Privacy Policy

Last updated: May 2026

1. Who We Are

LearnWithOtti is operated by Robert Yates, a sole trader based in England, United Kingdom. Robert Yates is the data controller for personal data collected through this Service. If you have any questions about this Privacy Policy or how we handle your data, contact us at rob@learnwithotti.co.uk.

2. What This Policy Covers

This policy covers the personal data we collect when you use LearnWithOtti, including access to Otti, our AI tutor. LearnWithOtti currently supports A-Level students across the subjects and exam boards listed as available on our website. This policy applies to all users of the Service regardless of your chosen A-Level subject and exam board.

3. Who Can Use LearnWithOtti

The Service is available to users aged 16 and over. We do not knowingly collect data from users under 16. If we discover that a user under 16 has created an account, we will immediately suspend and delete that account and any associated data. See our Age Verification & Children’s Privacy Statement for full details.

4. Data We Collect

4.1 Account Data

When you register, we collect your full name, email address, chosen subject and exam board, sign-up method, and account creation date.

4.2 Interaction Data

As you use the Service, we record your messages to Otti and Otti’s responses, assessment submissions and scores, topics and sessions accessed, token usage per session, and session timestamps.

4.3 Technical Data

We collect your IP address, browser type and version, device type, and the pages you visit within the Service. This data is used for security, performance monitoring, and analytics.

4.4 Billing Data

Payments are processed by Stripe. We store only your Stripe customer ID — we never hold your card number, CVV, or full billing details. See Stripe’s privacy policy at stripe.com/gb/privacy.

4.5 Data We Do Not Collect

We do not collect gender, ethnicity, or other demographic data. We ask for your date of birth only for age verification purposes and do not retain it once verification is complete.

5. How We Use Your Data

5.1 To Provide the Service

We process your account and interaction data to operate your account, deliver tutoring sessions, track your progress, and manage your subscription. The legal basis is the performance of a contract between you and us.

5.2 To Improve the Service

We use anonymised and aggregated interaction data to identify common learning gaps, improve Otti’s responses, and develop new features. The legal basis is our legitimate interests in improving the Service.

5.3 Educational Content and SEO

We may use anonymised interaction data to produce educational content, blog posts, or SEO materials. No personal data is ever included in publicly published content.

5.4 Communications

We will send you transactional emails (account confirmation, billing notifications, password resets) as necessary for the performance of your contract. We will only send marketing emails with your explicit consent, and you may unsubscribe at any time.

6. Anonymisation and Secondary Use

Where data has been fully anonymised so that it cannot reasonably be linked back to any individual, it is no longer personal data under UK GDPR. Anonymised data may be used for any lawful purpose, including AI model improvement, analytics, SEO, and educational research, without restriction.

7. Third-Party Services

7.1 Supabase

Our database and authentication is hosted by Supabase (EU — Ireland). Supabase is GDPR-compliant and processes data under a Data Processing Agreement with us.

7.2 Anthropic

Otti’s AI responses are powered by Anthropic’s Claude models. We transmit the content of your messages to Anthropic to generate responses. We do not transmit your name, email, or other personally identifying information to Anthropic. See Anthropic’s privacy policy at anthropic.com/privacy.

7.3 Stripe

Stripe processes your subscription payments. Their privacy policy is available at stripe.com/gb/privacy.

7.4 Resend

Transactional emails (account confirmation, billing notifications) are sent via Resend. Resend processes only the email address and message content necessary to deliver these emails. Their privacy policy is available at resend.com/legal/privacy-policy.

7.5 Vercel

The Service is hosted on Vercel. Vercel is GDPR-compliant and processes data under a Data Processing Agreement with us.

7.6 Google Analytics

We use Google Analytics to understand how users navigate the Service. Google Analytics is only loaded with your explicit consent via the cookie banner.

8. International Data Transfers

Your data is primarily stored in the EU (Ireland) via Supabase. Some of our third-party processors (Anthropic, Vercel) may process data in the United States. Where data is transferred outside the UK or EU, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as required by UK GDPR.

9. How Long We Keep Your Data

  • Account data: retained for the duration of your account plus 2 years
  • Interaction data (messages, sessions): retained for 2 years from the date of the interaction
  • Billing records: retained for 7 years as required by UK tax law
  • Technical logs: retained for 90 days
  • Deleted accounts: all personal data removed within 30 days of account deletion request

10. Security

All data in transit is encrypted via HTTPS. Access to personal data is restricted to authorised personnel only. Our database uses Supabase Row Level Security (RLS) to enforce data access controls at the database level, and we conduct periodic audits of RLS policies to ensure controls remain correctly configured. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware.

11. Your Rights Under UK GDPR

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate or incomplete data
  • Erasure — ask us to delete your personal data in certain circumstances
  • Restriction — ask us to restrict processing of your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — withdraw any consent you have given at any time

To exercise any of these rights, contact us at rob@learnwithotti.co.uk. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

12. Cookies

We use essential cookies for authentication and, with your consent, analytics cookies via Google Analytics. You can manage your cookie preferences at any time via the “Cookie settings” link in the footer. For full details, see our Cookie Policy.

13. Children’s Privacy

The Service is for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. We do not create profiles on users under 18 for commercial or advertising purposes. For users under 18, we apply additional data minimisation measures in line with the ICO’s Children’s Code. See our Age Verification & Children’s Privacy Statement.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or an in-app notice before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was last revised.

15. Contact Us

For any privacy-related questions or to exercise your rights, contact us at rob@learnwithotti.co.uk.

We use cookies

We use essential cookies to keep you signed in (Supabase auth) and, with your permission, Google Analytics to understand how students use LearnWithOtti. Cookie policy