Privacy Policy
Last updated: April 2026
Also available: Terms of Service
Obiter Ltd (“Company”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, process, and protect your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Our Data Protection Officer can be contacted at legal@obiter.site.
1. Legal Basis for Processing
We process your personal data based on:
- Consent: you have explicitly given us permission (e.g. marketing emails)
- Contract Performance: processing is necessary to provide the Service (e.g. storing your essays, authentication)
- Legal Obligation: we are required by law (e.g. tax records)
- Legitimate Interests: we have a legitimate business interest not overridden by your rights (e.g. fraud prevention, security, analytics)
2. What Data We Collect
2.1 Data You Provide Directly
- Account Registration: email address, hashed password, name (optional), university/institution (optional), year of study (optional)
- Your Content & Activity: essays and answers, flashcards and study notes, quiz responses and SBAQ answers, bookmarks and saved articles, study timer sessions, search queries, support communications
- Payment Information: billing address and subscription details only — we do not store your full card details (handled by Stripe)
2.2 Data Collected Automatically
- Device & Browser: device type, operating system, browser type and version, IP address, user agent
- Usage Data: pages/screens you visit, time spent on features, search queries, button interactions (anonymised), error reports
- Cookies: session cookies, analytics cookies, and preference cookies — see Section 7
We do not actively track your precise location. Your IP address may reveal approximate country/city.
2.3 Data From Third Parties
- Supabase — database and authentication
- Anthropic — when you request essay feedback or SBAQ explanations, your content is sent to Anthropic's servers. See Anthropic's Privacy Policy. Your essays are not used to train Anthropic's models.
- Stripe — payment processing
- Resend — transactional emails
3. How We Use Your Data
3.1 Essential Uses
We process your data to: create and maintain your account; authenticate you; provide the Service; send transactional emails; comply with legal obligations; detect and prevent fraud; enforce our Terms of Service; and respond to law enforcement requests.
3.2 Service Improvement
We use your data to understand how you use Obiter, identify and fix bugs, improve algorithms, test new features, and personalise your experience.
3.3 Marketing (Consent Required)
We will only send you marketing emails if you explicitly opt in. You can opt out at any time via the unsubscribe link or in Settings. We will not sell, share, or rent your email address to third parties.
3.4 AI-Powered Features
When you use essay feedback or AI explanations, your content is sent to Anthropic's API. Obiter does not use your essays or answers to train AI models. AI feedback is generated by machine learning and may not be perfect — review it critically and always verify against authoritative sources.
4. Data Retention
- Account & Personal Data: retained while your account is active; deleted within 30 days of account deletion
- User Content: retained while your account is active; deleted within 30 days of account deletion (backups up to 90 days)
- Payment Records: retained for 6 years (UK tax law)
- Server Logs: 30 days; detailed analytics 1 year; summary analytics indefinitely (anonymised)
5. Data Sharing & Third Parties
5.1 Who We Share With
We share data only with service providers bound by Data Processing Agreements: Supabase (database), Anthropic (AI processing), Stripe (payments), Resend (email), and legal or regulatory authorities if required by law.
5.2 What We Do Not Do
- We do not sell your personal data to advertisers or data brokers
- We do not share your essays with Anthropic for model training
- We do not share your data with competitors
5.3 International Transfers
Some service providers are based outside the UK. Where transfers occur, we ensure Standard Contractual Clauses (SCCs) or appropriate safeguards are in place. Contact us for details.
6. Your GDPR Rights
Under UK GDPR, you have the right to:
- Access: request a copy of all personal data we hold about you
- Rectification: correct inaccurate or incomplete data (update in Settings or email us)
- Erasure: request deletion of your personal data (delete your account in Settings)
- Data Portability: receive your data in a portable format (CSV/JSON) via Settings → Data & Privacy
- Object: object to certain processing, including marketing (click Unsubscribe or email us)
- Restrict Processing: request that we limit how we use your data
- Lodge a Complaint: with the ICO at ico.org.uk/make-a-complaint
To exercise any right, email legal@obiter.site. We will respond within 30 days.
7. Cookies
We use:
- session_token — authentication (required, keeps you logged in)
- obiter_theme — remember your theme preference (essential)
- analytics_id — usage analytics (opt-in via cookie banner)
- stripe_session — payment processing (required for checkout)
You can manage cookies in your browser settings. Disabling essential cookies may limit functionality.
8. Security
We implement industry-standard security: HTTPS/TLS encryption in transit, AES-256 encryption at rest for sensitive data, bcrypt password hashing, access controls with multi-factor authentication, and regular security audits. If a breach occurs, we will notify you within 72 hours as required by law.
9. Children's Privacy
Obiter is not intended for children under 13. We do not knowingly collect data from children under 13. If we discover we have done so, we will delete it immediately.
10. Changes to This Policy
We may update this Privacy Policy as needed. Material changes will be posted on this page and notified via email at least 30 days in advance.
11. Contact
For privacy questions or requests: legal@obiter.site