Privacy policy
Last updated: May 14, 2026
This is the canonical version of our privacy policy, published at scmstudyapp.io/privacy. The SCM Study app also bundles a copy so you can read it offline; if the two ever differ, this web version wins.
Short version: we collect the minimum we need to run the service. We don't sell or rent your data, and we don't use advertising trackers.
Who we are
SCM Education Solutions ("we", "us") operates the website at scmeducation.com and the SCM Study mobile app. For the purposes of the EU and UK GDPR we are the data controller; for the California Consumer Privacy Act we are the business that determines how your information is used. Contact: hello@scmeducation.com.
What we collect
- Account information — your email address, a hashed password (or an OAuth token if you sign in with Google or Apple), and an optional display name.
- Study activity — practice answers, mock-exam scores, flash-card review history, study streaks, and reading progress. We use this to power the adaptive scheduler and your progress dashboard.
- Subscription data — if you pay for a plan, we record your subscription status, tier, currency, and an opaque customer ID from our payments provider. We never see or store full card numbers.
- Diagnostic data — when the app crashes or hits an unhandled error, we collect the stack trace, device model, OS version, app version, and the IP address the report came from. This is used only to fix bugs.
- Server logs — IP address, user agent, and basic request metadata for security, abuse prevention, and debugging.
How we use it
We use this information to provide and improve the service, sync your progress across devices, process payments, prevent abuse, and answer your questions. We send transactional email (receipts, password resets, security and policy updates). Marketing email is opt-in and easy to unsubscribe from. We do not use your data for automated decision-making that produces legal or similarly significant effects on you.
Legal bases (GDPR)
- Contract — account creation, sync, subscription management.
- Legitimate interests — crash diagnostics, security logging, abuse prevention, and improving the product. You can object to processing on this basis (see "Your rights").
- Consent — marketing email and any optional telemetry. You can withdraw consent at any time.
- Legal obligation — limited tax and accounting records for paid subscriptions.
Who we share it with
We share data with a short list of service providers ("sub-processors") who are contractually bound to handle it only on our instructions:
- Supabase — authentication and database (United States, AWS).
- Vercel — web hosting (global edge, US-primary).
- Sentry — crash and error diagnostics for the mobile app (United States).
- RevenueCat and Stripe — subscription management and card processing (United States).
- Apple App Store and Google Play — in-app subscription billing on each platform.
- Namecheap — domain registration, DNS, and email forwarding.
We do not sell or rent your personal information, and we do not share it for cross-context behavioural advertising.
Where it's stored and international transfers
Your data is processed and stored in the United States. If you are in the EEA, the UK, or Switzerland, transfers rely on the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable). Several of our processors are also certified under the EU–US and UK–US Data Privacy Framework.
How long we keep it
- Account and study data — until you delete your account.
- Crash diagnostics — 90 days, then automatically purged.
- Server logs — up to 30 days.
- Backups — rolling 7-day window; deleted data ages out of backups within that window.
- Billing records — kept for as long as tax law requires (typically up to 7 years), even after account deletion.
Cookies and similar technologies
The website uses first-party cookies for sign-in sessions and to remember your dark-mode preference. The mobile app uses local storage on your device for the same purposes. We don't use third-party advertising cookies, fingerprinting, or cross-site trackers.
Your rights (EEA, UK, Switzerland)
If GDPR or UK GDPR applies to you, you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted ("right to be forgotten");
- restrict or object to certain processing;
- receive a copy of your data in a portable format;
- withdraw consent where processing relies on it;
- lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).
To exercise any of these rights, email hello@scmeducation.com. We'll respond within 30 days. You can also delete your account and all associated study data directly from the Profile screen in the app.
Your rights (California)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to:
- Know what personal information we've collected, used, and disclosed, and the categories of sources and recipients;
- Delete personal information we've collected;
- Correct inaccurate personal information;
- Opt out of the sale or sharing of personal information — we don't do either, but you have the right regardless;
- Limit the use of sensitive personal information — we don't process sensitive personal information for purposes that would trigger this right;
- Non-discrimination — we won't deny, charge more for, or degrade the service because you exercised a right.
Categories of personal information collected in the last 12 months: identifiers (email, account ID, IP address); customer records (name, payment status); internet activity (app and site usage); inferences (study performance, scheduler state). Sources: directly from you, automatically from your device, and from our payments provider. Business purposes: providing the service, security, debugging, billing. Recipients: the sub-processors listed above. We have not sold or shared personal information in the preceding 12 months and have no plans to.
To submit a request, email hello@scmeducation.com with "CCPA request" in the subject. We'll verify your identity using the email on your account and respond within 45 days. Authorised agents may submit requests on your behalf with written proof of authorisation.
Children
The service is not directed to children under 16, and we don't knowingly collect data from anyone under that age. If you believe a child has provided us with personal information, contact us and we'll delete it.
Security
We use TLS for data in transit and encryption at rest for our database. Authentication is handled by Supabase Auth with industry-standard password hashing. Access to production data is limited to the people who need it and protected by 2FA. If we become aware of a breach affecting your personal data, we'll notify you and the relevant authorities within the timeframes required by law.
Changes
If we change how we handle your data in a meaningful way, we'll update this page and notify account holders by email before the change takes effect.
Contact
Privacy questions or rights requests: hello@scmeducation.com.