This privacy policy explains how "PL CSCS" processes your personal data and your rights under the UK GDPR and Data Protection Act 2018.
1. Data controller
The data controller is —, address: —. Data protection contact: —.
2. What data we process
- Email address, account identifiers, verification status, successful, failed, incomplete, and blocked authentication events, and the legal-document versions, language, and timestamp accepted when the account is created. Firebase Authentication handles the password credential; our application servers do not receive or store the readable password. Login-security records never contain passwords, Firebase ID tokens, multi-factor codes, Turnstile tokens, signed Turnstile proofs, or session cookies.
- Payment-provider customer identifier and payment status - to handle purchases and billing.
- Session results and attempt history - to show your progress.
- Support-ticket contact details, category, subject, message history, status, timestamps, and linked account identifier where you are signed in - to investigate and answer your request.
- Technical and security data, including the account identifier used in a sign-in attempt; its successful, failed, incomplete, or blocked outcome and bounded reason code; observed IP addresses; pseudonymous hashes derived from IP, IP-and-account, and disposable browser-session signals; browser/device information; automated anti-abuse verification signals; timestamps; and server logs where necessary to operate and protect the service. A credential failure reported by the browser is labelled as client-reported and treated as supporting evidence, not an authoritative credential verdict.
- When analytics is configured, cookieless events include only the page pathname (never its URL query or fragment), referring domain, browser or device category, approximate region, timestamps, and the network/browser signals received at ingestion, including the IP address. PostHog uses these signals for privacy-preserving aggregate measurement. We do not send account IDs, email addresses, support content, payment details, or question and answer content to PostHog.
3. Purposes and legal bases
- Contract performance - account creation, access sale, and session history.
- Legal obligations - issuing and storing accounting documents.
- Legitimate interests - fraud and scraping prevention, service security, aggregate visit statistics, product improvement, and support handling.
4. Who receives data
Data is processed by trusted providers:
- Google Firebase and Google Cloud - authentication, Firestore database, hosting, server functions, abuse protection, and operational logging. Processing locations depend on the configured service and may involve approved international transfers. Firebase privacy policy.
- Our transactional email provider - delivery of ticket receipts and support notifications.
- Our payment provider - card payments and receipts. Payment provider privacy policy.
- Cloudflare - automated abuse prevention during account registration, sign-in, and support requests. Cloudflare privacy policy.
- PostHog Cloud (EU hosting in Germany) — aggregate cookieless web analytics. We disable persistent browser identifiers and person profiles, autocapture, session replay, heatmaps, exception and performance capture, surveys, and feature flags; only allowlisted pathname-only pageviews are sent. Appropriate safeguards apply to any permitted international access or transfer. PostHog privacy policy.
5. How long we store data
- Account, entitlement, and study history - while the account is active and afterwards only as long as reasonably required for support, disputes, security, or legal obligations. You may request deletion where the law allows.
- Payment and accounting records - for the retention period required by applicable tax and accounting law.
- Support tickets and replies - for as long as reasonably needed to answer the request, maintain service history, handle complaints or legal claims, and meet legal obligations, then deleted or anonymised where appropriate.
- The account activity summary keeps at most the 10 most recent successful sign-ins while reasonably needed to protect the account, handle support, or establish legal claims. Detailed successful, failed, incomplete, and blocked sign-in-attempt records become eligible for automatic deletion 90 days after the attempt. Expired rate-limit records and temporary or lifted login-ban records become eligible 90 days after their last active time; a permanent ban remains until it is lifted. Google Firestore TTL deletion is asynchronous, so an eligible record may remain briefly while the provider processes its deletion.
- Cookieless PostHog pageview events are kept only for the period configured in the EU analytics project and are reviewed for deletion or aggregation when no longer reasonably needed to measure traffic.
6. Your rights
You have the right to access, rectify, erase, restrict processing, transfer your data, object, and lodge a complaint with a supervisory authority.
To exercise your rights, write to —. You may also complain to the UK Information Commissioner's Office (ICO) or, where applicable, the data-protection authority where you live.
7. Cookies
The service does not use advertising or analytics cookies. It uses necessary browser storage for authentication and study progress, plus a random disposable browser identifier used as one login rate-limit dimension; the server stores only its pseudonymous hash, and it is not an authentication credential. The service also uses HTTP-only server-session and short-lived security-proof cookies and automated security checks. When configured, PostHog web analytics runs in always-cookieless mode without cookies or local/session storage and sends only allowlisted pathname-only pageviews.
8. Security
We use HTTPS, Firebase Authentication, email verification, optional multi-factor authentication, server-side access checks, Firestore rules, automatically resetting browser/network rate limits, and abuse signals. Authorised administrators can review login evidence and manually apply or lift reasoned account, IP, or browser-session bans. A client-reported failure does not by itself create an automatic account ban. No online service can guarantee absolute security, but access is restricted according to role and need.
9. Policy changes
Changes to this policy are published on this page. The last update date is shown above.
