1. Who we are
StudentCore is operated by Appsession Ltd. We are the data controller for the personal data we hold about you. We are registered with the UK Information Commissioner's Office (ICO) under data-protection registration number ZA462942.
- Contact: contact@appsession.co.uk
- ICO registration: ZA462942
2. What data we collect
- Account data - email address, hashed password, role, account creation date, login activity.
- Profile data - first and last name, date of birth, country of birth and residence, family members, hobbies and interests, books read, achievements, skills, education history, internship / work experience.
- Assessment data - your answers to trait, cognitive, daily current-affairs and check-in questions, AI-generated scores and feedback derived from them.
- Personal statement drafts - text you enter or generate, version history and AI analyses of those versions.
- Payment data - Stripe Checkout session and payment-intent identifiers, amount, currency and date. We do not see or store your card details; these are held by Stripe.
- Technical data - IP address, browser type, request times and minimal server logs, used to keep the Service secure and operational.
3. Why we use your data, and our lawful basis
We process your data on the following legal bases (UK GDPR):
- Performance of a contract - to deliver the Service you signed up for: storing your profile, generating insights, processing payments, sending you support emails.
- Consent - to send your data to our AI provider for analysis and generation (see section 4). You give this consent by submitting data to AI-powered features; you can withdraw at any time by not using those features and by deleting the content you submitted.
- Legitimate interests - to keep the Service secure, prevent fraud, debug problems, and improve usability. We balance this against your rights and only process the minimum necessary.
- Legal obligation - to keep accounting records for payments and to respond to lawful requests from authorities.
4. Who we share your data with
To run the Service we share data with the following categories of third-party processors. We have written agreements in place with each of them and they may only use your data on our instructions.
| Processor | What they receive | Why |
|---|---|---|
| AI provider (EU-based) | The contents of your profile, assessment answers, check-ins, books, personal-statement drafts and other text you submit to AI-powered features. Your name and email are not sent. | To generate scores, evaluations, summaries, personal statements and change analyses. |
| Stripe Payments Europe, Ltd. | Your email address, the amount and currency of each payment, and the card and billing details you enter on Stripe's hosted checkout page. | To process the £60 payment for 12 months of access and send you a receipt. |
| Hosting and infrastructure providers | All data necessary to run the Service, encrypted in transit and at rest. | To serve the website, store the database and deliver email. |
We do not sell your personal data, and we do not share it with third parties for their own marketing.
AI processing and data residency. Our AI provider processes your data on servers located in the UK and EU. Your data is not used to train AI models, and it is not retained by the AI provider beyond what is needed to return a result for your request.
5. International transfers
Our core infrastructure, database and AI processing are hosted in the UK and EU. Some of our other processors (for example, payment processing) may operate servers outside the UK and EEA. Where data is transferred outside the UK, we rely on the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an applicable adequacy decision, together with technical safeguards such as TLS encryption in transit and encryption at rest.
6. How long we keep your data
- Active accounts - for as long as your account is open.
- Closed accounts - your profile and content are deleted within 30 days of account closure, except where retention is required by law (for example, payment records are retained for 6 years for tax purposes).
- Server logs - typically 30 days.
- Backups - encrypted backups are rotated and overwritten within 35 days.
7. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted ("right to be forgotten"), subject to legal retention obligations;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time for processing based on consent;
- complain to the UK Information Commissioner's Office at ico.org.uk if you believe we have mishandled your data.
To exercise any of these rights, email contact@appsession.co.uk. We will respond within one month.
8. Cookies
We use a small number of strictly necessary cookies - an authentication cookie to keep you signed in and an anti-forgery cookie to protect form submissions. We do not use third-party advertising or tracking cookies.
9. Security
We store passwords using PBKDF2-HMAC-SHA512 with 600,000 iterations; the password itself is never stored. All traffic uses HTTPS, and the domain is on the HSTS preload list. We apply standard security headers (CSP, X-Frame-Options, Referrer-Policy) and follow defence-in-depth practices, including anti-forgery tokens on every state-changing request.
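For readers who want to see what the password-storage statement above means in practice, the following is an added illustration and not StudentCore's own code. It derives and verifies a password hash with PBKDF2-HMAC-SHA512 at the 600,000 iterations the policy states, using Python's standard library only. The per-user 16-byte random salt, the `pbkdf2_sha512$<iterations>$<salt>$<hash>` record format and the `needs_rehash` upgrade check are assumptions made for this example; the policy does not describe the Service's storage format.

```python
"""Added example (not StudentCore's code): PBKDF2-HMAC-SHA512 password
storage and verification at 600,000 iterations, as described in section 9.
Record format, salt length and the rehash check are assumptions for this
example only."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha512"
ITERATIONS = 600_000      # iteration count stated in the policy
SALT_BYTES = 16           # assumed per-user salt length
DERIVED_KEY_BYTES = 64    # full SHA-512 output length
SCHEME = f"pbkdf2_{ALGORITHM}"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, iteration count, salt and derived key.

    A fresh random salt is generated per password so identical passwords
    produce different records and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, ITERATIONS, dklen=DERIVED_KEY_BYTES
    )
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${derived.hex()}"


def _parse(record: str):
    """Split a record into (iterations, salt, derived key); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key with the parameters stored in the record.

    The iteration count comes from the record, not the current constant, so
    older records still verify after the policy's count is raised. The
    comparison is constant-time to avoid leaking the first mismatching byte.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac(
        ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record uses fewer iterations than the current policy.

    Call this after a successful login and store hash_password() again,
    because the plaintext is only available at that moment.
    """
    parsed = _parse(record)
    if parsed is None:
        return True
    iterations, _salt, _expected = parsed
    return iterations < ITERATIONS


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    print("needs rehash:", needs_rehash(rec))
```

At 600,000 iterations each verification costs a noticeable fraction of a second of CPU, which is the point: the same cost is imposed on anyone who obtains the stored records and tries to guess passwords offline.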
10. Children
The Service is intended for users aged 13 and over. If you are under 18, please ensure a parent or guardian has reviewed this policy with you before signing up.
11. Changes to this policy
We may update this policy from time to time. The "last updated" date at the top of this page shows when it was last changed. Material changes will be communicated by email or in-product notice.
12. Contact
Privacy questions, access requests and complaints should be sent to contact@appsession.co.uk. We are registered with the ICO under registration number ZA462942.