Last updated 12 June 2026

Privacy Notice

This is the customer-facing privacy notice for iCan Study, a subscription product from ICANTUTORING LTD. It is written to be read by a fourteen-year-old. The regulatory references sit in square brackets so it is still clear for a regulator.

Controller: ICANTUTORING LTD

ICO registration: ZA464852

Bloom Accredited Supplier to UK local authorities

Contact for data protection: hello@icantutoring.com

1. Who runs iCan Study

iCan Study is built and operated by ICANTUTORING LTD, the same company behind iCan Tutoring. We are a Bloom Accredited Supplier to UK local authorities. We are registered with the UK Information Commissioner's Office under registration number ZA464852.

We are the data controller for everything you do inside the app. That means we decide what data is collected and what happens to it. To talk to us about your data, email hello@icantutoring.com. We aim to reply within two working days.

2. What information we collect

Only what we need to run the service.

You give us:

  • Your name (so we can greet you)
  • Your email address (so you can sign in and we can email you)
  • Your password (hashed by our auth provider before it reaches us; we never see it in plain text)
  • Your target GCSE grade band (so we calibrate marking against the right standard)
  • Anything you write into the app: practice answers, paragraphs, self-mark notes, the cards you complete

We generate as you use it:

  • Marks awarded to your answers and the examiner-voice feedback
  • Your progress through the curriculum
  • Your reading preferences (font, size, focus mode)
  • Account events: when you signed up, when you signed in, when you cancelled

We never collect:

  • Your card number (Stripe handles this, we only see a customer reference)
  • Your address, phone, or any identifier we do not need
  • Cookies for advertising or third-party tracking
  • Anything from other websites you visit

3. Why we use your data, and the lawful basis

PurposeLawful basis
Running your account, saving progress, returning the marked answers you asked forPerformance of a contract (Art 6(1)(b))
Taking payment via StripePerformance of a contract (Art 6(1)(b))
Sending transactional emails (welcome, trial reminders, payment, security)Performance of a contract (Art 6(1)(b))
Keeping the service secure (fraud prevention, abuse monitoring, debugging)Legitimate interests (Art 6(1)(f))
Improving the product (anonymised usage patterns to fix sharp edges)Legitimate interests (Art 6(1)(f))
Marketing emails about new features (none today; if we ever do, you will see a tickbox first)Consent (Art 6(1)(a))

4. Who else sees your data

We use a small set of trusted suppliers. Each is contracted under a Data Processing Agreement and at least matches our own protection standards.

SupplierWhat they doWhere
SupabaseDatabase, authenticationEU
StripeCard payments, subscriptionsIreland (EU)
AnthropicAI marker for answer feedbackUnited States
ResendTransactional emailUnited States
VercelWebsite hosting, serverMulti-region

We do not share your data with anyone outside this list, we do not sell your data, and we do not give it to advertisers. When data moves to a supplier outside the UK (Anthropic, Resend, parts of Vercel), it is protected by Standard Contractual Clauses (SCCs) as required by UK GDPR.

5. Your answers and the AI marker

When you submit a written answer for marking, the answer is sent to Anthropic (the company that makes the Claude AI we use as the marker). Anthropic returns examiner-voice feedback, which you then see in the app.

Anthropic does not use your answers to train its model. This is a contractual commitment in their API terms, not a promise we have made up. We chose Anthropic specifically because of that commitment.

The AI marker produces feedback, which is not an official grade on your record and does not stop you accessing any part of the service. If you disagree with a marking outcome, email hello@icantutoring.com and a human will review it.

6. How long we keep your data

CategoryRetention
Account: profile, name, emailWhile your account is open, plus 24 months after cancellation, then deleted
Answers and marksSame as account
Payment records (Stripe references, invoices)7 years (HMRC and UK accounting law)
Email send/open logs30 days
Session cookiesBrowser session, refreshed every 24 hours

You can ask for deletion before the 24-month point at any time. See section 7.

7. Your rights

You can ask us to:

  • Show you what we have about you (Subject Access Request, Art 15)
  • Correct anything that is wrong (Art 16)
  • Delete your account and your data (right to erasure, Art 17)
  • Restrict what we do with it (Art 18)
  • Move your data to another service in a portable format (Art 20)
  • Object to processing based on legitimate interests (Art 21)
  • Withdraw consent for anything you gave consent for (Art 7(3))

The fastest route is the Delete my account button on your /account page, which removes your account and data immediately. For anything else, email hello@icantutoring.com.

We will respond without undue delay, and in any event within one month of your request. The month can be extended by up to two further months for unusually complex requests, in which case we will write to you within the first month to explain.

If you are not happy with how we have handled a data request, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk or 0303 123 1113. We would rather you came to us first so we can put it right.

8. Children using iCan Study

iCan Study is designed for students preparing for GCSE English (usually age 14 to 16). We do not knowingly create accounts for children under 13. Under UK law a child of 13 or older can sign up themselves; under 13s need a parent or guardian to set up the account on their behalf.

The signup form asks you to confirm you are 13 or older, or that you have permission from a parent or guardian. If you sign up without that being true, contact us and we will remove the account.

We follow the ICO Age Appropriate Design Code: high-privacy defaults, the minimum data we need, plain-language explanations, no nudge patterns that push people into giving up more data than they want to. Our full position is in the Children's Privacy Supplement available on request to hello@icantutoring.com.

9. Cookies and what we store on your device

We use the minimum necessary local storage:

  • Authentication cookies so you stay signed in (set by Supabase Auth). Strictly necessary; the service does not work without them.
  • Browser localStorage for your progress through lesson cards and your reading preferences. Stored only on your own device.

We do not use any third-party advertising or analytics cookies. You do not need to make a cookie-consent decision to use this site. The cookies we use are exempt from PECR consent because they are strictly necessary.

10. Security

  • Connections are encrypted in transit (HTTPS, TLS 1.3)
  • Passwords are hashed by Supabase Auth using bcrypt; we never see plain-text passwords
  • Card data never reaches our servers (Stripe handles checkout directly)
  • Database access uses Row Level Security: each user's data is isolated at the database layer
  • All sub-processors are contracted under standard Data Processing Agreements

11. Changes to this notice

If we change the way we handle your data in a material way (a new processor, a new category of data, a change of legal basis), we will email everyone with an account before the change takes effect. Small clarifying wording updates we will not email about; they will simply be reflected on this page with the new date above.

12. Controller and contact

ICANTUTORING LTD
ICO Registration: ZA464852
Email: hello@icantutoring.com

For the registered office, company number, and signing officers, see the Terms page.

This notice will be reviewed by a UK SaaS-specialist solicitor before public launch. The wording here accurately describes how the product handles data as of the date above.