Last updated 13 July 2026
Privacy policy
Paper Grinder is operated from the United Kingdom. We process personal data under the UK GDPR and the EU GDPR. This policy describes what we collect today and how we handle it. If something changes, the date above will change with it.
01What we collect
- Account: email address and, if you sign in with Google, the name and profile picture Google returns.
- Study data: subjects, qualifications, target grades, exam dates, every attempt you submit, the marks we award, observations the coach generates, and chat history with the coach.
- Uploads: photos of handwritten answers you send from your phone. These are stored so we can mark them against the mark scheme.
- Billing: payments are handled by Stripe. We never see or store card numbers. We keep a Stripe customer ID and your subscription status.
- Technical: IP address and user agent in request logs retained by our hosting provider; authentication cookies set by Supabase to keep you signed in.
- Product use: timestamps and internal identifiers for setup, practice, checkout, and subscription events; aggregate marks, rep and session counts, duration bands, launch and plan type, account tier, and deployment environment. Product analytics never includes answers, photos, email addresses, or coach messages.
02Why we collect it
To run and improve the product: build your practice plans, mark your answers, show your progress, understand whether students complete the practice loop, and keep your account secure. We do not sell your data, use it for advertising, or share it with anyone outside the processors listed below.
03Who processes your data
- Supabase (EU region): database, authentication, file storage.
- Vercel: application hosting and edge request routing.
- Stripe: payment processing.
- Google (Gemini): AI marking of your answers, coach chat, and the coaching features (answer explanations, session debriefs, and progress analysis).
- Cloudflare R2: public delivery of exam question and mark-scheme images.
Marking, coach chat, and the coaching features send the relevant question and mark-scheme images, your answer, your messages, and recent session data to Google. Google's own data-processing agreement governs whether that content can be used to train its models; we encourage you to review Google's published DPA.
04How long we keep it
Account and study data are retained while your account exists. When you delete your account we delete it from our database; provider-side backups age out on our processors' standard schedules (typically up to 30 days). Billing records (Stripe customer ID, subscription history) are retained for seven years to meet UK tax and accounting obligations. Server logs are retained per our hosting provider's standard retention for the plan we're on.
05Your rights
Under UK/EU GDPR you can:
- Access the personal data we hold about you.
- Correct it if it is inaccurate.
- Delete your account and the associated study data.
- Receive a copy of your data in a machine-readable format.
- Object to or restrict our processing of it.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU data-protection authority.
You can exercise the access, deletion, and data-export rights above directly in Settings (Download my data; Delete your account), or email hello@papergrinder.com and we'll action your request within 30 days.
06Cookies
We set authentication cookies (managed by Supabase) to keep you signed in. These are strictly necessary and are the only cookies we use. We do not run analytics cookies, advertising cookies, or any tracking pixels.
07Children
Paper Grinder is built for secondary-school students. In the UK and EU, users under the age of 16 need verifiable parental consent under UK GDPR Article 8. During our pilot, testers join by invite code (though anyone can create an account) and we collect parental consent directly for any invited participant under 16; we do not accept self-service accounts from under-16s. If you believe a child under 16 has signed up without consent, email us and we'll delete the account.
08International transfers
Data may be processed in countries outside the UK and EEA (notably the United States, for Stripe, Vercel, and Google). Each processor is contracted under the UK International Data Transfer Addendum or EU Standard Contractual Clauses.
09Changes to this policy
Material changes are announced by email at least 14 days before they take effect. The "last updated" date at the top reflects the latest revision.
10Contact
Controller: Paper Grinder (United Kingdom). Contact: hello@papergrinder.com.