Privacy Policy

Your data, explained plainly

Last updated: 13 February 2026

1. Who we are

Studict ("we", "us") is a study companion app run from the United Kingdom. We are the data controller for the personal information described in this policy. Contact: contact@studictsmartdictionary.com.

This policy is written in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and, where applicable, the EU GDPR. If you are in the United States we honour requests broadly equivalent to the California Consumer Privacy Act (CCPA/CPRA).

2. What we collect

Account & identity

  • Email address (required for sign-in via Google, magic-link or passkey)
  • Display name & profile picture (from Google sign-in only; you can edit/remove these)
  • Unique user ID we generate for you (not your government ID)
  • Plan, payment timestamps, billing history (free / Pro / Pro Plus + Stripe references)

Content you create

  • Glossary entries, categories, study materials (text, PDFs, audio, video, images you upload)
  • Quiz attempts, test dates you add, draft assignments you generate
  • Photos you submit for AI OCR are processed and the extracted text is saved; the original image is deleted within 24 hours unless you choose to save it

Technical & usage data

  • Session cookies and Bearer tokens (so you stay signed in)
  • Server logs (IP address, browser type, paths visited) kept for at most 30 days for security and abuse prevention
  • Push-notification subscription endpoint (only if you opt in)
  • Aggregate counts (e.g. how many users on each plan) — never linked to individuals in admin views

Payments

All card data is handled by Stripe directly. We never see or store your card number, expiry, CVC or banking credentials — we only receive a Stripe customer reference and the amount you paid.

Biometric data — what we do not collect

When you enable a passkey (Face ID, Touch ID, Windows Hello, Android fingerprint or device PIN), no fingerprint, face scan, or any biometric template ever leaves your device or is sent to Studict. Your device performs the biometric check locally and only sends Studict a cryptographic signature proving it succeeded. We store a public key associated with your account — not anything that could identify you biometrically.

3. Lawful basis (UK/EU GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — to provide the Studict service you signed up for: storing your glossary, processing payments, sending account emails.
  • Legitimate interests (Art. 6(1)(f)) — keeping the service secure, preventing abuse, basic product analytics in aggregate.
  • Consent (Art. 6(1)(a)) — push notifications, marketing/promotional emails (you can withdraw anytime in Settings).
  • Legal obligation (Art. 6(1)(c)) — keeping tax/payment records where required by HMRC or equivalent.

We do not knowingly process the personal data of children under 13. Studict is intended for use by secondary, college and university students. If you believe a child under 13 has provided data, contact us and we will delete it.

4. How long we keep your data

  • Account & content: for as long as your account is active, then 30 days after deletion request before permanent removal (so you can change your mind).
  • Payment records: 7 years (tax/legal obligation).
  • Server logs: 30 days.
  • Magic-link tokens: 15 minutes.
  • Push-notification subscription: until you unsubscribe.
  • Photos submitted for OCR: deleted within 24 hours unless you save them to Materials.

5. Who we share data with

We only share what is necessary for the service to run:

  • Stripe — payment processing (their privacy policy)
  • Google — only if you sign in with Google (email, name, profile picture)
  • Resend — outbound transactional emails (sign-in links, receipts, reminders)
  • MongoDB Atlas / Emergent infrastructure — encrypted database hosting
  • Google Gemini / OpenAI — only when you actively use AI features (OCR scan, quiz generation, draft assistant). Inputs are sent to the relevant API for processing and are not used to train their models.
  • PostHog — privacy-friendly product analytics (page views, feature usage, anonymous session replays of your own Studict sessions). We use this to fix bugs and understand which features help students. PostHog is GDPR-compliant; sensitive inputs (passwords, payment fields) are masked. You can opt out by enabling "Do Not Track" or a browser privacy extension. PostHog privacy policy.

We never sell your data. We never use it to train any AI model. We never use third-party advertising or marketing trackers.

6. International transfers

Some of our processors operate servers outside the UK/EU. Where this is the case, we rely on the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses, or each provider's adequacy mechanism to keep your data protected to the same standard.

7. Your rights

Under UK/EU GDPR (and substantially under CCPA/CPRA) you have the right to:

  • Access a copy of the personal data we hold about you
  • Rectify data that is inaccurate or incomplete
  • Erase your account and personal data ("right to be forgotten")
  • Restrict or object to certain processing
  • Port your data to another service in a machine-readable format
  • Withdraw consent for marketing emails / push notifications at any time
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) — ico.org.uk — or your local data protection authority

8. How to make a request

Email contact@studictsmartdictionary.com with subject "Data request — [Access / Erase / Port / Rectify]" and the email address on your Studict account. We respond within 30 days (extendable to 90 days for unusually complex requests, with notice). We do this free of charge unless the request is manifestly excessive.

For a quicker self-service path: sign in → Settings → Delete my account removes your account and content immediately, with a 30-day grace period.

9. Cookies

We use a small number of essential cookies that don't require consent under PECR/UK GDPR:

  • session_token — keeps you signed in (HTTP-only, secure, SameSite=Lax)

We also store a Bearer token in your browser's localStorage as a fallback for browsers that block cookies. We do not use any advertising cookies or ad pixels that track you across other websites. We do use PostHog for first-party product analytics (see Section 5).

10. Security

We use HTTPS (TLS) everywhere, encrypted database storage, and bcrypt-equivalent secure hashing for any secrets. Despite reasonable safeguards, no internet service is 100% secure — if a breach affects your data, we will notify you within 72 hours as required by UK GDPR.

11. Changes to this policy

We may update this policy from time to time. When material changes happen we will email all active users and post a notice on the homepage. The "Last updated" date at the top always reflects the current version.

12. Contact us

Email contact@studictsmartdictionary.com. We aim to reply within 5 working days for general queries and within 30 days for formal data requests.
