Privacy Policy

• Account: email address and, if you sign in with Google, the name and profile picture Google returns.
• Study data: subjects, qualifications, target grades, exam dates, every attempt you submit, the grades we compute, observations the coach generates, and chat history with the coach.
• Uploads: photos of handwritten answers you send from your phone. These are stored to grade against the mark scheme.
• Billing: payments are handled by Stripe. We never see or store card numbers. We keep a Stripe customer ID and your subscription status.
• Technical: IP address and user agent in request logs retained by our hosting provider; authentication cookies set by Supabase to keep you signed in.

To run the product — build your practice plans, grade your answers, show your progress, and keep your account secure. We do not sell your data, use it for advertising, or share it with anyone outside the processors listed below.

• Supabase (EU region) — database, authentication, file storage.
• Vercel — application hosting and edge request routing.
• Stripe — payment processing.
• Google (Gemini) — AI grading for short-text and image answers.
• Anthropic (Claude) — AI grading for essay answers; coach chat responses.
• Cloudflare R2 — public delivery of exam question and mark-scheme images.

AI grading requests send the question image, the mark-scheme image, and your answer to the relevant provider. Each provider's own data-processing agreement governs whether that content can be used to train their models; we encourage you to review Google's and Anthropic's published DPAs.

Account and study data are retained while your account exists. When you delete your account we delete it from our database; provider-side backups age out on our processors' standard schedules (typically up to 30 days). Billing records (Stripe customer ID, subscription history) are retained for seven years to meet UK tax and accounting obligations. Server logs are retained per our hosting provider's standard retention for the plan we're on.

Under UK/EU GDPR you can:

• Access the personal data we hold about you.
• Correct it if it is inaccurate.
• Delete your account and the associated study data.
• Receive a copy of your data in a machine-readable format.
• Object to or restrict our processing of it.
• Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local EU data-protection authority.

In-app deletion and data export are not currently available. Email hello@papergrinder.com and we'll action your request within 30 days.

We set authentication cookies (managed by Supabase) to keep you signed in. These are strictly necessary and are the only cookies we use. We do not run analytics cookies, advertising cookies, or any tracking pixels.

Paper Grinder is built for secondary-school students. In the UK and EU, users under the age of 16 need verifiable parental consent under UK GDPR Article 8. An age gate is rolling out before launch; until it is live, we do not knowingly accept accounts from users under 16 in the UK or EU. If you believe a child under 16 has signed up without consent, email us and we'll delete the account.

Data may be processed in countries outside the UK and EEA (notably the United States, for Stripe, Vercel, Google, and Anthropic). Each processor is contracted under the UK International Data Transfer Addendum or EU Standard Contractual Clauses.

Material changes are announced by email at least 14 days before they take effect. The "last updated" date at the top reflects the latest revision.

Controller: Paper Grinder (United Kingdom). Contact: hello@papergrinder.com.