Privacy Policy

1. Who We Are

Student Growth Space ("we", "us", "our") is a UK-based platform helping students navigate their path from sixth form through university and into their careers. We're registered in the United Kingdom and act as the data controller for all personal information collected through our website at studentgrowthspace.com.

Contact us: hello@studentgrowthspace.com

2. What This Policy Covers

This Privacy Policy explains how we collect, use, store, and protect your personal information when you:

Create an account on Student Growth Space
Use our platform features (opportunities directory, applications tracker, Daily Protocol, guides, exam countdown, student finance calculator, feedback tools)
Interact with our website or services

Important:By using our platform, you agree to this Privacy Policy. If you don't agree, please don't use our services.

3. Information We Collect

3.1 Personal Information You Provide

When you sign up and use our platform, we collect:

Information	Required?	Why we need it
Email address	Yes	Account creation, login, important updates
Full name	No	Personalising your experience (you choose)
Year group	Yes	Showing relevant opportunities (Year 11, 12 or 13)
A-Level subjects	No	Exam countdown feature (your choice)

3.2 Usage Data (Automatically Collected)

We track how you use the platform to improve your experience:

Daily Protocol progress: Which tasks you've completed, proof text you submit, and your streak
Bookmarks: Which programmes you've saved for later
Applications tracker: Which opportunities you've added to your applications and their status (Applied, Interviewing, Offer, Rejected, Withdrawn)
Opportunity interactions: Click events on programme and apply links, and responses to "Did you apply?" prompts — used to keep the directory accurate and personalise sorting (e.g. the "Most popular" sort)
Calculator inputs: We process these on the fly to show results; household income figures are not stored on our servers
Login activity: When you last used the platform (for security and analytics)
Daily visits: A single per-day record that you logged in (no IP or location beyond country level)
Technical data: Browser type, device type, and approximate location (country level only)

3.3 Authentication Data

Email/password: Stored securely by Supabase using industry-standard hashing (bcrypt)
Google OAuth: If you choose "Sign in with Google", your credentials are managed by Google. We only receive your email and basic profile info.

4. How We Use Your Information

We use your data to provide and improve our services:

Core functionality:

Personalising programme recommendations based on your year group
Tracking your progress through the success protocol
Showing relevant A-Level exam countdowns
Saving your bookmarked programmes for easy access

Communication (with your consent):

Deadline reminders for programmes you've bookmarked (future feature)
Important updates about the platform
Career tips and opportunities we think you'll value

Improvement and security:

Understanding how students use our tools so we can make them better
Protecting against fraud, abuse, or security threats
Complying with legal obligations

We never:

Sell your personal information to third parties
Use your data for advertising (we don't show ads)
Share your information with universities or employers without your explicit permission

5. Legal Basis for Processing (GDPR)

Under UK and EU data protection law, we process your data based on:

Contract necessity: We need your email and year group to provide the service you signed up for
Contract necessity (paid features): If we introduce optional paid features and you choose to subscribe, we'll process the personal data needed to deliver that subscription (for example account identity, plan status, and billing-related records processed via our payment provider—not your full card details)
Legitimate interests: We analyse usage patterns to improve our platform and keep it secure
Consent: For optional features like email reminders (you can opt out anytime)
Legal obligation: When required to comply with laws or regulations

6. How We Store and Protect Your Data

6.1 Security Measures

Encryption: All data is encrypted in transit (HTTPS/TLS 1.3) and at rest (AES-256)
Passwords: Hashed using bcrypt—never stored in plain text
Access control: Strict internal controls on who can access user data
Regular audits: We review our security practices regularly

6.2 Where Your Data Lives

We use Supabase, a GDPR-compliant database provider with servers in the European Union (Frankfurt, Germany). This means your data is protected by EU data protection laws, considered among the strongest in the world.

6.3 Payment Data

We don't currently handle payments. If we ever introduce optional paid features, we'll use a PCI-DSS compliant payment processor (such as Stripe). We never see or store your credit card details—the processor handles everything securely. We may process limited billing-related personal data (such as subscription status, customer reference IDs, and transaction records for accounting and support) as necessary to operate those features; we'll describe this in more detail when they launch and update this Privacy Policy and our Terms of Service accordingly, with reasonable notice before any fees apply to you.

7. Third-Party Services

We work with trusted providers to run our platform:

Service	What they do	Their privacy policy
Supabase	Database, authentication, hosting (EU)	supabase.com/privacy
Vercel	Website hosting, delivery, Vercel Analytics and Speed Insights	vercel.com/legal/privacy-policy
Google	Optional OAuth login, Google Analytics (aggregate usage events)	google.com/policies/privacy
Resend	Transactional email delivery (welcome, deadline reminders, contact replies)	resend.com/legal/privacy-policy

Future services: If we introduce optional paid features in the future, we may add a payment processor (such as Stripe). We only share the minimum data necessary with our providers, and all are GDPR-compliant with appropriate data processing agreements in place.

8. Your Rights Under GDPR

As a UK/EU user, you have strong rights over your data:

Right to access: View all data we hold about you in your account settings, or email us for a complete copy.
Right to rectification: Edit your profile information anytime in settings. Spot an error? Let us know and we'll fix it.
Right to erasure ("Right to be forgotten"): Delete your account permanently. All personal data is removed within 30 days. Some anonymised analytics may be retained.
Right to restrict processing: Temporarily pause how we use your data while resolving a dispute.
Right to data portability: Request your data in a standard format to take elsewhere (coming soon as a self-service feature).
Right to object: Opt out of non-essential communications and certain types of processing.

To exercise any right: Email hello@studentgrowthspace.com or use the controls in your account settings. We respond to all requests within 30 days.

9. Cookies and Local Storage

We keep this simple:

Essential cookies only:

Session authentication (keeps you logged in)
Security tokens (protects against attacks)

Analytics cookies (aggregate only):

Vercel Analytics + Speed Insights: Anonymous performance and usage analytics, no cross-site tracking.
Google Analytics 4: Aggregate events (e.g. which pages are viewed, which programmes are opened). Configured with IP anonymisation; we do not use GA for advertising.

No advertising cookies:We don't use Facebook pixels, retargeting networks, or any ad tracking. We don't show ads.

LocalStorage:We store some preferences locally on your device (like your exam countdown precision, dark mode, or sort order on the opportunities page). This never leaves your browser and isn't sent to our servers. You can clear this data anytime through your browser settings, though it may reset your preferences.

10. Data Retention

Data type	How long we keep it
Active account data	Until you delete your account
Deleted accounts	Permanently erased within 30 days
Anonymised usage analytics	Indefinitely (can't identify you)
Server logs (security)	90 days
Backup copies	Up to 30 days after deletion

11. Children's Privacy and Age-Appropriate Design

Our platform is designed for students aged 16–25.

For users under 18:

We encourage you to review this Privacy Policy with a parent or guardian
We don't knowingly collect data from children under 16
If we discover we've collected data from someone under 16, we delete it immediately

UK Age Appropriate Design Code:

We follow the ICO's Children's Code principles:

We prioritise your privacy and wellbeing
We don't use manipulative design patterns (no dark patterns)
We provide clear information about how we use your data
We give you control over your privacy settings

12. International Data Transfers

Your data is stored in the European Union (Germany). We don't transfer your personal data outside the UK/European Economic Area unless you specifically request a service requiring it, or we have appropriate safeguards in place (Standard Contractual Clauses). All our core services are EU-based to ensure maximum protection.

13. Changes to This Policy

We may update this Privacy Policy as our platform evolves. When we do:

We'll change the "Last Updated" date at the top
We'll email you about significant changes (using your registered email)
We'll post a notice on the platform for 30 days before major changes take effect

Continued use of Student Growth Space after changes means you accept the updated policy.

14. Contact Us

Questions about this policy? Concerns about your data? Want to exercise your rights?

Email: hello@studentgrowthspace.com

We'll respond within: 48 hours (usually much faster)

For formal complaints: You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, but we hope you'll give us a chance to resolve any issues first.

15. Quick Reference

Your question	Our answer
Who owns my data?	You do. We're just looking after it.
Can I delete everything?	Yes, anytime. Account deletion is permanent.
Do you sell my data?	Never. We don't even show ads.
Is my data secure?	Yes. Encrypted, EU-hosted, GDPR compliant.
What if I forget my password?	Reset link sent to your email. We can't see your password.
Can my school see my data?	No. Only you can access your account.

Thanks for trusting Student Growth Space with your career journey. We're here to help you succeed, not to exploit your data.
— The Student Growth Space Team

1. Who We Are

Contact us: hello@studentgrowthspace.com

2. What This Policy Covers

This Privacy Policy explains how we collect, use, store, and protect your personal information when you:

Create an account on Student Growth Space
Use our platform features (opportunities directory, applications tracker, Daily Protocol, guides, exam countdown, student finance calculator, feedback tools)
Interact with our website or services

Important:By using our platform, you agree to this Privacy Policy. If you don't agree, please don't use our services.

3. Information We Collect

3.1 Personal Information You Provide

When you sign up and use our platform, we collect:

Information	Required?	Why we need it
Email address	Yes	Account creation, login, important updates
Full name	No	Personalising your experience (you choose)
Year group	Yes	Showing relevant opportunities (Year 11, 12 or 13)
A-Level subjects	No	Exam countdown feature (your choice)

3.2 Usage Data (Automatically Collected)

We track how you use the platform to improve your experience:

Daily Protocol progress: Which tasks you've completed, proof text you submit, and your streak
Bookmarks: Which programmes you've saved for later
Applications tracker: Which opportunities you've added to your applications and their status (Applied, Interviewing, Offer, Rejected, Withdrawn)
Opportunity interactions: Click events on programme and apply links, and responses to "Did you apply?" prompts — used to keep the directory accurate and personalise sorting (e.g. the "Most popular" sort)
Calculator inputs: We process these on the fly to show results; household income figures are not stored on our servers
Login activity: When you last used the platform (for security and analytics)
Daily visits: A single per-day record that you logged in (no IP or location beyond country level)
Technical data: Browser type, device type, and approximate location (country level only)

3.3 Authentication Data

Email/password: Stored securely by Supabase using industry-standard hashing (bcrypt)
Google OAuth: If you choose "Sign in with Google", your credentials are managed by Google. We only receive your email and basic profile info.

4. How We Use Your Information

We use your data to provide and improve our services:

Core functionality:

Personalising programme recommendations based on your year group
Tracking your progress through the success protocol
Showing relevant A-Level exam countdowns
Saving your bookmarked programmes for easy access

Communication (with your consent):

Deadline reminders for programmes you've bookmarked (future feature)
Important updates about the platform
Career tips and opportunities we think you'll value

Improvement and security:

Understanding how students use our tools so we can make them better
Protecting against fraud, abuse, or security threats
Complying with legal obligations

We never:

Sell your personal information to third parties
Use your data for advertising (we don't show ads)
Share your information with universities or employers without your explicit permission

5. Legal Basis for Processing (GDPR)

Under UK and EU data protection law, we process your data based on:

Contract necessity: We need your email and year group to provide the service you signed up for
Contract necessity (paid features): If we introduce optional paid features and you choose to subscribe, we'll process the personal data needed to deliver that subscription (for example account identity, plan status, and billing-related records processed via our payment provider—not your full card details)
Legitimate interests: We analyse usage patterns to improve our platform and keep it secure
Consent: For optional features like email reminders (you can opt out anytime)
Legal obligation: When required to comply with laws or regulations

6. How We Store and Protect Your Data

6.1 Security Measures

Encryption: All data is encrypted in transit (HTTPS/TLS 1.3) and at rest (AES-256)
Passwords: Hashed using bcrypt—never stored in plain text
Access control: Strict internal controls on who can access user data
Regular audits: We review our security practices regularly

6.2 Where Your Data Lives

6.3 Payment Data

7. Third-Party Services

We work with trusted providers to run our platform:

Service	What they do	Their privacy policy
Supabase	Database, authentication, hosting (EU)	supabase.com/privacy
Vercel	Website hosting, delivery, Vercel Analytics and Speed Insights	vercel.com/legal/privacy-policy
Google	Optional OAuth login, Google Analytics (aggregate usage events)	google.com/policies/privacy
Resend	Transactional email delivery (welcome, deadline reminders, contact replies)	resend.com/legal/privacy-policy

8. Your Rights Under GDPR

As a UK/EU user, you have strong rights over your data:

Right to access: View all data we hold about you in your account settings, or email us for a complete copy.
Right to rectification: Edit your profile information anytime in settings. Spot an error? Let us know and we'll fix it.
Right to erasure ("Right to be forgotten"): Delete your account permanently. All personal data is removed within 30 days. Some anonymised analytics may be retained.
Right to restrict processing: Temporarily pause how we use your data while resolving a dispute.
Right to data portability: Request your data in a standard format to take elsewhere (coming soon as a self-service feature).
Right to object: Opt out of non-essential communications and certain types of processing.

To exercise any right: Email hello@studentgrowthspace.com or use the controls in your account settings. We respond to all requests within 30 days.

9. Cookies and Local Storage

We keep this simple:

Essential cookies only:

Session authentication (keeps you logged in)
Security tokens (protects against attacks)

Analytics cookies (aggregate only):

Vercel Analytics + Speed Insights: Anonymous performance and usage analytics, no cross-site tracking.
Google Analytics 4: Aggregate events (e.g. which pages are viewed, which programmes are opened). Configured with IP anonymisation; we do not use GA for advertising.

No advertising cookies:We don't use Facebook pixels, retargeting networks, or any ad tracking. We don't show ads.

10. Data Retention

Data type	How long we keep it
Active account data	Until you delete your account
Deleted accounts	Permanently erased within 30 days
Anonymised usage analytics	Indefinitely (can't identify you)
Server logs (security)	90 days
Backup copies	Up to 30 days after deletion

11. Children's Privacy and Age-Appropriate Design

Our platform is designed for students aged 16–25.

For users under 18:

We encourage you to review this Privacy Policy with a parent or guardian
We don't knowingly collect data from children under 16
If we discover we've collected data from someone under 16, we delete it immediately

UK Age Appropriate Design Code:

We follow the ICO's Children's Code principles:

We prioritise your privacy and wellbeing
We don't use manipulative design patterns (no dark patterns)
We provide clear information about how we use your data
We give you control over your privacy settings

12. International Data Transfers

13. Changes to This Policy

We may update this Privacy Policy as our platform evolves. When we do:

We'll change the "Last Updated" date at the top
We'll email you about significant changes (using your registered email)
We'll post a notice on the platform for 30 days before major changes take effect

Continued use of Student Growth Space after changes means you accept the updated policy.

14. Contact Us

Questions about this policy? Concerns about your data? Want to exercise your rights?

Email: hello@studentgrowthspace.com

We'll respond within: 48 hours (usually much faster)

For formal complaints: You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, but we hope you'll give us a chance to resolve any issues first.

15. Quick Reference

Your question	Our answer
Who owns my data?	You do. We're just looking after it.
Can I delete everything?	Yes, anytime. Account deletion is permanent.
Do you sell my data?	Never. We don't even show ads.
Is my data secure?	Yes. Encrypted, EU-hosted, GDPR compliant.
What if I forget my password?	Reset link sent to your email. We can't see your password.
Can my school see my data?	No. Only you can access your account.

Thanks for trusting Student Growth Space with your career journey. We're here to help you succeed, not to exploit your data.
— The Student Growth Space Team

TL;DR (Quick Summary)

1. Who We Are

2. What This Policy Covers

3. Information We Collect

3.1 Personal Information You Provide

3.2 Usage Data (Automatically Collected)

3.3 Authentication Data

4. How We Use Your Information

5. Legal Basis for Processing (GDPR)

6. How We Store and Protect Your Data

6.1 Security Measures

6.2 Where Your Data Lives

6.3 Payment Data

7. Third-Party Services

8. Your Rights Under GDPR

9. Cookies and Local Storage

10. Data Retention

11. Children's Privacy and Age-Appropriate Design

12. International Data Transfers

13. Changes to This Policy

14. Contact Us

15. Quick Reference

Privacy Policy

TL;DR (Quick Summary)

1. Who We Are

2. What This Policy Covers

3. Information We Collect

3.1 Personal Information You Provide

3.2 Usage Data (Automatically Collected)

3.3 Authentication Data

4. How We Use Your Information

5. Legal Basis for Processing (GDPR)

6. How We Store and Protect Your Data

6.1 Security Measures

6.2 Where Your Data Lives

6.3 Payment Data

7. Third-Party Services

8. Your Rights Under GDPR

9. Cookies and Local Storage

10. Data Retention

11. Children's Privacy and Age-Appropriate Design

12. International Data Transfers

13. Changes to This Policy

14. Contact Us

15. Quick Reference