it with advertisers.

StudySec's primary storage — your database records and your uploaded files — is hosted in the European Union (Frankfurt, Germany). For the day-to-day work of the application, your information stays in the EU.

Some of our sub-processors are based outside the UK and EU, primarily in the United States. When we use them, your personal information is transferred to those countries. We only make these transfers where we have a legal mechanism in place to protect your information to the same standard as in the UK or EU.

UK to United States

For transfers from the United Kingdom to the United States, we rely on the UK-US Data Bridge (an extension of the EU-US Data Privacy Framework) for any sub-processor that has self-certified under it. For sub-processors that are not certified, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with appropriate supplementary measures.

EU to United States

For transfers from the European Union to the United States, we rely on the EU-US Data Privacy Framework for any sub-processor that has self-certified under it. For others, we use the European Commission's Standard Contractual Clauses (2021 modules), supported by a Transfer Impact Assessment. As an additional safeguard, we maintain Standard Contractual Clauses with our US-based sub-processors regardless of their DPF certification status.

Australia and New Zealand

For users in Australia, the Australian Privacy Act and APP 8 (Cross-border disclosure of personal information) apply. For users in New Zealand, the Privacy Act 2020 and Information Privacy Principle 12 apply. We take reasonable steps to ensure that overseas recipients handle your personal information to the same standard as required by your country's law.

We keep your information for as long as you have a StudySec account, and for a short period after you delete it.

While your account is active

• Account details (email, hashed password): retained for the lifetime of your account.
• Course information, subjects, modules, terms: retained for the lifetime of your account.
• Uploaded documents and their extracted text: retained until you delete the document or your account.
• Notes and their full version history: retained until you delete a note or your account.
• Research chats (active and archived): retained for the lifetime of your account unless you delete them.
• Planner events, including AI suggestions you have rejected: retained so that the AI does not suggest the same thing twice.
• Quizzes and attempts: retained for the lifetime of your account.
• Subscription and billing records: retained for six years after account closure to meet UK tax and accounting obligations.

When you delete your account

When you ask us to delete your account, you have two options:

• Standard deletion (default): your account is immediately suspended. After a 14-day grace period, all your data is permanently deleted. Within the 14 days you can recover the account by logging back in.
• Immediate deletion: all your data is permanently deleted right away, with no grace period.

In both cases, deletion is technical and complete. Every database row associated with your account is removed via a cascade delete and every file in our storage is deleted in parallel. Backups are overwritten on our standard backup rotation, which completes within 30 days of deletion. We keep only what we are legally required to keep — primarily billing and tax records for six years.

Information retained by sub-processors

When you delete your account, we instruct our sub-processors to delete your information in accordance with their data processing agreements. Anthropic retains inputs and outputs for a standard period (currently 30 days). Perplexity and Voyage AI do not retain query content after the response is returned. Stripe retains billing records as required by financial regulations.

Google Calendar events (if you have connected the integration): imported events are retained while Google Calendar is connected. They are removed from StudySec immediately when you disconnect the integration, or when Google Calendar reports the event as deleted (whichever comes first). A background sweep runs after disconnection as a redundant safeguard.

These are the commitments we make to every StudySec user, regardless of where they live or what plan they are on. They reflect what we think a trustworthy study tool should do — not because the law requires it in every case, but because it is the right way to build a product students can rely on.

What this means in practice

• Best interests first. Where there is a tension between our commercial interests and your best interests, your best interests win.
• Strong privacy by default. Settings that protect your privacy are switched on by default.
• No behavioural advertising. We do not run advertising and we never will.
• No profiling for marketing. The product personalises your study experience, but it does not build a behavioural profile of you for any other purpose.
• No geolocation. We do not collect or use your location.
• No nudge techniques. We do not use streaks, guilt-trip notifications, or psychological pressure to push you into using the product more.
• Easy controls. Deleting your account and exporting your data are easy to find and easy to use.
• Plain-English transparency. We publish a shorter, plain-English version of this policy at studysec.app/privacy-for-students for anyone who prefers it.

StudySec is built on AI agents. Because AI is at the centre of how the product works, you deserve a clear account of what AI is doing with your data.

Under data protection law, you have a set of rights over your personal information. To exercise any right, email us at privacy@studysec.app. We will respond within one month.

We may update this policy from time to time. When we do:

• Material changes (changes to what information we collect, what we do with it, who we share it with, or how long we keep it) will be notified to you by email at least 14 days before they take effect, and signposted on the product when you next log in.
• Non-material changes (clarifications, formatting, minor corrections) will be reflected by updating the "Last updated" date at the top of this page.

We will never apply new uses of your information retroactively to data we already hold without your consent. Older versions of this policy are kept on request — email privacy@studysec.app if you would like to see a previous version.

For anything about this policy, your information, or your rights:

• Email: privacy@studysec.app
• Post: Microflow Enablement Ltd, 20-22 Venture West Greenham Business Park, Newbury, RG19 6HX, United Kingdom

We aim to respond within five working days, and to formal data protection requests within the legal one-month timeframe.

Data Protection Officer

StudySec is not required to appoint a Data Protection Officer under UK or EU GDPR. Data protection matters are handled directly by the founder, who can be reached at privacy@studysec.app.

EU representative

Because Microflow Enablement Ltd is established in the United Kingdom and offers services to data subjects in the European Union, we have appointed iuro Rechtsanwälte GmbH (trading as Prighter) as our EU representative under EU GDPR Article 27.

iuro Rechtsanwälte GmbH t/a Prighter
Schellinggasse 3, 1010 Vienna, Austria

EU data subjects can contact Prighter directly to exercise their data subject rights or to raise a data protection concern, via Prighter’s data subject request portal: app.prighter.com/portal/12978750567. You can also contact us directly at privacy@studysec.app.