Privacy Policy
Last updated: 1 March 2026
1. Who We Are
studysesh ltd. (trading as Director of Studies, “we”, “us”, “our”) is the data controller for personal data collected through our AI tutoring platform at directorofstudies.com. We are registered in England and Wales (Company No. 16860469).
Contact: privacy@directorofstudies.com
2. Data We Collect
Account Data
- Name, email address, date of birth, school year
- Account type (student or parent/guardian)
- Parent–student linking information
Usage Data
- Session transcripts and AI-generated summaries
- Progress snapshots and areas for improvement
- Subject enrolments and exam board selections
- Calendar and scheduling data
Technical Data
- Browser type, operating system, and IP address
- Session timestamps and duration
- Authentication tokens (managed by Supabase)
3. How We Use Your Data
We process your data for the following purposes:
- Providing the Service: delivering AI tutoring sessions, tracking progress, generating summaries and recommendations
- Account management: authentication, billing, parent–student linking
- Improvement: analysing usage patterns to improve the AI tutor and educational content (anonymised and aggregated)
- Legal obligations: safeguarding, parental consent verification, responding to data subject requests
4. Legal Basis for Processing
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing the tutoring service | Performance of a contract (Art. 6(1)(b)) |
| Account security and fraud prevention | Legitimate interests (Art. 6(1)(f)) |
| Parental consent for under-13s | Consent (Art. 6(1)(a), Art. 8) |
| Legal and safeguarding obligations | Legal obligation (Art. 6(1)(c)) |
| Service improvement (anonymised) | Legitimate interests (Art. 6(1)(f)) |
5. Children's Data
We take the protection of children's data seriously. Students under 13 cannot use the Service without verified parental consent. We comply with the UK Age Appropriate Design Code (Children's Code) and process children's data with the highest level of protection.
Parent/guardian accounts can view their linked student's progress data, control usage limits, and request deletion of the student's account and data.
6. Data Retention
- Active accounts: data retained while the account is active
- Deleted accounts: personal data is soft-deleted and fully purged within 30 days of account deletion
- Session transcripts: retained for up to 12 months after the session, then anonymised or deleted
- Billing data: retained as required by UK tax and financial regulations (typically 6 years)
7. Data Sharing
We share personal data only with:
- Supabase: authentication and database hosting (EU servers)
- Stripe: payment processing (PCI DSS compliant)
- OpenAI: AI model provider for tutoring sessions (data processing agreement in place)
- Deepgram: speech-to-text and text-to-speech processing
We do not sell personal data to third parties.
8. Your Rights (UK GDPR)
You have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate data via your settings page
- Erase your data (“right to be forgotten”) via account deletion
- Restrict processing in certain circumstances
- Receive your data in a machine-readable format (data portability)
- Object to processing based on legitimate interests
- Withdraw consent at any time where consent is the legal basis
To exercise any of these rights, contact privacy@directorofstudies.com. We will respond within one month as required by UK GDPR.
9. Cookies
We use essential cookies for authentication and session management. Analytics cookies (if enabled) are only set with your consent. You can manage your cookie preferences at any time using the cookie settings accessible from the footer of every page.
10. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encrypted database connections, and access controls. We regularly review our security practices.
11. International Transfers
Some of our data processors (OpenAI, Deepgram) are based in the United States. These transfers are protected by appropriate safeguards including Standard Contractual Clauses and data processing agreements.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email. The “Last updated” date at the top indicates when this policy was last revised.
13. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.